Jake Ashcraft's WebLog

Personal Web Site Starter Kit (Beta2)

2005-04-25T04:26:00Z

At first glance the Personal Web Site starter kit (PWSK) appeared to be really cool for beginners. I decided that I was going to create a site with the PWSK for my daughter. Because the starter kit boasted some nice out of the box features such as manageable photo albums.

So I got some hosting setup, created the site, and copied the files over and come to find out, Crystal Tech doesn't support SQL Express. So I reproduced the required databases for SQL 2K and got it working. Well, at least it appeared to be working. Shortly after adding photos, logging in and out, the system began to error out. I would receive the following error.

Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.

After some investigation it appears that in the PhotoManager.cs class all connections being opened are never closed. So I made some modifications to the functions and copied the new version up. Well, so far so good. Everything is working fine, connections are ok but now I have discovered another problem. I uploaded about 25 photos. In the PWSK all photos are stored in the Photos table. My 25 photos consume roughly 11MB. Well, much to my surprise, when you navigate to the main page, some initialization takes place and it loads all the photos into memory from the first photo album. This really sucks because not I have to sit and wait for all photos to download.

So in the meantime I will work around this by having my first photo album contain only 1 or 2 photos in it. Needless to say, I am a little disappointed.

I would be interested to hear in anyone else's experiences with this.

mscorcfg.msc missing in .net redist beta2

2005-04-22T22:22:00Z

If you have ever worked with partial or full trust, you are most certainly familiar with the Microsoft .NET Framework 2.0 Configuration (mscorcfg.msc) utility. However, if you install the .net 2.0 redistributable for beta2 on a machine, you will find that the utility is gone. Installing VS.NET 2005 Beta2 has this file but where has it gone in the redistributable?

If anyone has any ideas, please let me know.

Enable intellisense with for WiX using VS.NET 2005

2005-03-15T17:28:00Z

Over the past couple weeks I have been working with WiX in an attempt to convert all of our Wise built setups. Although tough at times, WiX has proven to be a very valuable toolset. If you, like my organization have already made the switch to VS.NET 2005, you know that there isn't a whole lot of support yet.

Some of you might be aware of an addin for VS.NET 2003 called Votive. This addin allows you to create WiX projects and has nice features such as intellisense. However, this application is not supported under VS.NET 2005.

If you want to have intellisense in your wxs file using VS.NET 2005, you can do a simple change to make this happen.

First, copy the wix.xsd file to the same directory location as your wxs file.

Next, open your wxs file and modify the wix node from:

That's it, open your wxs file in VS.NET 2005 and intellisense will be enabled.

Also note that this is not specific to VS.NET 2005, you can do this in 2003 as well.

I hope this proves to be useful to someone.

- jake

Voted

2004-11-03T00:36:00Z

Today was my first time voting in a presidential election and I have to say...it was so liberating! I was in and out in 10 minutes. I have heard stories about people waiting in lines for hours but I didn't have a line at all.

Needless to say, my experience during my very first presidential vote was a good one!

Coding Best Practices Using DateTime in the .NET Framework

2004-06-17T22:51:00Z

This article makes good background reading for anyone writing software which deals with time-series data:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndotnet/html/datetimecode.asp

To busy to blog

2004-03-03T23:01:00Z

Yes, I am still alive, just been busy. Between writing code and playing on the weekends, I have not had the time to blog as much as I would like.

I did run into something interesting though. The documentation for HttpContext.Cache indicates that it returns a Cache object for the current request. So, it was to my understanding that the cache object would be unique to each request. Nope, that isn't the case. So if you did something like:

string someString = “Test“;

System.Web.HttpContext.Current.Cache.Insert(”somekey”, someString);

Then from a seperate machine read the cache like:

string s = (string) System.Web.Current.Cache[”somekey”];

The string value s would in fact be the value “Test“.

Could the MS documentation be wrong? Perhaps I am missing something. I have found several sites that indicate that the HttpContext.Cache is per user and HttpRuntime.Cache is global but this doesn't seem to be accurate.

ASP.NET Road Show notes

2004-01-20T07:06:00Z

Greg was kind enough to provide some notes that he took at the ASP.NET Road Show event.

