My Software Notes

Useful things I discover

Archive for the ‘Web Development’ Category

MVC 4 Beta Major Gotcha


After installing MVC 4 Beta, I noticed that Visual Studio 2010 Intellisense had developed a problem in Razor views in MVC 3 projects.  For example ViewBag wasn’t found and neither was Url.

I looked around for solutions and found various suggestions, but none of them worked and then (I’m not sure whether to say “Duh” or not) I found the solution in the release notes: ASP.NET MVC 4 Beta: Known Issues and BREAKING CHANGES.  (See the “Required Updates” section.)

Now I know that ideally I should have looked at the release notes before installing it.  Sure, and ideally I should never drive faster than the speed limit, but this is the real world and the ideal and the actual don’t always coincide.

I really think that the “Known Issues and Breaking Changes” section of the release notes should have their own link (in BIG CAPS) right next to the big green “Install ASP.NET MVC 4 Beta” button on the ASP.NET MVC 4 page, so that idiots like me will pay attention and maybe actually know ahead of time what might break and take the necessary steps.

For the other poor sods who don’t read release notes here are a couple of the searches I can remember I made and hopefully if you search on the same terms you may find this post.

  • MVC 4 Beta breaks Intellisense
  • MVC 3 Razor View Intellisense Not Working

PS: MVC 4 itself is good so far.

Written by gsdwriter

March 5, 2012 at 10:49 am

Podcast Introductions to node.js


I’ve recently come across some good intro podcasts on node.js.

I’ve been listening to the .NET Rocks podcast for a while now and their latest show is a talk with Tomasz Janczuk, the guy at Microsoft who is working on porting node.js to Windows and IIS. It’s a good intro for all types of developers but is probably aimed at .NET devs more than open source or Java devs.

» .NET Rocks – Show 711: Tomasz Janczuk Builds Web Apps with node.js – As well as the basics on what node.js is and how you use it, there is some very good data on when you’d use iisnode versus basic node.exe.

I only came across the Herding Code podcast a few weeks ago, but I like it so much that I’ve already caught up on all the shows for this year and a couple of the earlier ones that covered topics I’m interested in. The four presenters are real pro devs and the discussions are always really lively, funny and interesting.

There are two node.js related shows:

» Herding Code 102: Tim Caswell on Node.js – this is an excellent intro that goes beyond the basics and explains the event loop of node and the non-blocking async programming model it uses. This gives you a good foundation.

» Herding Code 122: Bert Belder on porting Node.js to Windows – This is about more than just porting node to Windows, which is very interesting in itself. It builds on show 102, so listen to that one first.

I hope these are helpful.

Written by gsdwriter

November 2, 2011 at 10:14 am

Installing nodejs and iisnode on Windows


The instructions I used are at WebMatrix and node.js: The easiest way to get started with node on Windows

Here’s how it went for me:

  1. WebMatrix Install:  It took a looooong time to install, about 30 minutes.  I was running quite a few things on my machine at the time, including VS2010 and SQL Mgmt Studio, but it still seemed like a heckuva long time, so be patient.
  2. node.js for Windows Install:  If you save to the default downloads folder in IE9 you’ll get the “This program is not commonly downloaded and could harm your computer” message.  Click on “Actions” > “More actions” and “Run anyway”. Or you can open the folder in Windows explorer and double-click the file.  Once you get that far the rest is easy.  It installs to “C:\Program Files\nodejs”  Add it to your path so you can play with the REPL and can run .js scripts.  Once it’s in your path, just type “node” at the command prompt and there you have a JavaScript REPL!  Or type “node myfile.js” and run JavaScript directly on Windows.  Nice!
  3. iisnode for iis7 express (x86) Install: If you don’t have Microsoft Visual C++ 2010 Redistributable Package (x86) installed then the iisnode installer will tell you that you need it. Just click my link here and get it. It installs easily and then the iisnode install is a piece of cake. (FYI: You’ll have the same “This program is not commonly … etc.” message if you try to run after downloading in IE9 and that’ll happen on the next two also.)
  4. iisnode for iis7 (x86) Install: For my messing about I didn’t really need to install it but I wanted to anyway. There were no issues.
  5. iisnode for iis7 (x64) Install: I didn’t install this, ’cause I’m using a 32 bit machine for this messing about, but if you are installing the x64 version then I’m guessing you’ll need the C++ 2010 redistributable for x64.
  6. node.js templates for WebMatrix: Easy install.  Thanks to Steve Sanderson (the genius behind knockout.js) for the templates

So that’s all it took.  After that I fired up WebMatrix and created a “Hello World” type app, by using the “Node.js Express Site” template.  Then I plowed around in the packages that come with it: express and jade, etc.  It’s just amazing what you can get open source these days.  There is a fabulous community out there in JavaScriptland.

Finally I wrote a quick testme.js file and ran it from the command line.  You can use straight JavaScript and all the “console” object methods you get in a browser.  When you want to test out node’s built-in objects and cool async methods, you’ll need to check out the node.js documentation and maybe the node.js wiki.

If I get some time free and I feel courageous, I might try to figure out how to use VS2010 to write node apps.  If anyone out there has already done it then please leave a comment – no point in re-inventing the wheel.

Happy hunting!

Written by gsdwriter

September 29, 2011 at 8:36 am

Nodejs for Windows and IIS


I’ve been programming a lot of JavaScript recently. I’m really enjoying it as a language. It’s spoiling me for the static languages like C#. (But only a little, after all C# 4 has plenty of dynamic features. In fact, if you use the ExpandoObject you can – to some degree – almost write C# like JavaScript).

Anyway, in expanding my JavaScript horizons I’ve started to dabble with node.js, a server-side implementation of JavaScript.  I’ve been using it mainly for the REPL so I can try out stuff to make sure I’m doing it right.

I installed node.js a month or so ago and it wasn’t too much trouble, but I had to install Cygwin and other stuff with it for it to work on Windows.  I wasn’t interested in taking the time to compile it myself, so I used what the node.js guys were good enough to supply.

I wasn’t looking forward to upgrading though, but Tomasz Janczuk came to my rescue!  He’s been working on making node.js work on not just Windows but also in IIS AND IIS Express.  All the links you need to download node.js are here: Current installation packages for node.js and iisnode for Windows.

Instructions on how to get started using it are here:

The ability to use JavaScript on both the client and the server has tremendous potential for making our lives simpler.  Imagine programming both areas using a single language.  It seems like it’s a ways in the future, but who knows in this industry?

Written by gsdwriter

September 27, 2011 at 2:32 pm

JavaScript: I Repent


I admit it – I have sinned.  I’ve been proud and arrogant.  

For years now I’ve had “JavaScript” listed on my resumé as one of the languages I know.  I listed it because, you know, JavaScript “isn’t really a language anyway” and I can “get by” with what I need to do with it because “nobody really develops with JavaScript” and anyway “JavaScript sucks”.  

Oh, the justifications for my arrogance.  It’s embarrassing now to look back and realize that I was daring to use a language that I knew virtually nothing about.

Well all that has changed.  I repent.  I have seen the light. (Praise dee Lord.  Hallelujah.  Etc., etc., etc.)

I will now admit the truth:  JavaScript is a real programming language.

And (until just a few days ago): I don’t really know how to program with it.

I think Douglas Crockford says it best in his brilliant book “JavaScript: The Good Parts”:

JavaScript is most despised because it isn’t some other language. If you are good in some other language and you have to program in an environment that only supports JavaScript, then you are forced to use JavaScript, and that is annoying. Most people in that situation don’t even bother to learn JavaScript first, and then they are surprised when JavaScript turns out to have significant differences from the some other language they would rather be using, and that those differences matter.

I just read that book from cover to cover and I can now honestly say for the first time that I actually understand JavaScript.  It IS a language and (when you use only the “good” parts) it’s quite an amazing language and (other than its syntax) it is NOTHING LIKE Java or C or C#.

How I program  JavaScript has changed dramatically – there is just no comparison to what I was doing before.

I’ve been regarding jQuery as the “solution” to JavaScript, but now I realize that jQuery is the solution to the DOM and that understanding JavaScript vastly improves my ability to use jQuery well.

If you haven’t read the book “JavaScript: The Good Parts” or watched the video series “Douglas Crockford JavaScript Master Class” then you don’t understand JavaScript well enough to use it correctly and you will be using it as if it is some other language and  making dumb mistakes (just like I did) that will be driving you crazy and making you curse JavaScript and wishing it would be cast into the pit along with whoever came up with it.  

So read the book and watch the videos and you too will see the light. Hallelujah!

Written by gsdwriter

December 19, 2010 at 12:04 pm

Internet Explorer Developer Tools Not Visible


I know that software has to be gotten out and on time, thus we have to triage bugs and sometimes leave a bug in a product because it doesn’t crash it and there is a workaround, but I don’t agree with leaving this one in IE8 Developer Tools.

Here’s the story: 

I try to open the IE8 Developer Tools (F12 or “Tools > Developer Tools”) and nothing happens.

I hunt around and find that the app appears in the taskbar and in the Alt-Tab list but when I select it, nothing happens.

I Google the issue and find this IE 8 Developer Tools not working In Windows?

Some of the suggestions don’t work.  Here is what worked for me in Windows 7:

  1. Select IE in the taskbar
  2. Right-Click on the Developer Tools icon and select “Maximize”
  3. Click on the title bar and pull the app down so that it changes its size to a non-maximized window (It doesn’t work to double-click the title bar, it just minimizes again)
  4. Now close the tools and close IE8
  5. When you open IE8 again open the tools and the app should be a window and not minimized.
  6. I had to do this a few times to get it to work so it’s possible step 4 should be “close IE8 and then close the tools”.

If you find that the tools are somehow off your screen then try this:

  1. Select IE in the taskbar
  2. Select the tools app
  3. Press Alt-tab and then “M” (this opens the application menu and activates “Move”).
  4. Use your keyboard arrow keys to move the app into view.
  5. I haven’t had that problem with the tools, but have with other applications

Sheesh!  What a pain in the butt!

If Microsoft wants to persuade web developers that IE is not the anti-Christ they are not going about it in a very smart way.

Written by gsdwriter

November 18, 2010 at 6:14 am

Posted in Rant, Tools, Web Development

SQL Injection Attacks


I’ve never had to deal with a SQL Injection attack before, mainly because in all the sites I’ve ever created I pass any input from the site to the database in parametrized form.  I have never built SQL statements on the fly by adding user supplied values in strings.

But this week a new client  received such an attack which brought down the corporate web site.  So I had to get involved and figure out what to do.

The intention of the attack was to insert a call to some JavaScript on a remote server into the html of the site, but all they managed to do was make every page fail.  They would have succeeded if it were not for the ineptitude of the web site builder.  He had the content of each page in a table with an integer id, but he used a varchar as the data type of the id.  The text that the attacker injected into all varchar fields made the ids invalid and the select statement trying to get the page failed and returned a null. (What do you call that?  Double Ineptity?)

When I looked into the database I found all character fields were filled with “”.  (BTW, if you Google that string you will find it all over the place, so the incompetent programmer who created my client’s site is not alone.)

The attacker managed to inject the script because:
  1. The guy who created the site put inline sql all over the place.  Here is a sample:

     sql = "select * from content where id = '" & Request.QueryString("id") & "'"

  2. He never checked any user input or any query string for dangerous content.
  3. When he set up the database he gave admin privileges to the database userid the web site used.

That was his side of the story. The attacker’s side went like this.  They used the query string to inject a huge sql statement that they hid in a hex encoded number.

page.aspx?id=29;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x44 ... 200%20AS%20NVARCHAR(4000));EXEC(@S);--

I cut out the full number because it was almost 2k digits long. This huge string of hex digits was cast into a very clever set of sql statements that opened a cursor on the sysobjects and syscolumns tables and updated every character type column by adding that script tag to it.

One clever thing about this is that all of the articles I read when I was researching what to do mentioned looking out for strings such as “select”, “drop”, “insert” and “update” but not one mentioned “declare”, “set” or “cast”.  Of course catching the “;” would have prevented the attack and most articles did mention that.
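An added example, not code from the original post or the client's site: a Python check that URL-decodes a requested URL, flags the DECLARE / CAST(0x…) / EXEC shape quoted above, and decodes the hex literal so a responder can read what it hides, next to the keyword list that misses it. The request lines are constructed, and the short hex value is a harmless stand-in because the real one is elided on this page.

```python
import re
from urllib.parse import unquote_plus

# Keyword list the post says most articles recommend watching for.
NAIVE_KEYWORDS = ("select", "drop", "insert", "update")
# Shape of the request quoted above: CAST(0x<hex> AS NVARCHAR(...)) ... EXEC(@S)
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?)VARCHAR", re.I)
EXEC_VAR = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.I)

# Constructed request lines. The hex blob is a harmless stand-in
# ("SELECT 1" as UTF-16LE), not the payload from the incident.
SAMPLE_REQUESTS = [
    "/page.aspx?id=29",
    "/page.aspx?id=29;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST("
    "0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);--",
]

def naive_filter_hits(url):
    """True if the decoded query contains one of the commonly listed keywords."""
    query = unquote_plus(url.partition("?")[2]).lower()
    return any(word in query for word in NAIVE_KEYWORDS)

def inspect_request(url):
    """Return (reasons, hidden_sql) for one requested URL."""
    query = unquote_plus(url.partition("?")[2])
    reasons, hidden = [], []
    if ";" in query:
        reasons.append("statement separator in query string")
    if EXEC_VAR.search(query):
        reasons.append("EXEC of a variable")
    for digits, wide in HEX_CAST.findall(query):
        reasons.append("hex literal cast to character data")
        # Drop a dangling half-byte so truncated log entries still decode.
        raw = bytes.fromhex(digits[: len(digits) // 2 * 2])
        # NVARCHAR data is UTF-16LE; VARCHAR is treated as single-byte here.
        hidden.append(raw.decode("utf-16-le" if wide else "latin-1", errors="replace"))
    return reasons, hidden

if __name__ == "__main__":
    for url in SAMPLE_REQUESTS:
        reasons, hidden = inspect_request(url)
        print(naive_filter_hits(url), reasons, hidden)
```
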

So, how were the attacks handled?

I created a function that handled the single quote issue and nuked the naughty words (like “declare”, “select”, etc.).  Then two other developers and I went through the 500+ locations in the code where the !@#%$^ who created the site had built his sql statements by concatenating strings with variables and we wrapped every variable and every Request.QueryString("paramname") in a call to the function.  Tedious in the extreme, but necessary.

And it worked.  I know that because they have tried the attack several times since (robots never give up) and it has not succeeded.  So when you do a Google search for that script tag you won’t find my client’s web site in the results.

So, how do you avoid SQL Injection Attacks?

  • Never build sql statements by concatenating strings and variables.
  • Use parameters (such as SQLParameter or OLEDBParameter or whatever the equivalent is in your language of choice) in your database calls.
  • Validate user input and URL query strings so you detect and reject potentially dangerous entries.
  • Limit how much a user can enter in text boxes so they can’t add on a bunch of sql statements.
  • If you are stuck with an existing site that is wide open to attack, then wrap every variable and every use of the URL query string in a call to a sanitizing method.
  • Get educated on SQL Injection Attacks.  Read the resources below and anything else you need to until you get the idea.
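The parameter, validation and length-limit recommendations above, as an added example rather than code from the original site: the id is accepted only as a short run of digits and is then passed as a bound parameter instead of being concatenated into the statement. Python's sqlite3 stands in for the site's database; the `body` column and `MAX_ID_DIGITS` are assumptions, and `PAYLOAD` is constructed in the shape of the quoted request with a placeholder hex value.

```python
import sqlite3

MAX_ID_DIGITS = 9  # assumption: page ids fit comfortably in a 32-bit integer

# Constructed input shaped like the request quoted in the post (hex is a placeholder).
PAYLOAD = "29;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x00 AS NVARCHAR(4000));EXEC(@S);--"

def parse_page_id(raw):
    """Accept only a short run of ASCII digits; reject everything else."""
    if not (raw.isascii() and raw.isdigit() and len(raw) <= MAX_ID_DIGITS):
        raise ValueError("id must be a positive integer")
    return int(raw)

def get_page(conn, raw_id):
    """Validated lookup: the id travels as a bound parameter, never as SQL text."""
    page_id = parse_page_id(raw_id)
    row = conn.execute("SELECT body FROM content WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None

def get_page_bound_only(conn, raw_id):
    """Binding without validation: the whole payload is compared as one value."""
    row = conn.execute("SELECT body FROM content WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None

def demo_db():
    """In-memory table named after the one in the post's sample query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, body TEXT)")
    conn.execute("INSERT INTO content VALUES (29, 'About us')")
    return conn

if __name__ == "__main__":
    conn = demo_db()
    print(get_page(conn, "29"))                 # normal request
    print(get_page_bound_only(conn, PAYLOAD))   # payload matches no row
    try:
        get_page(conn, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
```
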

Some resources on SQL Injection Attacks:

Written by gsdwriter

July 2, 2009 at 12:21 pm

Posted in Database, Design, Web Development
