Thursday, November 22, 2007

MCTS

Hi,
On Tuesday, 27th November, I will be sitting for my first MCTS exam, that's 70-536. The other one (70-528) is on 29th Nov., but most probably I will reschedule it to 4th December, as that's the original date on which I wanted to give the exam, but as the company was getting some discount for 29th Nov....so we went for it.

Once I am done with it, I will surely share my experience. Up till now, it's fantastic; I got to know many things regarding which my concepts were not very good, such as App Domains, Serialization, Application Security etc. So it's a very informative journey.

If you want to know how it went, then look out for the next post.

Bye,
Beenish

Thursday, September 06, 2007

obout.com

During one of my projects I stumbled across ‘obout.com’. Their component set is not very rich but their quality is great. Their Flyout and ‘Show’ components are completely free, even for commercial use. Highly recommended.

Saturday, February 04, 2006

Some small things

Hello, this is the second of my two back-to-back blogs. It will be short and I will say just a few things.
1. A lot of people ask how we can get the server IP address/client IP address. That's quite simple, use
Request.ServerVariables["LOCAL_ADDR"] for Server IP Address
Request.ServerVariables["REMOTE_ADDR"] for Client IP Address
2. Although I would like to write a detailed blog on it, just a short note for you people: if you want your data tier to be pluggable, that is, you can use it for Oracle/SQL Server/MySQL etc., use IDB…. Interface. The Microsoft application, namely “WeFly247”, gives a very nice implementation of it. In the meantime you may wait for my blog on it.
Enjoy Programming!
Beenz

A "MUST-DO" LIST for an ASP.Net programmer

These days I’m working on a job portal, namely NaukriJunction (mainly porting the9yards.com from PERL to .Net, in fact not only porting but adding new functionalities too). A few days back, I made a ‘Login Report,’ finished it up, and everything was working fine, but somehow every time the page drew itself, it was showing me a message box saying “System Error.” I thought there might be some problem with JavaScript, but the thing was that the page wasn’t using any JavaScript written by me. In the meantime my manager paid me a visit; I showed him that the feature was complete and sheepishly added that a small error was coming but I’d fix it shortly. That wise man looked at the error, and after looking here and there, he said, have a look at the user input, and then I realized that a user was giving his name as “(<)script language=”javacript(>)”system Error(<)/script(>).” (The angle brackets were not in parentheses :( I'm using them just to keep my blogs free from errors.) Aaaaaaaahhhhhh…well, that’s a very simple and a very good example of malicious input. On our part we’ve done everything right, but in the web world this is nothing but a false sense of security.
That’s the beauty of the web: it’s open to everyone, an attack can come from anywhere, and such a simple and innocent-looking input can turn a programmer’s life into a dog’s life. You are wondering why I’m calling it a ‘beauty’; well, I think it’s giving us programmers a tailor-made situation to show our skills :D.
I won’t be talking about web application security, as its detailed discussion is out of the scope of this blog. I will just list down some very basic steps which an ASP.Net programmer should take in order to make their applications less vulnerable. In fact I would advise you to add them to your “MUST DO” list.

1. Every ASP.Net page has a property, namely “validateRequest.” By turning it on, you ask ASP.Net to keep a check that no user is able to give anything like “(<)ABC(>)” as input. If you want to apply it to all pages, you may define it in web.config’s pages tag (inside the system.web tag). Now, if you turn it on, ASP.Net catches the input but does not give control to the page (so you won’t be able to catch the error); ASP.Net shows an ugly error (to the developer) saying that there’s some malicious input. With normal web.config settings, your site user won’t see this detailed error message, but he will see that an error has occurred on the system. You don’t want to show that ‘not-so-beautiful’ error page, so better handle server error “500” in web.config and redirect your user to a page saying that such and such input is not allowed.
2. Now, for some reasons best known to yourself, you don’t want to turn on “validateRequest.” That would be fine too. But now you’ll have to add some extra checks. Wherever you are showing user-entered data, you’ll have to make sure that it is HtmlEncoded. asp:boundfield shows data in HTML-encoded form, so one less thing for you to think about, and hence the details view and datagrid will take care of their data, but if you are showing data, e.g. in a label, you’ll have to apply “Server.HtmlEncode” on it. Even if in a datagrid/detailsview you are defining a label in a template column, you’ll have to apply Server.HtmlEncode on its text.
3. Another thing to care about, which you might’ve heard of, is “SQL Injection.” You are taking login information and performing e.g. the following query,
String.Format("SELECT * FROM [USER] AS U WHERE U.LOGIN='{0}' AND U.PASSWORD='{1}'", login, password),
where login="bee'nish" and password="*******" (;))
When the query executes, it will simply throw an SQL exception, as ' is a special SQL character. Now some of you might want to escape it with '. But you never know what other character might cause a problem, so never go for dirty ways; always go for the right one, even if it requires more code. So always use parameterized values + command objects.
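
Items 2 and 3 in code, as an added example that is not from the original post: the concatenated query next to a parameterized SqlCommand, and HtmlEncode applied where a user-entered name is written to the page. The parameter sizes and the sample display name are assumptions; the command is only built and inspected, so no database is needed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web; // HttpUtility.HtmlEncode (reference System.Web.dll); Server.HtmlEncode is the in-page equivalent

static class MustDoDemo
{
    // Item 3, the "before": the SQL text itself changes with the input.
    static string ConcatenatedQuery(string login, string password)
    {
        return String.Format(
            "SELECT * FROM [USER] AS U WHERE U.LOGIN='{0}' AND U.PASSWORD='{1}'",
            login, password);
    }

    // Item 3, the "after": fixed SQL text; the values travel as typed parameters.
    // The NVarChar sizes are assumed, match them to the real column definitions.
    static SqlCommand ParameterizedQuery(SqlConnection conn, string login, string password)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT * FROM [USER] AS U WHERE U.LOGIN=@login AND U.PASSWORD=@password", conn);
        cmd.Parameters.Add("@login", SqlDbType.NVarChar, 64).Value = login;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 64).Value = password;
        return cmd;
    }

    // Item 2: encode user-entered data at the point where it is written into HTML.
    static string LabelText(string userEnteredName)
    {
        return HttpUtility.HtmlEncode(userEnteredName);
    }

    static void Main()
    {
        string login = "bee'nish";    // values from the post
        string password = "*******";
        // The quote inside the login leaves the string literals unbalanced.
        Console.WriteLine(ConcatenatedQuery(login, password));

        // No connection is opened; the command is only built and inspected.
        using (SqlCommand cmd = ParameterizedQuery(null, login, password))
        {
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine("{0} = {1}", p.ParameterName, p.Value);
        }

        string name = "<script>alert('System Error')</script>"; // constructed sample name
        Console.WriteLine(LabelText(name)); // markup characters come out as entities
    }
}
```

The unbalanced quote that raises the SQL exception is the same flaw that lets input change the query's structure; with parameters the value never becomes part of the SQL text.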

Hopefully, this would be of some help to you.
I have a lot of other topics in my mind, and I remember that I have to write things about Membership control, but I think this topic was more important.
Best of luck to you!
Beenz

Sunday, January 01, 2006

ASP.Net FileUpload Size Problem

Hi,
A few months back, I was in my office enjoying my green tea and reading an article about Brad Pitt and Angelina Jolie. Suddenly my mIRC window started blinking; I opened it and, to my horror, it was a personal message from one of the QA guys (who was testing my application). He was asking me, ‘is there any size limit on attachments?’ As I hadn’t placed any size constraint, I replied in the negative, but I started to have a feeling that a bug was just around the corner, and so it happened. He got excited and informed me with great enthusiasm that when he tries to upload a 5 MB file, the application shows him a ‘Page Not Found’ error. I asked him to post the bug, then closed the article on the two Hollywood stars, and in order to find the reason/solution I turned to my old buddy, ‘Google.’
Within 15 minutes I realized that every second ASP.Net programmer has faced this problem and still there is no good solution to it.
The problem was that by default the ASP.Net ‘FileUpload’ control allows files of size 4 MB or less; anything bigger than that size will redirect you to a DNS error. The main reason behind this constraint is to prevent a denial of service attack in case users post files of extremely large sizes.
The solution was quite simple, in web.config’s element; you just need to set the value of ‘maxRequestLength’ to your desirable maximum file size. Easy!
But it’s not that easy; anything greater than that size will still redirect you to the DNS error page. We certainly don’t want to let our users see that page; instead we would like to show them a good error message saying something like ‘file size should be less than {0}.’ To your disappointment, I must confess that there is simply no solution to it. You just don’t have any control over the process; no implementation of IHttpHandler can help you in this regard. One of our friends on this link tried to provide a solution, but it just doesn’t work for about 90% of the people (including me). Whenever the file size was too large, the Request.Files.Count was somehow ‘0.’ All I can say is that a solution which does not work for everyone is just not a solution.
Microsoft provides a little bit of help, which you may access at,
http://support.microsoft.com/default.aspx?scid=kb;en-us;295626

Now, that’s not all; there is something more to this problem. ASP.Net uses physical memory to upload a file, and whenever the ASP.Net process uses 60% of RAM, .Net services restart. Tests have proved that a 200 MB file can crash a system with 512 MB RAM. Hopefully, you can appreciate the magnitude of the problem. And to make it a bit more convoluted, IIS has its own file size limit of 4 GB.

If you’ve visited the MS link, then you can see that MS knows about the DNS thing, yet they are trying to stay oblivious to it, so we should read between the lines that they want us to go for a third-party control. Yes, if your expected file size is small then go for this control; otherwise I would recommend you go for a 3rd party control. These days I am writing one for myself and will soon upload it.

That’s all I have to say on this topic, for the next post I have quite a few topics in my mind like Custom Membership provider/ Inheriting GenericIdentity , but not sure when I will be able to write them, a lot of things to do including my ASP.Net’s MCP paper, IELTS test and a project at office. I will try to come back soon.

Happy New Year to you all,
Beenz

Wednesday, December 28, 2005

What's it all about?

Hi Friends,
This is another software engineer. For the last two years, I have been working on Dot Net; the journey started with 1.0 but surely it has not yet ended at Whidbey.
My relationship with Dot Net is that of love and hate.
........
ASP.Net controls are great, I love u dot net.
ADO.Net is a champ, I love you Dot Net.
..
.
.
System.Transactions....wow..I just love you Dot Net.
but then...
Using FileUpload, I can't upload a file of size greater than 4 MB..what's going on...Dot Net is so *********
Dot Net 2.0 applications are not compatible with 1.x, WHAT...what is MS thinking...can somebody give them a kick from my side
.
.
.
My transactions are acting as distributed transactions, and I don't even know it.....I HATE DOT NET, WHO THE HELL DEVELOPED IT.

That sums it all up.
Sometimes I love it, sometimes I hate it, but somehow I have learned to live with its shortcomings.
For many problems I researched a lot on the internet, always needing a page where I could get a confirmed and researched answer on whether ABC is possible in Dot Net or not. Many times I found the solution but scattered over multiple web pages and sites, and sometimes I was simply unable to find a solution.
Now I have decided to share this knowledge with others. Each of my posts will try to discuss a Dot Net related issue. It won't necessarily be a solution, but it surely will be the result of my research, and will give you a final and decided answer; hopefully it will also save your precious time.
First in the list is the infamous 'UploadFile Size issue,' which I will InshaAllah post on 1st January 2005.
Bye for now,
Beenz