Slashdot Mirror

You wanted a design that meets your requirements, and when security is part of the design it's an admission of failure?

This is an admission of failure -- you can't do what's needed, so you opt to limit damage. But it's not going to work perfectly.

Did you even read what I wrote? I offered a better way of implementing what you're doing, then admitted that it did not fit your scenario, and offered one that did.

Views help reduce duplication, and they can be parameterized. Some database servers allow using the results of a stored proc, so you can refactor a lot. Your example isn't the only way to accomplish what you want. You can do a stored proc that returns vastly different results based on input. In this system, you'd pass want_names to the database, and it would return the results for you. You can bypass the different number of columns problem by returning CASE when want_names then name ELSE '' END, so even the strictest systems will work.

Take for instance an interface that displays a list of songs, and allows sorting by name, artist, genre, duration or size

You could implement the sorting client-side with javascript, that's a more efficient way to interact with a website. The client already has the data, so why send it again? This is the point where you might be tempted to insert "that's an admission of failure". Here's my indication that I'm about to make an alternate suggestion. I'll even begin a new paragraph.

But, let's do it in SQL. You can use a view to eliminate duplication. You can use Order by case to determine which column to use, no duplication needed.

Selecting with different criteria can be done by using WHERE (@variable1 IS NULL or file == @variable1) for each variable. You only need to make two copies of the code if you want to use equals or like, or you can refactor everything but the criteria into a view, or you can add another variable that lets you check (@variable1 IS NULL or file == @variable1) when a 'like' variable is unset, or (@variable1 IS NULL or file like @variable1) when set.

So there goes your duplication complaint, and limits of practicality. So let's add a basic check for mismatched escape characters on to what I wrote and ignore your complaints. I think you underestimate what can be done in SQL.

The rules say, "no dynamic code". I'm not a MS-SQL guy, but this article makes it pretty clear that one has to use the MS SQL "EXEC" statement to dynamically evaluate a stored procedure. In my brief look at the databases, I did find some EXEC statements, but not many.

Just finding an EXEC statement is probably not enough to establish a "smoking gun". If the only variable parts of the stored procedure are parameter value placeholders, then the EXEC may just be serving as a way to encapsulate parameters, which sounds like an attempt to prevent an injection attack. I guess you'd have to inspect the source code that defined the actual values passed into the procedure to be sure.

For VBScript I tend to use google to find specific things. I haven't found one site that really covers enough in one place. Most people will write off VBScript being that it is Microsoft and Windows is evil and all that.

Seeing as I use VBScript mainly for natively being able to pull information from LDAP directories from a Windows XP machine I must at least defend it.

MS Scripting Guy, DevGuru, 4GuysFromRolla, and last but not least ActiveXperts.

It depends if I want info on WMI, LDAP, or general WSH Objects.

For VB or MSVC++ its MSDN.

The main source of information just is.

*Ducks*

For years I have fallen back on http://itr.org/ for their wonderful Javascript F.A.Q.s

For asp I have fallen on the habit of going to google, typing the object name and 'asp', from there I find http://w3schools.com/ and http://4guysfromrolla.com/ to have the best code samples and descriptions of use. However, I hate navigating both of them so Google has become my default doorway into them.

I'm not ashamed to admit I hit http://experts-exchange.com/ as a last resort.

Although this isn't really new why do SQL injection attacks still occur. There are countless articles on how to protect yourself. Or do the webmaster simply not care?

Are you serious? Not use Microsoft controls? Override Page handling? Those are the entire point of using ASP.NET - it would be like using MFC without using CString, and the hundreds of other classes they out in .NET for the sole purpose of attempting to make your life easier.

I won't give you links or references, if you're really a .NET developer and test with Firefox it wouldn't take you long to find things that doesn't work. What I will do is just assume you mean ASP.NET 2.0, where they did fix a lot of things. 1.0 and 1.1 were horrible and output especially non-standard Javascript (actually JScript/EXMA hybrid that worked on IE but nothing else at the time). 2.0 has fixed a lot of that, but for people who tried the "new technology" and abandoned it because of its non-standard output, what the GP said remains true.

