July 2004


#  Thursday, July 29, 2004

The Web Application Security Consortium has released a paper (PDF link) on threat classification. Its intention is to clarify and organize the threats to the security of a Web site. The goals of this project:

  • Identify all known web application security classes of attack.
  • Agree on naming for each class of attack.
  • Develop a structured manner to organize the classes of attack.
  • Develop documentation that provides generic descriptions of each class of attack.

Definitely an interesting read if you are concerned about Web site security.

Categories: Newsbites | Security
Thursday, July 29, 2004 8:33:40 AM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


IronPython 0.6 was released yesterday. IronPython is a Python implementation that works on both .NET and Mono; at the moment, however, it is recommended only for experimenting (a thing I really like doing), not for production. The most interesting thing about it, in my opinion, is that the source code is included as well (released under the CPL, you know, the license Eclipse made popular).

Thursday, July 29, 2004 8:26:50 AM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


#  Wednesday, July 28, 2004

There is a great article on linux.com (you didn't expect such a link here, did you?) titled SysAdmin to SysAdmin: It's the documentation, stupid! It is about a topic that is close to my heart: developers don't like writing documentation, and keep telling you (the user) that the source is the documentation, which I couldn't agree with less, even though I am a programmer-user myself.

Now, though this article is targeted at Open Source projects, you will agree that you too have seen less-than-stellar documented projects in companies (even yours), or have had to work with third-party software whose documentation left something to be desired. How did you feel when you had to find out how to achieve a task? Right.

Having said this, I'd like to offer a great starting point for writing technical documentation: quite some time ago, Bernd (de) wrote an article titled Technical Writing Made Easier, specifically targeted at programmers. Check it out.

Categories: this
Wednesday, July 28, 2004 1:01:48 PM (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]


A Channel 9 video where Anders Hejlsberg talks about the future of programming data in C# 3.0.

Categories: Newsbites
Wednesday, July 28, 2004 10:41:20 AM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


The MSR article Why It’s A Bad Idea For Stealth Software To Hide Files had me stumble across a project of MSR, Strider. According to the description, it is "a black-box, state-based, and component-based approach to systems management and diagnostics. The statistical data analyses that we produce and the infrastructures and tools that we build help users manage their systems today and help developers design new operating systems with better manageability tomorrow."

I really like the idea of Strider Ghostbuster that is outlined in the article - to convince you to read it yourself, I'll show the overview diagram of what Ghostbuster does (Figure 1. The ScanDiff approach to exposing file-hiding software [from the aforementioned article]):

Ghostbuster allows you to find rootkits, keyloggers and other malware that hides itself from plain directory listing. How is it done? Perform a directory listing on the infected machine (step #1), boot from a WinPE CD and scan again (step #2), and then compare the two scans (step #3). You'll see immediately what was hidden, and it takes only around 15 minutes to do this - absolutely neat!
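To make the three steps concrete, here is an added example of a minimal ScanDiff-style tool written for this post; it is not the Strider/Ghostbuster code from the MSR article, and the command names and listing file names are my own. It walks a volume with the ordinary Win32 directory APIs (the ones file-hiding software hooks), writes the result relative to the scan root so that the different drive letter seen from WinPE does not matter, and then reports every entry that the clean-boot scan sees but the live scan did not.

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example, not the Strider Ghostbuster code. Hypothetical usage:
//   scandiff scan C:\ inside.txt            step 1: on the running (possibly infected) system
//   scandiff scan D:\ offline.txt           step 2: after booting WinPE, where the system
//                                           volume usually has a different drive letter
//   scandiff compare inside.txt offline.txt step 3: list what was hidden from the live scan
class ScanDiff
{
    static int Main(string[] args)
    {
        if (args.Length == 3 && args[0] == "scan")
        {
            Scan(args[1], args[2]);
            return 0;
        }
        if (args.Length == 3 && args[0] == "compare")
        {
            List<string> hidden = Compare(args[1], args[2]);
            foreach (string path in hidden)
                Console.WriteLine("visible offline only: " + path);
            Console.WriteLine(hidden.Count + " entries were hidden from the running system");
            return hidden.Count == 0 ? 0 : 2;
        }
        Console.Error.WriteLine("usage: scandiff scan <root> <listing> | compare <inside> <offline>");
        return 1;
    }

    // Steps 1 and 2: write every file and directory below root to a listing file.
    // Uses the normal high-level API on purpose: a rootkit that filters directory
    // listings for Explorer and dir filters this walk too, which is what step 3 detects.
    static void Scan(string root, string listingFile)
    {
        root = Path.GetFullPath(root);
        using (StreamWriter writer = new StreamWriter(listingFile))
        {
            Stack<string> pending = new Stack<string>();
            pending.Push(root);
            while (pending.Count > 0)
            {
                string dir = pending.Pop();
                string[] files, subdirs;
                try
                {
                    files = Directory.GetFiles(dir);
                    subdirs = Directory.GetDirectories(dir);
                }
                catch (UnauthorizedAccessException) { continue; }  // e.g. System Volume Information
                catch (IOException) { continue; }
                foreach (string file in files)
                    writer.WriteLine(Relative(root, file));
                foreach (string subdir in subdirs)
                {
                    writer.WriteLine(Relative(root, subdir) + "\\");
                    pending.Push(subdir);
                }
            }
        }
    }

    // Store paths relative to the scan root and case-folded: the drive letter differs
    // between the live and the WinPE scan, and NTFS names are case-insensitive.
    static string Relative(string root, string path)
    {
        string rel = path.Substring(root.Length).TrimStart('\\');
        return rel.ToLowerInvariant();
    }

    // Step 3: anything present in the offline (clean-boot) listing but absent from the
    // listing taken on the running system was hidden from the live directory walk.
    static List<string> Compare(string insideListing, string offlineListing)
    {
        Dictionary<string, bool> inside = new Dictionary<string, bool>();
        foreach (string line in File.ReadAllLines(insideListing))
            inside[line] = true;
        List<string> hidden = new List<string>();
        foreach (string line in File.ReadAllLines(offlineListing))
            if (line.Length > 0 && !inside.ContainsKey(line))
                hidden.Add(line);
        return hidden;
    }
}
```

Expect some noise: files that legitimately change between the two boots (logs, temp files, the pagefile, registry hives) show up in the offline listing too, so the interesting findings are unexpected executables, drivers and directories, not everything in the report. The comparison is deliberately one-directional; entries that only the live scan sees are not suspicious in the same way and are ignored here.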

Closing words: be sure to check out the References section of the article!

Categories: MSR | Security
Wednesday, July 28, 2004 10:19:16 AM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


#  Tuesday, July 27, 2004

The book Improving Web Application Security: Threats and Countermeasures (online: Guidelines Corrections) can also be browsed via solutions at a glance. I've been recommending this book for quite some time in the German community, so why not plug it again (and hence start the Security section of my blog).

Categories: Security
Tuesday, July 27, 2004 1:39:18 PM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


Microsoft has a new site dedicated to SQL Server 2005 (including the Express edition). Note though that only the Express Beta 2 can be downloaded freely.

Categories: SQL Server
Tuesday, July 27, 2004 1:22:02 PM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


Continuing in the “What’s cool in 2.0” series, I’ll look at a BCL feature today. Imagine you have a Web form, and one of the values a user has to enter is a double. The not-so-ingenious version to accomplish the task is as follows:

    void Button1_Click(object sender, EventArgs e)
    {
        string val = TextBox1.Text;

        // I'm sure: it is a double
        double d = Double.Parse(val);
    }

What’s wrong? Well, there are several things that could make your application go south, err, throw an exception: the value is null, the value is not a double, the value is out of range for a double (all three conditions are well-documented). So you rewrite your application like this:

    double d = 0.0;
    try
    {
        d = Double.Parse(val);
    }
    catch (ArgumentNullException ane)
    {
        // the value is null
    }
    catch (FormatException fe)
    {
        // the value is not a double
    }
    catch (OverflowException oe)
    {
        // the value is out of range for a double
    }

This is how you would do it in 1.1, unless you first do a sanity check using regular expressions (remember: all input is evil until proven otherwise). So what is wrong here? The point is the exception throwing / catching in itself – it involves a stack walk, which equates to lost performance (especially nasty when we are talking heavy-load Web applications). Wouldn’t it be nice if we could get away without exceptions?

Good news! The BCL data types sport a new method, TryParse. Like the Parse method, it takes the input string as the first parameter. The input is followed by an out parameter, which receives what used to be the return value of Parse; the return value of TryParse itself is a simple boolean: did the conversion succeed or did it fail? No exceptions.

The following code snippet shows how easy this is:

    double d = 0.0;
    if (!Double.TryParse(val, out d))
    {
        // handle error condition
    }

My advice: when porting 1.1 applications to 2.0, make sure that you convert all old Parse code to the new TryParse – your applications will perform and scale a lot better.
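The two-argument TryParse above still has two traps for untrusted form input: it parses with the server's current culture (so the same text means different numbers on an en-US and a de-DE server), and a successful parse can still yield NaN, Infinity or a value that makes no sense for the application. As an added example, not from the original post, here is the wrapper I would put in front of a form field; the name TryParseAmount and the min/max parameters are my own.

```csharp
using System;
using System.Globalization;

// Added example: exception-free parsing of an untrusted numeric form field.
// TryParseAmount and its min/max range are assumptions of this example.
static class SafeNumbers
{
    public static bool TryParseAmount(string input, double min, double max, out double value)
    {
        value = 0.0;
        if (input == null)
            return false;   // TryParse would also return false here, but be explicit

        // Do not let the thread's culture decide what a decimal separator is: "1,5"
        // parses as 1.5 on a de-DE server and as 15 (thousands separator) on en-US.
        // NumberStyles.Float allows sign, decimal point, exponent and surrounding
        // whitespace only; thousands separators and currency symbols are rejected.
        if (!Double.TryParse(input, NumberStyles.Float, CultureInfo.InvariantCulture, out value))
            return false;

        // TryParse accepts the "NaN", "Infinity" and "-Infinity" symbols, and a
        // range check cannot sort those out (NaN compares false to everything).
        if (Double.IsNaN(value) || Double.IsInfinity(value))
        {
            value = 0.0;
            return false;
        }

        // A value that parses is not yet a valid value: apply the application's range.
        if (value < min || value > max)
        {
            value = 0.0;
            return false;
        }
        return true;
    }

    // Same shape as the post's snippet: every failure is a single branch, no exception.
    static void Example(string text)
    {
        double amount;
        if (!TryParseAmount(text, 0.0, 1000000.0, out amount))
        {
            Console.WriteLine("rejected: " + text);
            return;
        }
        Console.WriteLine("accepted: " + amount.ToString(CultureInfo.InvariantCulture));
    }

    static void Main()
    {
        Example("12.50");     // accepted: 12.5
        Example(" -3e2 ");    // accepted: -300 (sign, exponent and whitespace are allowed)
        Example("1,250.00");  // rejected: thousands separator is not in NumberStyles.Float
        Example("NaN");       // rejected by the IsNaN check
        Example("1e400");     // rejected either way: TryParse fails on .NET Framework,
                              // parses to Infinity on .NET Core and hits the IsInfinity check
        Example(null);        // rejected
    }
}
```

If the form is meant to honor the user's locale, pass that specific CultureInfo (taken from the request, not from the thread) instead of InvariantCulture; the point is that the accepted format is a deliberate decision, not whatever culture the worker process happens to run under.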

Categories: 2 Ohhhh | BCL
Tuesday, July 27, 2004 7:47:44 AM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


#  Monday, July 26, 2004

Thomas (de) picked up the topic of validating multiple forms in ASP.NET 1.1 (de) - and was wondering if / how this is solved in 2.0. Great opportunity to start my series on "What's cool in 2.0". The good doctor is in!

One of the features on the (rather long) list of cool features in 2.0 is validation groups. They allow you to group certain controls - validators and controls that cause (auto-)postback - into a validation group: only the validators in the group of the control that posted back are actually executed.

Let me illustrate, take a look at the following "two form page" (contrived as always):

In the old days of 1.1, when you clicked either of the two buttons, all validators would be executed, even though not all are applicable for both forms. In 2.0, all you have to do to sort out this dilemma is to set the ValidationGroup property:

Now when we run our sample application, only the validators associated with the respective "form" (validation group defined by the button) fire:
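As an added example (not the sample page from this post, whose markup is not reproduced here), this is the code-behind I would write for such a two-form page: a login box and a newsletter box, each with its own button and validators. The control names (LoginUser, LoginPassword, LoginButton, NewsletterEmail, NewsletterButton, StatusLabel and the validators) are assumed to be declared in the .aspx markup; the group names are arbitrary strings.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for a page with two independent "forms".
// All control names are assumptions about the accompanying .aspx markup.
public partial class TwoFormPage : Page
{
    protected void Page_Init(object sender, EventArgs e)
    {
        // Put each button and its validators into the same group. A button with
        // CausesValidation=true triggers only the validators of its own group;
        // validators without a group belong to the default (empty) group.
        LoginButton.ValidationGroup = "Login";
        LoginUserRequired.ValidationGroup = "Login";
        LoginPasswordRequired.ValidationGroup = "Login";

        NewsletterButton.ValidationGroup = "Newsletter";
        NewsletterEmailRequired.ValidationGroup = "Newsletter";
        NewsletterEmailFormat.ValidationGroup = "Newsletter";
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        // The client-side validators are a convenience; a crafted POST skips them.
        // The button has already run Page.Validate("Login") before this handler,
        // and validators of other groups were not run and stay valid, so IsValid
        // here reflects the login group only.
        if (!Page.IsValid)
        {
            StatusLabel.Text = "Please correct the login fields.";
            return;
        }
        StatusLabel.Text = "Login data accepted for " + LoginUser.Text;
    }

    protected void NewsletterButton_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid)
        {
            StatusLabel.Text = "Please correct the newsletter fields.";
            return;
        }
        StatusLabel.Text = "Subscribed " + NewsletterEmail.Text;
    }

    // For code paths not triggered by a validating button (for example a control
    // with CausesValidation=false), validate one group explicitly and inspect it.
    protected bool ValidateGroup(string group)
    {
        Page.Validate(group);
        foreach (IValidator v in Page.GetValidators(group))
            if (!v.IsValid)
                return false;
        return true;
    }
}
```

The server-side IsValid check in each click handler is the part that matters for security: the grouping only decides which validators run, and none of them protect anything unless the handler refuses to proceed when they fail.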

I'm sure that a lot of my fellow developers can't wait till this feature RTMs!

To wrap up, Stephen Walther wrote the article Changes to the Validation Controls in ASP.NET 2.0, which goes into more depth on the validation control changes.

Categories: 2 Ohhhh | ASP.NET
Monday, July 26, 2004 9:21:40 PM (W. Europe Daylight Time, UTC+02:00)  #    Comments [1]


#  Wednesday, July 21, 2004

{ End Bracket } is a column in MSDN Magazine, and its August 2004 edition deals with the challenge of writing a C# to Visual Basic Translation Tool. John Robbins explains why there is a need for this (Joe Developer: "I really wish all the samples were written in my programming language."), and how it can be done - using #develop!

Now, this is a vindication for the project manager (me) who spent quite some time to coax the programmer (Mike) into implementing this feature.

Wednesday, July 21, 2004 3:13:26 PM (W. Europe Daylight Time, UTC+02:00)  #    Comments [0]


© Copyright 2021 Christoph Wille
