Domain: dotnetjunkies.com
Stories and comments across the archive that link to dotnetjunkies.com.
Comments · 19
-
Re:Better tools, good process, learning from other
Only if they're used correctly.
Code like $query = "CALL mystoredprocedure($data)"; is just as vulnerable to injection attacks as other queries.
While the stored procedure might be safe the code executing the SQL is not. One could easily input " somedata); SELECT * from something;-- "
Someone posted this link in another discussion and it's pretty good: http://www.dotnetjunkies.com/WebLog/chris.taylor/archive/2004/10/13/28370.aspx
One method I use when securing SQL is to run scripts in a least privileged mode, i.e. the script db user can not drop tables etc.
-
Re:oh well...
The right way to fix SQL injection is to use parametrized queries.
-
Re:Stored procedures BAD... story
OK, first it sounds like you need better planning from management. You don't change the front ends, then change the back-ends, do it all at the same time. Also, if your queries worked without change from one RDB to another, they weren't that complicated and would have survived some search-and-replace to make the transition.
Here's why stored procs are bad, it includes some information like stored procs don't even run faster:
http://weblogs.asp.net/fbouma/archive/2003/11/18/38178.aspx
And my response to that article
Ad-hoc SQL Script is brittle
"changes to a relational model will have always an impact on the application". So you could update your procs which are all in one place, or search for and hope you changed all of your ad-hoc queries. Either way you have to change something, the only benefit is not involving a DBA.
Security
Instead of applying security through stored procs, do it through roles. Oh yeah that's basically the same thing too? Oh I didn't think of that. What did you say about Parameterized queries? Totally secure? then this guy's an idiot.
http://dotnetjunkies.com/WebLog/chris.taylor/archive/2004/10/13/28370.aspx
Performance
So, procs have their execution plans cached like dynamic SQL? Great, that's the third thing that's basically the same. Oh yeah and stored procs are bad because of cursors. (wtf?) And a database with 100 tables, with 7 fields per table. "You can't create stored procedures for all possible combinations either, that would require 100*7! procedures." Yeah, I can do it in SQL and C# and ASP 3.0 and probably some other stuff. Who writes their own add/update/delete procs these days?
So his argument is Don't use stored procs because dynamic SQL is exactly the same. And disregard SQL injection, that's not important, it's much better to spend time validating all of your input. And apparently his DBA doesn't like him. And he changes his data model far too often, he needs better design discipline.
The only part of this I agree with is the comment:
I would hate to run into this type of code personally. I mean, you are basically writing a stored procedure at that point and hard coding it into your app.
-
Re:Simple solution
Bo - sheet
http://www.dotnetjunkies.com/WebLog/chris.taylor/archive/2004/10/13/28370.aspx
Anything made can be unmade, but it is staggering how many choose not to do at least strSQL.Replace(";","BLAHBLAH - SIMPLEINJECTDEFEAT"); before executing SQL. Nobody needs to allow ";" in any query.
-
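The two posts above (the one recommending parametrized queries and the one proposing a string replace) are both about the same mechanism, so here is one added example that is not from either poster nor from any dotnetjunkies article. It uses Python's sqlite3 module with a constructed in-memory table and compares a query built by string concatenation with the same query using a bound parameter. SQLite refuses stacked statements in a single execute(), so the structural change is shown with a quote-and-OR input rather than the "; SELECT ..." form quoted earlier; note that this input contains no semicolon, so a filter on ";" would leave it untouched, while the bound parameter is never parsed as SQL at all.

```python
import sqlite3


def make_db():
    """Build a constructed sample table (not data from the original page)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT);
        INSERT INTO users (name, role) VALUES ('alice', 'user'), ('bob', 'admin');
        """
    )
    return conn


def lookup_concat(conn, name):
    """Vulnerable form: the caller's string becomes part of the SQL text,
    so quote characters in it change the statement's structure."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def lookup_param(conn, name):
    """Parametrized form: the statement text is fixed and the value is
    bound separately, so the database treats it purely as data."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def compare(name):
    """Return both results for the same input so they can be checked side by side."""
    conn = make_db()
    return {"concat": lookup_concat(conn, name), "param": lookup_param(conn, name)}


if __name__ == "__main__":
    # A benign name behaves the same either way.
    print(compare("alice"))
    # An input with a quote and an OR clause (constructed, no semicolon) widens
    # the concatenated query to every row; the bound parameter matches nothing.
    print(compare("x' OR '1'='1"))
```

The difference to look for is not the output of the benign case but the second one: the concatenated query returns both rows because the WHERE clause was rewritten, while the parametrized query returns an empty list because no user is literally named that string.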
Re:Dvorak: wrong, again.
We're going to have to agree to differ about Windows and NeXTSTEP's stability.
My point is that Windows on decent hardware will give you excellent stability. If it doesn't, you can either a) whine about it on Slashdot or b) remedy the situation by finding out what the problem is and fixing. You should not, however, consider anything that could be deemed "instability" as expected behaviour.
Comparing glibc and IE is comparing apples and oranges. With Linux you'd need to replace glibc with something that implemented the same functionality, but you can change the window manager or browser without difficulty.
IE IS NOT JUST A WEB BROWSER APPLICATION. It's a reusable *module*. It's an OS-level shared library just like glibc, QT, khtml, WebCore/WebKit, Quicktime, or any of a million others.
Your argument that Windows is modular because the modules have dependencies on each other is not only logically unsound, it demonstrates a deep misunderstanding about what "modular" actually means.
Cutting and pasting code isn't modularity - this is what Visual Studio encourages (code snippets). Simply put, nobody but Microsoft would even have thought to add such a feature.
Not being a VS user, I'm afraid I don't know what you're talking about. A few Google results, however, would suggest your complaint is completely without merit, if not outright lying.
Windows is definitely designed in a very modular fashion. That Microsoft don't have an easy way to custom-build your own Windows "distribution", does not change this.
WMF needed extra patches applied if Office was installed - simply put the code was duplicated from Windows into Office. It should have been in a framework that Office called.
Well, The January patch summary would suggest otherwise, however, the Office team are well-known for going their own way and reimplementing OS functionality. Again, your logic is faulty as this is irrelevant to the modularity of Windows - it's like arguing Linux isn't modular because there's a zillion different widget libraries for X.
Microsoft are not a single, well organised, coherent entity, they're a bunch of different groups that just happen to be grouped under the same umbrella. The Office and Windows teams may as well be different companies.
This kind of "design" is totally different to Mac OS X - where there are modules and clear interfaces.
So you're saying there isn't a *single* OS X application that reimplements functionality provided in the OS ? Because that's the logic you're trying to use to argue Windows isn't "modular".
Microsoft have said that Windows Vista is a total rewrite of Windows around these design ideas, clearly XP wasn't!
Windows Vista isn't a "complete rewrite" in anything outside of staged press interactions. It's Windows NT 6.0 - certainly there have been some major changes and cleanups (particularly to do with internal dependencies), but nothing approaching a "complete rewrite".
-
Re:Mono is better in many ways
Read about it here. The URL on that site is broken, so if you want to read more, try this archive.org link for http://www.microsoft.com/backstage/bkst_column_46.mspx
-
Suggest, anybody??
Here is the link to build a Google Suggest like application using ASP.Net
You can call it Ajax or whatever. Basically it uses asynchronous calls from the client side using Javascript.
CLICK HERE and make your boring webpage a bit more lively and interesting
-
Re:Awesome!
But company X making profit off of their own invention means that company Y will need to innovate and compete by arriving at a better way to solve the problem
How? Let's say that I have a patent on software that does task X via steps 1, 2, and 3. Please define how you intend to enter the market with your product that performs task X via steps alpha and omega, when I and my team of 800lb lawyer-gorillas keep your product tied up in court for so long that even you've forgotten what task X was. "Oops? You mean you don't infringe on my patent? Sorry, my bad! Couldn't tell just by looking at the binary you know!" I doubt you'd even be able to countersue, I'd just tell the jury that your software was intentionally developed to appear to perform task X in the same way, and that there was no way for me to know that it did it a different way. And with closed proprietary source, I wouldn't be lying! (now, if you used Open Source, that'd be a whole different ball of wax!)
I would think that being able to benefit from your labor and creativity is a strong incentive.
For the next what, 20 years? 10 if you spent a decade converting your patent on "Process for removing goo from the heel of your shoe" into "Process for buying things on the internet"? Gee, I'm glad those filesystem patents microsoft were charging fees over are driving their innovation forward. Can't wait to see their new database-driven FS... Someday. Gotta love that innovation.
who does it best gets rewarded accordingly
Huh? Come back when we're not talking about patents where it's first come, first served. "Who does it best" indeed. Even if I do it better than you and file a patent, I still have to license your patent from you if my process has anything to do with yours. (i.e., you have a patent on A B and C, and I can do it better with A B D and E, well, even with my own patent I infringe on A and B).
we see fantastic displays of innovation in the areas of stealing IP and technologies from those private innovators elsewhere
You mean like microsoft and doublespace? Or microsoft and FAT. Or any of the thousands of cases of killing the little guy (that patent won't do you much good if we can spend a million dollars a year litigating you into the ground) or just flat out corporate espionage (you can't patent it until you're done. Let's hire away some key people on your project at 90% and do the last 10% faster. Sure there'll be lawsuits for a year or two but the patent lasts 5 product lifetimes).
-
Response to Joel
Here is Sriram Krishnan's response to Joel's advice
-
Browser wars, Darwinism, and the SlashDot effect.
-
Be ready for more of this...
... being poorly implemented. I think it takes a lot of domain knowledge, hard work, and browser testing in order to get a useable and attractive mesh between server and client code. But, despite the challenges, it will become easier moving forward, as one of the new features of ASP.NET 2.0 will be to include client callback capabilities from server-side controls. It's a cool addition if used correctly and intelligently. My hope is that it doesn't get overused in inappropriate situations or without sufficient cross-browser testing.
-
Re:You know after taking software engineering..
A friend of mine pointed out Scrum Teams to me, and it seems to apply well to maintenance. It's not exactly anything new or groundbreaking, and in fact, anyone with a project management background can mix and match PMI terminology with that listed in the description, but it still seems like an effective approach.
This process uses small teams and a fixed work cycle (usually 30 days). You have to have a couple "smart people" at the top to make it work well, the 'product manager,' who manages feature and bugfix request queues, and the 'scrum leader,' who will lead the team doing the work. The whole idea is that you pick out enough work to fill the 30 days, hack away at it, and at the end of the scrum, you have your next version.
It seems to work well for them.
-
Re:Raymond Chen in Linux source CREDITS
This blog (post) has some interesting info on this.
...This post wouldn't have been possible without Kaushik - he called me up this morning and said that he had spied a familiar name on the Linux 1.0 contributors file. And since the chances of 2 people with the name Raymond Chen and working at Microsoft were pretty slim, we got pretty interested. A bit of Googling led us to this page (http://grumbeer.dyndns.org/ftp/mail/v5/digest363) which has an email that Raymond Chen typed out back in 1993. The first thing that strikes you is his Microsoft id. I was taken aback - a Microsoft employee contributing to Linux code? That too kernel level stuff - not some fringe OSS project? Seems like things were a lot different back then. Here's a snippet from that mail:
From: raymondc@microsoft.com (Raymond Chen)
Subject: New Configure script (and some console patches)
Date: 05 Jun 93 20:23:30 GMT
This patch kit is really *THREE* patches in one.
1. A new Configure script, hopefully easier to use and more flexible than the current one.
2. A kernel configuration switch to enable high-intensity background in lieu of blinking foreground characters.
3. A kernel configuration switch to control the destination of kernel trace messages (printk's).
But the part which I really found interesting was this... the way he signs all his mails.
Thanks.
-- Raymond (just another linux hacker) Chen
Definitely not something you would see nowadays. These days, the very mention of the word 'GPL' might get you into serious trouble in Microsoft - and contributing code is definitely unthinkable. I guess back then, Linux was considered more of a hobbyist-thing rather than a future competitor. But I'm only guessing here. An interesting question that arises is the effects of the viral nature of the GPL. If he had worked on GPL code back then, is he 'infected'? Well - I'm no expert in these issues, but it's interesting all the same.
Before all the Linux supporters jump to any conspiracy theory, I would just like to point out that the only thing this points out is the amazing versatility and skill exhibited by most Microsoft devs and Raymond in particular. This is a guy who knows both Windows and Linux inside out. Awesome!!! I would really like it if Raymond comes and tells us a bit about his past - especially the 'just another linux hacker' days :-) ....
-
Another Paradigm Shift a-Comin'
As the cost of mass storage and processing are approaching zero, various people are predicting that soon hardware will be free. Only the software and content will cost money. But the shift towards content being the only source of profit will make copyright enforcement more and more important. This will mean tighter copyright laws and ever more draconian restrictions on consumer use of technology.
But there's a much deeper shift going on. It's a transition from paying for things because we can't do them ourselves to paying because we aren't allowed to do them. Supply used to be the other side of Demand. With a limitless supply of copies easily available, Supply will be replaced by Permission. Keeping this system going requires much more granular regulation of individual behavior.
I try to put it in a historical context. Not long ago, North America was a land where if you wanted to you could walk out into the wilds with some tools, build a cabin, put up a fence and start farming. Nowadays every square inch of land is owned by somebody or something, and usually not by the people who live on it. We borrow and pay. Even after your house is paid for you still don't really "own" it, because if you don't keep paying your property taxes you can get kicked out. Sounds like rent to me.
But we've gotten used to all that. We will probably also get used to the notion that other people own everything we see and hear. Within our lifetimes most information and media content will probably be on a pay-per-view basis. It will be editable or removable at any time by the owners. History will disappear unless individual people choose to privately write things down -- paraphrasing of course, not quoting. I think people will tolerate restrictions and loss of privacy for the sake of copyright protection just as we have accepted the authority of planning commissions and building inspectors for the sake of public safety. That's what I think will happen anyway, but somehow I still don't like it.
-
Re:It looks good
Ding! Wish granted.
I switched to SharpDevelop a month or so back... once you get the hang of it, it can do much of the VS.NET editing and compilations stuff. Oh and you'll need the SDK installed so you can get at the debugger DBGCLR.exe. Check out this great article on how to do it.
One thing I really miss is a viable pointy-clicky WSDL tool.
-
Re:My post
Zero defects IS management-speak, but it's completely compatible with known bugs going out in a release -- IF all parties agree that it's going to happen.
ZD means an understood set of inputs (requirements) are processed (developed, coded) into an understood set of outputs (releases). Zero defects means this entire process occurs as planned.
Therefore to get software out the door, you might have to ignore the recently-discovered beta-testers' problem with your SW and his AllInWonderPro TV out, as that video card was not part of your inputs. Known bug, yes. Defect, no.
There is an interesting microsoftie's blog post trying to reconcile ZD with agile/extreme methodology: What is the Zero-Defects Mindset?. Being neither an Agile addict nor an M$ coder, I cannot vouch for any of its contents -- read at your own risk.
-
Re:My post
How the parent post got +5 I have no idea....
Actually, much of the rest of the world DOES believe that "Zero defects does not mean that the product does not have bugs". Emphasis in quotations mine.
Definition of Zero-Defect. "an aspect of total quality management that stresses the objective of error-free performance in providing goods or services"
Six sigma's take on Zero Defect that states: "A practice that aims to reduce defects as a way to directly increase profits. The concept of zero defects lead to the development of Six Sigma in the 1980s."
Here's an explanation of why people are confused about the subject. Yes, it's an M$ site.
10 rules for ZDSD: "Not to be taken as meaning 'bug-free,' Zero-Defect Software Development (ZDSD) is a practice of developing software that is maintained in the highest quality state throughout the entire development process."
-
Review
I just posted a review of WMP10 over here http://dotnetjunkies.com/WebLog/sriram/archive/2004/06/02/15310.aspx. Verdict - Great work - but not the best around
-
Ten Microsoft Developer Community Sites
I am a Microsoft employee so I might be biased but there are a number of developer communities around Microsoft technologies including
- Code Project
- SQL Server Central
- .NET Weblogs
- SQL Junkies
- ASP.NET forums
- 4 Guys from Rolla
- ASP Alliance mailing lists
- CodeGuru discussion forums
- TopXML discussion forums - this is mostly about Microsoft XML technologies
- .NET Junkies
- SQL Team