Not even AJAX stuff, I mean just normal "get some values and post back" processing. Which of course is ludicrous because why not just have a normal form and post values? .NET uses ONCLICK instead, where the javascript sets up some return values for the server to deal with, and without javascript enabled the whole site can degrade disgracefully. Overengineering at its best, and when done by people who are only microsoft-aware (MS employees) while IE 6 has 90+% market share, the problems of .NET 1.0 and 1.1 are almost guaranteed.

Okay, you got me, I decided to try to find the biggest issue I remember, the document.all problem with validators.
http://aspnet.4guysfromrolla.com/articles/051204-1.aspx

No it's incredibly shoddy coding that could be done on any platform.

Here's an example on how to encrypt URL data in ASP:

Using this encryption, you can transform a standard QueryString like:
/SomePage.asp?SL=ActiveServerPages&N1=4GuysFromRolla.com&N2=FreeURL.com
to utter goobledegook, something that the web surfer will have no idea what variables and values are being passed along through the QueryString:
/SomePage.asp?crypt=w%96%9Ei%7D%9D%AE%91%B7%ACf%86%C4%AC%CA%90%96c%A1%9D%8F%89%B2z%92U%87Z%95%CF%A6%A5i%BE%96%9C%91%B9%AA%A5%97d%BE%BF%95gwb%8C%93%B7%8A%88%A7%A2%94h%B8%A9%AA

Code sample is here:
http://www.4guysfromrolla.com/webtech/code/qs.enc.asp.html

[Microsoft][ODBC SQL Server Driver][SQL Server]Transaction (Process ID 128) was deadlocked on lock resources with another process and has been chosen as the deadlock victim. Rerun the transaction.

Dictionaries describe usage in general terms. That doesn't make the word choice correct. If you say that you write web pages in SGML, people are going to assume something like DocBook, even though HTML is an SGML dialect. If you start talking about writing SGML pages with JavaScript applets, you would still be correct according to any dictionary definition, but people would be right to assume you're confused, and you would be wrong to describe your work that way.

Likewise, if you put "ASP" on your resume, and the company that hires you finds out that you don't know a thing about VBScript---that your "ASP" experience was actually only with Python/ASP---no dictionary would prevent you from being fired with just cause.

True, but ASP (Active Server Pages) has been deprecated in favour of ASP.NET for 5 years now. ASP is not supported by Microsoft anymore, so that's a moot point. The new ASP.NET has the option of coding the "old way" in a single-source file, but its power is that you can *completely* separate presentation from code using the code-behind model. About code-behind. It's really good stuff. I wouldn't be surprised if PHP follows suit soon enough.

I believe Mozilla needed cross-platform widgets around the 1999 timeframe (where it had already been under development for a year or two before I started using it). WayBack says:

http://web.archive.org/web/19990508065645/www.gtk. org/announce.html

"""GTK+ is also being ported to Win32. For further information see: http://www.iki.fi/tml/gimp/win32/.""" ...which theoretically shows that Gimp was working on Win32 at the time although probably not landed in the existing GTK Branches. (http://web.archive.org/web/19990202104158/user.sg ic.fi/~tml/gimp/win32/)

But keep in mind a few other requirements:

    1- Browser Theming / Skinning (see if you can find that recent slashdot link about Mozilla / FireFox history and marketing requirements).

    2- Cross-Platform UI (Windows, Mac, Linux, etc)

    3- CSS / Web styling on HTML buttons (http://www.4guysfromrolla.com/webtech/100601-1.sh tml) ... probably would have been difficult with stock GTK (I think GTK uses system-wide themes rather than arbitrary themes generated on the fly from CSS per control per page

Once you've got to render buttons on web-pages with CSS 100% reliably anyway, and you add in that cross platform and themeable UI requirement, it's not that much of a stretch to add a Tab, Listbox, and Menu elements that can hook into your user interface. Yeah, it's kindof strange but it's helpful to remember the context of the time.

