Over ten years, the legacy report page mutated from a locked-down SQL form into a hidden console spilling raw database guts.
Developers swapped hardcoded queries for database-driven report names. They slapped on timeouts, string filters, and warnings but skipped restoring safe defaults.
Implication: Piecemeal UI tweaks without a master plan can fling raw SQL into the wild and blow up security.