April 2009 - Posts
A web page that has not been attacked by the security team, or by its own developers and testers, before going live can be considered insecure, because nobody knows how it behaves under attack. Unfortunately there are many web pages that are not secure and have not even been tested with security in mind. If some of these web pages happen to be e-commerce sites, it is not hard to guess what kind of data about us an attacker may find in such a system. How can we be sure that our systems are protected against attacks?
You can see here red dudes who are actively attacking the system that is developed and maintained by blue guys who believe their system is safe enough.
As I have found out, the best way to make systems safer is to try to attack them. Yeah, right: you write a system, put it up and then try to hack and attack it. If you have done something like this before you will be surprised how many hidden problems you can find.
I had some training once where we were on the side of the bad guys and attacked different systems to get some data or to gain control over the server or the system itself. It was a very good experience because I had never attacked anything under the guidance of a pro who knows a lot about security. I suggest this kind of training to you as well – if you know how your enemy thinks and acts you have a much better chance to win the battle.
Of course, take these actions *BEFORE* going public, and also warn customers about the security tests so you don’t scare the s*it out of them.
Those who have read the adventures of Shvejk may find this exercise a little bit familiar.
Take a look at these two lines copied from a SharePoint log file.
Application error when access /editprofile.aspx, Error=Value does not fall within the expected range. at Microsoft.SharePoint.SPFieldCollection.GetFieldByInternalName(String strName, Boolean bThrowException) at Microsoft.SharePoint.SPFieldCollection.GetFieldByInternalName(String strName) at ProfilePages.ProfileEditPage.GetFieldId(String internalName) at ProfilePages.ProfileEditPage.saveButton_Click(Object sender, EventArgs e) at System.Web.UI.WebControls.Button.OnClick(EventArgs e) at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceCont...
...rol, String eventArgument) at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
Find the name of the missing field and the list in which the missing field was searched for. You can post a correct answer to my e-mail. :)
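What the trace does not record is the very thing that would make it useful: which list and which internal field name GetFieldId was asked for. The trace shows that GetFieldByInternalName has a two-argument overload with a bThrowException flag; the class below is an added example (not the post's own code) that passes false, gets null back for a missing field and raises an exception that names both the list and the field. FieldLookup and the SPList parameter are names chosen for the example.

```csharp
// Added example, not the original post's code. GetFieldId in the trace above
// lets GetFieldByInternalName throw its generic ArgumentException; this version
// asks for null instead and names the list and field in the exception it raises.
using System;
using Microsoft.SharePoint;

public static class FieldLookup
{
    // list: the SPList whose Fields collection is searched (an assumption for
    //       this example; the page's own code obtains the list elsewhere).
    // internalName: the internal (not display) name of the wanted field.
    public static Guid GetFieldId(SPList list, string internalName)
    {
        if (list == null) throw new ArgumentNullException("list");
        if (string.IsNullOrEmpty(internalName)) throw new ArgumentNullException("internalName");

        // With bThrowException = false the method returns null when the field
        // is missing instead of "Value does not fall within the expected range".
        SPField field = list.Fields.GetFieldByInternalName(internalName, false);
        if (field == null)
        {
            // Now the logged message carries the two names the trace in the post lacks.
            throw new ArgumentException(string.Format(
                "Field '{0}' was not found in list '{1}' at {2}",
                internalName, list.Title, list.ParentWeb.Url));
        }
        return field.Id;
    }
}
```

With this in place the application error line in the log answers the question above by itself instead of leaving it as a puzzle.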
Another day, another lesson. This time I struggled with the following error: “The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.” This error occurs when you are on a custom form and try to save a list item. I am sure that one can find many more scenarios where this error occurs. As usual, the log contains the error but not the information.
For me it was enough to turn off the form digest settings.
// assign values to list item fields
var site = SPContext.Current.Site;
var digestSettings = site.WebApplication.FormDigestSettings;
// remember the current setting so it can be restored afterwards
var settingsEnabled = digestSettings.Enabled;
try
{
    digestSettings.Enabled = false;
    Item.Update();
    Item.ParentList.Update();
}
finally
{
    // restore the digest check even if Update() throws
    digestSettings.Enabled = settingsEnabled;
}
Hope it helps somebody.
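The form digest is SharePoint's check that a postback really came from a page it served to this user, which is its protection against forged requests, so while it is switched off on the web application every save the setting covers goes through unchecked, not only this one. The alternative is to give the custom form a digest and validate it in the postback handler. The following is an added example, not the post's code: it assumes a FormDigest control on the custom form (with the SharePoint tag prefix registered as on any application page), and the CustomItemForm class, the saveButton_Click handler and the Item property are names chosen for the example.

```csharp
// Added example, not the original post's code. Keeps SharePoint's form digest
// enabled and lets the custom form satisfy it instead of disabling the check.
//
// Markup assumed on the custom form (the SharePoint tag prefix is registered
// as on any application page):
//   <SharePoint:FormDigest runat="server" />
using System;
using System.Web.UI;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public partial class CustomItemForm : Page
{
    // Assumed to be the SPListItem bound to this form elsewhere in the page.
    protected SPListItem Item { get; set; }

    protected void saveButton_Click(object sender, EventArgs e)
    {
        // Reject the postback unless it carries a digest issued for this user and site.
        // A valid digest also marks the request as validated, so the updates below
        // no longer raise "The security validation for this page is invalid."
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("The security validation for this page is invalid.");
        }

        // assign values to list item fields ...
        Item.Update();
        Item.ParentList.Update();
    }
}
```

The difference from the snippet above is where the decision is made: the digest stays on for the whole web application and only this form, which has a digest to present, passes the check.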
I needed slightly customized forms that look similar to the standard ones for one SharePoint solution. I have a list with many fields, and it is very inconvenient for users to fill in these fields if they simply follow one after another. As there is no simple solution for this, I created my own.
The following screenshot gives you a good example of one thing I wanted.
Creating such blocks for fields is not a complex thing to do. Getting those checkboxes after the fields required a slightly dirty hack. If you want to know how to build forms that look like SharePoint default forms, you may be interested in the InputFormSection control.
Now look at the following mess and compare it to the InputFormSection example I referred to before. You can see some table tags. InputFormTextBox has no <table /> around it but InputFormCheckBox does – why? Because InputFormCheckBox is rendered so that it sits inside a table row (<tr/>).
<table border="0" cellpadding="0" cellspacing="0" width="400px">
  <wssuc:InputFormSection runat="server" id="firstNameSection" Visible="True">
    <template_title>
      First name <span class="ms-formvalidation">*</span>
    </template_title>
    <template_inputformcontrols>
      <wssuc:InputFormControl runat="server" Visible="True">
        <Template_Control>
          <table border="0" cellpadding="0" cellspacing="0">
            <tr>
              <td>
                <SharePoint:InputFormTextBox class="ms-input" ID="firstNameField" width="300" Runat="server" />
              </td>
              <td>
                <table border="0" cellpadding="0" cellspacing="0">
                  <SharePoint:InputFormCheckBox class="ms-input" ID="showFirstNameField" Runat="server" Text="Public" />
                </table>
              </td>
            </tr>
          </table>
          <asp:Label runat="server" id="firstNameErrorLabel" Visible="false" CssClass="ms-formvalidation"></asp:Label>
        </Template_Control>
      </wssuc:InputFormControl>
    </template_inputformcontrols>
  </wssuc:InputFormSection>
  <wssuc:InputFormSection runat="server" Description="" id="lastNameSection" Visible="True">
    <template_title>
      Last name <span class="ms-formvalidation">*</span>
    </template_title>
    <template_inputformcontrols>
      <wssuc:InputFormControl runat="server" Visible="True">
        <Template_Control>
          <table border="0" cellpadding="0" cellspacing="0">
            <tr>
              <td>
                <SharePoint:InputFormTextBox class="ms-input" ID="lastNameField" Runat="server" width="300" />
              </td>
              <td>
                <table border="0" cellpadding="0" cellspacing="0">
                  <SharePoint:InputFormCheckBox class="ms-input" ID="showLastNameField" Runat="server" Text="Public" />
                </table>
              </td>
            </tr>
          </table>
          <asp:Label runat="server" id="lastNameErrorLabel" Visible="false" CssClass="ms-formvalidation"></asp:Label>
        </Template_Control>
      </wssuc:InputFormControl>
    </template_inputformcontrols>
  </wssuc:InputFormSection>
</table>
When using this solution one also has to code the saving functionality. In my case that was just what I wanted – I have some complex logic behind my form that I want to handle, so I can also control what is going on in the form. If you want to avoid coding you should use some other workaround.
The Nz() function is a kinky creature in Access VBA. It is called “null to zero” but it hardly has anything to do with zeros. For me this function is a good shortcut for a gangsta rapper street name – NullZ. Well, what was most confusing for me was the fact that one needs to give this function a replacement value for Null if an empty string is not enough for numbers.
After this assignment:
i = Nz(Rs("Size"))
the value of i is an empty string. If we want Nz() to return zero, we need to write it this way:
i = Nz(Rs("Size"), 0)
I have to say that Nz() was a very memory-refreshing experience after a long time without any VBA code. :)
I am currently writing one simple web application that runs in a usual hosting environment and also in the Azure environment. The web application is already hosted on CodePlex, and during the next two months I will publish the application binaries and also the source code. I tested my application in the Azure environment, and here are some screenshots I made.
1. Starting with new project
2. Project dashboard
3. Deployment form
4. Files are ready to upload
5. Upload is in progress
6. Package deployment
7. Allocating instances
8. Initializing instances
9. Application started
Note one thing. In the 7th and 8th screenshots there is the number 2 written after the current activity on a grey bar. The last screenshot has the number 1 there. The point is simple. On my development machine I configured my web application to use two application instances. In the Azure environment only one instance is allowed for me. That’s where the difference comes from.
After reading the books Ship it! and The Pragmatic Programmer (I suggest you read both of them) I got some proof that I am right and that the fast way I sometimes like to move is not my personal bad behaviour but a suggested way to develop software. Officially it is called tracer bullet development. This method suggests that you write some code to make the system work for the customer so they can see how the system is planned. But this is not the usual prototyping procedure; it involves some real coding work too.
What is tracer bullet?
Shooting in the dark is harder than it may seem at first, because we cannot see where our bullets are going and what they hit. To get some idea of where we are shooting we can use tracer bullets. These bullets draw a glowing trace in the air when shot from a gun.
Photo made in the first months of the Winter War near the Finland-Russia border. The white traces in the sky are traces of tracer ammunition. Copyright of this photo belongs to the Finnish Defence Forces.
Tracer bullets show only the direction; they don’t show where the enemy is or exactly where the bullets fly. Now think for a moment and read the last sentence three more times. We get only an idea about the direction and that’s it.
Tracer bullet development
Software development is somehow similar to shooting in the dark. The less we can communicate with the customer, the more probable it is that we miss the target. There are also other dangerous factors like managers who have no software development background, unrealistic time schedules etc. (read Death March about how to survive projects that are your worst nightmare). Tracer bullet development is here to help us avoid the mess.
Before coding, developers discuss the interfaces that the different parts of the system use to communicate with each other. Of course, as a result of these discussions there will be an agreement about the interfaces. Now developers can write the system using primitive code that is enough to let the customer see it and play with it. As the project goes on, this demo code is replaced by real code.
It may seem like overkill, especially for large systems. But as we already know, communication errors are usually the most expensive ones in terms of time and money.
For example, to show a login form to the customer we don’t need real code that is covered with all kinds of tests. It is enough to use some test data and dummy objects that just demonstrate how things will work. It is easy to change and modify dummy code. The real code may need design changes in the object model, and changes to dependent classes and tests, if something changes.
Using tracer bullet development we are able to avoid communication misunderstandings at a small cost in time and money. We can be sure that all parties in the project understand each other and that customers get the system they asked for.
I had to write some ASP.NET server controls for our current SharePoint portal project. We have a very nice DIV-based layout, and using standard components that generate tables and a lot of JavaScript seemed to me like a bad idea. I found out that server controls put container tags around their mark-up. I needed my own tags around the output, and I found a way to achieve it.
There are two rendering methods I needed to override: RenderBeginTag and RenderEndTag. By default these methods create <span> and </span> tags before and after the web part output respectively. When creating web parts, DIV tags are created instead of SPANs. Now let’s remove these tags. You need only these two simple overrides:
// render nothing instead of the default opening container tag (<span> or <div>)
public override void RenderBeginTag(HtmlTextWriter writer)
{
}

// render nothing instead of the matching closing tag
public override void RenderEndTag(HtmlTextWriter writer)
{
}
That’s it.
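The two empty overrides drop the container altogether. If you want your own tag around the output instead, the same two methods are the place to emit it. The control below is an added example, not the post's code (DivBoxControl, Text and BoxCssClass are names chosen for it): it opens a DIV in RenderBeginTag, closes it in RenderEndTag, and writes the body through WriteEncodedText so that whatever ends up in Text, including values taken from list items or the query string, is shown as text rather than interpreted as markup.

```csharp
// Added example, not the original post's code. A WebControl that replaces the
// default <span>/<div> container with its own DIV wrapper and HTML-encodes
// everything it emits. Class and property names are assumptions for this example.
using System.Web.UI;
using System.Web.UI.WebControls;

public class DivBoxControl : WebControl
{
    // Text shown inside the box; may originate from untrusted input.
    public string Text { get; set; }

    // CSS class applied to the wrapper DIV.
    public string BoxCssClass { get; set; }

    // Emit our own opening tag instead of the default <span>.
    public override void RenderBeginTag(HtmlTextWriter writer)
    {
        if (!string.IsNullOrEmpty(BoxCssClass))
        {
            // fEncode = true makes AddAttribute encode the attribute value.
            writer.AddAttribute(HtmlTextWriterAttribute.Class, BoxCssClass, true);
        }
        writer.RenderBeginTag(HtmlTextWriterTag.Div);
    }

    // Body of the control: never write raw strings that came from outside it.
    protected override void RenderContents(HtmlTextWriter writer)
    {
        writer.WriteEncodedText(Text ?? string.Empty);
    }

    // Close the DIV opened in RenderBeginTag.
    public override void RenderEndTag(HtmlTextWriter writer)
    {
        writer.RenderEndTag();
    }
}
```

Because RenderBeginTag is overridden, the Attributes and Style collections of WebControl are no longer written automatically; anything the control should carry on its wrapper has to be added there explicitly, as BoxCssClass is.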
When changing tables in SQL Server Management Studio 2008 you may get the following error: Saving changes is not permitted. The changes you have made require the following tables to be dropped and re-created. I was surprised when I saw this message for the first time, but there is a very simple solution.
From the top menu select Tools and then Options. Select Designers and then Table and Database Designers.
Uncheck the box Prevent saving changes that require table re-creation. Now you can edit your tables without being stopped by the re-creation limits.
Update. As mxmissile pointed out in his comment, don't use this on tables with millions of rows.