--Robert

By default, .NET is configured to work well with IE... but .NET also provides you the tools to change how it plays with all browsers. Yes, it should play nice with all by default, and hopefully we'll see more of that when ASP.NET 2.0 is final.

For rendering pages, tou have some good amount of control over what .NET considers up or down-level and how it renders HTML. All it takes is properly setting up a Browsercaps section in your Web.Config or modifying the default one in Machine.Config.

There are plenty of examples of this on the web (including this one at 4Guys). I've gotten the same code to be generated for all modern browsers (IE, Safari, Mozilla, Firefox, etc) with just a little bit of work.

Border-Collapse is part of the CSS2 spec. You can't easily get rid of .NET including it unfortunately, but you can set your data control's "gridlines" property to False, which at least allows you to control the borders with CSS. Or, as someone has already mentioned, you could roll your own control that overrides the rendering.

Also, avoid the built-in form-validation controls like the plauge as they only work acceptably with IE. Fortunately, there are many options out there that are much, much better and compatible with all modern browsers (such as Paul Glavich's awesome, free, OS, DOM Validators). And, as with other controls, you also have the ability to roll your own.

With a strict doctype and, a modified web.config file and replacement form validators, you can do a lot to making your .NET pages render the same in nearly all modern browsers without loosing any of the benefits of the .NET platform.

In the default .NET installation, yes - it favors IE. But to make the blanket statement that all of the built in controls won't work properly in other browsers is nothing but FUD.

To complain that Microsoft made a new development framework defaulted for their browser, but at the same time included a vast amount of flexibility to modify it as you see fit is also nonsensical.

There are plenty of tutorials and samples for configuring the .NET engine to render the same in all modern browsers, and it's hardly as difficult as you make it out to be. I agree -- if you can't figure out how to include a BrowserCaps block in machine. or web.config to change the rendering mode, ASP.NET is probably not for you. Personally, I've had very little difficulty writing apps that work identically in all of the major modern browsers.

The only included controls that I have experienced trouble with are the built-in validation controls - though I admitedly avoid most of the built in ones. There are much improved alternatives to the built in validation controls -- a few of which are completely free and/or open source. You can of course, easily write your own as well.

As far as the other controls go, there are equally as many alternatives that are cross-browser compatible with little or no effort. A few minutes in ASP.NET's Control Gallery will get you started. And again, you can always write your own.

I'm no Microsoft Apologist(R) for sure (owning 5 Macs to my two PCs and lots of Apple stock), but to say that ASP.NET is crap because it doesn't work right in non-IE browsers is ridiculous. In my opinion, ASP.NET is one of the few things that Microsoft has got mostly right.

In regards to portability, look towards Mono.

That doesn't mean there isn't room for improvement (it's still officially at version 1.1 after all). I would love to see out of the box browser compatiblity and VisualStudio.NETs HTML handling is atrocious -- constantly mangling my hand-formatted code when switching into design mode. I anxiously await a production release of v2.0 where it is rumored that these items, among others, have been addressed :)

ASP.NET (and the Java equivalent, JavaServer Faces) have a much different, (arguably) more sophisticated approach to web development. There is actually a pretty good story for UI/logic separation, eventing, and maintaining state. You can have your HTML tags constituted into a mutable object graph before rendering (example).

The end result is a development style that lets one write web apps the same way one writes desktop GUI apps, and as a bonus you get far more compile time guarantees than before (even vis-a-vis compiled scripting languages like JSP). Whereas in most scripting languages, getting a dynamic <select> to default to the proper selection and remember its selection across page redraws takes an annoying kludge of code, it's trivial in ASP.NET.

You don't have to like the direction MS has taken with ASP.NET, but the fact that the author didn't even mention the fundamentally different programming model it offers vs. PHP says to me that he didn't bother doing much research into it.

Although not as good as php.net, there are a few decent places for ASP tips and tricks: 4 Guys from Rolla, Dev Articles, ASP Free, Juicy Studio)

There are many ways to use Javascript from within ASP.NET, and no you don't *have* to use the ASP.NET form validator if you don't want to.

