Thursday, June 10, 2010

Implicitly Typed or Named Types

An Implicitly Typed Local Variable, var, is “new” and it is subject to restrictions:

    • The declarator must include an initializer.
    • The initializer must be an expression.
    • The initializer expression must have a compile-time type which cannot be the null type.
    • The local variable declaration cannot include multiple declarators.
    • The initializer cannot refer to the declared variable itself.

Beyond the obvious use of var with LINQ, you may also use it to clean up the code for readability:

var d = new Dictionary<string, Dictionary<string, List<SomeClass>>>();

The entire debate around using the var is founded on readability.

Another pair of eyes sees things differently, so the code has to explain itself. That being said, using var for just about anything is also an exaggeration. A method that returns a “hairy” type (like List<string>) would be easier to digest in a var, but that would not tell those other eyes anything about the purpose and the intention behind it. So you would not know how that specific return was “intended to be used”. Just compare List<string> list = MyMethod() with:

  • var list = MyMethod()
  • IEnumerable<string> list = MyMethod()

The second one is actually saying “I am not going to change this, nor use an index to access list members, nor modify members.” That is quite a lot to say in so few words. But it is not over, because it is also saying “I am going to use this list simply to iterate across it”.

The intention is what you are giving up if you use var. You are not giving anything up where the usage is obvious through the declaration.

var i = 5;
var s = "Hello";
var d = 1.0;
var numbers = new int[] {1, 2, 3};
var orders = new Dictionary<int,Order>();

are equal to

int i = 5;
string s = "Hello";
double d = 1.0;
int[] numbers = new int[] {1, 2, 3};
Dictionary<int,Order> orders = new Dictionary<int,Order>();

I would write a LINQ query like:

var rows = from DataRow r in parentRow.GetChildRows(myRelation)
           where r.Field<bool>("Flag")
           orderby r.Field<int>("SortKey")
           select r;

But the debate is about the use of var not only in anonymous types, object and collection initializers and query expressions, but everywhere in your code, for readability.

Here is Eric Lippert’s take on it:

All code is an abstraction. Is what the code is “really” doing manipulating data? No. Numbers? Bits? No. Voltages? No. Electrons? Yes, but understanding the code at the level of electrons is a bad idea! The art of coding is figuring out what the right level of abstraction is for the audience.

In a high level language there is always this tension between WHAT the code does (semantically) and HOW the code accomplishes it. Maintenance programmers need to understand both the what and the how if they’re going to be successful in making changes. read more ..

Friday, April 09, 2010

LinX BoX

This Friday’s Top 3 interesting sites visited this week:


This list is published every Friday and values originality. Submit your suggestions for next week as comments.

And don't forget my web templates shop at Bynapse.com - the easy web.

Reciprocal link of the week : Volunteer to Nepal

Friday, April 02, 2010

LinX BoX

This Friday’s Top 3 interesting sites visited this week:

 

This list is published every Friday and values originality. Submit your suggestions for next week as comments.

 
And don't forget my web templates shop at Bynapse.com - the easy web.

 
Reciprocal link of the week : Termic

Wednesday, March 31, 2010

PDF and E-book creation

Every now and then, someone tries to edit a PDF file and the old Acrobat and Distiller question pops back. What are the roles of those two, and why still use Word to edit? Why is Acrobat still important in e-book creation?

First the basics. Adobe Acrobat only reads PDF files. It does not create PDF files, nor can it be used to create content of any kind. It allows setting of certain attributes and anchors, such as creating hyperlinks and setting document security settings.

Distiller is a print driver that outputs PDF files. It is not a reader, nor an application used to create any content.

Adobe Acrobat (not Acrobat Reader) does not edit files. You create your content in applications like Word or Photoshop, then print to Distiller (some applications have a “Save as PDF” function, as Word does through an optional add-on) and save the resulting file as PDF. All word processing, spreadsheet or image editing or viewing applications should be able to print.

You may open the PDF in Acrobat for fine tuning:

1) create hyperlinks (see Tools/Locate Web Addresses)
2) create title and author (see File/Document Properties)
3) set your desired security level (see File/Document Security)
4) File SAVE AS whatever.pdf. It is important not to just SAVE but to use SAVE AS because this eliminates unused fonts and makes a smaller PDF.

An important decision is to embed fonts in your PDF, or use system fonts. This impacts the size of your PDF but embedding your fonts guarantees that your reader will see the exact page layout you designed. The better system fonts seem to be the small common ones such as Times Roman or Arial. You should know that embedding fonts is a Distiller option (Printer/Preferences/Adobe PDF Settings/General Conversion Settings).

Currently, high-speed internet access is becoming the norm and PDF files are generally small. As I was saying in a previous post, content is King.

Monday, March 29, 2010

LinX BoX

This Friday’s Top 3 interesting sites visited this week:

This list is published every Friday and values originality. Submit your suggestions for next week as comments.

And don't forget my web templates shop at Bynapse.com - the easy web.

Reciprocal link of the week : Smartbyte

Friday, March 26, 2010

Web application security

It's a real possibility that the web server is locked down and secured.

Web application hacking requires the attacker to understand application logic.

A website may be ripped entirely and stored locally. While this does not give out the code behind, it shows how input is passed, what types of error messages are returned, and the types of input that various fields will accept.

Here is a list of vulnerabilities and possible attacks to add to your list. Also check this list that Microsoft put out:

http://msdn.microsoft.com/en-us/library/ms998372.aspx#pagpractices0001_indexofpractices

Check out this article: http://msdn.microsoft.com/en-us/library/ms998375.aspx

Hidden Fields

Hidden fields used for obscuring values are poor coding. The theory is that if end users cannot see it, it is safe from tampering. Many sites use these hidden value fields to store the price of the product that is passed to the web application. An example pulled from a website is shown here:

<INPUT TYPE=HIDDEN NAME="name" VALUE="Mens Ring">
<INPUT TYPE=HIDDEN NAME="price" VALUE="$345.50">
<INPUT TYPE=HIDDEN NAME="sh" VALUE="1">
<INPUT TYPE=HIDDEN NAME="return" VALUE="http://www.vulnerable_site.com/cgi-bin/cart.pl?db=stuff.dat&category=&search=Mens-Rings&method=&begin=&display=&price=&merchant=">
<INPUT TYPE=HIDDEN NAME="add2" VALUE="1">
<INPUT TYPE=HIDDEN NAME="img" VALUE="http://www.vulnerable_site.com/images/c-14kring.jpg">

Here is an example tampering with a poorly written shopping cart:

1. Save the page locally and open the source code.

2. Modify the amount and save the page. As an example, change $345.50 to $5.99:

<INPUT TYPE=HIDDEN NAME="name" VALUE="Mens Ring">
<INPUT TYPE=HIDDEN NAME="price" VALUE="$5.99">

3. Refresh the local HTML page and then click Add to Cart. If successful, you'll be presented with a checkout page that reflects the new hacked value of $5.99.

This is an extreme example, for illustration purposes, of why an application should never rely on the web browser to set the values of sensitive data. Even without changing the price, an attacker might simply feed large amounts of data into the field to see how the application responds. Values from hidden fields, check boxes, select lists and HTTP headers can all be manipulated by malicious users and used to make web applications misbehave if the designer did not build in proper validation.

If you think that there is a shortage of sites with these types of vulnerabilities, think again. A quick Google search for type=hidden name=price returns hundreds of hits.
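The fix for the shopping-cart problem above is to make the server the only authority on price. The following is an added example, not code from the original post or from any real cart: it ignores whatever `price` the browser submits, looks the price up in a server-side catalog keyed by product id, validates the quantity, and includes a small audit helper that flags submissions whose client-sent price disagrees with the catalog. The catalog entries, product ids (`sku`) and form field names are constructed for this example.

```python
"""Added example (not from the original post): a cart handler that treats
client-submitted form fields as untrusted and takes the price from a
server-side catalog instead.  Product ids, names and prices below are
constructed sample data."""
from decimal import Decimal, InvalidOperation

# Constructed server-side catalog: the only source of truth for prices.
CATALOG = {
    "ring-14k": {"name": "Mens Ring", "price": Decimal("345.50")},
    "chain-18": {"name": "Chain 18in", "price": Decimal("89.00")},
}

MAX_QTY = 10


class CartError(ValueError):
    """Raised for any submission the server refuses to act on."""


def add_to_cart(form):
    """Return the line item to add, using only the product id and quantity
    from the form.  Any 'price' field the browser sends is ignored."""
    sku = form.get("sku", "")
    product = CATALOG.get(sku)
    if product is None:
        raise CartError(f"unknown product {sku!r}")
    try:
        qty = int(form.get("qty", "1"))
    except ValueError:
        raise CartError("quantity must be an integer")
    if not 1 <= qty <= MAX_QTY:
        raise CartError(f"quantity must be between 1 and {MAX_QTY}")
    # Never trust form['price']; recompute from the catalog.
    unit = product["price"]
    return {"sku": sku, "name": product["name"], "qty": qty,
            "unit_price": unit, "total": unit * qty}


def audit_form(form):
    """Defender-side check: report client-sent price fields that disagree
    with the server-side catalog, which is a sign of tampering."""
    findings = []
    product = CATALOG.get(form.get("sku", ""))
    if product is not None and "price" in form:
        sent = form["price"].lstrip("$")
        try:
            if Decimal(sent) != product["price"]:
                findings.append(
                    f"price mismatch: client sent ${sent}, "
                    f"catalog says ${product['price']}")
        except InvalidOperation:
            findings.append(f"price not numeric: {form['price']!r}")
    return findings


if __name__ == "__main__":
    # Constructed submission shaped like the tampered form in the post.
    tampered = {"sku": "ring-14k", "name": "Mens Ring",
                "price": "$5.99", "qty": "1"}
    print(add_to_cart(tampered))   # total is the catalog price, 345.50
    print(audit_form(tampered))    # one "price mismatch" finding
```

The `name`, `price` and `img` fields from the original form are simply not consulted; only an identifier and a quantity cross the trust boundary, and both are validated before use. The audit helper is what you would wire into logging so that tampering attempts show up even though they no longer change the total.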

Cookies

Cookies have a legitimate purpose. Security by obscurity is never a good idea. Cookies used with forms authentication or other remember me functionality might hold passwords or usernames and cookies can be viewed with cookie viewers. Example:

Set-Cookie: UID= bWlrZTptaWtlc3Bhc3N3b3JkDQoNCg; expires=Fri, 06-Jan-2010

The UID value appears to contain random letters, but there is more to it than that. If you run it through a Base64 decoder, you end up with mike:mikespassword. It is never good practice to store sensitive information in a cookie, even encrypted; a hash should be preferred.
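To make the cookie point concrete, here is an added example (not code from the original post). The first half decodes the Set-Cookie value shown above and flags it as credentials in disguise, a check a reviewer or a log scanner can run over captured cookies. The second half shows the pattern the post is arguing for instead: the cookie carries only an opaque, random session id protected by an HMAC, and the server maps that id to the user. The secret key, the username and the session store are constructed for this example.

```python
"""Added example, not from the original post: inspect the cookie value
the post shows, then issue and verify a cookie that carries only an
opaque session id protected by an HMAC.  The secret key and the
session store are constructed sample data."""
import base64
import hashlib
import hmac
import secrets

# The UID value from the post's Set-Cookie line, copied as it appears there.
POST_COOKIE_UID = "bWlrZTptaWtlc3Bhc3N3b3JkDQoNCg"


def decode_base64_loose(value):
    """Decode base64 that may lack '=' padding (as the cookie above does).
    Returns the decoded text, or None if it is not valid base64/UTF-8."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_credentials(cookie_value):
    """Flag a cookie whose decoded value has the user:password shape."""
    text = decode_base64_loose(cookie_value)
    return text is not None and ":" in text.strip()


# --- The alternative: an opaque, signed session id ----------------------

SECRET_KEY = b"constructed-demo-key-keep-it-server-side"  # constructed
SESSIONS = {}  # server-side store: session id -> username (constructed)


def _sign(session_id):
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def issue_session_cookie(username):
    """Create a random session id, remember who it belongs to on the
    server, and return 'id.signature' as the cookie value.  Nothing about
    the user, let alone a password, is in the cookie itself."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = username
    return f"{session_id}.{_sign(session_id)}"


def resolve_session_cookie(cookie_value):
    """Return the username for a cookie, or None if the signature does
    not verify or the session id is unknown."""
    session_id, sep, signature = cookie_value.rpartition(".")
    if not sep:
        return None
    if not hmac.compare_digest(signature, _sign(session_id)):
        return None
    return SESSIONS.get(session_id)


if __name__ == "__main__":
    print(decode_base64_loose(POST_COOKIE_UID).strip())   # mike:mikespassword
    print(looks_like_credentials(POST_COOKIE_UID))         # True
    cookie = issue_session_cookie("mike")
    print(resolve_session_cookie(cookie))                  # mike
    print(resolve_session_cookie(cookie[:-1] + "0"))       # None (tampered)
```

Two design points worth noting: the session id is random and carries no meaning, so decoding it yields nothing, and the HMAC is checked with `hmac.compare_digest` so that a forged signature cannot be distinguished from a valid one by timing. Expiry and revocation would be handled by the server-side `SESSIONS` store rather than by anything the client holds.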

Cross-Site Scripting

Cross-site scripting (XSS) is a computer security exploit that occurs when a web application is abused to gather data from a victim. Here is an example of a possible entry in a text field:

<A HREF="http://example.com/comment.aspx?mycomment=<SCRIPT> malicious code</SCRIPT>">Click here</A>

XSS can be prevented by HTML-encoding displayed data and validating the input from a form. Prevention also requires that users remain leery of embedded links.
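The two defences named above, encode on output and validate on input, look like this in practice. This is an added example and not code from the original post; the page it refers to is an ASP.NET one, but the technique is the same in any server language. The sample comment string, the length limit and the allowed-character set are constructed assumptions for the example.

```python
"""Added example, not from the original post: render a user comment with
HTML encoding on output, and validate a comment parameter on input.
The sample comment, length limit and character whitelist are constructed."""
import html
import re

# Constructed sample: the kind of value the post shows arriving in mycomment.
SAMPLE_COMMENT = "<SCRIPT> malicious code</SCRIPT>"

MAX_COMMENT_LEN = 500
# Constructed whitelist: letters, digits, whitespace and basic punctuation.
ALLOWED = re.compile(r"""^[\w\s.,!?'"()-]*$""")


def render_comment(comment):
    """Encode on output: every '<', '>', '&' and quote becomes an entity,
    so the browser shows the text instead of interpreting it as markup."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_comment_attribute(comment):
    """Same rule inside an attribute value: quote=True is what makes the
    encoded text safe between double quotes."""
    return f'<input type="text" name="mycomment" value="{html.escape(comment, quote=True)}">'


def validate_comment(comment):
    """Validate on input.  Returns (ok, reason); rejection reasons are the
    signal you would log when a request carries markup in a text field."""
    if not comment.strip():
        return False, "empty"
    if len(comment) > MAX_COMMENT_LEN:
        return False, "too long"
    if not ALLOWED.match(comment):
        return False, "disallowed characters"
    return True, "ok"


if __name__ == "__main__":
    print(validate_comment(SAMPLE_COMMENT))   # (False, 'disallowed characters')
    print(validate_comment("Nice ring!"))     # (True, 'ok')
    # Even if validation were skipped, output encoding neutralises the tags.
    print(render_comment(SAMPLE_COMMENT))
    print(render_comment_attribute('" onfocus="x'))
```

Validation and encoding are not alternatives: validation limits what gets stored, and encoding guarantees that whatever did get stored (or arrives from another path) is displayed rather than executed. Note that the encoding has to match the context it is emitted into; the attribute variant above shows why the quote characters must be encoded as well.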

Interception, Inspection, Modification

A web proxy allows interception, inspection and modification of the raw contents of the traffic, as explained in the following:

  • Intercept: allows you to see under the hood and watch the traffic move back and forth between the client and the server.
  • Inspect: allows you to enumerate how applications work and see the mechanisms they use.
  • Modify: allows you to modify the data in an attempt to see how the application will respond; for instance, injection attacks.

These tools make it possible to perform SQL injection, cookie subversion, buffer overflows, and other types of attacks.
