SQL Injection-proof your integrated SQL search in ASP.NET 2.0

I had forgotten to add SQL Injection prevention logic when I integrated and implemented a SQL search function for my employer’s internal ASP.NET app.  So in this post, I’m adding it for archival and sharing purposes.

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.

BTW, here’s an excellent article about SQL Injection on the MSDN site. 

1. The first thing you’ll need to do is grab the user’s input from the search textbox; for example:

// Get user search input
string requestString = txtSearch.Text.Trim();

2. Next, you’ll need to add logic to see if the user input contains any of the following:

[image: table of the characters and tokens to reject: ; ' -- /* */ xp_]

I added something like this:

if ((requestString.Contains(";")) || (requestString.Contains("'")) ||
    (requestString.Contains("--")) || (requestString.Contains("/*")) ||
    (requestString.Contains("*/")) || (requestString.Contains("xp_")))
{
    // Stop processing and notify user
}
else
{
    // Continue processing and show results
}

3. Build/compile your app then test it out.  If all goes well, you should not get any errors and your web app’s search function should now be SQL Injection-proof.
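The check above rejects the listed tokens, but the defence that holds regardless of what the user types is to keep the search text out of the SQL string altogether and pass it as a parameter; the token check then remains a useful first filter rather than the only barrier. The following button handler is an added example written for this post, not code from the original app: it validates length, escapes LIKE wildcards, and runs a parameterized SqlCommand. The control names (txtSearch, lblMessage, gvResults), the Products table and the "AppDb" connection string name are assumptions for illustration.

```csharp
// Added example, not the original post's code. Control names, the Products
// table and the "AppDb" connection string are assumptions for illustration.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;

public partial class Search : System.Web.UI.Page
{
    // Upper bound on the search term; rejects oversized input before it
    // reaches the database and keeps the LIKE pattern small.
    private const int MaxSearchLength = 100;

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string requestString = txtSearch.Text.Trim();

        if (requestString.Length == 0 || requestString.Length > MaxSearchLength)
        {
            lblMessage.Text = "Please enter a search term of at most 100 characters.";
            return;
        }

        // Escape the LIKE wildcards so a user typing % or _ searches for those
        // characters literally instead of widening the match.
        string pattern = "%" + EscapeLikePattern(requestString) + "%";

        string connStr = WebConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT ProductId, Name FROM Products WHERE Name LIKE @pattern ESCAPE '\\'", conn))
        {
            // The value travels separately from the SQL text: quotes, semicolons
            // or comment markers inside it are data, never part of the statement.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 2 * MaxSearchLength + 2).Value = pattern;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                gvResults.DataSource = reader;
                gvResults.DataBind();
            }
        }
    }

    // Prefix the characters that SQL Server's LIKE treats specially with the
    // escape character declared in the query's ESCAPE clause.
    internal static string EscapeLikePattern(string input)
    {
        return input.Replace("\\", "\\\\")
                    .Replace("%", "\\%")
                    .Replace("_", "\\_")
                    .Replace("[", "\\[");
    }
}
```

With this in place, an input such as `'; DROP TABLE Products --` is matched as a literal substring of product names and returns no rows; the parameter size of `2 * MaxSearchLength + 2` allows for the worst case where every character needs escaping plus the two surrounding wildcards.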

VS.NET 2005 Web Application Projects vs. Web Site Projects

In the first release of Microsoft Visual Studio 2005, Microsoft introduced a new web application model called the Web Site Project for C#, which had many differences with the old model. Riots ensued, and in VS 2005 SP1 they were forced to introduce the Web Application Project for C# that worked much the way the old ones did.  Go here for more details.

Web Application Projects provide a companion web project model that can be used as an alternative to the built-in Web Site Project in Visual Studio 2005. This new model is ideal for web site developers who are converting a Visual Studio .NET 2003 web project to Visual Studio 2005.

So just an FYI to .NET developers: In any future C# Web Services you build (in VS 2005), you should be using the new Web Application Projects model.  (Thanks to Anton Sipos for reminding me.)

Cheers!

CLR has been unable to transition from COM context for 60 seconds

I was debugging an inherited multi-project WinForms application (from my co-worker and friend, Genaro Quismorio) today and came across this error twice (below), which was frustrating, annoying and very unproductive. This error occurred while stepping through a breakpoint [Debug.Break] in my WinForms code while looking for a bug.

One fix I found on Google was to go to Debug > Exceptions > Managed Debug Assistants (MDA), and then unchecking the ContextSwitchDeadlock option; I didn’t have this option under VS.NET 2005 Team Edition for Software Testers. Unfortunately, this setting is not global across projects, which means that I have to set it every time for each project.

Managed debugging assistants (MDAs) are debugging aids that work in conjunction with the common language runtime (CLR) to provide information on runtime state. The assistants generate informational messages about runtime events that you cannot otherwise trap.

A little more research around the Internet spectrum landed me on this article (on the MSDN website), which basically shows you how to globally turn off MDA. There are apparently two-and-a-half ways to do it: registry key, an environment variable, or application configuration settings.

Registry Key

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework]
"MDA"="0"

Environment Variable

1. Add COMPLUS_MDA (this overrides the registry key).

  • 0 – Deactivates all MDAs.
  • 1 – Reads MDA settings from ApplicationName.mda.config.
  • managedDebugger – Explicitly activates all MDAs that are implicitly activated when a managed executable is started under a debugger.
  • unmanagedDebugger – Explicitly activates all MDAs that are implicitly activated when an unmanaged executable is started under a debugger.

If there are conflicting settings, the most recent settings override previous settings:

  • COMPLUS_MDA=0 disables all MDAs including those implicitly enabled under a debugger.
  • COMPLUS_MDA=gcUnmanagedToManaged enables gcUnmanagedToManaged in addition to any implicitly enabled under a debugger.
  • COMPLUS_MDA=0;gcUnmanagedToManaged enables gcUnmanagedToManaged but disables those MDAs that would otherwise be implicitly enabled under a debugger.

Application Configuration Setting

To enable the use of an application configuration file for configuring MDAs, either the MDA registry key or the COMPLUS_MDA environment variable must be set (this is why I said two-and-a-half ways). Simply create a .config file of format ApplicationName.mda.config; for example, notepad.exe.mda.config.

<mdaConfig>
  <assistants>
    <marshaling>
      <methodFilter>
        <match name="*"/>
      </methodFilter>
      <fieldFilter>
        <match name="*"/>
      </fieldFilter>
    </marshaling>
  </assistants>
</mdaConfig>

That’s it. You can read more about it here. Hope this helps you somewhat.

Submitting bugs through BugzScout

I was tasked to develop a proxy-like web interface wherein our company’s Marketing group didn’t have to go to Fogbugz directly.  To facilitate this, I wrote an ASP.NET Web Application that submits/POSTs to Fogbugz’s supplied ScoutSubmit.asp.


FogBugz is a complete project management system for software teams. Designed by Joel Spolsky of Joel on Software fame, FogBugz helps you make better software by tracking, prioritizing, and coordinating the thousands of small tasks a development team has to do. FogBugz is web based, so everyone on the team always sees the whole picture. Feature requests, customer email, bugs, even high level design discussions are instantly searchable and trackable.

Just in case you need to develop one yourself, here’s the link [on Fogbugz’s website] on how to do it.
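As an added illustration of the relay described above (this is example code written for this post, not the original application), the helper below builds the form body and POSTs it to ScoutSubmit.asp from the server side, so the FogBugz URL and the reporting account stay in the web app's configuration and the Marketing users only ever fill in a title, details and an e-mail address. The URL and the ScoutUserName, ScoutProject and ScoutArea values are placeholders, and the field names are taken from BugzScout's documented submission form as an assumption; check them against the FogBugz page linked above before use.

```csharp
// Added example, not the original post's code. The URL and account values are
// placeholders; the BugzScout field names are assumed from its documentation.
using System;
using System.Collections.Specialized;
using System.IO;
using System.Net;
using System.Text;
using System.Web;

public static class BugzScoutRelay
{
    // Settings that stay on the server: users of the proxy page never see the
    // FogBugz URL or the account the cases are filed under.
    private const string ScoutUrl = "https://fogbugz.example.com/ScoutSubmit.asp"; // placeholder
    private const string ScoutUserName = "Marketing Relay";                        // placeholder
    private const string ScoutProject = "Marketing Site";                          // placeholder
    private const string ScoutArea = "Misc";                                       // placeholder
    private const int MaxTitleLength = 200;
    private const int MaxDetailsLength = 4000;

    // Posts one report and returns BugzScout's response text for display.
    public static string Submit(string title, string details, string reporterEmail)
    {
        byte[] payload = Encoding.UTF8.GetBytes(BuildFormBody(title, details, reporterEmail));

        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(ScoutUrl);
        request.Method = "POST";
        request.ContentType = "application/x-www-form-urlencoded";
        request.ContentLength = payload.Length;
        using (Stream body = request.GetRequestStream())
        {
            body.Write(payload, 0, payload.Length);
        }
        using (HttpWebResponse response = (HttpWebResponse)request.GetResponse())
        using (StreamReader reader = new StreamReader(response.GetResponseStream()))
        {
            return reader.ReadToEnd();
        }
    }

    // Builds the URL-encoded form body. Only the three user-supplied values are
    // taken from the page; everything else is fixed server-side and each
    // user value is length-limited before it is encoded.
    internal static string BuildFormBody(string title, string details, string reporterEmail)
    {
        if (string.IsNullOrEmpty(title))
        {
            throw new ArgumentException("A title is required.", "title");
        }
        if (title.Length > MaxTitleLength)
        {
            title = title.Substring(0, MaxTitleLength);
        }
        if (details != null && details.Length > MaxDetailsLength)
        {
            details = details.Substring(0, MaxDetailsLength);
        }

        NameValueCollection fields = new NameValueCollection();
        fields["ScoutUserName"] = ScoutUserName;
        fields["ScoutProject"] = ScoutProject;
        fields["ScoutArea"] = ScoutArea;
        fields["Description"] = title;            // assumed field: case title
        fields["Extra"] = details ?? string.Empty; // assumed field: free-text details
        fields["Email"] = reporterEmail ?? string.Empty;

        StringBuilder sb = new StringBuilder();
        foreach (string key in fields.AllKeys)
        {
            if (sb.Length > 0)
            {
                sb.Append('&');
            }
            sb.Append(HttpUtility.UrlEncode(key))
              .Append('=')
              .Append(HttpUtility.UrlEncode(fields[key]));
        }
        return sb.ToString();
    }
}
```

Keeping BuildFormBody separate from Submit lets the encoding and length limits be unit-tested without a live FogBugz server, and the relay page itself should only expose the three inputs rather than forwarding arbitrary form fields to ScoutSubmit.asp.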