Rather than explain it all here, I'd suggest that you get your friend to look at this article for pointers on how to use javascript from within ASP.NET

First, is that part of the SQL standard, or something that Microsoft tacked on as per usual? I'm not asking facetiously: I really want to know. In other words, is PostgreSQL deficient, or is MS-SQL non-compliant?

Second, is this really so difficult:

kanga=# select * from test;
rowid | rowvalue
-------+----------
1 | a
2 | B
3 | D
4 | c
(4 rows)

kanga=# select * from test order by rowvalue;
rowid | rowvalue
-------+----------
2 | B
3 | D
1 | a
4 | c
(4 rows)

kanga=# select * from test order by lower(rowvalue);
rowid | rowvalue
-------+----------
1 | a
2 | B
4 | c
3 | D
(4 rows)

OK, now that we've demonstrated that it's trivially easy to do case-insensitive sorting, let's ask the inverse: how easy is it to do case-sensitive sorting on MS-SQL? I'm not an expert, but several Google results seem to indicate that it's not very easy.

In other words, do you think that it's easier to discard unwanted information or to write code to create needed information? I choose the former, and apparently the PostgreSQL folks did, too.

My solution is to usually email them and appeal to their morality. Let them know that "Plagairsm is stealing, 'mkay?" Most times it's good enough to get an apology and, at minimum, credit added to the article, if not removing it altogether. (Or perhaps they just say that and move it to a different URL......)

1. Code Project
2. SQL Server Central
3. .NET Weblogs, SQL Junkies
4. ASP.NET forums
5. 4 Guys from Rolla
6. ASP Alliance mailing lists
7. CodeGuru discussion forums
8. TopXML discussion forums - this is mostly about Microsoft XML technologies
9. .NET Junkies
10. SQL Team .

And easy, actually. I've done some proximity-based searching for a store locator, and it is simple if you have the data (ZIP to lat/long db).

Algorithms and ASP code here:
http://www.4guysfromrolla.com/webtech/010500-1.sht ml
http://www.4guysfromrolla.com/webtech/040100-1.sht ml
http://www.4guysfromrolla.com/webtech/010500-2.sht ml

Just re-write in Perl or Python, and run it anytime there's an earthquake, emailing anyone within X (user definable) miles of the event. (email addresses, zips, etc in MySQL or PostGres)

Free 2000 data at: http://www.census.gov/tiger/tms/gazetteer/

Cheap ($29) data at: http://www.zipcodedownload.com/index.aspx

More expensive data at: http://www.GreatData.com/

And easy, actually. I've done some proximity-based searching for a store locator, and it is simple if you have the data (ZIP to lat/long db).

Algorithms and ASP code here:
http://www.4guysfromrolla.com/webtech/010500-1.sht ml
http://www.4guysfromrolla.com/webtech/040100-1.sht ml
http://www.4guysfromrolla.com/webtech/010500-2.sht ml

Just re-write in Perl or Python, and run it anytime there's an earthquake, emailing anyone within X (user definable) miles of the event. (email addresses, zips, etc in MySQL or PostGres)

Free 2000 data at: http://www.census.gov/tiger/tms/gazetteer/

Cheap ($29) data at: http://www.zipcodedownload.com/index.aspx

More expensive data at: http://www.GreatData.com/

And easy, actually. I've done some proximity-based searching for a store locator, and it is simple if you have the data (ZIP to lat/long db).

Algorithms and ASP code here:
http://www.4guysfromrolla.com/webtech/010500-1.sht ml
http://www.4guysfromrolla.com/webtech/040100-1.sht ml
http://www.4guysfromrolla.com/webtech/010500-2.sht ml

Just re-write in Perl or Python, and run it anytime there's an earthquake, emailing anyone within X (user definable) miles of the event. (email addresses, zips, etc in MySQL or PostGres)

Free 2000 data at: http://www.census.gov/tiger/tms/gazetteer/

Cheap ($29) data at: http://www.zipcodedownload.com/index.aspx

More expensive data at: http://www.GreatData.com/

It worked here, we've all got visual studio .net and it's a nice editor, though it would be very nice to be able to turn some of that crap off after a while (I spend about as much time as I'd save backspacing over the helpfully inserted wrong data type, property, method of whatever)

The worst thing about .net is the help that is included is still horrible. I dropped a few hundred $ on books for VB6, which we then dropped for (Gee whiz golly) .net, so I'm not in a hurry to drop $ on books again so soon after getting burned. Useful examples are rare in the help so I end up at sites like this.

