Author: xram net Created: 3/5/2010 7:11 PM
Focused on DotNetNuke, .Net, Windows, and computer repair with smatterings from the rest of the technology ecosystem.
By xram net on 2/24/2010 8:11 PM

Why, SQL Knight? Why?

I was reading this article recently on InfoWorld, and even with all of the best practices and options available to avoid it, SQL injection attacks still make up 20% of the world’s hacks and are the single largest attack vector in use.  I thought of all the times I was mocking up a project and passed values straight through, only to have to go back later and cleanse the inputs.  How many people mean well, but forget to go back and address their TODOs?  There are a few ways to mitigate this:

  • Only allow database access through stored procedures
  • Only allow database access through a DAL that strips out injection attacks
  • Cleanse all text inputs of common injection code before passing them through

I have a client whose site was filled with myriad opportunities for an attack of this nature to proceed.  The original site architect never designed a DAL, had business logic mixed throughout the code-behind pages, and constructed most SQL commands as:

"SELECT * FROM customers WHERE customers_username = '" + txtUsername.Text + "' AND customers_password = '" + txtPassword.Text + "'";

Since rewriting the entire site using stored procedures was outside of the scope of the project, I created the following function to strip out possible attacks.

public class Common
{
  // Strips common injection fragments from a UI string, then escapes quote
  // characters so the value can sit inside a single-quoted SQL literal.
  public static void CleanSQLInputs(ref string sToClean)
  {
    string[] blackList = {"/*","*/","--",";--",";","@@","cursor ","declare ","delete ","drop ","execute ","insert ","select ","sysobjects","syscolumns","xp_"};
    for (int i = 0; i < blackList.Length; i++)
    {
      sToClean = sToClean.Replace(blackList[i], "");
    }
    // Double single quotes (standard SQL escaping) and map double quotes the same way.
    sToClean = sToClean.Replace("'", "''");
    sToClean = sToClean.Replace("\"", "''");
  }
}

Now, anywhere I need to clean an input, I just call

Common.CleanSQLInputs(ref sUsername);

before passing sUsername into the SQL command.  I've seen other solutions that implement this as a function returning a string, but I prefer to do it this way at the beginning of each method for any strings that are being passed in from the UI to the database, so I don't have to keep track of what's been cleansed.
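As an added example (not the post's code), here is a Python port of CleanSQLInputs applied to the login query above, with a small check that counts the single-quoted literals in the resulting SQL: a correctly escaped login query always contains exactly two, and the same check shows that the blacklist also removes words such as "delete " from ordinary text.

```python
# Added example (not the blog's code): a Python port of the post's
# CleanSQLInputs blacklist, applied to the concatenated login query the
# post shows, with a check on how many string literals the result contains.
BLACKLIST = ["/*", "*/", "--", ";--", ";", "@@", "cursor ", "declare ",
             "delete ", "drop ", "execute ", "insert ", "select ",
             "sysobjects", "syscolumns", "xp_"]


def clean_sql_input(value: str) -> str:
    """Same steps as the C# version: strip fragments in order (case-sensitive),
    then double single quotes and turn double quotes into two single quotes."""
    for fragment in BLACKLIST:
        value = value.replace(fragment, "")
    return value.replace("'", "''").replace('"', "''")


def raw_login_query(username: str, password: str) -> str:
    """The original concatenation from the post, with no cleaning at all."""
    return ("SELECT * FROM customers WHERE customers_username = '" + username
            + "' AND customers_password = '" + password + "'")


def cleaned_login_query(username: str, password: str) -> str:
    """The same concatenation after running both inputs through the cleaner."""
    return raw_login_query(clean_sql_input(username), clean_sql_input(password))


def literal_count(query: str) -> int:
    """Count single-quoted literals, honouring '' as an escaped quote.
    The login query should always contain exactly two; -1 means a literal
    was left unterminated, i.e. an input's quote ended the literal early."""
    count, i, in_literal = 0, 0, False
    while i < len(query):
        if query[i] == "'":
            if in_literal and query[i + 1:i + 2] == "'":
                i += 2  # doubled quote: still inside the literal
                continue
            in_literal = not in_literal
            if not in_literal:
                count += 1
        i += 1
    return -1 if in_literal else count
```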

Luckily, the site in question had never been exploited.  But past precedent is no substitute for real security, and the site owner was relieved to hear that this was in place.

Have you ever been hit with a SQL injection attack?  What steps have you taken to shore up your code from attacks?

By xram net on 2/3/2010 4:56 PM

I’ve flirted with the Getting Things Done (GTD) methodology for almost two years now.  Like many theories, it works great—in theory.  What I eventually discovered was that, for me, if there’s no compelling reason to do something, I won’t do it.  When I had just a handful of clients, there was no need for this sort of organization.  But, as xramnet has grown, so have the responsibilities in terms of responsiveness, organization, and expectations—something my old “system” could not handle.

Luckily, I’m not alone in my quest for empty inboxes.  I’ve spent two weeks using Jello Dashboard, and I love it.  Built on top of the ExtJS framework, Jello finally gives me a reason to use the Home screen in Outlook.

So, now my mornings look like this:

  1. Get a cup of coffee
  2. Go through my inbox—not reading, but tagging—into piles to be dealt with
  3. Head to work
  4. Sit down (with another cup of coffee) and tackle each area that has to-do items

I’ve found that it cuts down on the distracting habit of dropping everything else when a new email comes in.  Plus, it’s an incredibly good feeling to know that new (and important) requests won’t get lost in the noise.

By xram net on 1/14/2010 7:29 PM

I’ve been hard at work designing a business directory for our neighborhood association, Newbold Neighbors, and I was enamored with the idea of not having to reinvent the wheel in terms of creating a review system.  Why do the hard work when Yelp has already done it?

I just bought another hosting plan with PowerDNN so I can begin my (slow) migration over to DotNetNuke 5.  I haven’t even gotten as far as moving my own site over, but I knew that I wanted to use some of the new features for the neighborhood site (or at least I wanted new people using it to gain the advantage of never knowing some of the hang-ups/eccentricities of DNN4…)  Moving the skins and containers over was a cinch—just update the file references in the headers.  So far, so good.

I had purchased a copy of DNNDev’s XMod a while back, and never really found a use for it.  I checked around SnowCovered and saw that for previous owners, the upgrade to XMod 5.5 was just $20!  What a deal—especially since it’s the first version to support DNN5.  After reviewing XMod’s functionality, I decided that it was definitely the right tool for the job.  Since I heart clean urls, I also went with the XMod Details View (free) which lets me show a detail view using the record id.  The only downside (actually, my biggest complaint with DNN) is the lack of slugability (I can’t do /business/details/martinos-auto-repair, but I can do /business/details/id/5).

I used their tools to create a simple database of company names, phone numbers, addresses, photos, etc, and then got the layout working.

So, here’s where the magic happens.  I use jQuery to get the phone number from the .phone in each .business and pass it off to the Yelp query.  Adding callback=? to the URL is required for jQuery to perform a cross-domain JSON (JSONP) query; jQuery transparently replaces the ? with a generated callback name.

I have three different views – small, regular, and details.  I want basic data displayed on the small, a bit more for regular, and some custom stuff for the details (adding in trends, individual reviews, etc).

Download yelp-api-business-directory.js

I am pretty pleased with how it came out.  If you want to take a look, it can be found over at www.NewboldNeighbors.org/Businesses.  As someone who fancies himself a .Net programmer, getting back into Javascript is made so much easier by jQuery.  Hope this saves someone a few hours of coding.  Enjoy!

By xram net on 11/12/2009 3:35 PM

I found a very useful guide for installing .Net 3.5 into a Virtuozzo container.  I am still not impressed by Virtuozzo, but for the purposes of the site being hosted on it, it works.  Luckily, .Net frameworks can be installed on a per-container basis, so moving to 3.5 (LINQ!) was pretty easy.  There were 3 minutes of downtime scattered throughout the installation—not too shabby.

As .Net has matured, did Microsoft ever tell us what’s been up with the numbering?  We went from 1.0 to 1.1 to 2.0.50727 to 3.0 to 3.5 to 4.0.  Why was version 2.0’s revision code included everywhere it’s used?  Were they planning on releasing a 2.0.50728 at some point?  I like the cleanliness that 4.0 will bring back to web.config.  Visual Studio 2010β2 crashed today while saving web.config to a website, which knocked it down for a few minutes…  It seems to have escaped notice, but that’s what happens when you get lazy and decide that not every site needs a staging server.

By xram net on 11/4/2009 5:46 PM

I work on a website that needs updates every once in a while, and isn’t large enough to warrant setting up a staging server.  I need a good way to connect in Visual Studio without using FrontPage Server Extensions or FTP.  From the sound of it, WebDAV over SSL is the way to go.

Setting Up The Server

Obviously, I don’t want anyone that shouldn’t be connecting to be connecting, so I created another site in IIS that only I can see.  I accomplished this by binding it to an unused IP but giving a header value of somethingrandom.mainsite.com.  Since that DNS entry doesn’t exist, I added it to my hosts file.  This way, only my machine knows that name resolves to the correct IP.  Anyone else going to that name or IP won’t see it.

Also, something I didn’t realize: if you’re setting this up on Windows Server 2003 x64, and you’ve configured the site to run using 32-bit ASP.NET binaries (for compatibility reasons), then WebDAV will not work—unless you explicitly specify the 32-bit WebDAV service as well.  You can do this by running

IIsExt /AddFile %systemroot%\syswow64\inetsrv\httpext.dll 1 WEBDAV32 1 "WebDAV (32-bit)"

Since there’s no native support for WebDAV in Visual Studio, and no support for WebDAV over SSL native to Windows, it looks like some software will be needed.

I was able to find 4 different pieces of software:

  • Novell NetDrive – Old, unsupported, unlicensed, and non-functional.
  • WiseTodd NetDrive – Free for personal use, connects fine without SSL, not with
  • IT Hit Map Drive – The most promising of the bunch, connects fine without SSL, but still won’t connect securely
  • South River WebDrive – The grandfather of the WebDAV clients, it’s a tad pricey at $60.  But, it works perfectly!

Set-up of WebDrive was a snap, once I got things working properly on the server end.  Finally—updates can be made quickly and securely.

Why not FTP?

If you’ve tried working in Visual Studio using FTP, the question quickly becomes “Why FTP?” (or “Do I have time to finish Anna Karenina while waiting for Visual Studio to respond?”).  When all you want to do is exit the program and you find that it takes more than 5 minutes to gracefully quit, it’s more than a little frustrating.

By xram net on 10/8/2009 5:14 AM

I’ve been playing with RocketDock for two weeks now, and even with the stacks plugin, it just wasn’t cutting it.  I don’t know what it is about docks, but I can’t seem to get used to them.  The concept is fantastic, but after living with ctrl-alt shortcuts since Windows 3, the start menu paradigm since 95, and especially since Vista’s start menu search debuted, getting used to such a mouse-centric control just doesn’t click in my brain.  Oh well—there are many other cool programs to play with.  Like…


Synergy+ (and the original Synergy).  I’ve started to use my laptop as the left screen in a 3-monitor setup, and it’s money.  Being able to control everything via one keyboard and mouse is a great way to stop wasting time going from one machine to the other.  The only problem so far is the mouse intermittently forgetting to come back, but swapping out my old switch for a gig-e switch helped immensely.

Speaking of Newegg, CamelCamelCamel (sounds like a Balmerism!) now has a Firefox plugin that automagically gives you a price history graph for Amazon, Newegg, and some other stores.  Very cool.  Almost as cool as…


Personas!  This nifty plugin makes changing Firefox skins as easy as it should have been a long time ago.  With Chrome getting into the skinning game, it’s about time I can change the look of Firefox without needing to restart.  It reminds me of the old Winamp skins, and I especially love the ability to preview a new persona via mouseover.  Great implementation, Mozilla!  I found this via a new blog I’m reading, FireFoxFacts.com.  Which I’m reading using…

Brief!  This is the first RSS reader I’ve found that works with Firefox’s built-in Live Bookmarks and displays the posts the way I’d like to see them.  I guess I have no excuse now for not staying up to date on my friends’ blogs.  I might hate checking twitter and facebook updates, but I love reading blogs.  Something about people putting actual time into communicating…

And, ASP.NET 4.0 is going to be great.  I’m already looking forward to “clean client-side ‘id’ names (no more ctrl_ mangled names – ASP.NET 4 gives you complete control over the client id), and CSS based rendering instead of table based rendering for the built-in server controls.”  What?  Maybe this also means no more random “Microsoft-knows-best” CSS to override either…

The best part about all of these programs?  You guessed it: FREE.  Enjoy!

By xram net on 9/30/2009 3:38 PM

I thoroughly enjoyed reading Charlie Brooker’s scarily accurate take on Macolytes and their constant attempt to woo PC users to the dark side.  He does a fair bit of Microsoft bashing at the same time, trashing the horrible Windows 7 House Party ad.  I really prefer the Censored Version—because we all know what they’re really talking about.

At least it’s not the typical rehashed Mac vs. PC bashfest we’ve all come to know and despise.  As someone who gets to fix both, when asked which one I recommend, my question is, “Which one are you more productive on?”  They both do the same things.  Differently, but computers aren’t supposed to be ends in and of themselves.  They are means to an end.  Can you produce a completed TPS report faster on a PC?  If your job is to make TPS reports, GREAT—you should definitely use a PC.  If you can write CSS faster on a Mac and your job is to design websites, then guess what: I see a Mac in your future.

For the record, I applied to be a Windows 7 Party host, mostly because you get a free copy of Windows 7 Ultimate.  It seems as though the accepted hosts have already been notified, so I guess I’ll have to settle for a $30 copy of Win7 Pro.

By xram net on 9/15/2009 12:23 PM

Out of the box (err, zip file), DotNetNuke 5 is a no-go if you’re running it as a subdirectory in a site that’s running ASP.NET 3.5.  A little looking around the DNN forums indicated this was a known problem, with users posting errors such as:

[InvalidCastException: Unable to cast object of type 'System.Web.Configuration.ScriptingAuthenticationServiceSection' to type 'System.Web.Configuration.ScriptingAuthenticationServiceSection'.]
   System.Web.Configuration.ScriptingAuthenticationServiceSection.GetConfigurationSection() +39
   System.Web.Security.AuthenticationService.EnsureConfigLoaded() +64
   System.Web.Handlers.ScriptModule.ShouldSkipAuthorization(HttpContext context) +82
   System.Web.Handlers.ScriptModule.AuthenticateRequestHandler(Object sender, EventArgs e) +52
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Adding <clear /> entries to the top of each section in web.config didn’t help.  But what about that annoying message that pops up in Visual Studio 2008 every time I load a .Net 2.0 app asking me if I want to upgrade it to 3.5?  Maybe…  Yes.  It took all of 4 seconds for VS to rewrite web.config using all 3.5 components, and everything started working fine.

Active Directory Authentication

After getting DNN5 up and running, it was time to get it integrated into our Active Directory.  One of the things I was really looking forward to in upgrading to DNN5 was to be able to use the AD provider without needing to run the AppPool in Classic pipeline mode or needing to register 32-bit .Net DLLs (since it’s running on Windows 2008 x64).  The provider works, but it still gives the same error message that I got running 4.9.5:

Error: is currently unavailable.
DotNetNuke.Services.Exceptions.ModuleLoadException: Access is denied. ---> System.Runtime.InteropServices.COMException (0x80070005): Access is denied. at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) at System.DirectoryServices.DirectoryEntry.Bind() at System.DirectoryServices.DirectoryEntry.get_IsContainer() at System.DirectoryServices.DirectoryEntries.ChildEnumerator..ctor(DirectoryEntry container) at System.DirectoryServices.DirectoryEntries.GetEnumerator() at DotNetNuke.Authentication.ActiveDirectory.Settings.CheckPipelineMode() at DotNetNuke.Authentication.ActiveDirectory.Settings.Page_Load(Object sender, EventArgs e) --- End of inner exception stack trace ---

Oh well.  There are worse things in life than an error message that only I’ll be seeing.  It still lets users log in, so I can’t complain.

By xram net on 9/14/2009 11:57 AM

From Jim Jarmusch, but in keeping with the spirit of the quote, I’ve stolen it.  It fits pretty well with my feelings towards copyright and IP law.  I have the utmost respect for those who release significant portions of their work into the public domain and are still able to keep a roof over their heads and bread and bacon on their tables.

By xram net on 8/19/2009 11:48 AM


Are you running DotNetNuke on your own IIS install?  If you are and have been trying to eke the most performance out of it as you can, you may very well run into the problem I’ve come across.

I can’t begin to describe what kind of a headache it has been.  For the longest time (so long my original DNN forum posts regarding the issue are gone), making any changes to a page on any of our DNN 4.9.x sites would show up half of the time you refreshed, and half of the time it would show the original content.  Restarting the web app brought the two out-of-sync views back into line, but that’s obviously not a long term solution.

I finally ran across this article on DNN’s support pages talking about scheduler issues in multi-threaded IIS configurations and it hit me: running DNN in a web garden with two or more worker processes AND having the module caching set to memory meant that whichever worker process was told to make or delete a page or change content had the correct data in its cache.  The other worker processes, though, were left in the dark and weren’t being told to flush their cache!  Refreshing the browser would cause IIS to randomly assign a worker process to serve up the page, so half of the time it got it right, and half of the time, it got it wrong.  Restarting the web app flushed the caches, which is why that worked.

The solution?  Either turn module caching to disk or turn off the web gardening by setting the maximum number of worker processes back to 1.  The users are much happier now that the ghost in the machine has been exorcized.  Have you uncovered any other performance issues?  I’ll be moving to DNN 5.1 soon, so any suggestions would be greatly appreciated.
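To make the cause concrete, here is an added example (a constructed Python model, not DNN or IIS code) of a web garden in which each worker process keeps its own memory cache: after one edit, roughly half of the requests to a two-worker garden return stale content, while a shared disk cache, a single worker process, or an app restart brings the stale fraction to zero.

```python
import random

# Added example (not DNN's or IIS's code): a constructed model of the failure
# the post describes. Each worker process in the "garden" keeps its own
# module cache in memory; an edit refreshes only the worker that handled it.


class WorkerProcess:
    def __init__(self, store):
        self.store = store      # shared backing store (database / disk cache)
        self.memory_cache = {}  # private to this worker process

    def read(self, page, cache_mode):
        if cache_mode == "disk":
            return self.store[page]  # shared cache: every worker sees edits
        if page not in self.memory_cache:
            self.memory_cache[page] = self.store[page]
        return self.memory_cache[page]

    def write(self, page, content, cache_mode):
        self.store[page] = content
        if cache_mode == "memory":
            self.memory_cache[page] = content  # the other workers are never told


class WebGarden:
    def __init__(self, workers, cache_mode, seed=0):
        self.store = {"home": "v1"}
        self.workers = [WorkerProcess(self.store) for _ in range(workers)]
        self.cache_mode = cache_mode
        self.rng = random.Random(seed)  # IIS picks a worker per request

    def request(self, page):
        return self.rng.choice(self.workers).read(page, self.cache_mode)

    def edit(self, page, content):
        self.rng.choice(self.workers).write(page, content, self.cache_mode)

    def restart(self):  # app restart: every worker's memory cache is dropped
        for w in self.workers:
            w.memory_cache.clear()


def stale_fraction(workers, cache_mode, requests=1000, restart_first=False):
    """Fraction of requests served stale content after one edit of 'home'."""
    garden = WebGarden(workers, cache_mode)
    for _ in range(requests):  # warm every worker's cache with v1
        garden.request("home")
    garden.edit("home", "v2")
    if restart_first:
        garden.restart()
    stale = sum(garden.request("home") != "v2" for _ in range(requests))
    return stale / requests
```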