Friday, April 30, 2010

Generate from using - creating stubs first in VS 2010

A feature that everyone loved in VS 2005 is that you can just type in your class name, press Alt+Shift+F10, and Visual Studio shows you the options to add the using statements.

In VS 2010 this has been extended to create class stubs for you while you code.

For example, if I want to use a class called Person in my code and the Person class does not exist yet in the code base, all you have to do is type the following.

Person p = new Person();

Press Alt+Shift+F10 and it will show an option asking whether it should create a stub for Person; if you say yes, VS will create the Person class for you in your current project.

Next, when you need to add a property to the Person class, all you have to do is type:

p.Name = "Jack";

press Alt+Shift+F10 again and tell VS to create the property; you will now see the Name property in the Person class.

You can do the same to generate method stubs as well.

Thursday, April 29, 2010

Web Protection Library and XSS attacks

I started using the AntiXSS library that comes with the Microsoft Web Protection Library (WPL); this library gives you several APIs that can be used to protect your application from Cross Site Scripting (XSS).

So, what is an XSS attack? It is where a malicious user injects a script into the web page another user is viewing, and the script runs as part of the response from the compromised web site.

As a simple example, let's say a malicious user enters a comment on a blog post and appends to the comment a script that displays an alert box 1000 times.
Now every time a user views the comment section of that particular post, the script executes.

An extreme scenario would be where a user enters a script in the comment box that passes the session id or a cookie of the logged-in user to the hacker's web site.

Neither of these cases would arise if the input from the comment text box were checked for malicious code before it was saved to the data source.

WPL supports APIs that will encode inputs and sanitize malicious code.

To demonstrate how easy it is to use this library: all you have to do is add a reference to the AntiXSS library, and in the Microsoft.Security.Application namespace
you will find a class called Encoder; this class has several static methods.

One of these methods is Encoder.HtmlEncode

e.g. Encoder.HtmlEncode(input)

WPL is still a CTP and can be downloaded from the Microsoft site.

As a rule, any input that is displayed to the user from an external source, for example a shared database, has to go through the encode methods of the Encoder class, and
any HTML displayed to the user that is composed from user inputs, like query strings or input fields, needs to be encoded before it is shown to the user; these values also have to be encoded if they are persisted to a data store.

ASP.NET supports input validation, and it is enabled by default; it will not accept any malicious characters (like script and tags) in inputs, and if they are present an exception is thrown.

WPL also comes with the Security Runtime Engine (SRE); this is again a component that can be used to implicitly protect your application from XSS and SQL Injection attacks.

To configure SRE, you can use the SRE configuration generator Windows application.
You can point it to an existing web.config file and add Encoded types, that is, the types of controls that need to be encoded by SRE.

And that's it, you are done; your application is protected from SQL injection and XSS.

Monday, April 26, 2010

Linked Servers and OPENQUERY

So how do you access data in one database from another? (Specifically, I am talking about SQL Server.)

One possible way is to create a Linked Server to the database you want to connect to.
The easiest way to do this is to go to Management Studio, right click on "Server Objects" and click "New Linked Server".

Now on the "New Linked Server" dialog you have 2 ways to create a Linked Server.
1) Create a Linked Server pointing directly to a SQL Server instance
2) Create a Linked Server pointing to one of several supported data sources; this includes OLE DB data sources and also SQL Server.

I prefer choosing the 2nd option to create a linked server to SQL Server; although I can do this easily with the first option, the 2nd option gives me the flexibility to easily change my data source without affecting any objects that use it.

For example, if you use option one, you can access an object (e.g. a stored procedure) in the other database by using a 4-part name, as follows:

EXEC LinkedServerName.DataBaseName.SchemaName.ObjectName

So in this case, if you change the database name, you need to go and change all your objects that use this Linked Server.

However, if you go for the 2nd option you don't need to, provided you use OPENQUERY.

OPENQUERY is a way to execute distributed queries through a linked server; for example, you can write a query like this:

SELECT * FROM OPENQUERY(LinkedServerName, 'SELECT * FROM countries')

The catch here is that you need to pass the query to OPENQUERY as a string literal, which means your execution is effectively dynamic SQL.
There is an advantage here as well: the query now executes in the other database, so you can ease the processing load on your own database. For this to pay off you need to make sure that the query passed into OPENQUERY returns a limited, filtered set of data, that is, the query has a restrictive WHERE clause.

The problem with OPENQUERY is that you cannot build the query on the fly with your parameters, nor can you pass in a VARCHAR variable. The only way to build the query with your parameters is to create an outer dynamic query that contains the OPENQUERY clause itself, execute that dynamic query, and populate a table variable with the result.
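As an added example (not from the original post), here is the pattern the paragraph above describes: the parameter is escaped into the remote query, the remote query is escaped again into an outer statement around OPENQUERY, and that statement is executed into a table variable. LinkedServerName, the dbo.countries table and its columns are assumed names, and the syntax assumes SQL Server 2008 or later.

```sql
-- Added example, not code from the original post.
-- Assumed names: LinkedServerName, dbo.countries(CountryId, Name).
DECLARE @CountryName NVARCHAR(100) = N'Cote d''Ivoire';  -- constructed sample value

-- 1. Build the remote query. Its WHERE value becomes a string literal on the
--    remote side, so every single quote in the parameter is doubled once here;
--    this is what stops the value from breaking out of the literal.
DECLARE @RemoteSql NVARCHAR(MAX) =
    N'SELECT CountryId, Name FROM dbo.countries WHERE Name = '''
    + REPLACE(@CountryName, N'''', N'''''') + N'''';

-- 2. OPENQUERY only accepts a literal, so the whole remote query is embedded
--    as a literal in the outer statement and its quotes are doubled again.
DECLARE @OuterSql NVARCHAR(MAX) =
    N'SELECT CountryId, Name FROM OPENQUERY(LinkedServerName, '''
    + REPLACE(@RemoteSql, N'''', N'''''') + N''')';

-- 3. Execute the outer statement and capture the rows in a table variable.
--    The restrictive WHERE clause runs on the linked server, not locally.
DECLARE @Countries TABLE (CountryId INT, Name NVARCHAR(100));
INSERT INTO @Countries (CountryId, Name)
EXEC sys.sp_executesql @OuterSql;

SELECT CountryId, Name FROM @Countries;
```

Printing @OuterSql before executing it is a quick way to confirm that both layers of quote doubling are in place for a value containing a single quote.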

Let's hope the next version of SQL Server will reduce the developer effort of using OPENQUERY.

Saturday, April 24, 2010

Still no Workflow support in Visual Studio 2010

I was trying out Visual Studio 2010 but was disappointed that they have not included Workflow templates in the Express edition (they did not in the 2008 Express edition either).

However, you can still create workflows, as it is part of .NET 4.0, but with a lot of pain: you have to manually code whatever the designer does for you in the normal editions!

Well, this is where I start hating Microsoft :)

Friday, April 23, 2010

Workflows and MS WF

Yesterday, I completed my training on Windows Workflow Foundation.
In my opinion, it is still a new technology and provides you with a set of good features.
However, a question that was racing through my mind all the time was: why the hell do you need workflows? I mean, almost all programs that we write have activities and business logic within them, so what is the big use of a framework to model workflows?

These were some of the pointers the trainer gave for deciding whether you need to go for workflows.

1) Activities can be clearly identified with boundaries
2) Whether to use state machine workflows can be decided by checking if the logic is push based rather than pull based
3) When rules need to be customized externally without rebuilding the system
4) You have a huge number of human interactions (to determine if you need to use state machines)
5) Long-running processes that can run asynchronously without user intervention

On the other hand, MS Workflow Foundation has its own advantages.
1) Cool designer support.
2) Custom activities can be created that are compiled, but you can keep your workflow in an external XML file, so it is configurable. The workflow is loaded into the runtime by deserializing the XML and passing the XML reader into the CreateWorkflow method of the runtime.
3) Workflows can be started and stopped at will, and the program state can be persisted (the property values and all); there is a default persistence service you can use with SQL Server.
4) Transaction handling is cool: putting up a transaction scope reverts the whole state of the workflow (even resetting member variables that we changed in the process).
5) For the things the workflow cannot revert in a transaction rollback, you can write your own compensation transaction.
6) Fault handling can be done for each activity of the workflow.
7) You can host the runtime in an ASMX web service or a WCF web service, and how you do this is also simple.

Well, these are some of the things I remember; by the way, the state machine workflow gets deprecated in .NET 4.0.