Samer Ibrahim's Blog

The Samer I Warrior on battles with .NET

June 2003 - Posts

Stephen Forte has a blog...

via Scoble:

"Stephen Forte has a weblog..."

Stephen Forte is a Microsoft Regional Director and one of the "well known experts" who moderate the NYC .NET Developers Group, which so far has been the best out of the three .NET user groups I attend.  Subscribed.

Speaking of the NYC .NET Developers Group, Ken Getz, another Microsoft Regional Director, is speaking at the next meeting which is this Thurs, Jun 19th.  His talk is entitled Taking Advantage of Inheritance in Windows Forms.  Ken Getz also is featured in an interview in the July 2003 issue of MSDN magazine.  His talk with Paul Sheriff at TechEd on Real-World Tips for Real-World Web Applications had some excellent content.  Plus as an added bonus I believe they are giving out a copy of Inside Windows Server 2003 to the first 100 attendees.

When using ASP.NET Validator Controls... if (Page.IsValid) { Now it's safe to go on! }

It's not often I like to display my ignorance in public but in this case it's worth it.  I've been using ASP.NET Validator controls for a while now with the knowledge that they provided me with an easy way to do both client-side and server-side validation in one step.  I never bothered to get too deeply involved in the documentation about them because I thought how difficult can they possibly be to use.  Well the truth is not difficult at all, if you know how to use them.  The implicit client-side validation that they cause fooled me into believing that the validation occurred the same way on the server-side as well.  In other words, a page will not submit until the data is verified.  Then I read this today in Fritz Onion's Essential ASP.NET book:

"As soon as you place a validation control on a page, it is imperative that you check the IsValid flag of the Page class before using any of the data posted by the client.  It is a common misconception that if validation fails on a page, the code for that page will not execute.  On the contrary, the only thing that happens when server-side validation fails is that the IsValid flag of the Page class is set to false, and each validation control that failed renders itself as a visible span so that the error indicator shows up when the page is redisplayed to the user."

I was under that misconception.  Well sort of.  I thought that the page would execute but as soon as an invalid control was hit, the page would rerender to the user and the proper messages would be displayed.  Fritz Onion explains that if the client browser does not support JavaScript or a malicious user removes your JavaScript, no client side validation will occur and therefore you must ensure that IsValid == true on the server-side.  Please also be cognizant of the fact that you must wait until the Page class calls its Validate() method, which occurs after the Page.Load event fires, or explicitly call Validate() on the page yourself prior to checking the Page.IsValid property.

I hope I help to dispel this misconception.  It's a trap that is all too easy to fall into.
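
The check described above, as an added example (not code from the original post or from Fritz Onion's book): an ASP.NET Web Forms code-behind showing a click handler without and with the Page.IsValid test, plus an explicit Validate() call in Page_Load.  The page name Signup.aspx, the control ids and the Store helper are assumptions made for illustration.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example: code-behind for a hypothetical Signup.aspx whose markup has
//   <asp:TextBox id="EmailBox" runat="server" />
//   <asp:RequiredFieldValidator ControlToValidate="EmailBox"
//        ErrorMessage="E-mail is required" runat="server" />
//   <asp:Button id="SaveButton" OnClick="SaveButton_Click" runat="server" />
//   <asp:Label id="ResultLabel" runat="server" />
public class SignupPage : Page
{
    protected TextBox EmailBox;     // bound to the markup controls above
    protected Label ResultLabel;

    protected void Page_Load(object sender, EventArgs e)
    {
        // Validators have not run yet when Load fires. Reading IsValid here
        // without calling Validate() first throws an HttpException.
        if (IsPostBack)
        {
            Validate();             // run every validator on the page now
            if (!IsValid) return;   // failed validators render their messages
            // Posted values may be used from here on.
        }
    }

    // Before: trusts the client-side script. With JavaScript disabled or
    // stripped, this still executes with an empty EmailBox.Text.
    protected void SaveButton_Click_Unchecked(object sender, EventArgs e)
    {
        Store(EmailBox.Text);
    }

    // After: the handler wired up in the markup checks the flag first.
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        if (!Page.IsValid) return;  // page is redisplayed with the error spans
        Store(EmailBox.Text);
    }

    // Hypothetical stand-in for whatever the page does with the data.
    private void Store(string email)
    {
        ResultLabel.Text = "Saved " + Server.HtmlEncode(email);
    }
}
```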

No, no you have it all wrong... Thank you guys

Several people have commented on my post about updating my "Which Blogs do I read?" section thanking me.  No no you have it all wrong.  I learn a lot from the blogs I read and I greatly appreciate you taking the time out to share your experiences and tips.  So to clarify, Thank you guys.

Expired Domains, E-Mail Addresses, and Passwords

A very common feature of password-protected Web sites is the ability to request that the password be e-mailed to you.  The idea is simple: people forget their passwords and need to be reminded of them.  It's a reasonable security assumption that the e-mail address of the person is secure, so it is reasonable to e-mail the password to them.  (You can argue about the wisdom of e-mailing the password unencrypted, but I don't think eavesdropping is the attack we're worried about here.)

Here's a clever attack to exploit this feature.  Step 1: Buy an expired domain.  Step 2: Watch all the spam come in, and figure out what e-mail accounts were active for that domain's previous owner.  Step 3: Go to an account-based site -- eBay, Amazon, etc. -- and request that the password be sent to those accounts.  If the people with those accounts didn't bother to change their e-mail address when the domain expired, you can collect their passwords.

Someone tried that with an expired domain and eBay accounts, and found that -- if he wanted to -- he could have collected a few passwords.  Moral: when an e-mail address deactivates, everything associated with that address should be deactivated as well.
[Crypto-Gram]

via Anil John

Wow... that is scary.  Brilliant but scary. 

Updated my "Which Blogs do I read?" section

I finally got around to updating my "Which Blogs do I read?" section to reflect the actual blogs I am now subscribed to in SharpReader.  I encourage you to take a look at some of these and see if you like the content.  There have been some deletions and many additions since I last updated this section.  Yes, there are a lot there now.  Just imagine what it's like catching up after a week at TechEd.  (I'm not even done catching up yet.)  The blogs I have in SharpReader are somewhat volatile.  Blogs that become too inactive or underperform, at least in my eyes, are quickly deleted and new blogs are quickly added as interesting individuals enter the blogging world.

As an aside this was miserable to sit down and enter manually.  I hope someday Scott gives us a way to upload an OPML to populate a section like this.

And as a way off topic thing... I was looking at the main feed today and I noticed I was up to 99 posts as of earlier today so this is my 100th post!!!  Special thanks to Scott for giving me a place to blog and to you for reading.

NYC Restaurant Week 2003

June 23-27 & June 30-July 4

NYC & Company has 180 great places to enjoy a great summer meal, without ever packing a basket.

New York’s best restaurants are offering three-course lunches for $20.03 and three-course dinners for $30.03. (Beverages, gratuities, and tax additional.) This is your chance to savor the cuisine of the city’s most talented chefs, and your opportunity to experience the quality, variety, and hospitality that makes New York the best restaurant city in the world.

It's that time of year again so if you're interested check it out here.

What Matrix Persona Are You?

Since I noticed a lot of people love these quizzes, here's one courtesy of Jalil.

You are Neo

You are Neo, from "The Matrix." You display a perfect fusion of heroism and compassion.

What Matrix Persona Are You? brought to you by Quizilla

Update:  sorry about all the updates but the WYSIWYG editor was eating my HTML.

My favorite session thus far...

My favorite session thus far has been a presentation by Nikhil Kothari on server controls.  Tons of great information.  I haven't gotten a chance to read his book because I'm backed up with other reading.  If you are like me and want a quick and powerful start on server controls and haven't gotten a chance to read his book, check the January version of the presentation out here.  Hopefully he'll put up the new slides and code soon.

Some attendees have not so great comments about TechEd

As expected, not everyone is pleased with how TechEd is going.  I have received comments on one of my blog entries from people who are unhappy with the way things are going here in Dallas.  I have been lucky enough to not have had as many problems as they seem to be expressing.  The shuttles to and from my hotel have been leaving more frequently than scheduled and arriving at the convention center in very reasonable time.  For the most part, seating has been more than ample at the sessions I've attended.  The one exception was a session that I myself did not even expect to have as many attendees as it did.  Maybe it's just that the IT Professional sessions have not been as accommodating as the Developer sessions but I do agree with my readers that MS should look into this.  At the price of TechEd everyone who wants to attend a session should be given an opportunity to do so.

The complaints on CommNet are definitely valid.  It's been very difficult to get on a computer and when I have been able to the connection has been disgustingly slow.  (In fact when I was writing this entry the connection timed out and I lost the entire thing, not fun.)  I don't know how much of that is in Microsoft's hands however.  My other complaint is that the level of the material presented in the classes has many a time not reflected the level of material that should have been presented.  For example, many of the "400 level" sessions were more like 200-300 level and 300 were 100-200 and sometimes below that even.  It's a real shame to go to 400 level sessions for ASP.NET and when the speaker asks questions like "who here has used ASP.NET" to have less than half the class be able to raise their hands.  If you are going to spend money on something like TechEd please prepare to get the most out of it.  What is really more upsetting to me is that when the presenters see the lack of knowledge in the class the material is scaled back.  I believe that a 400 level session should present 400 level material regardless of how many people have never written a single line of code in their entire life.  That's not my problem and that's not fair to those of us who are here to get an edge.  Find 100-200 level sessions instead.

Presentation all you ASP.NET fans should check out

Scott Guthrie just did a presentation that I thought was great but deserved more time and should have been a Part I of II.  The talk was about ASP.NET Performance Best Practices.  You can find the slides and demos on his personal website.
