Latest Posts
SQL Saturday #17 is scheduled to take place in Baton Rouge, Louisiana on August 1 (yes, it's a Saturday :o)). I will present on the ADO.NET Entity Framework version 4 and on SQL Server 2008 FILESTREAM.
There are many other great speakers lined up, and as always, the event is free to attend. It's an excellent opportunity for learning, networking, and skipping out on the honey-do list for another week.
Hope to see you there!
This is probably one of the most common questions IS students ask: How come you don't teach ? The answer is usually one of the following: we can't, because of time constraints, because we may not be versed well enough in the technology to teach it, and because at a four-year traditional institution, we teach career skills (i.e. long-term focus) and not job skills.
The question is nonetheless relevant. Students should not expect to only spend time in class and on coursework and then find the highest paying positions upon graduation. It is going to take a lot more effort and time. However, it doesn't have to cost a lot of money. Students can't afford to pay for the traditional courses offered by technology vendors or third-parties, they can't afford to attend the industry conferences, etc.
They can however join the major national associations as student members, where they mostly receive the same benefits professional members receive, but at a fraction of the cost. The Association for Computing Machinery (ACM), IEEE (originally short for Institute of Electrical and Electronics Engineers) and Society for Information Management (SIM) all have such incentives for students to join.
What are the benefits for students? Plentiful: they include access to digital libraries (often full text, as well as abstracts), online books from Books24x7 or Safari, and online courses.
If you are not familiar with a SQL Saturday, it's like a Code Camp, but focused on SQL Server.
SQL Saturday #14 is the Pensacola, Florida event for 2009. The lineup of sessions, location, and registration is available from the SQL Saturday web site at http://www.sqlsaturday.com/eventhome.aspx?eventid=18.
I will be presenting a session on the SQL Server 2008 FILESTREAM feature.
On a side note, I like the concept of sqlsaturday.com: one site from which all SQL Saturday events are managed. It makes me think we need something like this for Code Camps also. It cuts down on the amount of coding each organizing committee has to do, allowing them more time to focus on the actual organization. Attendees and presenters benefit from the uniform interface.
P.S.: There is one May 30 in Birmingham, AL also. I will not be attending that event though.
From what I saw, the Atlanta Code Camp yesterday, March 14, was a success. Attendance was great, there were many sessions, and the location (Georgia Gwinnett College) is very well suited for a Code Camp.
Thank you to those who attended my sessions on the ADO.NET Entity Framework and SQL Server 2008 FILESTREAM. Unfortunately, we ran short on time in both sessions. Still, all the major points came across. The downloads from the session are available now (see below). The downloads include my PowerPoint slides, my demo scripts, start and finish code of each demo, and (where applicable) starting database.
Any follow up questions or comments are welcome.
For your day-to-day activities, that is. The blog post below points this out one more time:
NEWS: "Removing end user admin rights eliminates 92% of vulnerabilities"
This advice holds independent of operating system, version, etc.
I do believe though that Vista's User Account Control (UAC) provides significant security and usability benefits by allowing people to easily provide administrative credentials or elevation of privilege to selected processes.
From ComputerWorld:
Microsoft: Office 14 won't ship until 2010
Is it the economy? I wonder how Software Assurance customers feel about this... After all, they are the ones who have already paid for it!
The 2009 edition of the Atlanta Code Camp is scheduled for March 13, 2009 at Georgia Gwinnett College.
I will be presenting two sessions in the Data track: one on the Entity Framework and a second one on the FILESTREAM feature in SQL Server 2008.
Post a comment to this blog if you are interested in meeting up!
For information and registration, see
http://www.atlantacodecamp.com.
The Atlanta Code Camp 2007 (http://www.atlantacodecamp.com) was another successful CodeCamp event.
I presented a session on creating a custom extender with ASP.NET AJAX RC. If you were present in Montgomery, you'll find the download from the Atlanta Code Camp useful, as it has been revised for RC (I used Beta 2 during the Montgomery CodeCamp).
The download (zip file containing demo script and code) is available
here.
Yesterday's third Alabama Code Camp was a good experience for me. Contrary to my post on 9/12, I did not do a talk on Windows Communication Foundation, but added a session on creating an Extender with ASP.NET AJAX ("Atlas").
The evening before the event, I was asked to take over a session for Joe Healy, who had a family emergency. His talk was an introduction to ASP.NET AJAX and fit right in with mine. I had to scramble to prepare for that talk, but managed to do it just in time for the session's start.
P.S.: To those who attended my sessions, thank you for the feedback
and the response. I enjoyed the questions and interaction. The slides,
code and demo scripts will be posted later today.
Upcoming Code Camps
Next spring, there is a Code Camp in the works for Mobile. I will likely make plans to attend and present some sessions there too.
A code camp is scheduled in Atlanta on January 20th. I have not yet made a decision about attending.
The Alabama Code Camp is having its third edition on Saturday, October 28th in Montgomery (Auburn University at Montgomery). I missed the second edition, because Huntsville is quite a while away from Troy. However, Montgomery is probably as close as it will come, so I will be there.
I have submitted a proposal for a talk on unit testing with Visual Studio Team System, and I am considering an updated talk about web services with Windows Communication Foundation (WCF) and a new talk about Windows Workflow Foundation (if I get around to developing some demos for it).
I truly enjoyed the talks I attended at the first Code Camp. The content was interesting, at the right level, and presented well. I encourage every developer in the area to attend. There are already a number of sessions scheduled, but I believe there will be many more to come.
See you in Montgomery!
The title of this post might actually be more appropriate if it was called what aren't they planning. If you've been reading my blog, you'll know that I was an active beta tester during the Visual Studio 2005 beta period. Microsoft sent me (and many others) a Customer Appreciation Award. Nice token, thanks for that.
However, after the release of VS 2005, I still found some annoyances. I posted two feedback items at the Microsoft Connect site ([1] and [2]) on November 21. Only now have I gotten feedback on those items' status. I can understand that, the team had probably lots of other things on their mind, such as VS 2005 Beta 1.
However, I am concerned about the reply that was posted for both topics. If you have a Microsoft Connect account, I encourage you to look at the items and judge for yourself; but, in my opinion, these are fairly minor changes. One would require adding a missing runat="server" attribute to a tag when Local Resources are generated and another would involve automatically generating resource entries for columns in a GridView. The response I got to both items basically stated that these items won't be fixed for the Orcas timeframe because they would produce breaking changes and the goal for Orcas is to have "a high degree of backward compatibility" [3]. It turns out that the requests I submitted are in the "Red" bits (read the blog post at [3]).
I am concerned because first of all, I was hoping for a fix for these items in a Service Pack; and seeing as how "Orcas" is now supposed to be just a Service Pack where it concerns "Red" bits (again, see [3]), I was certainly hoping for a fix in that time frame. Now, it turns out that even such minor feature changes are not considered for Orcas. So, it seems to me that
Orcas = VS 2005 + (WPF, WCF, WWF designers)
just like
.NET 3.0 = .NET 2.0 + WPF + WCF + WWF
When will that huge dev team at Microsoft get going on delivering high quality software on time on a reasonable schedule?
Sven.
P.S.: Those readers who think I believe Microsoft is the next best thing since sliced bread... there you have it ;o)
[1]: http://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=104600
[2]: http://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=104598
[3]: http://blogs.msdn.com/somasegar/archive/2006/05/18/601354.aspx
(Note: This is my first "live" blog post...)
I am in Atlanta for Windows Vista Developer Training. I've had a chance to get used to the user experience (UX) in Windows Vista, and I like it. The developer side of Vista is exciting also, but is clearly still in the works. The lab exercises that are provided are those that were also used during the PDC. They have been updated to an extent.
But on my machine, I installed the Vista July CTP build (build 5472) with its matching .NET Framework 3.0. The Windows Communication Foundation lab 2 went fairly well, but did require some changes to the code. I've uploaded my solution for lab 2 here [2]. Hopefully, this can be of use to someone who's trying the lab on a recent build.
The main differences are here: The Session property of the ServiceContractAttribute is now called SessionMode and has changed from a boolean value to an enum (SessionMode.Allowed, Required or NotAllowed). The MSMQ exercise in the lab requires an additional configuration attribute on the binding tag, exactlyOnce="false". (Unless you enable transactional support first; but in the lab, this is done later.)
[2] http://www.adduxis.com/downloads/WCF_HOL2/TradingService.zip
At a customer's site, an application needed to format and accept formatted input for currencies. They had already made several attempts at getting the .NET 2.0 WinForms MaskedTextBox to behave the way they wanted, without success.
A quick search reveals that they were not the only ones struggling with this issue. However, Irena Kennedy [1] had posted some sample code that would make the MaskedTextBox behave more appropriately. While the sample provides an excellent overview of how to handle currency values, two features were lacking:
- Support for the currency group separator (the , in the US English culture)
- Support for different cultures (important, considering the fact that the default MaskedTextBox allows you to specify a culture)
The download below [2] is a zip file containing a sample implementation for both of the above features. The code is based on Irena's code. Feel free to download this sample and use it in your applications. However, I provide no warranty whatsoever that this CurrencyMaskedTextBox will suit your needs. If you make any modifications, please continue to include my name and Irena's name.
[1]: http://blogs.msdn.com/irenak/archive/2006/03/21/556434.aspx
[2]: http://www.adduxis.com/downloads/CurrencyMaskedTextBox/CurrencyMaskedTextBox01.zip
I couldn't blame anyone for thinking that this blog is dead. However, it's not. I could come up with scores of excuses as to why I haven't posted anything, but that won't serve any valuable purpose.
Rather, I'd like to write something about the subjects I can post about, namely
- The betas of Windows Vista and Office 2007.
I've installed them both, and I am gradually learning the differences and the exciting new features. Many pundits always claim that upgrades such as these have very little to offer in terms of business value. While I believe that they often make good points, I also think that for true "Information Workers" (I don't like that term very much...), the differences between Office 95 and Office 2007 are certainly significant. I am using such a big timespan to illustrate that over an 11-year period, there are significant advances in software. If each individual upgrade didn't provide benefits, where did these combined advances come from?
Office 2007's new user interface is radically different. My first experiences with it are positive. I've been using many of the advanced features of Outlook and Word (Excel somewhat less) for many years now. Naturally, I was apprehensive about this new interface. I was afraid that I wouldn't be able to find the commands I was looking for anymore. Good news on that front: everything is right where I would expect it to be. The first time using a command, it might take perhaps a second or two, but the new interface grows on me quickly. Whether or not novice users will now actually be able to find and use the advanced features more easily remains to be seen. I suspect that they might.
- Visual Studio 2005 and SQL Server 2005
They have been available for several months now, of course. If you've read my blog before, you'll know that I've been developing applications using Visual Studio 2005 for quite some time. Visual Studio is not without its problems (Service Pack, please...), but I believe that Microsoft is committed to fixing some of the problems they introduced (witness thereof the new Web Application Project and Web Deployment Project templates).
- Atlas
I don't buy into the Web 2.0 etc. hype. But, AJAX does offer benefits. I've been developing an application that requires a form to be completed in a number of steps; and within each step, the web server has to provide more data based on user selections. While regular ASP.NET can handle that just fine, refreshing entire (complex!) web pages versus just a few of the elements on them is very different. The user experience is enhanced significantly by allowing a page to be partially refreshed. Speed is one factor. I know the form inside out, and I can complete it in about 60 seconds with AJAX. It takes over 2 minutes if AJAX is not enabled. The difference: the web server response time.
I don't recommend site designs that do not ever navigate to a new web page, because there are certainly many issues with that approach, including manageability and accessibility.
- VOIP
I recently switched to Voice over IP at home and in the office. I am impressed with the quality, the features and the price. However, using cable modem connections at both locations highlights one important point: Using QoS (Quality of Service) is absolutely necessary. Backups at the office are done over the Internet to a remote site, and these uploads take up most/all of the available uplink bandwidth. Having a phone conversation at the same time is impossible without bandwidth management.
I hope to be writing about these subjects more soon.
Sven Aelterman.
While converting a project from VS.NET 2003 to Visual Studio 2005, I also converted the unit tests to the Visual Studio Team System unit testing framework. While I believe that the unit testing framework in VS 2005 has merits, I am not sure if I am ready to dump NUnit. NUnit has a major advantage over Visual Studio for the specific project I am working on: it can correctly compare the contents of arrays.
Suppose you have a custom class. In order to properly compare two instances, you override the Equals method. Both NUnit and Visual Studio Team System will use the Equals method in their respective Assert.AreEqual methods.
However, NUnit will compare arrays on an element-by-element basis, calling the Equals method on each element in the array. Visual Studio Team System expects you to iterate over the array and call Assert.AreEqual for each element (which I would think is what NUnit does under the covers (I haven't actually looked at the source code, but it seems to make sense)). If you supply two arrays to Visual Studio's Assert.AreEqual, then the unit test framework will consider the arrays equal if they refer to the same memory address (reference equality).
P.S.: There is one more difference that makes NUnit preferable in certain situations. NUnit introduces a concept of "Categories." Each unit test can be assigned to one or more categories. You can then elect to only run unit tests in a specific category, or exclude unit tests from a specific category. For a large project, or a project where you know under certain circumstances tests will fail, this is particularly attractive.
UPDATE: According to the documentation, the Team Edition for Testers (and therefore Team Suite) provides the notion of Test Lists, which allow logical groups of tests to be created. Sadly, this means developers have to pay extra for this functionality if they choose to use the Team System testing framework.
A customer asked me if it was possible to create a post-build event in Visual Studio 2005 that would only be run if the active mode was "Debug."
A brief search on the Internet (using A9.com, to keep getting "a piece of the Π") revealed that there was no "built-in" support or any solution previously posted. However, the solution is rather simple, almost trivial. Build events are just commands that get passed to the command line interpreter (with some escaping taking place).
I remember that MS-DOS used to support IF statements for batch files. The Windows Server 2003 command interpreter (cmd.exe) still does, and this is the syntax:
IF [NOT] condition command
Type "help if" at the command prompt to see more information. IIRC, the MS-DOS IF statement was not nearly as extensive as the one supported by cmd.exe.
Combine this with the fact that the build events provide several "macros" (variables is what I would call them) that are replaced with values before the command is sent to the command line, and you get this command:
IF /I "$(ConfigurationName)" == "Debug" <command to run>
The /I switch makes the comparison case-insensitive. The quotes around the macro are necessary so that the command interpreter still sees a (possibly empty) string after the macro has been expanded. <command to run> can be replaced with the command. If the command's path contains spaces, it must also be enclosed in quotes.
If you need to execute multiple commands for a single condition, there are three ways to achieve this: repeat the IF statement on as many separate lines as you have conditional commands, chain the commands on that one line with & inside parentheses (IF /I "$(ConfigurationName)" == "Debug" (command1 & command2)), or put them all in a batch file and call that file from the build event. The batch file is definitely the preferred method. Note that you cannot spread a parenthesized block of commands over several lines here. In a batch file, each command must be and can be separated by a newline character. However, each build event must be separated from the next one by a newline character as well. There is an inherent conflict there.
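As an added example (not from the original post), here is the batch-file variant end to end: a one-line post-build event that hands the configuration name and the built assembly's path to a script, and the script itself, which re-checks the configuration from its arguments so that it is safe to run by hand as well. The file name postbuild.cmd and the test\ folder next to the project are assumptions.

```batch
REM Post-build event line (Project Properties -> Build Events -> Post-build event command line):
REM
REM   IF /I "$(ConfigurationName)" == "Debug" "$(ProjectDir)postbuild.cmd" "$(ConfigurationName)" "$(TargetPath)"
REM
REM Everything below is postbuild.cmd, saved in the project directory (assumed name).

@ECHO OFF
SETLOCAL
REM %1 = configuration name, %2 = full path of the built assembly.
REM %~1 / %~2 strip the surrounding quotes that the build event added.
IF /I NOT "%~1" == "Debug" GOTO :done

REM Assumed target: a test\ folder next to this script (%~dp0 = script's own directory)
SET TESTDIR=%~dp0test
IF NOT EXIST "%TESTDIR%" MKDIR "%TESTDIR%"

ECHO Debug build: copying "%~2" to "%TESTDIR%"
COPY /Y "%~2" "%TESTDIR%\" >NUL
IF ERRORLEVEL 1 (
    ECHO postbuild.cmd: copy failed
    ENDLOCAL
    EXIT /B 1
)

:done
ENDLOCAL
EXIT /B 0
```

Because the script returns a non-zero exit code on failure, Visual Studio reports the post-build step as a build error instead of silently continuing; the IF in the build event line keeps the script from even being started for Release builds.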
During my talk at the Alabama Code Camp, I demonstrated how you can host a soap web service in a WinForms application (or a Windows Service, etc.). However, my solution required the use of SOAP over TCP, which does make it less interoperable.
Angel Machin has a post that would allow any .NET application to host HTTP web services (using Web Services Enhancements). I have not tried this myself, but I got the link from William Stacey's blog.
William Stacey himself hasn't been idle either lately. He posted an improved custom solution to create a security context token on Channel 9. His first solution can be found on his blog and as a complete sample in my Alabama Code Camp downloads (Demo 2). I will probably change an implementation of web services I was working on to this SRP (Secure Remote Password) implementation. It is standards-based (which makes long-term maintenance, including maintenance by others, easier) and promotes better security because the protocol has seen extensive review by the security community.
The Alabama Code Camp last Saturday was, from my perspective, a success. I thought that attendance was high and the quality of the sessions I attended good to very high. Thanks to the sponsors for enabling this (including a "free lunch").
The only side of the event I liked less was the venue. Computer classrooms are not the best places to sit and watch demonstrations. Also, the building is a complete maze and there are no pointers whatsoever to help you find a particular room number.
I believe people who came to my presentation were satisfied. Unfortunately, one hour was not nearly enough to show what I really wanted to show. My slides and the code for WSE 2.0 have been posted. I am working on an issue with one of the demos in WSE 3.0, but expect those files to be posted soon. I need to mention that the idea for Demo 2 in my presentation was obtained from William Stacey's blog.
Security Gaffe
One thing that is nearly as funny as this, is a poster I noticed at the Virginia College, Palisades II campus (where the Code Camp was held). The poster was meant to inform their students of the availability of a virtual library. As such, it was posted at the main entrance. Unfortunately, the poster included not only the URL to the virtual library, but also the password...
I wonder why they even bother to have a password then? (Note that I didn't actually try this out, and it's possible that the virtual library is only accessible through their student portal site, which probably requires a separate logon. Still, it makes no sense to have a secondary password then.)
Today, someone asked me if it was possible to make Excel highlight the column and the row of the cell that is selected. Excel already highlights the column and row header, but when working on a high-resolution screen, that does not help much in ensuring that you are actually entering data in the right cell.
I set out to find a solution, and on the Microsoft Office Assistance site, I found [1]. While this certainly works, it has a major drawback: any conditional formatting that is applied to any cell in your worksheet is lost. The worksheet for which this solution was needed didn't actually have any conditional formatting, but I figured that that might change and users would probably never figure out why their conditional formatting was always lost.
The problem with the solution at [1] is that it indiscriminately removes all conditional formatting in the worksheet. I figured that a better solution can be found if you merely keep track of the previously highlighted area. That way, you only need to undo the conditional formatting the macro applied, rather than all of it. In addition, the macro can be improved even further by only removing the conditional formatting that actually matches the conditional formatting it previously set. In other words, only delete the conditional formatting if the formula and the expression matches what the macro itself applies.
That conditional formatting is very simple, by the way. It merely applies a background color (which is guaranteed to be different from any background color the cell already has and from the font color in the cell) if the formula "TRUE" is True, which it always is, of course.
An additional improvement I made is that the last "banding" is removed before the workbook is closed. That way, when you open the workbook next time, there are no oddly highlighted cells. If that would happen anyway, the solution is simple of course: just put the cursor cell that was selected before the workbook was saved and then move it away from that cell.
Here's the VBA code that achieves this. Just copy and paste it in your workbook's ThisWorkbook VBA code.
Option Explicit

' The range banded by the previous selection change. Only this range's
' banding is undone, so the sheet's other conditional formatting survives.
Private LastTarget As Range

Private Sub Workbook_BeforeClose(Cancel As Boolean)
    ' Remove the last banding so the workbook is not saved with stray highlights
    UndoBanding LastTarget
    Set LastTarget = Nothing
End Sub

Private Sub Workbook_SheetSelectionChange(ByVal Sh As Object, ByVal target As Range)
    ' Undo last target band coloring
    UndoBanding LastTarget
    ' Save the current target as the last target
    Set LastTarget = target
    ' Band color the current target
    DoBanding target
End Sub

Private Sub UndoBanding(ByVal target As Range)
    ' Long rather than Integer: row numbers exceed the Integer range (32,767)
    Dim CurrentRow As Long, CurrentColumn As Long
    Dim i As Long
    If (Not target Is Nothing) Then
        ' Undo in the anchor cell of the target (only that cell is banded,
        ' even when a multi-cell range was selected)
        UnBandCell target.Cells(1, 1)
        ' Un-highlight the same column's cells above
        CurrentRow = target.Cells(1, 1).Row
        CurrentColumn = target.Cells(1, 1).Column
        For i = CurrentRow - 1 To 1 Step -1
            UnBandCell target.Worksheet.Cells(i, CurrentColumn)
        Next i
        ' Un-highlight the same row's cells to the left
        ' TODO: How about other cultures? (R-t-L)
        For i = CurrentColumn - 1 To 1 Step -1
            UnBandCell target.Worksheet.Cells(CurrentRow, i)
        Next i
    End If
End Sub

Private Sub DoBanding(ByVal target As Range)
    Dim HighlightColor As Variant
    Dim CurrentRow As Long, CurrentColumn As Long
    Dim i As Long
    If (Not target Is Nothing) Then
        ' Read the anchor cell's palette index. On a multi-cell selection with
        ' mixed fills, target.Interior.ColorIndex would return Null instead.
        HighlightColor = target.Cells(1, 1).Interior.ColorIndex
        ' Ensure that a proper color is selected
        If (HighlightColor < 0) Then
            ' No fill (xlColorIndexNone) or automatic: the default is light blue
            HighlightColor = 37
        Else
            ' Add 1 to the color index of the current cell, wrapping within
            ' the 56-entry palette (index 56 + 1 becomes 1)
            HighlightColor = HighlightColor Mod 56 + 1
        End If
        ' Highlight the anchor cell of the target
        BandCell target.Cells(1, 1), HighlightColor
        ' Highlight the same column's cells above
        CurrentRow = target.Cells(1, 1).Row
        CurrentColumn = target.Cells(1, 1).Column
        For i = CurrentRow - 1 To 1 Step -1
            BandCell target.Worksheet.Cells(i, CurrentColumn), HighlightColor
        Next i
        ' Highlight the same row's cells to the left
        ' TODO: How about other cultures? (R-t-L)
        For i = CurrentColumn - 1 To 1 Step -1
            BandCell target.Worksheet.Cells(CurrentRow, i), HighlightColor
        Next i
    End If
End Sub

Private Sub UnBandCell(ByVal cell As Range)
    Dim fc As FormatCondition
    Dim i As Long
    If (Not cell Is Nothing) Then
        ' Find the conditional formatting this macro applied, identified by its
        ' expression type and formula. Iterate backwards because deleting
        ' shifts the indexes of the remaining conditions.
        ' Note: in the very unlikely case that someone actually has a use for
        ' an expression condition with formula TRUE, it would be deleted also.
        For i = cell.FormatConditions.Count To 1 Step -1
            Set fc = cell.FormatConditions(i)
            If (fc.Type = xlExpression And (fc.Formula1 = "TRUE" Or fc.Formula1 = "=TRUE")) Then
                fc.Delete
            End If
        Next i
    End If
End Sub

Private Sub BandCell(ByVal cell As Range, ByVal bandColor As Variant)
    ' Compare palette index to palette index. Interior.Color and Font.Color
    ' are RGB values and would never equal a ColorIndex, which is why the
    ' "different color" guarantee must be checked against ColorIndex.
    ' Ensure that the cell's background color is not the same as the band color
    If (bandColor = cell.Interior.ColorIndex) Then
        bandColor = bandColor Mod 56 + 1
    End If
    ' Ensure that the cell's font color is not the same as the band color
    If (bandColor = cell.Font.ColorIndex) Then
        bandColor = bandColor Mod 56 + 1
    End If
    ' Only band cells that have no conditional formatting of their own, so
    ' that existing conditions are never touched
    If (cell.FormatConditions.Count = 0) Then
        ' "TRUE" is always true, so the format is applied unconditionally
        cell.FormatConditions.Add xlExpression, , "TRUE"
        cell.FormatConditions(1).Interior.ColorIndex = bandColor
    End If
End Sub
Not all is well with this solution. Because four loops have to be executed and conditional formatting is applied on a cell-by-cell basis, slower machines may experience a delay, especially the further away from cell A1 the cursor is positioned. Also, if it would so happen that all cells that would be highlighted by this macro already have conditional formatting applied, not a single cell will be highlighted. Of course, this does not cause any harm, but then again, the macro doesn't do anything to make the spreadsheet easier to use either.
[1]: http://office.microsoft.com/en-us/assistance/HA011366231033.aspx
Alabama .NET code community, if you were not already aware, mark your calendars: on October 29th, the first Alabama Code Camp will be held in Birmingham. It's an event for developers by developers, and registration is free (but required). You can find registration information, directions, and session listings at their web site.
I will be speaking about Web Services Enhancements 2.0 and 3.0 and specifically how those products can be used in real-world applications. I am developing a commercial application at this time that uses WSE 2.0 (and soon 3.0), so I will be able to provide some interesting insights.
I will post a link to my presentation and code downloads on my blog shortly after the Code Camp is over.
I hope to see you there!
I apologize that it has been a while since I have posted anything on my blog. I have several ideas in the pipeline, including some management posts, but both professional and personal enterprises have kept me from actually creating any content.
I have been working with July Community Technology Preview of VS 2005. I had already mentioned that many bugs in Beta 2 had been fixed in the June CTP. By using the July CTP more in-depth (including at a customer's site), I have indeed been able to validate that those bugs have been resolved.
I have to say though that the environment works a lot better for C# than it does for VB.NET (at this time). I believe that VB.NET's background compiler still has some issues left. Even though the memory leak is gone, the environment is really slow when a line is being edited where a warning or error occurs. It may take 5-7 seconds before the environment responds again. (This is running VS 2005 July CTP (team suite) in a virtual machine (MS Virtual PC) on Windows XP Professional SP 2 with 512 MB of RAM).
There are several new features in the IDE I like a lot. I believe that for managing projects, the most important improvement is that "solution folders" can now be created which allow the solution's projects to be grouped together logically instead of allowing only alphabetical listings. I've seen that a popular way of grouping projects in a solution goes something like this: "Client", "Server", "Service Interfaces", "Data Access", etc. In other words, grouping the projects by the logical application layer to which their output belongs. This is also my first use for the solution folders. I am wondering if anyone has a more creative use for solution folders?
I wrote before that I would validate fixes for the bugs I found previously in VS 2005. Unfortunately, many had not been fixed in the Beta 2 release. The two most annoying ones are documented in [1] and [2]. They are particularly annoying because they deal with cryptography. As such, any application that relies on one of these cryptography features (a major project I am working on relies on both) won't run properly.
Now, the good news is that in the June 2005 Community Technology Preview, many bugs are fixed, including the PasswordDeriveBytes one. The memory leak in the VB.NET background compiler [3] also seems to be gone. These fixes result in a much more workable environment. I will be trying (again) to port the project to VS 2005. Hopefully for good this time.
[1]: PasswordDeriveBytes returns different results than .NET 1.1
[2]: RSACryptoServiceProvider.SignHash fails with "Keyset does not exist"
[3]: Memory Leak in VS 2005 Beta 2 (possibly related to vb background compiler)
About 2 months ago, I stumbled upon a slightly disconcerting SQL injection attack vector.
Most guidance that deals with avoiding SQL injection attacks includes using ADO.NET Command objects and their Parameters property. When you combine the use of ADO.NET Command/Parameter objects with SQL stored procedures, you should be protected well against SQL injection attacks. (At least, that's what I understand from the guidance available from Microsoft at [1].)
This works, but not because bad "characters" are filtered out anywhere: neither the Command object nor the stored procedure sanitizes the value. A parameterized call to a stored procedure is sent to SQL Server as an RPC call in which the procedure name and each typed parameter value travel separately, so the value is never parsed as part of a SQL statement and a quote inside it has no syntactic meaning. That is the whole protection, and it only lasts as long as the value stays a value.
However, there is one scenario in which this doesn't work at all, and that's when your stored procedures create a dynamic SQL statement. So, if your stored procedure looks like this:
CREATE PROCEDURE dbo.InjectTest
(
@Input varchar(20)
)
AS
BEGIN
DECLARE @Sql varchar(60);
SET @Sql = 'SELECT * FROM Entries WHERE ID = ''' + @Input + '''';
EXEC (@Sql);
END
GO
And then you call that stored procedure as follows:
Dim Conn As New SqlClient.SqlConnection("server=(local);database=Tests;integrated security=sspi;")
Dim Command As New SqlClient.SqlCommand("InjectTest", Conn)
Command.CommandType = CommandType.StoredProcedure
Command.Parameters.Add(New SqlClient.SqlParameter("@Input", SqlDbType.VarChar, 20))
Command.Parameters("@Input").Value = "' OR 1 = 1 --"
You'd actually select all rows from the table, or in other words, a SQL injection attack is possible. And while you should always validate user input as early as possible in your application, a string like that might be considered valid in many scenarios.
Note: This is with .NET 1.1 and SQL Server 2000. I have not tested this on other platforms. I am especially eager to find out what would happen in .NET 2.0 and SQL Server 2005, but I have not had a chance yet to install SQL Server 2005.
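As an added example (not the original post's code), here is the same procedure next to a rewritten form in which the dynamic statement is itself parameterized through sp_executesql, with a constructed dbo.Entries table (assumed to have a varchar(20) ID column) so both can be run against the same input:

```sql
-- Added example, not the original post's code. The dbo.Entries table below is
-- constructed for illustration; its varchar(20) ID column is an assumption.
CREATE TABLE dbo.Entries (ID varchar(20) PRIMARY KEY, Body varchar(100));
INSERT INTO dbo.Entries (ID, Body) VALUES ('a1', 'first');
INSERT INTO dbo.Entries (ID, Body) VALUES ('b2', 'second');
GO

-- Vulnerable form (as in the post): @Input is spliced into the statement
-- text, so quote characters in the value change the query's structure.
CREATE PROCEDURE dbo.InjectTest_Vulnerable
(
    @Input varchar(20)
)
AS
BEGIN
    DECLARE @Sql varchar(60);
    SET @Sql = 'SELECT * FROM Entries WHERE ID = ''' + @Input + '''';
    EXEC (@Sql);
END
GO

-- Hardened form: the statement text is a constant and the value travels as a
-- typed parameter of sp_executesql, so it is only ever compared as data.
CREATE PROCEDURE dbo.InjectTest_Safe
(
    @Input varchar(20)
)
AS
BEGIN
    DECLARE @Sql nvarchar(200);
    SET @Sql = N'SELECT * FROM dbo.Entries WHERE ID = @Id';
    EXEC sp_executesql @Sql, N'@Id varchar(20)', @Id = @Input;
END
GO

-- Same input to both. The vulnerable procedure ends up executing
--   SELECT * FROM Entries WHERE ID = '' OR 1 = 1 --'
-- and returns both rows; the safe one looks for an ID equal to the literal
-- string ' OR 1 = 1 -- and returns no rows.
EXEC dbo.InjectTest_Vulnerable @Input = ''' OR 1 = 1 --';
EXEC dbo.InjectTest_Safe @Input = ''' OR 1 = 1 --';
```

The ADO.NET parameter in the post is still doing its job; the hole is opened inside the procedure when the value is concatenated, which is why the fix has to be made in the T-SQL rather than in the calling code.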
[1] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetch12.asp
I learned a new thing today: static local variables (a feature inherent to VB.NET) and serialization don't mix.
Here's what I did that did not work. I have a class whose objects can expose themselves as objects of a different class. Because I am not familiar with any design pattern to do this (maybe the actor-role pattern (or role pattern for short) will do this?), I came up with this solution:
Public ReadOnly Property StringAsSentence() As Sentence
    Get
        ' Static keeps RetVal alive between calls; the compiler hoists it to a Shared field
        Static RetVal As New Sentence
        ' More code here to initialize the sentence
        Return RetVal
    End Get
End Property
Now, it turns out that the way the VB.NET compiler gets around the Framework's inability to use static local variables is by actually declaring that local variable as a class level Shared (static in C#) variable. Patrick Steele has a good explanation of this process.
The problem seems to be that although the MSDN document states that StaticLocalInitFlag is Serializable, it is not. Therefore, while trying to invoke a remote method that uses an object of the class that defined the above method as a parameter, I get the following error message:
The type Microsoft.VisualBasic.CompilerServices.StaticLocalInitFlag in Assembly Microsoft.VisualBasic, Version=7.0.5000.0, Culture=neutral, PublicKeyToken=<snip> is not marked as serializable.
I couldn't actually find this exception message anywhere on the Internet, so I was a bit at a loss at first. Also, in the documentation for .NET 1.1, the StaticLocalInitFlag class is not documented. (The URL above refers to the documentation for .NET 2.0, but states that it applies to .NET 1.1 also.)
Here's how I tried to solve the problem at first. I tried to change the property into a function, thinking that the Framework would no longer try to serialize it. Unfortunately, I wasn't paying attention to what I had just read in Patrick Steele's blog, because as long as that local static variable exists, it will turn into a Shared member variable of the class whose objects need serializing. It continued to fail. So I just removed the Static declaration and the problem was solved.
If you are reading my blog, then by now you have figured out that Visual Studio 2005 Beta 2 has gone live. The download for MSDN Subscribers is free, if you can wait until your connection has pulled in 3.75 GB. Alternatively, you may order a DVD for a minimal cost.
I haven't tried it yet, but I will be sure to validate that all the bugs I posted on "LadyBug" have been resolved. I'll keep everyone updated.
The good news is that Microsoft now allows Beta 2 applications to be used in production environments. You will need to agree to the Go-Live license.
More good news comes from my web host, CrystalTech. I have always been impressed with them, but now they are offering anyone a free ASP.NET 2.0 Beta 2 test platform. You can find the details here. As can be expected, the plan does not contain all the features of their commercial plans, but they do give 30 MB of SQL Server disk space and 30 MB of MySQL disk space for free, and even 5 e-mail accounts. They even offer support!