Galin Iliev's blog

Software Architecture & Development

How bad is SQL Injection

I have been presenting IIS (Internet Information Services) for a while, and there is one slide in my deck which says that there has been no critical security patch for IIS6 since RTM.

Recently there was some news about 500k web pages being exploited with a SQL Injection hack (more info here and here).

Although this could cast some shadow on IIS security, it has to be clear that this is not an IIS exploit. It is an application-level exploit: any application that builds SQL from user input could suffer SQL Injection (video: Length: 6:01 - Size: 6.37 MB).

It is not like uploading a harmful file to the server and executing it, is it?

So it has to be clear: Do not use such code:

using System.Data.SqlClient;

// Vulnerable: userName and password are pasted straight into the SQL text.
public bool Login(string userName, string password)
{
    string command = string.Format("SELECT COUNT(*) FROM User WHERE UserName='{0}' AND Password='{1}'",
        userName, password);

    // connectionString: a field holding the connection string (assumed here)
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();
        SqlCommand cmdLogin = new SqlCommand(command, conn);
        int res = (int)cmdLogin.ExecuteScalar(); // ExecuteScalar returns object
        return res == 1;
    }
}

Do you know why?!

Because if the password you receive is the string ' OR 1=1 '; drop table Users; it is pasted into the statement as SQL, the table is dropped from the DB and, naturally, the application stops working.

Do it this way:

using System.Data.SqlClient;

// Safe: the SQL text is fixed; userName and password travel as parameters.
public bool Login(string userName, string password)
{
    string command = "SELECT COUNT(*) FROM User WHERE UserName=@UserName AND Password=@Password";

    // connectionString: a field holding the connection string (assumed here)
    using (SqlConnection conn = new SqlConnection(connectionString))
    {
        conn.Open();
        SqlCommand cmdLogin = new SqlCommand(command, conn);
        cmdLogin.Parameters.AddWithValue("@UserName", userName);
        cmdLogin.Parameters.AddWithValue("@Password", password);

        int res = (int)cmdLogin.ExecuteScalar(); // ExecuteScalar returns object
        return res == 1;
    }
}

It is much safer...
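To make the difference concrete, here is an added example (not code from the post) that mirrors both Login methods in Python against an in-memory SQLite table and feeds each of them the password string quoted above. The table contents and the user "alice" are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the post's User table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO User VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, user_name, password):
    """Mirrors the first Login(): untrusted text becomes part of the SQL grammar."""
    command = ("SELECT COUNT(*) FROM User WHERE UserName='%s' AND Password='%s'"
               % (user_name, password))
    return conn.execute(command).fetchone()[0] == 1


def login_parameterized(conn, user_name, password):
    """Mirrors the second Login(): the statement is fixed, inputs travel as values."""
    command = "SELECT COUNT(*) FROM User WHERE UserName=? AND Password=?"
    return conn.execute(command, (user_name, password)).fetchone()[0] == 1


# The password string from the post, used here only as test input.
PAYLOAD = "' OR 1=1 '; drop table Users;"


def run_demo():
    """Returns what each version does with the real password and with PAYLOAD."""
    conn = make_db()
    out = {
        "vuln_real": login_vulnerable(conn, "alice", "s3cret"),
        "param_real": login_parameterized(conn, "alice", "s3cret"),
        # Parameters never change the statement: the payload is just a wrong password.
        "param_payload": login_parameterized(conn, "alice", PAYLOAD),
    }
    try:
        out["vuln_payload"] = login_vulnerable(conn, "alice", PAYLOAD)
    except sqlite3.Error:
        # The quotes and semicolon in the input were parsed as SQL, so the caller
        # is now editing the statement itself; that is the whole problem.
        out["vuln_payload"] = "sql syntax error"
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The same string that makes the first version fail with a SQL error is, for the parameterized version, simply a password that does not match.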

Hope this helps!

Release package is settled: Entity Framework & ADO.NET Data Services in VS 2008 SP1 and .NET 3.5 SP1

It's settled! The Entity Framework (and the Entity Designer) along with ADO.NET Data Services will RTM as part of the Visual Studio 2008 and .NET 3.5 SP1 releases!

Unfortunately, we don't have official release dates at this point, but stay tuned. You'll also want to keep an eye out for the upcoming SP1 Beta 1, which will be your next chance to check out updated bits for both of these products.

Elisa Flasko
Program Manager, Data Programmability

(via this ADO.NET team blog post)

VS2008 and .NET 3.5 (WCF, WPF, WF) Training Kit

Microsoft released a nice training kit for the latest technologies that will help you to become a real hero very quickly.

This package is a real treasure because it covers a bunch of technologies:

  • C# 3.0
  • VB 9.0
  • LINQ
  • WPF
  • WCF
  • WF
  • Silverlight
  • AJAX
  • CardSpace
  • Mobile
  • Visual Studio Tools for Office
  • Visual Studio Team System
  • Application Lifecycle Management

The materials come in different types:

  • Presentations - very helpful for preparing community talks
  • Demos
  • Labs - very helpful for walking through the new technologies in depth.

Go grab it!

How to kill C# 2.0 compiler

I found an interesting article on CodeProject: How to crash MS C# Compiler!.

These are interesting issues. I am not a compiler guy (meaning I do not write compilers) but still it is interesting.

Case 1 - ++ operator overload

public class TestClass
{
    public static TestClass operator ++(TestClass ts)
    {
        return new TestClass();
    }
}

public class MyTest
{
    public TestClass TestProperty
    {
        get
        {
            return new TestClass();
        }
    }

    public void BadMethod()
    {
        TestProperty++; // <-- PROBLEM HERE
    }
}

Case 2 - null array

void SomeMethod()
{
    //const AnyType[] X = null;
    const int[] X = null;
}

Case 3 - Attribute with delegate

public delegate void Proc();
public class CrashAndBurnAttribute : System.Attribute
{
    public CrashAndBurnAttribute(Proc p)
    { }
}

public class CrashAndBurnClient
{
    [CrashAndBurn(delegate { return; })]
    public void Foo()
    {
    }
}

Who needs to write such statements!?

Learn C# 3.0 by solving interesting problems

Project Euler is a series of challenging mathematical/computer programming problems that will require more than just mathematical insights to solve. Although mathematics will help you arrive at elegant and efficient methods, the use of a computer and programming skills will be required to solve most problems.

Bill Wagner started solving them using the new C# 3.0 features and posting them in the MSDN Code Library.

Follow his blog post series to learn them.

Of course it is preferable to try to solve them by yourself in order to tease your brain :)

ADO.NET Data Services Framework samples

Since the project codenamed Astoria has a new name, "ADO.NET Data Services Framework", and is part of ASP.NET 3.5 a.k.a. ASP.NET Futures, it now has its own place on the site.

There are plenty of samples and descriptions of what it is and how to use it from the client and the server side.

If you struggle with what REST is and how it differs from well-known web services, take a look at this web presentation: Reconciling Web Services and REST Services.

Microsoft DevDays 2008 in April

Registration for the biggest annual event for developers and IT pros in Bulgaria is open. It will be held in the International Exhibition Center - Sofia, Bulgaria. For the second year in a row it is a paid event, but the price is very low for the knowledge one can gain - just 50 EUR.

I am going to present two sessions: LINQ to XML - Data Access Technologies and IIS7 for Administrators.

If you're particularly interested in some details, drop me a line and I will try to cover them. In case it is too specific to present, we can chat after the session.

Almost forgot: the event will take place on April 24th and 25th, 2008.

See you there!

Visual LINQ

LINQ is a nice way to write more readable code, but sometimes it is difficult to understand the operations and the order in which they happen.

The Visual LINQ project gives you an idea (watch the screencast of Visual LINQ in action):

So for this query

VisualSource<string> words = new VisualSource<string>
    (new[] { "the", "quick", "brown", "fox", "jumped", 
             "over", "the", "lazy", "dog" }, 
     canvas, "words");
var query = from word in words
            where word.Length > 3
            select new { Word = word, Length = word.Length};
pipeline = query.End(); 

you will see screens similar to these:

Download source code.

(For more detailed info read Jon Skeet's blog post Visual LINQ: Watch query expressions as they happen!)

'Hawaii': A Visual Studio Paradise for Developers?! C# 4.0?

After it ships the "Whidbey" and "Orcas" versions of its popular Visual Studio tool set, Microsoft Corp.'s Visual Studio development team is headed for "Hawaii."

Hawaii is the code name for a version of Microsoft's Visual Studio tool set two versions beyond Whidbey, also known as Visual Studio 2005, according to sources familiar with Microsoft's plans. Hawaii will be a completely redesigned tool set, aimed at taking developers well beyond current capabilities, the sources said.

Although Microsoft had been using the names of Pacific Northwest islands, such as Whidbey and Orcas, to code-name new versions of Visual Studio, developers chose the code name Hawaii because it takes developers much further than the other two versions and also because the team plans to celebrate redesigning the IDE (integrated development environment) in Hawaii, sources close to the company said.

(from the Live Spaces blog post and a bit more info here)

Also, here is some news about C# 4.0: C# will have dynamic lookup - this is what VB devs call "late binding".

MS MVP Jon Skeet compiled a good list of mistakes in C# design in past releases. Although it is a nice summary of important additions, we cannot blame the C# team for not having all the goodies in v1.0.

Breaking changes in IIS7 (integrated pipeline) when hosting ASP.NET 2.0 sites

Mike Volodarsky posted a nice list of breaking changes when you run ASP.NET 2.0 web sites on IIS7 Integrated mode.

Here is the list (for workarounds take a look at Mike's blog post).

Migration errors
  1. ASP.NET applications require migration when specifying configuration in <httpModules> or <httpHandlers>.
  2. ASP.NET applications produce a warning when the application enables request impersonation by specifying <identity impersonate=”true”> in configuration.
  3. You receive a configuration error when your application configuration includes an encrypted <identity> section.

Authentication, Authorization, and Impersonation
  1. Applications cannot simultaneously use FormsAuthentication and WindowsAuthentication.
  2. Windows Authentication is performed in the kernel by default.  This may cause HTTP clients that send credentials on the initial request to fail.
  3. Passport authentication is not supported.
  4. HttpRequest.LogonUserIdentity throws an InvalidOperationException when accessed in a module before PostAuthenticateRequest.
  5. Client impersonation is not applied in a module in the BeginRequest and AuthenticateRequest stages.
  6. Defining a DefaultAuthentication_OnAuthenticate method in global.asax throws PlatformNotSupportedException.
  7. Applications that implement WindowsAuthentication_OnAuthenticate in global.asax will not be notified when the request is anonymous.

Request limits and URL processing
  1. Request URLs containing unencoded “+” characters in the path (not querystring) are rejected by default.
  2. Requests with querystrings larger than 2048 bytes will be rejected by default.

Changes in response header processing
  1. IIS always rejects new lines in response headers (even if ASP.NET enableHeaderChecking is set to false).
  2. When the response is empty, the Content-Type header is not suppressed.
  3. When the response headers are cleared with HttpResponse.ClearHeaders, default ASP.NET headers are not generated.  This may result in the lack of the Cache-Control: private header that prevents the caching of the response on the client.

Changes in application and module event processing
  1. It is not possible to access the request through the HttpContext.Current property in Application_Start in global.asax.
  2. The order in which module event handlers execute may be different than in Classic mode.
  3. ASP.NET modules in early request processing stages will see requests that previously may have been rejected by IIS prior to entering ASP.NET.  This includes modules running in BeginRequest seeing anonymous requests for resources that require authentication.

Other application changes
  1. DefaultHttpHandler is not supported.  Applications relying on sub-classes of DefaultHttpHandler will not be able to serve requests.
  2. It is possible to write to the response after an exception has occurred.
  3. It is not possible to use the ClearError API to prevent an exception from being written to the response if the exception has occurred in a prior pipeline stage.
  4. HttpResponse.AppendToLog does not automatically prepend the querystring to the URL.

Other changes
  1. ASP.NET threading settings are not used to control the request concurrency in Integrated mode.
  2. ASP.NET application queues are not used in Integrated mode.  Therefore, the “ASP.NET Applications\Requests in Application Queue” performance counter will always have a value of 0.
  3. IIS 7.0 always restarts ASP.NET applications when changes are made to the application’s root web.config file.  Because of this, the waitChangeNotification and maxWaitChangeNotification attributes have no effect.