I’ve been hearing about the Less CSS framework for a while, and it always looked like a great idea—for Ruby developers.  Then I had a thought—maybe I should search “less css .net.”  30 seconds later, I’m staring at DotLessCss and wondering how hard it would be to integrate with DotNetNuke.  Turns out, it’s pretty easy.

One caveat is that you need the extension .LESS to be handled by ASP.Net.  If you have wildcard support enabled for .Net in IIS through your host, you’re set.  I already had this configured for extension-less urls, but if you don’t have it set up, ask your host.  It’s literally a 30-second modification—if they try to charge you, see if you can press them to do it as a favor for being such a great customer. :)

Once that’s completed, the following steps should get you there:

1. Copy dotless.Core.dll into your \bin folder
2. In web.config, under <system.webServer> / <handlers> (IIS 7), add
   <add name="dotLess" verb="*" path="*.less" type="dotless.Core.LessCssHttpHandler,dotless.Core" validate="false" preCondition="managedHandler" />
3. In <system.web> / <httpHandlers> (IIS 6), add
   <add verb="*" path="*.less" type="dotless.Core.LessCssHttpHandler,dotless.Core" validate="false" />
4. In the DNN root, open Default.aspx.vb, and browse down to ManageStyleSheets() (around line 340)
   Since I don’t really use the default.css file (except to paste a CSS reset into the top of the file) or the portal.css (which I delete so it doesn’t get added to the list of files to download), I only added in .Less support for the skin css files.  Look for the following:
      
If File.Exists(Server.MapPath(ctlSkin.SkinPath) & "skin.css") Then
  objCSSCache(ID) = ctlSkin.SkinPath & "skin.css"
Else
  objCSSCache(ID) = ""
End If

   which becomes
   
‘ .LESS CSS
If File.Exists(Server.MapPath(ctlSkin.SkinPath) & "skin.less") Then
  objCSSCache(ID) = ctlSkin.SkinPath & "skin.less"
Else If File.Exists(Server.MapPath(ctlSkin.SkinPath) & "skin.css") Then
  objCSSCache(ID) = ctlSkin.SkinPath & "skin.css"
Else
  objCSSCache(ID) = ""
End If

This way, if skin.less exists, DNN will disregard skin.css.  If you want to use .Less in other places, you can make the same modification above for default.css or below for portal.css.

I like the modification above because you can fit it into any DotNetNuke installation without having to recompile any of the DNN core DLLs.  What works for skins, though, doesn’t work for containers.  The container CSS injection isn’t handled from default.aspx.vb, instead being compiled as DotNetNuke.UI.Containers.Container.  Changing this would require making a similar change in the DNN source code and the recompiling.

CAUTION:  Keep in mind that upgrades will now break your sites, so you’ll have to add those lines back into default.aspx.vb every time you run anything that overwrites it.  For me, that’s a price worth paying, but it does add an extra step in your site maintenance.  Use this with caution, especially on a production site.  As always, make changes on your test server first.  Even if you only use this on your test server, you can always use .Less to emit your final skin CSS file.

I posted a while back some modifications I had made to the DNN Blog module that I found useful, namely adding the calendar-looking date to the blog entry list.  These are updated instructions for the new DNN Blog module that is now shipping with DNN 5.

Open up ViewBlog.ascx and locate <!-- Begin Blog Entry Title --> and add the following after the DIV.BlogHead (line 49)

<div class="BlogPublished" title="<%# DataBinder.Eval(Container.DataItem, "AddedDate") %>">
 <span class="BlogPubMonth">
  <%# Left(MonthName(Month(DataBinder.Eval(Container.DataItem, "AddedDate"))), 3) %>
 </span>
 <span class="BlogPubDate">
   <%# Day(DataBinder.Eval(Container.DataItem, "AddedDate"))%>
 </span>
</div>

The only change I made was to add the full date as the title of the containing DIV, so that hovering over with your mouse will give the full timestamp.

I must commend the Blog module team for making the CSS much more legible and predictable in this release, although there are still a few lingering inline styles that get in the way of fully skinning the DNN Blog.  But, if that was the cost of getting awesome tags, categories, and recent items, I can find little fault in their priorities.

