I'm sitting right now in that session. The speaker is just demoing yet another example which has a SQL Injection vulnerability! The killer: a script callback that uses the params unvetted to dynamically build a SQL string. MS definitely should vet the demos for security problems.