"At manufacturing companies," Brent Railey wrote, "all you ever hear about is SAFETY, SAFETY, SAFETY. In fact, that was exactly the type of application I was tasked with reviewing: an 'Activity Based Safety Program' application for the corporate offices. It was a Classic ASP application that was 'slightly customized' from another application."

"As I was testing out the application, I noticed a little AJAXy behavior. When I selected one category, it would populate another section with the list of items in that category. Not bad for ASP, I figured. That is, until I looked at the code."

Sub CategoryOnChange()
    ' Runs in the browser: the selected category key is read straight from the form control
    categoryValue = window.event.srcElement.value
    document.all("aBehavior").length = 0

    ' Add 'Select a Behavior' option
    Dim noneOpt
    Set noneOpt = document.createElement("OPTION")
    noneOpt.value = 0
    noneOpt.text = "Select a Behavior"
    noneOpt.setAttribute "DetailLine", "0", 0
    document.all("aBehavior").add noneOpt
    Set noneOpt = Nothing

    ' Open an ADO connection to the database server from the client machine,
    ' using the credentials embedded in the page source
    Set dbconn = CreateObject("ADODB.Connection")
    Set dbRS = CreateObject("ADODB.Recordset")
    dbconn.Open "Driver={REMOVED};server=FREAKING;uid=PLAINTEXT;Password=CONNECTION;Database=STRING;dsn=;"

    ' Build the query by concatenating the unvalidated category value into the SQL text
    'SQL = "SELECT Key, Category, Desc FROM KSB WHERE Category = " & categoryValue & " ORDER BY KSBDesc"
    SQL = "select ksb.*, cardversion.*, carddetail.* , categories.* "
    SQL = SQL & " from ksb, cardversion, carddetail , categories "
    SQL = SQL & " WHERE CARDVERSION.CARDACTIVE = 1 "
    SQL = SQL & " AND Cardversion.cardid = carddetail.detailcard "
    SQL = SQL & " and carddetail.detailksb = ksb.ksbkey "
    SQL = SQL & " and ksb.ksbcategory = categories.categoryKey "
    SQL = SQL & " and ksb.ksbcategory = " & categoryValue
    SQL = SQL & " order by carddetail.detailline "

    ' Execute it and populate the second dropdown from the recordset
    dbRS.Open SQL, dbconn, 1
    Dim opt
    Do While Not dbRS.EOF
        Set opt = document.createElement("OPTION")
        opt.value = dbRS.Fields("KSBKey")
        opt.text = dbRS.Fields("KSBDesc")
        opt.setAttribute "DetailLine", CStr(dbRS.Fields("DetailLine")), 0
        document.all("aBehavior").add opt
        Set opt = Nothing

        dbRS.MoveNext
    Loop
    dbRS.Close
    dbconn.Close
End Sub

"At first glance," Brent continued, "this didn't look too bad. But then I realized where I was staring at the code. It was in Notepad, launched by Internet Explorer's View->Source option."

"That's right, it was all done client-side by firing off a VBScript when the user picked a category. It connects straight to the database, dynamically constructs an SQL statement, and executes it. Who needs XML web services when you can just go straight to the database? Why have that extra layer when it just slows things down? Brilliant!"
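Two things go wrong in the code above: the database credentials ship to every browser that views the page, and the category value is spliced into the SQL text, so whatever the client submits is executed as part of the query. The following Python example, added here and not part of the original article or the application it describes, reproduces the page's join against a constructed in-memory SQLite copy of the four tables (column names follow the query on the page; the rows are invented) and shows the concatenated query beside a hypothetical server-side version that validates the key and binds it as a parameter.

```python
"""Vulnerable vs hardened lookup for the category -> behaviour dropdown."""
import sqlite3

# Constructed stand-in for the four tables the page's query joins.
# Column names follow the query on the page; the rows are invented for this example.
SCHEMA = """
CREATE TABLE categories  (categoryKey INTEGER, categoryName TEXT);
CREATE TABLE ksb         (ksbkey INTEGER, ksbcategory INTEGER, KSBDesc TEXT);
CREATE TABLE cardversion (cardid INTEGER, CARDACTIVE INTEGER);
CREATE TABLE carddetail  (detailcard INTEGER, detailksb INTEGER, detailline INTEGER);
INSERT INTO categories  VALUES (1, 'Housekeeping'), (2, 'PPE');
INSERT INTO ksb         VALUES (10, 1, 'Aisles clear'), (11, 1, 'Spills reported'), (20, 2, 'Glasses worn');
INSERT INTO cardversion VALUES (100, 1), (101, 0);
INSERT INTO carddetail  VALUES (100, 10, 1), (100, 11, 2), (100, 20, 3), (101, 20, 1);
"""

COLUMNS = "cardversion.cardid, ksb.ksbkey, ksb.KSBDesc, carddetail.detailline"
JOINS = (
    " from ksb, cardversion, carddetail, categories"
    " WHERE cardversion.CARDACTIVE = 1"
    " AND cardversion.cardid = carddetail.detailcard"
    " AND carddetail.detailksb = ksb.ksbkey"
    " AND ksb.ksbcategory = categories.categoryKey"
)


def make_db() -> sqlite3.Connection:
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, category_value: str) -> list:
    """Mirrors the page: the dropdown value is concatenated into the SQL text.

    A value such as "0 OR 1=1" turns the WHERE clause into
    (CARDACTIVE = 1 AND ... AND ksbcategory = 0) OR 1=1, which is true for
    every row of the four-way cross product, inactive cards included.
    """
    sql = ("select " + COLUMNS + JOINS
           + " AND ksb.ksbcategory = " + category_value
           + " order by carddetail.detailline")
    return conn.execute(sql).fetchall()


def hardened_lookup(conn: sqlite3.Connection, category_value: str) -> list:
    """Hypothetical server-side fix (not code from the original page).

    The browser sends only the category value; this function runs where the
    credentials live, rejects anything that is not an integer key, and binds
    the key as a parameter so it can never be parsed as SQL.
    """
    try:
        key = int(category_value)
    except ValueError:
        raise ValueError(f"not a category key: {category_value!r}") from None
    sql = ("select " + COLUMNS + JOINS
           + " AND ksb.ksbcategory = ?"
           + " order by carddetail.detailline")
    return conn.execute(sql, (key,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "1"))              # the two active Housekeeping behaviours
    print(len(vulnerable_lookup(db, "0 OR 1=1")))  # 48: every row, filters bypassed
    print(hardened_lookup(db, "1"))                # same two rows as the legitimate call
    try:
        hardened_lookup(db, "0 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Parameter binding alone would also stop the tautology (the bound text would simply fail to match any integer key), but the integer check gives the caller a clear error instead of an empty dropdown. Neither helps while the query runs in the browser: moving the lookup behind a server endpoint is what keeps the connection string out of View Source.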