April 2004 - Posts

It has been a long time since I posted something, but here I am again. It's a very busy time right now: some exams, loads of school tasks, some websites, etc.

And also, a talk I had to prepare for class. One that I'm going to share with you.

I'll have to disappoint non-Dutch readers though: the slides are written in Dutch, as it was a local session. You could always look at the code though.

The subject was 'Writing Secure ASP.NET'. Covering :
  • Cross-site Scripting
  • SQL Injection
  • Hashing passwords
  • IOPermissions by default
  • Unsafe DSN (DSN with password included)
The code for the first three demos should be self-explanatory. For IOPermissions I showed a file browser that could browse through the whole system on a default ASP.NET installation. And for the unsafe DSN, I listed the system DSNs (or used a demo DSN), showed the tables in it (MySQL only) and executed a query against it.

You can find all files here: SecureASPNET.ppt (227k) and Demo.zip (205k).

with 6 comment(s)

I just received the 01/2004 edition of the Codezone magazine.

If you aren't subscribed yet, go get it now! (yes, it's free)

It's written in English. And I believe it comes from Microsoft Germany (at least, that's where it was sent from according to the envelope).

with 2 comment(s)
I started working with NUnit a couple of days ago and here is my first attempt at creating something in this new style:

Error Reporting To The EventLog - NUnit.

It's very weird to switch to Test Driven Development; I still have to get the hang of it.

If anybody has any comments on what I created so far, if it's good or bad, please say so, I'd like to know if that's the way others use NUnit.
with no comments
This post moved to http://blog.cumps.be/explorer-bug-long-path-damaged-directories/ with additional screenshots and reproducing it in Vista.
with 3 comment(s)
Currently I'm playing around with IIS and C#, and something I discovered is the following:

First, take a look at the FrontPageWeb property available in the IIS Metabase.

This says 'Setting FrontPageWeb to true causes FrontPage Manager to create the files required for FrontPage Server Extensions. Setting FrontPageWeb to false causes these files to be deleted.'.

Everything seemed all right; just like every other property, I set it to true and expected it to work. Like this:
// Needs a reference to System.DirectoryServices (ADSI access to the IIS metabase)
using System.DirectoryServices;

// First we get the ADSI object representing our web server
DirectoryEntry iisServerRoot = new DirectoryEntry("IIS://localhost/W3SVC");

// We create a new site with the specified site id
DirectoryEntry deNewWwwSite = (DirectoryEntry)iisServerRoot.Invoke("Create", "IIsWebServer", 10);

// Supposed to make FrontPage Manager provide the files for the FrontPage Extensions
deNewWwwSite.Properties["FrontPageWeb"][0] = true;

// Write the new entry and its properties back to the metabase
deNewWwwSite.Invoke("SetInfo");
deNewWwwSite.CommitChanges();

deNewWwwSite.Close();
deNewWwwSite.Dispose();
(Most stuff left out)

Well, it didn't work. In IIS it would still say FrontPage Extensions were not present, and the directories didn't get made.

I looked everywhere to find something else involving FrontPage, without any luck.

But then I found KB article 300543. And although it's talking about IIS 4.0, 5.0 and 5.1, it works on IIS 6.0 as well.

So here you go, to install FrontPage Extensions you have to run:
"C:\Program Files\Common Files\Microsoft Shared\web server extensions\50\bin\owsadm.exe" -o install -p /LM/W3SVC/SITEID -u USERNAME -sp publish

And to uninstall them:
"C:\Program Files\Common Files\Microsoft Shared\web server extensions\50\bin\owsadm.exe" -o fulluninstall -p /LM/W3SVC/SITEID -u USERNAME
with 1 comment(s)
.NET gave me an error... A 'Catastrophic failure'.

What's this? Did somebody run out of inspiration? Every failure is bad! Should I now throw error messages at users stating:
  • Disastrous failure.
  • Terrible failure.
  • Awful failure.
  • Dreaded failure.
One of my hard disks crashed two days ago. That is a catastrophic failure!

To read more on error messages, check this: A Review of Error Messages. Make sure to think about the error messages you're giving your users!
with 7 comment(s)
Today I was looking over a project I'm working on currently, more specifically, at the SQL queries in it.

I come from a PHP background, where there is no such thing as parameterized queries. You simply build your own SQL string and make sure it doesn't contain anything harmful.

So, not having heard of such thing as parameterized queries, I created my SQL statements the same way in C#, until I read about this practice being "not done". So, I wanted to fix it.

I'm using MySQL with the MyODBC driver. But the ODBC provider is tricky: it doesn't support named parameters, so you have to use a question mark as placeholder and add the parameters in the right order.

No problem I thought, this would be a one-minute fix.

This is what I had (I returned an SQL query string at first):
return String.Format("INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) VALUES('{0}', '{1}', {2}, {3});", strFName, strGeslacht, intKlas, klKlas.Id);
And I changed it to:
// Needs: using System.Data.Odbc;
OdbcCommand insertCmd = new OdbcCommand("INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) VALUES('?', '?', ?, ?);", zosaDb);

// Positional parameters: the order has to match the order of the ? markers
insertCmd.Parameters.Add(new OdbcParameter("", strFName));
insertCmd.Parameters.Add(new OdbcParameter("", strGeslacht));
insertCmd.Parameters.Add(new OdbcParameter("", intKlas));
insertCmd.Parameters.Add(new OdbcParameter("", klKlas.Id));
return insertCmd;
What did this insert in my database? Well it added a question mark ;)

So, I went looking for what was wrong... Did I add my parameters in the wrong way? Is there something wrong with MyODBC? After having tried about everything I could think of, it was the middle of the night and I went to bed. But today I tried something else: remove the single quotes. And it worked!
// Needs: using System.Data.Odbc;
OdbcCommand insertCmd = new OdbcCommand("INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) VALUES(?, ?, ?, ?);", zosaDb);

// No quotes around the ? markers: the driver quotes and escapes string values itself
insertCmd.Parameters.Add(new OdbcParameter("", strFName));
insertCmd.Parameters.Add(new OdbcParameter("", strGeslacht));
insertCmd.Parameters.Add(new OdbcParameter("", intKlas));
insertCmd.Parameters.Add(new OdbcParameter("", klKlas.Id));
return insertCmd;
Such a small thing, but I couldn't find it anywhere; nobody ever posted a warning to watch out for this. Having no previous experience with parameters and the question mark, I simply thought it would safely replace the ? with my value, but would still require the quotes for string values.

Don't make the same mistake! It's a stupid one ;)
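To make the three variants concrete, here is an added example (my own code, not the code from the post) that replays them against an in-memory SQLite database from Python's standard library. sqlite3 uses the same positional ? markers as the ODBC provider, so a ? inside quotes is a one-character string literal there too; the one difference is that sqlite3 refuses the surplus bindings where MyODBC silently inserted the literal '?'. The table and column names are taken from the post; the hostile first name and all other values are constructed for the example.

```python
import sqlite3

# Constructed table mirroring the column names used in the post.
SCHEMA = """
CREATE TABLE zosa_Users (
    UserVNaam  TEXT,
    UserNaam   TEXT,
    UserKlasNr INTEGER,
    UserKlas   INTEGER
)
"""

# Constructed attacker input: closes the string literal, supplies its own
# values for the remaining columns and comments out the rest of the statement.
HOSTILE_FIRST_NAME = "Eve', 'admin', 99, 1); --"


def fresh_db():
    """New empty in-memory database with the zosa_Users table."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def insert_formatted(db, first_name, name, klas_nr, klas_id):
    """The original String.Format approach: values pasted into the SQL text."""
    sql = ("INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) "
           "VALUES('{0}', '{1}', {2}, {3});").format(first_name, name, klas_nr, klas_id)
    db.execute(sql)
    return db.execute("SELECT * FROM zosa_Users").fetchall()


def formatted_insert_fails(db, first_name):
    """True if an ordinary value (think O'Brien) breaks the formatted query."""
    try:
        insert_formatted(db, first_name, "Smith", 3, 2)
    except sqlite3.OperationalError:
        return True
    return False


def insert_quoted_placeholders(db, first_name, name, klas_nr, klas_id):
    """The first attempt from the post: '?' inside quotes is a string literal,
    not a placeholder, so the statement only has two real parameters."""
    sql = ("INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) "
           "VALUES('?', '?', ?, ?);")
    try:
        db.execute(sql, (first_name, name, klas_nr, klas_id))
    except sqlite3.ProgrammingError:
        # sqlite3 rejects four bindings for two markers; bind only the two
        # that exist to reproduce what ended up in the table in the post.
        db.execute(sql, (klas_nr, klas_id))
    return db.execute("SELECT * FROM zosa_Users").fetchall()


def insert_parameterized(db, first_name, name, klas_nr, klas_id):
    """The fix: bare markers, the driver quotes and escapes the values."""
    sql = ("INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) "
           "VALUES(?, ?, ?, ?);")
    db.execute(sql, (first_name, name, klas_nr, klas_id))
    return db.execute("SELECT * FROM zosa_Users").fetchall()


if __name__ == "__main__":
    # Injected: the row holds the attacker's name, user name and class, not ours.
    print(insert_formatted(fresh_db(), HOSTILE_FIRST_NAME, "Smith", 3, 2))
    # Quoted markers: two literal '?' strings end up in the name columns.
    print(insert_quoted_placeholders(fresh_db(), "Eve", "Smith", 3, 2))
    # Parameterized: the hostile string is stored verbatim as a first name.
    print(insert_parameterized(fresh_db(), HOSTILE_FIRST_NAME, "Smith", 3, 2))
```

The first call shows why the String.Format version is not just fragile but exploitable: the pasted value ends the statement early and the attacker decides which class id gets stored. The quoted-placeholder version looks parameterized but binds nothing into the string columns, which is the silent failure the post ran into. Only the bare-marker version keeps user input out of the SQL grammar.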
with 10 comment(s)
Something not .NET related, regarding VB6.

Here is some strange behaviour:

Create a new .EXE project with the following References and Components:

References : Microsoft DAO 3.51 Object Library
Components : Microsoft Data Bound Grid Control 5.0 (SP3)

Add a DBGrid to your form with its DataSource set to datQuery (Data).

Add a textbox and a button as well, and put this code in it:
Option Explicit

' Path to the Access database; not part of the original snippet, declare it
' at form level (or set it elsewhere) before running the query.
Private dbPath As String

Private Sub cmdExecute_Click()
    Call LoadTable(txtquery.Text)
End Sub

Private Sub LoadTable(strQuery As String)
    Dim Db As Database, Rs As Recordset

    Set Db = DBEngine.Workspaces(0).OpenDatabase(dbPath)
    Set Rs = Db.OpenRecordset(strQuery)
    ' MoveLast/MoveFirst forces the recordset to be fully populated so RecordCount is correct
    Rs.MoveLast
    Rs.MoveFirst
    Set datQuery.Recordset = Rs

    Me.Caption = "Query - Columns: " & Rs.Fields.Count & " - # Records: " & Rs.RecordCount
End Sub


Run your code, and this is what it should look like:



Now, go to the Custom properties of the DBGrid, to the Layout tab and uncheck 'AllowSizing'.



Run your program again, and now your DBGrid will indicate there are results, but there will be no text, like this:



Why is it doing this? I really have no idea. But the best part is, when you check the AllowSizing property again, it isn't back to normal. It stays broken.

This 'bug' (don't know if it's a bug) was encountered some days ago, I reproduced it this afternoon, and now I installed VS6 SP6, but the bug remains.

If anyone wants a project which has the bug in it, I uploaded something small (30Kb) that got destroyed by this.

Has anyone encountered this as well? And perhaps has an explanation of why it's doing this?

Update: Just when I posted this and looked at my post again, I noticed something: the second screenshot only had 2 columns, so I realised it did fetch the records, but didn't know where to display the data. And when you right-click and choose 'Clear Fields' it works again. But AllowSizing is automatically checked on again. To add some value to this post, maybe anyone knows how to uncheck AllowSizing without the grid resetting its own columns?

with 1 comment(s)