Rarely have I found a program that makes your computer feel new again.  Windows 7 was a great start, and Outlook 2010 looks promising.  But what I’ve been really hooked on the past few weeks is the Pale Moon Project—a re-compiled Firefox that brings some of the optimizations that Linux users have enjoyed for years by compiling software on their own computers.  It’s code-compatible with Firefox, and achieves its results by removing compatibility for older computers and allowing the compiler to take advantage of newer processor instructions.  Installation was incredibly straightforward—by default, it shares the same profile—which makes it a drop-in replacement for Firefox.  Almost every browser benchmark shows it to be faster than Firefox, and Pale Moon’s responsive feel back the numbers up.  As of right now, Pale Moon is up-to-date, matching Firefox at 3.6.3.  You can read more about it on their website or head straight to the Pale Moon Project download page.

I’m still haven’t seen SQL Server Management Studio (SSMS) available to install through the Visual Studio 2010 installation.  It’s such an easy and painless way to interact with SQL, but it still isn’t available as a separate download as far as I know.  A big part of me is happy Microsoft finally realized that you have to give poor developers access to the same tools that the big boys use, but there are still places for future work.

I could reinstall SQL Server Express with the Advanced Tools, but I’m in a hurry and need to connect.  To work around this, I’m attempting to connect using another machine with SSMS 2008 on it.  Unfortunately, SSMS won’t allow you to authenticate using a different computer’s users (domain users wouldn’t have this problem, I’m guessing).  This leaves me with the option to login as the superuser SA.

So what do you do when you’ve been relying on Windows authentication and you need to reset the SA password?

• Fire up the SQL Server Configuration Manager and double-click on the SQL instance you need to reset.  Click over to the Advanced tab.
• In the Startup Parameters, prepend –m; to the list to put SQL server into Single-User mode.  Click OK and then right-click on the SQL Server instance and click Restart.
• Open up a command prompt, and type:
  OSQL –S localhost –E
  The –S parameter tells OSQL what server to connect to, and the –E parameter creates a trusted connection.  Capitalization of the switches does matter.
• Inside the SQL terminal, type (substituting your new password for newPassword):
  EXEC sp_password NULL, ‘newPassword’, ‘sa’
  GO
• Once that’s complete, type exit to quit.  Go back to the SQL Configuration Manager, remove the –m; from the Startup Parameters, and restart the SQL Server instance.
• Make sure SQL Server and the browser are allowed through the Windows firewall, and try connecting from the other computer.

If it worked, you should now be able to log in using the sa user and make all the changes you need through the SSMS on the remote computer.

I was reading this article recently on InfoWorld, and even with all of the best practices and options available to avoid it, SQL injection attacks still make up 20% of the world’s hacks and are the single largest attack vector in use.  I thought of all the times I was mocking up a project and passed values straight through, only to have to go back later and cleanse the inputs.  How many people mean well, but forget to go back and address their TODOs?  There are a few ways to mitigate this:

• Only allow database access through stored procedures
• Only allow database access through a DAL that strips out injection attacks
• Cleanse all text inputs of common injection code before passing them through

I have a client whose site is was filled with myriad opportunities for an attack of this nature to proceed.  The original site architect never designed a DAL, had business logic mixed throughout the code-behind pages, and constructed most SQL commands as:

“SELECT * FROM customers WHERE customers_username = ‘” + txtUsername.Text + “’ AND customers_password = ‘” + txtPassword.Text + “’”;

Since rewriting the entire site using stored procedures was outside of the scope of the project, I created the following function to strip out possible attacks.

public class Common
{
  public static void CleanSQLInputs(ref string sToClean)
  {
    string[] blackList = {"/*","*/","--",";—",";","@@","cursor ","declare ","delete ","drop ","execute ","insert ","select ","sysobjects","syscolumns","xp_"};
    for (int i = 0; i < blackList.Length; i++)
    {
      sToClean = sToClean.Replace(blackList[i], "");
    }
    sToClean = sToClean.Replace("'", "''");
    sToClean = sToClean.Replace("\"", "''");
  }
}

Now, anywhere I need to clean an input, I just call

Common.CleanSQLInputs(sUsername);

before passing sUsername into the SQL command.  I've seen other solutions that implement this as a function returning a string, but I prefer to do it this way at the beginning of each method for any strings that are being passed in from the UI to the database so I have to keep track of what's been cleansed.