During class even the instructor said he didn't think .net has a very easy future, with Java so well established (however never rule out the neophyte managers who buy into the bleeding edge because 'nobody ever got fired for buying Microsoft')

I like your solution, but I think it would be more effective if you took a little bigger approach. Instead of using Verisign or Paypal for the actual transactions, do it yourself. This is of course impractical for small discrete payments, but if you implemented it as a certain number of page views for $10 (like Slashdot did) it might be feasible.

What I meant by thinking bigger is to record page views across several sites web users visit. That way I can pay $10 and get 1000 page views at DevZone, WDVL, 4GuysFromRolla, jguru, and other sites who chose to participate.

I've found http://www.4guysfromrolla.com/ to be an excellent source for ASP and ASP.NET technologies. Worth signing up for their newsletter.

1. Newsgroups: Most microsoft technologies have a newsgroup in the microsoft.public.* hierarchy that are read not only by Microsoft employees but by dozens of regular developers who just want to help others who are having problems. I personally monitor microsoft.public.xml and microsoft.public.dotnet.xml where I answer a lot of questions and pass many of those I can't answer to the actual devs who work on the applications and APIs in question.
   
   
2. Online Communities: There are a number of strong online communities where Windows developers congregate to share information, tips and tricks. These range from Microsoft sponsored sites like GotDotNet, ASP.NET, and Windows Forms.NET that are run by MSFT employees who participate actively in these communities to independent sites like 4 Guys from Rolla, Code Project, Dev Hood, DevelopMentor and CodeGuru
   
   
3. Microsoft Websites: Few places beat MSDN as a source of information about Microsoft technologies. By the way, if you are into XML check out my Extreme XML column
   
   
4. Mailing Lists: There are number of mailing lists hosted by various parties about Microsoft technologies. The ones I've seen with the most vibrance have been the DevelopMentor mailing lists and the ASP Friends lists

If you're an ASP type of guy, try this. You have to plan ahead a bit, but DIY beats not having to deal with people who aren't polite about linking.

From what I've read, while there's a lot of new functionality (try/catch error handling, for example) you can use in VB.Net compared to VB6, it's not hard to change VB6 code to work with VB.Net. Here's an article on it... the changes really do not look that major.

Arrays are 0-based now... well, I never made any other kind anyway. Variants are replaced by the Object type, but I never used Variants anyway. The try/catch error-handling is now, but the old VB style of error-handling will work even though it is deprecated.

There are other minor syntax changes, such as removal of the Set/Let keywords, some minor variable-scope changes, etc... but the compiler is going to easily catch these... I mean, read the article, they're trivial.

Maybe we have different definitions of "extensive". I guess a pretty high number of lines of code will need to be touched to go from VB6->VB.Net, so I suppose you could call that "extensive". However, most of the changes are so simple to the point of being no-brainers... most of them could probably be done with Search-and-Replace and to me it looks like nearly 100% of the changes will be caught by the compiler, anyway, making them easy to catch. It doesn't look like there's any of those insidious errors that will compile but behave slightly differently... those are bitches. ;-)

Anyway, so when I say "not extensive" I mean very little thought/effort looks to be required to upgrade.

No support from the community, huh?

15 Seconds
Active Server Pages

4 Guys from Rolla
ASP 101

There are a lot more, but I'm getting tired. Oh yeah, and there are all of the companies making components for ASP. Right. No support. Good troll. Try harder next time. Oh, and ASP has nothing to do with CGI. But, good try.

If the course was about building complex systems, then borrowing other code would probably be OK.. As long as you make it clear what's you're code, and what came from elsewhere. If the course was about learning how to write programs, then 'borrowing' someone elses' code would be against the purpose of the course.

