This post is a (live) report from Tom Kyte's session with the title above he did in a packed room on Thursday morning on OOW2011.
1. Trigger trickery
A before row trigger uses consistent read. So it uses the situation as it was when the statement started. So during long running updates the actual situation might differ from the 'consistent read' situation. That might lead to a rollback and re-fire of the statement, and thus the trigger as well. So every before statement and row level trigger (apart from the last row) might fire twice!
So don't do anything you can't roll back in a trigger. If you call some autonomous auditing function in a trigger, you might encounter rows in your auditing table that didn't actually happen...
Direct path loads bypass triggers...so triggers don't always fire!
So, if you can avoid triggers...please avoid triggers.
2. Ignore errors
Error handling is done wrong more often than it's done right. Only catch exceptions that you are expecting - which means they aren't real exceptions anymore (like a NO_DATA_FOUND, but then in the same block as the SQL statement itself and not a general one at the end of your code). All the other ones should be raised, either immediately or at a later moment in the transaction.
3. Elaboration code
You can use instantiation code in a package body, by defining an anonymous block within the body. It runs one time only per session (and after ever reinstantiation).
4. Implicit conversions
Always use explicit conversions. Especially when you're relying on specific NLS settings, for example when converting dates! Implicit conversions might even lead to SQL injection by tweaking the NLS_DATE setting!!!
Relying on implicit conversion also might have a performance penalty, because the conversion takes CPU time and has impact on the access path the optimizer comes up with.
You need direct grants on an object in order to use that object in a PL/SQL object, roles don't work - on purpose. If you use "invoker rights", your code uses the roles and grants of the user who runs the code. Default code is created using "defined rights" and then the code uses the grants of the definer. Especially when you use invoker rights, you could encounter unexpected results, because table T of the definer might not be the same table T of the invoker....