Archive for the ‘Web Development’ Category
After installing MVC 4 Beta, I noticed that Visual Studio 2010 Intellisense had developed a problem in Razor views in MVC 3 projects. For example ViewBag wasn’t found and neither was Url.
I looked around for solutions and found various suggestions, but none of them worked and then (I’m not sure whether to say “Duh” or not) I found the solution in the release notes: ASP.NET MVC 4 Beta: Known Issues and BREAKING CHANGES. (See the “Required Updates” section.)
Now I know that ideally I should have looked at the release notes before installing it. Sure, and ideally I should never drive faster than the speed limit, but this is the real world and the ideal and the actual don’t always coincide.
I really think that the “Known Issues and Breaking Changes” section of the release notes should have its own link (in BIG CAPS) right next to the big green “Install ASP.NET MVC 4 Beta” button on the ASP.NET MVC 4 page, so that idiots like me will pay attention and maybe actually know ahead of time what might break and take the necessary steps.
For the other poor sods who don’t read release notes here are a couple of the searches I can remember I made and hopefully if you search on the same terms you may find this post.
- MVC 4 Beta breaks Intellisense
- MVC 3 Razor View Intellisense Not Working
PS: MVC 4 itself is good so far.
I’ve recently come across some good intro podcasts on node.js.
I’ve been listening to the .NET Rocks podcast for a while now and their latest show is a talk with Tomasz Janczuk, the guy at Microsoft who is working on porting node.js to Windows and IIS. It’s a good intro for all types of developers but is probably aimed at .NET devs more than open source or Java devs.
» .NET Rocks – Show 711: Tomasz Janczuk Builds Web Apps with node.js – As well as the basics on what node.js is and how you use it, there is some very good data on when you’d use iisnode versus basic node.exe.
I only came across the Herding Code podcast a few weeks ago, but I like it so much that I’ve already caught up on all the shows for this year and a couple of the earlier ones that covered topics I’m interested in. The four presenters are real pro devs and the discussions are always really lively, funny and interesting.
There are two node.js related shows:
» Herding Code 102: Tim Caswell on Node.js – this is an excellent intro that goes beyond the basics and explains the event loop of node and the non-blocking async programming model it uses. This gives you a good foundation.
» Herding Code 122: Bert Belder on porting Node.js to Windows – This is about more than just porting node to Windows, which is very interesting in itself. It builds on show 102, so listen to that one first.
I hope these are helpful.
The instructions I used are at WebMatrix and node.js: The easiest way to get started with node on Windows
Here’s how it went for me:
- WebMatrix Install: It took a looooong time to install, about 30 minutes. I was running quite a few things on my machine at the time, including VS2010 and SQL Mgmt Studio, but it still seemed like a heckuva long time, so be patient.
- iisnode for iis7 express (x86) Install: If you don’t have Microsoft Visual C++ 2010 Redistributable Package (x86) installed then the iisnode installer will tell you that you need it. Just click my link here and get it. It installs easily and then the iisnode install is a piece of cake. (FYI: You’ll have the same “This program is not commonly … etc.” message if you try to run after downloading in IE9 and that’ll happen on the next two also.)
- iisnode for iis7 (x86) Install: For my messing about I didn’t really need to install it but I wanted to anyway. There were no issues.
- iisnode for iis7 (x64) Install: I didn’t install this, ’cause I’m using a 32 bit machine for this messing about, but if you are installing the x64 version then I’m guessing you’ll need the C++ 2010 redistributable for x64.
- node.js templates for WebMatrix: Easy install. Thanks to Steve Sanderson (the genius behind knockout.js) for the templates
If I get some time free and I feel courageous, I might try to figure out how to use VS2010 to write node apps. If anyone out there has already done it then please leave a comment – no point in re-inventing the wheel.
I installed node.js a month or so ago and it wasn’t too much trouble, but I had to install Cygwin and other stuff with it for it to work on Windows. I wasn’t interested in taking the time to compile it myself, so I used what the node.js guys were good enough to supply.
I wasn’t looking forward to upgrading though, but Tomasz Janczuk came to my rescue! He’s been working on making node.js work on not just Windows but also in IIS AND IIS Express. All the links you need to download node.js are here: Current installation packages for node.js and iisnode for Windows.
Instructions on how to get started using it are here:
- Getting started with node.js on Windows
- WebMatrix and node.js: The easiest way to get started with node on Windows
- Node.js community wiki
I admit it – I have sinned. I’ve been proud and arrogant.
Oh, the justifications for my arrogance. It’s embarrassing now to look back and realize that I was daring to use a language that I knew virtually nothing about.
Well all that has changed. I repent. I have seen the light. (Praise dee Lord. Hallelujah. Etc., etc., etc.)
And (until just a few days ago): I don’t really know how to program with it.
So read the book and watch the videos and you too will see the light. Hallelujah!
I know that software has to be gotten out and on time, thus we have to triage bugs and sometimes leave a bug in a product because it doesn’t crash it and there is a workaround, but I don’t agree with leaving this one in IE8 Developer Tools.
Here’s the story:
I try to open the IE8 Developer Tools (F12 or “Tools > Developer Tools”) and nothing happens.
I hunt around and find that the app appears in the taskbar and in the Alt-Tab list but when I select it, nothing happens.
I Google the issue and find this: IE 8 Developer Tools not working In Windows?
Some of the suggestions don’t work. Here is what worked for me in Windows 7:
1. Select IE in the taskbar
2. Right-Click on the Developer Tools icon and select “Maximize”
3. Click on the title bar and pull the app down so that it changes its size to a non-maximized window (It doesn’t work to double-click the title bar, it just minimizes again)
4. Now close the tools and close IE8
5. When you open IE8 again open the tools and the app should be a window and not minimized.

I had to do this a few times to get it to work so it’s possible step 4 should be “close IE8 and then close the tools”.
If you find that the tools are somehow off your screen then try this:
- Select IE in the taskbar
- Select the tools app
- Press Alt-tab and then “M” (this opens the application menu and activates “Move”).
- Use your keyboard arrow keys to move the app into view.
- I haven’t had that problem with the tools, but have with other applications
Sheesh! What a pain in the butt!
If Microsoft wants to persuade web developers that IE is not the anti-Christ they are not going about it in a very smart way.
I’ve never had to deal with a SQL Injection attack before, mainly because in all the sites I’ve ever created I pass any input from the site to the database in parametrized form. I have never built SQL statements on the fly by adding user supplied values in strings.
But this week a new client received such an attack which brought down the corporate web site. So I had to get involved and figure out what to do.
When I looked into the database I found all character fields were filled with “”. (BTW, if you Google that string you will find it all over the place, so the incompetent programmer who created my client’s site is not alone.)
The attacker managed to inject the script because:
1. The guy who created the site put inline sql all over the place. Here is a sample:
sql = "select * from content where id = '" & Request.QueryString("id") & "'"
2. He never checked any user input or any query string for dangerous content.
3. When he set up the database he gave admin privileges to the database userid the web site used.
That was his side of the story. The attacker’s side went like this. They used the query string to inject a huge sql statement that they hid in a hex-encoded number.
page.aspx?id=29;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44 ... 200%20AS%20NVARCHAR(4000));EXEC(@S);--
I cut out the full number because it was almost 2k digits long. This huge string of hex digits was cast into a very clever set of sql statements that opened a cursor on the sysobjects and syscolumns tables and updated every character type column by adding that script tag to it.
One clever thing about this is that all of the articles I read when I was researching what to do mentioned looking out for strings such as “select”, “drop”, “insert” and “update” but not one mentioned “declare”, “set” or “cast”. Of course catching the “;” would have prevented the attack and most articles did mention that.
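An added example (not code from the original post or the client’s site) that checks logged request URLs for the tokens that were actually visible in this attack, and decodes a CAST(0x… AS NVARCHAR) blob so you can read what it hides. The sample URLs and the hidden text are constructed, and the rule names and `inspect_request` are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Rule names are assumptions of this example. The first rule is the usual
# keyword list; the rest are the tokens visible in the request shown above.
RULES = {
    "classic-keyword": re.compile(r"\b(select|drop|insert|update)\b", re.I),
    "stacked-statement": re.compile(r";"),
    "declare-variable": re.compile(r"\bdeclare\s+@", re.I),
    "cast-hex-literal": re.compile(r"\bcast\s*\(\s*0x[0-9a-f]", re.I),
    "dynamic-exec": re.compile(r"\bexec\s*\(", re.I),
}
HEX_CAST = re.compile(r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar", re.I)


def inspect_request(url):
    """Return (names of matching rules, decoded hex payloads) for one URL."""
    query = unquote_plus(urlsplit(url).query)
    hits = [name for name, rule in RULES.items() if rule.search(query)]
    decoded = []
    for digits, wide in HEX_CAST.findall(query):
        if len(digits) % 2:  # assumption: treat an odd digit count as 0-padded
            digits = "0" + digits
        raw = bytes.fromhex(digits)
        # NVARCHAR data is UTF-16LE; for VARCHAR, latin-1 is an approximation.
        decoded.append(raw.decode("utf-16-le" if wide else "latin-1", "replace"))
    return hits, decoded


# Constructed samples: two ordinary requests and one in the shape shown above,
# carrying harmless text instead of SQL inside the hex literal.
HIDDEN = "constructed sample text"
SAMPLE_URLS = [
    "/page.aspx?id=29",
    "/search.aspx?q=cast+iron+set",
    "/page.aspx?id=29;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + HIDDEN.encode("utf-16-le").hex()
    + "%20AS%20NVARCHAR(4000));EXEC(@S);--",
]

if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample[:40], *inspect_request(sample))
```

The classic keyword rule stays silent on the third sample while the other four fire, and the decoded text is what tells you which tables and columns to check during cleanup.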
So, how were the attacks handled?
I created a function that handled the single quote issue and nuked the naughty words (like “declare”, “select”, etc.). Then two other developers and I went through the 500+ locations in the code where the !@#%$^ who created the site had built his sql statements by concatenating strings with variables, and we wrapped every variable and every Request.QueryString("paramname") in a call to the function. Tedious in the extreme, but necessary.
And it worked. I know that because they have tried the attack several times since (robots never give up) and it has not succeeded. So when you do a Google search for that script tag you won’t find my client’s web site in the results.
So, how do you avoid SQL Injection Attacks?
- Never build sql statements by concatenating strings and variables.
- Use parameters (such as SQLParameter or OLEDBParameter or whatever the equivalent is in your language of choice) in your database calls.
- Validate user input and URL query strings so you detect and reject potentially dangerous entries.
- Limit how much a user can enter in text boxes so they can’t add on a bunch of sql statements.
- If you are stuck with an existing site that is wide open to attack, then wrap every variable and every use of the URL query string in a call to a sanitizing method.
- Get educated on SQL Injection Attacks. Read the resources below and anything else you need to until you get the idea.
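The first four points above as an added example, not code from the original site: the `id` value is length-limited, validated as digits and bound as a parameter. Python’s sqlite3 stands in for SQL Server and SqlParameter here, and the table rows, function names and the shortened attack value are constructed for illustration.

```python
import sqlite3

# Constructed value in the shape of the request shown above (hex cut to 0x00).
ATTACK_ID = ("29;DECLARE @S NVARCHAR(4000);"
             "SET @S=CAST(0x00 AS NVARCHAR(4000));EXEC(@S);--")


def open_demo_db():
    """In-memory stand-in for the site's content table (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, body TEXT)")
    db.executemany("INSERT INTO content VALUES (?, ?)",
                   [(29, "About us"), (30, "Contact")])
    return db


def parse_id(raw, max_len=9):
    """Validate the id query-string value: present, short, ASCII digits only."""
    if not raw or len(raw) > max_len or not (raw.isascii() and raw.isdigit()):
        raise ValueError("id must be 1 to %d decimal digits" % max_len)
    return int(raw)


def get_content(db, raw_id):
    """Validated lookup; the id is bound as a parameter, never concatenated."""
    row = db.execute("SELECT body FROM content WHERE id = ?",
                     (parse_id(raw_id),)).fetchone()
    return row[0] if row else None


def get_content_unvalidated(db, raw_id):
    """Binding alone: the raw text is compared as one value, not parsed as SQL."""
    row = db.execute("SELECT body FROM content WHERE id = ?",
                     (raw_id,)).fetchone()
    return row[0] if row else None


def table_snapshot(db):
    """All rows, used to confirm nothing was modified."""
    return db.execute("SELECT id, body FROM content ORDER BY id").fetchall()


if __name__ == "__main__":
    db = open_demo_db()
    print(get_content(db, "29"))
    print(get_content_unvalidated(db, ATTACK_ID), table_snapshot(db))
    try:
        get_content(db, ATTACK_ID)
    except ValueError as exc:
        print("rejected:", exc)
```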
Some resources on SQL Injection Attacks: