"At manufacturing companies," Brent Railey wrote, "all you ever hear about is SAFETY, SAFETY, SAFETY. In fact, that was exactly the type of application I was tasked with reviewing: an 'Activity Based Safety Program' application for the corporate offices. It was a Classic ASP application that was 'slightly customized' from another application."
"As I was testing out the application, I noticed a little AJAXy behavior. When I selected one category, it would populate another section with the list of items in that category. Not bad for ASP, I figured. That is, until I looked at the code."
Sub CategoryOnChange()
    ' Runs in the browser when the category <select> changes (client-side VBScript)
    categoryValue = window.event.srcElement.value
    document.all("aBehavior").length = 0
    ' Add 'Select a Behavior' option
    Dim noneOpt
    Set noneOpt = document.createElement("OPTION")
    noneOpt.value = 0
    noneOpt.text = "Select a Behavior"
    noneOpt.setAttribute "DetailLine", "0", 0
    document.all("aBehavior").add noneOpt
    Set noneOpt = Nothing
    ' Open a database connection directly from the browser; the full connection
    ' string (server, user id and password) is shipped to every visitor in the page source
    set dbconn = CreateObject("ADODB.Connection")
    set dbRS = CreateObject("ADODB.Recordset")
    dbconn.Open "Driver={REMOVED};server=FREAKING;uid=PLAINTEXT;Password=CONNECTION;Database=STRING;dsn=;"
    'SQL = "SELECT Key, Category, Desc FROM KSB WHERE Category = " & categoryValue & " ORDER BY KSBDesc"
    ' The SQL statement is built by concatenating the raw form value into the WHERE clause
    SQL = "select ksb.*, cardversion.*, carddetail.* , categories.* "
    SQL = SQL & " from ksb, cardversion, carddetail , categories "
    SQL = SQL & " WHERE CARDVERSION.CARDACTIVE = 1 "
    SQL = SQL & " AND Cardversion.cardid = carddetail.detailcard "
    SQL = SQL & " and carddetail.detailksb = ksb.ksbkey "
    SQL = SQL & " and ksb.ksbcategory = categories.categoryKey "
    SQL = SQL & " and ksb.ksbcategory = " & categoryValue
    SQL = SQL & " order by carddetail.detailline "
    dbRS.open SQL, dbconn, 1
    ' Populate the behavior <select> with one OPTION per row
    Do while not dbRS.eof
        Dim opt
        Set Opt = document.createElement("OPTION")
        Opt.value = dbRS.fields("KSBKey")
        Opt.text = dbRS.fields("KSBDesc")
        Opt.setAttribute "DetailLine", CStr(dbRS.fields("DetailLine")), 0
        document.all("aBehavior").add Opt
        Set Opt = Nothing
        dbRS.MoveNext
    Loop
    dbRS.Close
End Sub
"At first glance," Brent continued, "this didn't look too bad. But then I realized where I was staring at the code. It was in Notepad, launched by Internet Explorer's View->Source option."
"That's right, it was all done client-side by firing off a VBScript when the user picked a category. It connects straight to the database, dynamically constructs an SQL statement, and executes it. Who needs XML web services when you can just go straight to the database? Why have that extra layer when it just slows things down? Brilliant!"
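For contrast, here is how the same lookup looks when it is moved server-side, as an added example that is not code from the original application: a Classic ASP page (assumed name behaviors.asp) that the browser requests with the category id, reads the connection string from an Application variable assumed to be set in global.asa, and binds the category value through ADODB.Command instead of concatenating it into the SQL text. Column names are the ones from the original query above.

```vbscript
<%
Option Explicit
' behaviors.asp (assumed name): server-side replacement for the client-side lookup.
' The browser never sees the connection string, and the category value is a typed
' parameter, so it cannot alter the statement the database executes.
Response.ContentType = "text/plain"

Dim categoryValue
categoryValue = Request.QueryString("category")
' Reject anything that is not a plain whole number before touching the database.
If Not IsNumeric(categoryValue) Or InStr(categoryValue, ".") > 0 Or Len(categoryValue) = 0 Then
    Response.Status = "400 Bad Request"
    Response.End
End If

Dim dbconn, cmd, dbRS
Set dbconn = Server.CreateObject("ADODB.Connection")
' Assumed: the connection string is stored server-side in global.asa, not in any page.
dbconn.Open Application("ConnString")

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = dbconn
cmd.CommandType = 1   ' adCmdText
cmd.CommandText = "select ksb.ksbkey, ksb.ksbdesc, carddetail.detailline " & _
                  "from ksb, cardversion, carddetail, categories " & _
                  "where cardversion.cardactive = 1 " & _
                  "and cardversion.cardid = carddetail.detailcard " & _
                  "and carddetail.detailksb = ksb.ksbkey " & _
                  "and ksb.ksbcategory = categories.categorykey " & _
                  "and ksb.ksbcategory = ? " & _
                  "order by carddetail.detailline"
' adInteger = 3, adParamInput = 1: the value travels as data, never as SQL text.
cmd.Parameters.Append cmd.CreateParameter("category", 3, 1, , CLng(categoryValue))

Set dbRS = cmd.Execute
' One "key|description|detailline" line per row; the browser-side script builds the OPTIONs.
Do While Not dbRS.EOF
    Response.Write dbRS.Fields("KSBKey") & "|" & dbRS.Fields("KSBDesc") & "|" & dbRS.Fields("DetailLine") & vbCrLf
    dbRS.MoveNext
Loop
dbRS.Close
dbconn.Close
%>
```

The client-side handler then fetches behaviors.asp?category=<id> and parses the lines, so View->Source exposes only a URL.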