mustcodemore.com

1.28.2008

Yay!

Striving to be #2
http://www.actionscript.org/news/314/winners-of-tutorial-competition-announced/

1.10.2008

Prototypes in Javascript

Extensibility has always been an important charastic of Object Oriented programming. In JavaScript this is accomplished by using the prototype property. Using the prototype property one can extend both JavaScript's intrinsic object classes, as well as your own. Once a class is extended all instances of said class will inherit whatever additional properties (or overridden properties) you create in your prototype.

Its a handy feature, especially for tracking activities. Heres a simple example to extend a click event of an object in the DOM.

SomeObject.prototype.click = function(e) { 
//perform activity tracking here
}

Basically your object "SomeObject" now has a modified click event, which (if you put some code in there) would perform your click tracking on a simple DTHML DOM element. This can include a call to server side scripts to perform a database insert or write to a log file.

Here is a link to a great multi-part article on prototyping in JavaScript :

http://www.webreference.com/js/column34/index.html

The Anatomy of Clickbot.A

Interesting article on both the impact of the ClickBot.A Botnet as well as source code from the botnet admin tool. This is a relatively low noise Botnet however it does have some interesting features that make it a bit more "interesting" than other BN's out there.

Labels: , ,

12.18.2007

IIS 7 + Access Control Error (HRESULT: 0x80070005)

IIS 7 was working fine, then it stopped working. I was unable to debug sites running on IIS 7, furthermore i was not able to change any settings in IIS 7. For some reason my folders were set back to read only.

http://blog.crowe.co.nz/archive/2007/08/24/IIS7-Access-Denied-when-using-the-IIS-7-Manager.aspx

11.28.2007

Tutorial on Actionscript.org

i have just submitted my first tutorial on Actionscript.org. Its called :

Basic Activity Tracking with Flash, Actionscript 2.0 and ASP.NET 2.0.

It shows the user how to interoperate between flash and ASP.NET in order to track activities like button clicks or roll overs in a flash movie. In this example i store these activities in a SQL Server Database.

The article touches on basic OOP Principals as well as creating a C# Application to house your flash movies.

http://www.actionscript.org/resources/articles/703/1/Basic-Activity-Tracking-with-Flash-Actionscript-20-and-ASPNET-20/Page1.html

11.27.2007

Mixing Forms and Windows Authentication in ASP.NET

This blog posts shows how a user enabled Single Sign On (SSO) for two web apps that mixed both Forms Authentication and IIS Integrated Security. Its a pretty good solution for this problem.

http://www.pluralsight.com/blogs/craig/archive/2004/07/24/1699.aspx

mcm

Labels: , , , , ,

10.01.2007

Session State in a Handler File

For a project we're working on we need to use HttpHandlers to do a lot of the heavy lifting when a user first comes to a site. The handlers help us determine what "type" of user it is and help us fork off processes and objects to different pages or applications based on a number of inputs (which the handler gets).

Working with this was going well until i needed to supply a constructor a sessionId. No problem i gave it a bit of the old :

context.Session.SessionId;

To my dismay i realized that the entire sessioin object was null. Because the handler file intercepts the request before the asp.net frameword processes it there is no session information available (see ISAPI Extensions). What to do? What to do?!?!

Of course i sent a post out to a forum and then minutes after posting it figured it out myself. The key is to make your HttpHandler implement the IRequiresSessionState interface. This interface allows the Handler to write or read from the Session state.

There are two options for this interface (and it needs no construct)

IRequiresSessionState - Read and Write access to session object
IReadOnlySessionState - Read only access to session object.

Implementation is quite simple. Take a simple Handler Code class and add the following using statement:

using System.Web.SessionState;

Then inherit the class from the Interface (as well as your handler interface)

 public class BaseHandler : IHttpHandler, IRequiresSessionState  
{
public virtual void ProcessRequest(HttpContext context)
{

}

public bool IsReusable
{
get
{
return false;
}
}
}


Pretty easy huh? And now its session enabled so i can pass my objects to my page.

Labels: , , ,

9.26.2007

SQLSafe Method for C#

We created this utility method a while back to help us provide another layer of security for SQL Injection attacks. Basically its a tiny little method that takes up to three parameters. It is used to trim a string to a specified length (generally the length of your database field) and throw an error if you want it too.

Parm 1. The string to evaluate and trim if necessary
Parm 2. The max length of the string
Parm 3. Thow an exception or not.