------------------------

ASP.NET EXPOSED 01/15/04

Part I: A Brief Intro to ASP.NET

ASP.NET Tips and Tricks

Part II: Preventing attacks, ASP.NET "Whidbey"

Wait page

Uploading files and to SQL Server

Cross-site scripting attacks

SQL Script injection attack

Whidbey=.NET 2.0 & VS.NET 2.0

Contact: rhoward@microsoft.com

rhoward@devadvice.com

http://weblogs.asp.net/rhoward

Http://www.asp.net/forums

http://www.asp.net/whidbey

http://www.asp.net/roadshow

Classic ASP: Bad

Way too much code required

Applications contain spaghetti code

Limited language support

weak tools

Deployment can be difficult

Components were a disaster: to update a component: stop web service, unregister components, register new component, restart IIS.

ISAPI Filters & ISAPI Extensions

ASP.NET:

Dramatically easier to build dynamic web pages: validation, data manipulation, PostBack, State Better support for different clients: rich support for devices Cleaner code organization: code no longer has to be mixed with HTML Declarative server-side UI control model: great way to encapsulate functionality Rich extensibility model: Extend ASPNET for your custom solutions

ASP.nET worker process:

ASP.NET runs inside a dedicated worker process - it's not part of IIS other than request/response.

Modules-like an ISAPI filter

Page Handler-gets the page off the disk or cache ASPX Engine - takes files, DLLs assemblies and code-behind and makes a single class file and puts it into cache. The page class is JIT compiled based on the processor architecture (Centrino, Athlon) compile in memory and then generate the response.

On 2nd request it goes straight into the class instance in memory.

Strong-typing variables are key to performance of asp.net vs. asp classic.

It's not necessary to use VS.NET

Remember the ASP.NET Trace object that allows the trace.write method. It won't write to the page unless you turn the tracing on.

<%@ page trace="true" %>

Cross-site scripting attacks (XSS): these occur when someone enters data that includes angle brackets, with and without the percent signs. It is possible to turn off the XSS catcher, look at the notes later.

Development Tips & Tricks:

File Uploading: Built-in file upload support - No posting acceptor required & no third party components required.

Request.PhysicalApplicationPath

Path.GetFileNam(MyFile.PostedFile.Filename)

Exception!! Because the directory hasn't been created yet!

By default ASp.NET cannot write to your file system!!

You have to grant asp.net the privilege to write to your disk.

The maximum upload size is 4megs because a large file can serve as a denial of service attack.

<system.web><maxlengh can be changed in global.asax.

Don't make your directories accessible because it's possible for someone to upload to that directory executable code, some of which may be able to grab database passwords, etc.

FTP is better for huge upload files.

Otherwise some asp.net threads will e waiting around doing nothing. If you get a ton of uploads, threads will be taken up doing that work while other work stacks up in a queue. Not good.

Use a dedicated server to do file uploads is a good solutions - get it out of your main application path.

Or, you could have it run in its own process, so that the regular threads can process regular web requests.

enctype="multipart/form-data" is important to use in the form attribute for an upload form.

It's possible to upload files into SQL server. You can get the content type. This way, you can tell the browser what type of data is being sent back down. So something like IE can open its version of Excel or Word, etc.

This way, you man never need to write anything out to the disk, you can just write it to SQL server.

You can get an inputstream.length and the content-type and then dynamically construct a parameterized SQL statement.

response.contenttype

and response.outputstream.write()

Use of stored procedures is recommended whenever possible. Otherwise people can put escape statements into the SQL being run.

Less secure are those queries that are built dynamically from text statements.

Small/Large object mapping if under

ASP.NET Exposed #2

Image Generation

Rich server image generation

Read/write any standard IO Stream

System.Drawing

Dynamically generate GIFs/JPGs from .aspx Use ASP.NET Page Sets content type to image/fig

Keep in mind output caching when you're making dynamic images.

output Cache

<%@ OutputCache Duration="60" VaryByParam="none" %>

Page Output Caching

Cache contents of page to memory

Reused cached page on subsequent requests.

Microsoft Application enter Test ships with Enterprise or you can use Web Stress Tool from MSDN.

You can set up a test script and then run it, it will start throwing load against the application. You can see that it's doing the # of requests per second. Here's how you can test output caching.

The difference in performance is absolutely phenomenal.

IIS 6 also has kernel caching - which is even faster than before. In tests they're more likely to bump into NIC or bandwidth ceilings than in web server performance ceilings.

You could set the duration very low - like one second, which forces the page to run fully from code, the performance gains are still nearly as impressive as when using duration=60

Browser progress Page:

Expedia style "searching" page

Implementation: intermediate PageLoading.aspx page

Thread.sleep(10000) can simulate a work process.