Luckily, the site in question had never been exploited.  But past precedent is no substitute for real security, and the site owner was relieved to hear that this was in place.

Have you ever been hit with a SQL injection attack?  What steps have you taken to shore up your code from attacks?

I’ve flirted with the Getting Things Done (GTD) methodology for almost two years now.  Like many theories, it works great—in theory.  What I eventually discovered was that, for me, if there’s no compelling reason to do something, I won’t do it.  When I had just a handful of clients, there was no need for this sort of organization.  But, as xramnet has grown, so have the responsibilities in terms of responsiveness, organization, and expectations—something my old “system” could not handle.

Luckily, I’m not alone in my quest for empty inboxes.  I’ve spent two weeks using Jello Dashboard, and I love it.  Built on top of the ExtJS framework, Jello finally gives me a reason to use the Home screen in Outlook.

So, now my mornings look like this:

1. Get a cup of coffee
2. Go through my inbox—not reading, but tagging—into piles to be dealt with
3. Head to work
4. Sit down (with another cup of coffee) and tackle each area that has to-do items

I’ve found that it cuts down on the distracting habit of dropping everything else when a new email comes in.  Plus, it’s an incredibly good feeling to know that new (and important) requests won’t get lost in the noise.

I’ve been hard at work designing a business directory for our neighborhood association, Newbold Neighbors, and I was enamored with the idea of not having to reinvent the wheel in terms of creating a review system.  Why do the hard work when Yelp has already done it?

I just bought another hosting plan with PowerDNN so I can begin my (slow) migration over to DotNetNuke 5.  I haven’t even gotten as far as moving my own site over, but I knew that I wanted to use some of the new features for the neighborhood site (or at least I wanted new people using it to gain the advantage of never knowing some of the hang-ups/eccentricities of DNN4…)  Moving the skins and containers over was a cinch—just update the file references in the headers.  So far, so good.

I had purchased a copy of DNNDev’s XMod a while back, and never really found a use for it.  I checked around SnowCovered and saw that for previous owners, the upgrade to XMod 5.5 was just $20!  What a deal—especially since it’s the first version to support DNN5.  After reviewing XMod’s functionality, I decided that it was definitely the right tool for the job.  Since I heart clean urls, I also went with the XMod Details View (free) which lets me show a detail view using the record id.  The only downside (actually, my biggest complaint with DNN) is the lack of slugability (I can’t do /business/details/martinos-auto-repair, but I can do /business/details/id/5).

I used their tools to create a simple database of company names, phone numbers, addresses, photos, etc, and then got the layout working.

So, here’s where the magic happens.  I use jQuery to get the phone number from the .phone in each .business and pass it off to the Yelp query.  Using the callback=? is required for jQuery to perform a cross-domain JSON query.  jQuery replaces the ? with a custom identifier transparently.

I have three different views – small, regular, and details.  I want basic data displayed on the small, a bit more for regular, and some custom stuff for the details (adding in trends, individual reviews, etc).

Download yelp-api-business-directory.js

I am pretty pleased with how it came out.  If you want to take a look, it can be found over at www.NewboldNeighbors.org/Businesses.  As someone who fancies himself a .Net programmer, getting back into Javascript is made so much easier by jQuery.  Hope this saves someone a few hours of coding.  Enjoy!

I found a very useful guide for installing .Net 3.5 into a Vituozzo container.  I am still not impressed by Virtuozzo, but for the purposes of the site being hosted on it, it works.  Luckily, .Net frameworks can be installed on a per-container basis, so moving to 3.5 (LINQ!) was pretty easy.  There was 3 minutes of downtime scattered throughout the installation—not too shabby.

As .Net has matured, did Microsoft ever tell us what’s been up with the numbering?  We went from 1.0 to 1.1 to 2.0.50727 to 3.0 to 3.5 to 4.0.  Why was version 2.0’s revision code included everywhere it’s used?  Were they planning on releasing a 2.0.50728 at some point?  I like the cleanliness that 4.0 will bring back to web.config.  Visual Studio 2010β2 crashed today while saving web.config to a website, which knocked it down for a few minutes…  It seems to have escaped notice, but that’s what happens when you get lazy and decide that not every site needs a staging server.

I work on a website that needs updates every once in a while, and isn’t large enough to warrant setting up a staging server.  I need a good way to connect in Visual Studio without using FrontPage Server Extensions or FTP.  From the sound of it, WebDAV over SSL is the way to go.

Setting Up The Server

Obviously, I don’t want anyone that shouldn’t be connecting to be connecting, so I created another site in IIS that only I can see.  I accomplished this by binding it to an unused IP but giving a header value of somethingrandom.mainsite.com.  Since that DNS entry doesn’t exist, I added it to my hosts file.  This way, only my machine knows that name resolves to the correct IP.  Anyone else going to that name or IP won’t see it.

Also, something I didn’t realize: if you’re setting this up on Windows Server 2003 x64, and you’ve configured the site to run using 32-bit ASP.NET binaries (for compatibility reasons), then WebDAV will not work—unless you explicitly specify the 32-bit WebDAV service as well.  You can do this by running

IIsExt /AddFile %systemroot%\syswow64\inetsrv\httpext.dll 1 WEBDAV32 1 "WebDAV (32-bit)"

Since there’s no native support for WebDAV in Visual Studio, and no support for WebDAV over SSL native to Windows, it looks like some software will be needed.

I was able to find 4 different pieces of software:

• Novell NetDrive – Old, unsupported, unlicensed, and non-functional.
• WiseTodd NetDrive – Free for personal use, connects fine without SSL, not with
• IT Hit Map Drive – The most promising of the bunch, connects fine without SSL, but still won’t connect securely
• South River WebDrive – The grandfather of the WebDAV clients, it’s a tad pricey at $60.  But, it works perfectly!

Set-up of WebDrive was a snap, once I got things working properly on the server end.  Finally—updates can be made quickly and securely.

Why not FTP?

If you’ve tried working in Visual Studio using FTP, the question quickly becomes “Why FTP?” (or “Do I have time to finish Anna Karenina while waiting for Visual Studio to respond?”).  When all you want to do is exit the program and you find that it takes more than 5 minutes to gracefully quit, it’s more than a little frustrating.

I’ve been playing with RocketDock for two weeks now, and even with the stacks plugin, it just wasn’t cutting it.  I don’t know what it is about docks, but I can’t seem to get used to them.  The concept is fantastic, but after living with ctrl-alt shortcuts since Windows 3, the start menu paradigm since 95, and especially since Vista’s start menu search debuted, getting used to such a mouse-centric control just doesn’t click in my brain.  Oh well—there are many other cool programs to play with.  Like…

Synergy+ (and the original Synergy).  I’ve started to use my laptop as the left screen in a 3-monitor setup, and it’s money.  Being able to control everything via one keyboard and mouse is a great way to stop wasting time going from one machine to the other.  The only problem so far is the mouse intermittently forgetting to come back, but swapping out my old switch for a gig-e switch helped immensely.

Speaking of Newegg, CamelCamelCamel (sounds like a Balmerism!) now has a Firefox plugin that automagically gives you a price history graph for Amazon, Newegg, and some other stores.  Very cool.  Almost as cool as…

Personas!  This nifty plugin makes changing Firefox skins as easy as it should have been a long time ago.  With Chrome getting into the skinning game, it’s about time I can change the look of Firefox without needing to restart.  It reminds me of the old Winamp skins, and I especially love the ability to preview a new persona via mouseover.  Great implementation, Mozilla!  I found this via a new blog I’m reading, FireFoxFacts.com.  Which I’m reading using…

Brief!  This is the first RSS reader I’ve found that works with Firefox’s built-in Live Bookmarks and displays the posts the way I’d like to see them.  I guess I have no excuse now for not staying up to date on my friends’ blogs.  I might hate checking twitter and facebook updates, but I love reading blogs.  Something about people putting actual time into communicating…

And, ASP.NET 4.0 is going to be great.  I’m already looking forward to “clean client-side ‘id’ names (no more ctrl_ mangled names – ASP.NET 4 gives you complete control over the client id), and CSS based rendering instead of table based rendering for the built-in server controls.”  What?  Maybe this also means no more random “Microsoft-knows-best” CSS to override either…

The best part about all of these programs?  You guess it: FREE.  Enjoy!