Heres the two methods (one with an override)

        /// <summary>
/// Returns a string with single quotes escaped to protect against SQL injection attacks
///
/// This method will throw an exception if the supplied string's length is greater than maxlen
/// </summary>
/// <param name="s"></param>
/// <param name="maxlen"></param>
/// <returns></returns>
public static string SqlSafe(string s,int maxlen)
{
return SqlSafe(s,maxlen,false);
}
/// <summary>
/// Returns a string with single quotes escaped to protect against SQL injection attacks
///
/// </summary>
/// <param name="s"></param>
/// <param name="maxlen"></param>
/// <param name="ThrowExceptionOnTruncate"></param>
/// <returns></returns>
public static string SqlSafe(string s,int maxlen,bool ThrowExceptionOnTruncate)
{
if(s==null)
{
return "";
}
if(ThrowExceptionOnTruncate && s.Length>maxlen)
{
throw new Exception("StringTools.SqlSafe string exceeds maximum length");
}
//replace apostrophies AFTER truncation
//(the doubles don't count for field length)
return Truncate(s,maxlen).Replace("'","''");
}


So this method is called from anywhere (usually i put it right in a parameter going to a SQL DataSource or some Object Data source right before insert or update).
Just call it like this

SBX.StringTools.SqlSafe(HttpContext.Current.Request.UserAgent.ToString(), 255);


In this example i have the SqlSafe method in a static class called SBX.StringTools. If you are going to use this put it in whatever framework class libraries you utilize in your web or forms apps. That way you can re-use it quickly and easily.

mcm.

My Goodness - Blogger Code Formatting!

And its IN a Blogger Blog! Doesn't that just blow your mind?

http://formatmysourcecode.blogspot.com/

How to tell if a posted file is really an image

This is a useful method to determine if a file posted for upload (via HTTP) is actually an image. This was created in .net 1.1 but also works in 2.0 without any modifications.

Heres a bit of background. Anyone can change the content type of a file before posting it. Its as simple as changing an extension of a file to something your looking for. So if someone wanted to upload a malicious program or file they could simply change the extension to an images extension (in this case) and upload something that .net initially thinks is an image but really is not.

All this method does is read the first 64 bytes of data from the posted file and compares the data in the header to determine if its an image. It takes a byte array as an input and returns either true or false to the calling method.

public bool IsImage(byte[] data)
{
//read 64 bytes of the stream only to determine the type
string myStr = System.Text.Encoding.ASCII.GetString(data).Substring(0, 16);
//check if its definately an image.
if (myStr.Substring(8, 2).ToString().ToLower() != "if")
{
//its not a jpeg
if (myStr.Substring(0, 3).ToString().ToLower() != "gif")
{
//its not a gif
if (myStr.Substring(0, 2).ToString().ToLower() != "bm")
{
//its not a .bmp
if (myStr.Substring(0, 2).ToString().ToLower() != "ii")
{
myStr = null;
return false;
}
}
}
}
myStr = null;
return true;
}


Thats really all there is to it. Once this is in place you can actually add more if statements to look for more image types (like .tiff, etc). The reason we dont use a switch statement for this is because for different image formats the "identifying byte(s)" are located in different index positions. So to add more images you will have to dig around the net a bit finding out about what header bytes identify different images.

hope this helps someone out,
mcm.

ASP.NET 2.0 Roles and Memberships

ASP.NET's Role management and membership providers are really, really easy to use and configure (once you figure out how to set up the database)

This article from 4Guys really helped me set it up properly and now that its up its quite easy to port and use for other applications. The design of it actually lets you use one Database to manage security and roles for several applications.

The only unfortunate part about these Roles and membership things is that the default web controls (specifically LoginView) are not really scalable. If you plan on having an ever growing list of roles and users you may not want to use these types of controls and instead programmaticlly control access to pages and page elements (see gridviews / formviews). This can be done pretty easily with the use of a secured page base class that you can inherit from.

Anyways, check the article http://aspnet.4guysfromrolla.com/articles/120705-1.aspx

mcm.

Image Uploading to a UNC Share w/ Impersonation

This topic has helped me countless times. Think about full separation of an admin area from a front-end site. If you have to upload images this is a good way to go about it. It's really either this way or some sort of service that copies uploaded images to the other app directory.

http://aspalliance.com/336

GROUP BY in a DataTable

this one helped me out a while back
http://weblogs.sqlteam.com/davidm/archive/2004/05/20/1351.aspx

The Expressions that can be formulated for a calculated column in a DataTable are a very handy thing. The problem is the aggregation operators only work for a parent-child relationship.

Optimizing ASP.NET 2.0 Web Project Build Performance (VS 2005)

This posts covers how to best optimize the build performance with Visual Studio 2005 when using web projects. If you are experiencing slow builds or want to learn how to speed them up please read on.

http://weblogs.asp.net/scottgu/archive/2006/09/22/Tip_2F00_Trick_3A00_-Optimizing-ASP.NET-2.0-Web-Project-Build-Performance-with-VS-2005.aspx