Using JavaScript.....

has no server-side code:

body onLoad

frame1.document.location=pleasewait.htm - a moving image that says "please wait"

(you can also get this code from the road show website in case you forget to type in something)

Whidbey has asynchronous thread work. It can start a process, then free up the thread while the process is running, then it can start up again.

Two types of attacks

system level attacks

Exploit vulnerabilities in web servers

ISAPI DLL buffer overflows (code red/Nimda) IIS Unicode directory traversal (SadMind)

Solution: Up-to-date security patches

Application-level attacks

Exploit vulnerabilities in your code

Solution: code against them

SQL Injection Attacks

Exploits unfiltered inputs

Input from <form> tags

i.e. a login scenario:

Don't run your connection as the SA account Make sure only one record is matched for the login, not many.

If they know you're using dynamic SQL they can pass in OR statements that will make your statement evaluate to TRUE!!!

'"--- could halt a SQL statement

a') union select l:-- could also work..

Maybe even an exception or a lot of detail.

asp.net's website ran as the SA account! Hahahaha!!

Any situations in your app where you can dynamically create SQL statements, make sure it can't be attacked via the form and OR, or UNION statements.

You could have JavaScript entered into the form, then you could open an activex control that could pick up the user's cookies, or make a call to YOUR (the hacker's ) server for assistance.

This can be prevented in .net 1.1

by using request validation. Page validation="true" is the default and checks for brackets i.e. <script> etc.

You can capture the exception message and keep track of what someone is trying to do to you.

Always do your own checks on the input. <script><embed><object> tags are dangerous, but if you can, just code for what you'll allow - now what you intend to disallow.

Credential Storage: Salted hash passwords - look at the slides for this info - he's passing over it.

Overview Whidbey:

Firstly, it's backward-compatible with asp.net 1.1

Overview: rich data edition against business objects output caching....

Themes:

Developer productivity: reduce code by 2/3rds Enable rich scenarios not easily possibly today.

Better administration and management.

File-based and SQL data caching. Asp.net takes data from db and runs it from memory until there's a change in the database.

There are also new templates of apps.

Cassini is included so that you don't need IIS however you can't serve outside the local box, however, you can start building and debugging.

The new building block APIs:

Membership objects, Rolemanager, Personalization objects.

Partial classes: part of a class can be defined in one assembly or file and in another which is

ASP.NET Exposed #3

Site navigation database caching, management. So no having to go through the global.asax file.

The provider model design pattern connects the new objects to the data stores: SQL, Oracle, Active Directory.

There is the new *.master page

in addition to the intellisense, there's the statement completion feature.

sqldependency property to outputcaching.

----------------------------------

Greg was obviously not sleeping during the presentation!

ASP.NET Road Show

2004-01-19T22:44:00Z

I attended the ASP.NET Road Show this past Thursday so I thought I would give my 2 cents.

First of all, Rob Howard is awesome. He is a very good presenter and very knowledgeable. However, I was a little bored at the presentation. The first part which lasted a little over an hour was specifically on the basics of ASP.NET. After the first part the content got a little better but still wasn't what I had expected. Rob covered a great deal about security holes and how to use .NET to help plug these holes. Some of the content didn't even have anything to do with .NET specifically. For example, Rob showed a sample app on how to build a progress screen using JavaScript. Not sure where that came from but it was cool.

After the second bit, the good stuff came...Whidbey! This was the most exciting portion of the whole event and probably the only reason why I went in the first place. There were lots of cool features built into the new version but one of the cool things that I enjoyed seeing was the page inheritance that is built into ASP.NET 2.0. I have read a lot about it but actually seeing it work was much better. That is definitely going to save me time in the future.

All in all, the event was good. Everyone got a free book that Rob co-authored and a chance to win a Pocket PC.

The advertisement for the event stated it as “This is not going to be high-level marketing fluff!” I should have read a little further though because below that it says “We've designed a 3.5 hour workshop that delivers the technical knowledge you need to start developing secure, next generation Web applications with ASP.NET and Visual Studio .NET”. So I guess it was targeted at people who maybe aren't as familiar with .NET.

And that's my 2 cents!

Server.MapPath()

2004-01-14T00:09:00Z

This always bites me in the ass. When you need to call Server.MapPath from a standard class, you must call it from the current context.

Example:

System.Web.HttpContext.Current.Server.MapPath(“somefile.xml“);

This is more of a note for my future reference.