Think about it for a second. Just about any problem simple enough for a beginner programer to solve already has a solution written. Bubble sort? No problem. Quick sort? Right here!. You can get a garbage collector from this page. (none of these took me more than a minute to find with google).

So how are you going to actually learn how to program if all you're doing is stealing other people's code. More importantly: How do you learn how to fix problems with code if you're doing this?

Of course, it would be hell for an instructor. If you wanted to force your students to write their own code, the only problems that you could give them would be problems that even the best experts hadn't been able to solve.

Welcome to computing 101. This week I'm going to be teaching you about loops. To force you all to write your own code, I'm going to assign each one of you a different device for which the manufacturer has not released specs. Your first assignment is to reverse engineer your device and write a device driver using a polling loop.

Any questions?

I'd buy 10% of the users to his site use non-IE. It's an ASP information site, so, yes, the majority of users use IE. I've seen the same numbers on my ASP site.

Annoying, yes, but I take it as a bit of a compliment... one of those things that if you have to worry about it, you know you're doing decent traffic.

Concerning the ASP+ stuff, though, there are a ton of things built in to increase performance. For example, current ASP pages are scripted... they are interpretted, an execution path stored in memory... when the cache maxes out, the plan for the least used script is dumped and if that page is visited again, it needs to be re-interpretted. ASP+, however, creates a "compiled" version and caches it to disk. (The compiled version is the bytecode in the .NET CLR.) For a good article on ASP+ be sure to check out this piece I wrote:
ASP+: An Introduction and My Views on the Matter
http://www.4guysfromrolla.com/ webtech/071500-1.shtml

Happy Programming!

A somwhat useable RS4 implementation with vbscript
If you search the site for the word "encryption" there are a few follow-up articles that you should check out as well if yer into that sort of thing.

--Clay

If you're a Java lover but you're forced to use ASP, you can put your business logic into Java classes and call them from your ASP pages! That way the suits will be happy, and you'll still be doing most of your coding in your language of choice (Java). Here's a great article that shows you how to do that. It's quite easy! http://www.4guysfromrolla.com/ webtech/080999-1.shtml

A bit of advice from a guy who's learned it the hard way.... no matter what language you're coding in, your ASP or JSP tier should just be a thin "glue" to hold together the objects that contain yer bizness logic. Those objects can be either compiled DLL's or Java classes, it really does not matter- just as long as you keep it out of your ASP and JSP pages where it's ugly and not very reusable. With prior proper planning, you can create a set of middle-tier objects that will make your ASP/JSP pages a snap to code.

IMHO, the ASP/JSP tier should be so thin it really shouldn't make too much of a difference whether you use ASP or JSP. The meat of your code should be in the middle tier. I haven't done any real work in JSP, so I can't directly compare it to ASP, but I would agree that Java is a nicer language than VB to code in, so it's a good choice for your middle tier logic objects. :) Good luck on your project!!!! :)

If the script itself can't do something I can create a component and call it through ASP. I can also separate my display/data/logic layers that way.

One of the beauties of ASP is you can use vbScript, JavaScript, PerScript (more perlscript), etc...to develop with as well as COM object built in vb, C/C++, etc... There are also MANY good code snippets and help available without having to look hard.

Some good URL's:
ActiveServer pages.COM
4guys from Rolla
Abundance of helpful mailing lists & FAQ's
ASPToday
ASPHole(Under construction right now)
15 Seconds
and a whole slew of other good sites (they usually link back & forth to articles.

If you want a " in your string with vbscript you can stick in two " and it'll be escaped OR you can append the Chr() of it to the string.

So far the only limitation I have come across has nothing to do with ASP: HTML sucks for complex forms. Client side Javascript can do a lot but often you still need to split your forms up if you can't use ActiveX or Java.

Any other Q's?

--Clay

However, many guides do advise against using session variables, though not because of the load-balancing issues anymore. A quick search turns up one here. (I think this one is ASP-specific, though.)

Another correction to my posting: since sessionIDs are generally stored in a cookie, users will still have to have cookies enabled if you're going to use session variables.