For MSDN subscribers, you can now download VS Team System 2008 RTM on the MSDN site (x86 and x64 WoW – DVD).
Have fun!
I had forgotten to add SQL Injection prevention logic when I integrated and implemented a SQL search function for my employer’s internal ASP.NET app. So in this post, I’m adding it for archival and sharing purposes.
SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.
BTW, here’s an excellent article about SQL Injection on the MSDN site.
1. The first thing you’ll need to do is grab the user’s input from the search textbox; for example:
    // Get user search input
    string requestString = txtSearch.Text.Trim();
2. Next, you'll need to add logic to check whether the user input contains any of the following characters or sequences: ";", "'", "--", "/*", "*/" and "xp_". I added something like this:
    if (requestString.Contains(";") || requestString.Contains("'") || requestString.Contains("--")
        || requestString.Contains("/*") || requestString.Contains("*/") || requestString.Contains("xp_"))
    {
        // Stop processing and notify user
    }
    else
    {
        // Continue processing and show results
    }
3. Build/compile your app then test it out. If all goes well, you should not get any errors and your web app’s search function should now be SQL Injection-proof.
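As an added example (not the post's own code), here is the parameterized form of the search that keeps the user's term out of the SQL text entirely, which is what makes the character blacklist above unnecessary: the blacklist rejects legitimate input such as a name containing an apostrophe, while a parameter is sent to SQL Server as data and cannot change the statement. The table and column names (Products, Id, Name) and the @pattern parameter are assumptions, since the post does not show its query.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the post. Assumes a table "Products" with an
// nvarchar column "Name"; the post does not show its schema or query.
public static class SafeSearch
{
    // The post's blacklist check, reproduced only to show what it rejects
    // (for example the legitimate search term "O'Brien").
    static readonly string[] Blacklist = { ";", "'", "--", "/*", "*/", "xp_" };

    public static bool ContainsBlacklistedToken(string input)
    {
        foreach (string token in Blacklist)
        {
            if (input.Contains(token)) return true;
        }
        return false;
    }

    // Parameterized query: the term travels to SQL Server as a typed value,
    // never spliced into the SQL string, so quotes or comment markers in it
    // are matched literally instead of being parsed as SQL.
    public static SqlCommand BuildSearchCommand(SqlConnection conn, string term)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT Id, Name FROM Products WHERE Name LIKE @pattern";

        SqlParameter p = cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200);

        // LIKE has its own wildcards (%, _ and [ ]); escape them so a user
        // typing them searches for those characters rather than matching all.
        string escaped = term
            .Replace("[", "[[]")
            .Replace("%", "[%]")
            .Replace("_", "[_]");
        p.Value = "%" + escaped + "%";
        return cmd;
    }
}
```

With this in place the search term "O'Brien" runs as intended, whereas ContainsBlacklistedToken would have turned it away; the blacklist can stay as a logging signal if you want to notice suspicious input, but it should not be the control that protects the query.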
In the first release of Microsoft Visual Studio 2005, Microsoft introduced a new web application model called the Web Site Project for C#, which had many differences with the old model. Riots ensued, and in VS 2005 SP1 they were forced to introduce the Web Application Project for C# that worked much the way the old ones did. Go here for more details.
Web Application Projects provide a companion web project model that can be used as an alternative to the built-in Web Site Project in Visual Studio 2005. This new model is ideal for web site developers who are converting a Visual Studio .Net 2003 web project to Visual Studio 2005.
So just an FYI to .NET developers: In any future C# Web Services you build (in VS 2005), you should be using the new Web Application Projects model. (Thanks to Anton Sipos for reminding me.)
Cheers!
I was debugging an inherited multi-project WinForms application (from my co-worker and friend, Genaro Quismorio) today and came across this error twice (below), which was frustrating, annoying and very unproductive. This error occurred while stepping through a breakpoint [Debug.Break] in my WinForms code while looking for a bug.
One fix I found on Google was to go to Debug > Exceptions > Managed Debug Assistants (MDA), and then uncheck the ContextSwitchDeadlock option; I didn’t have this option under VS.NET 2005 Team Edition for Software Testers. Unfortunately, this setting is not global across projects, which means that I have to set it every time for each project.
Managed debugging assistants (MDAs) are debugging aids that work in conjunction with the common language runtime (CLR) to provide information on runtime state. The assistants generate informational messages about runtime events that you cannot otherwise trap.
A little more research around the Internet spectrum landed me on this article (on the MSDN website), which basically shows you how to globally turn off MDA. There are apparently two-and-a-half ways to do it: registry key, an environment variable, or application configuration settings.
Registry Key
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]
    "MDA"="0"
Environment Variable
1. Add COMPLUS_MDA (this overrides the registry key).
If there are conflicting settings, the most recent settings override previous settings:
Application Configuration Setting
To enable the use of an application configuration file for configuring MDAs, either the MDA registry key or the COMPLUS_MDA environment variable must be set (this is why I said two-and-a-half ways). Simply create a .config file of format ApplicationName.mda.config; for example, notepad.exe.mda.config.
    <mdaConfig>
      <assistants>
        <marshaling>
          <methodFilter>
            <match name="*"/>
          </methodFilter>
          <fieldFilter>
            <match name="*"/>
          </fieldFilter>
        </marshaling>
      </assistants>
    </mdaConfig>
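As an added example (not from the post or the MSDN article it links), the narrower alternative to switching every assistant off with "MDA"="0": a per-application file that disables only the contextSwitchDeadlock assistant that was interrupting the debugging session, leaving the other assistants in place. The executable name MyWinFormsApp.exe is assumed, and, as the post notes, the file is only read when the MDA registry value or COMPLUS_MDA is set.

```xml
<!-- MyWinFormsApp.exe.mda.config (assumed executable name), placed next to the .exe -->
<mdaConfig>
  <assistants>
    <!-- Turn off only the assistant that fired; all others keep their default state -->
    <contextSwitchDeadlock enable="false" />
  </assistants>
</mdaConfig>
```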
I was tasked to develop a proxy-like web interface wherein our company’s Marketing group didn’t have to go to Fogbugz directly. To facilitate this, I wrote an ASP.NET Web Application that submits/POSTs to Fogbugz’s supplied ScoutSubmit.asp.
FogBugz is a complete project management system for software teams. Designed by Joel Spolsky of Joel on Software fame, FogBugz helps you make better software by tracking, prioritizing, and coordinating the thousands of small tasks a development team has to do. FogBugz is web based, so everyone on the team always sees the whole picture. Feature requests, customer email, bugs, even high level design discussions are instantly searchable and trackable.
Just in case you need to develop one yourself, here’s the link [on Fogbugz’s website] on how to do it.