Archive for August, 2006
I want a beautiful site, but I am not a designer… Now what?
Do you need to build a website, but cannot come up with a decent design? Are you more of a developer than a designer?
Don’t panic! Just follow these links:
- Free design templates at MS ASP.NET Developer Center – link
- A collection of 40 layouts - ready to be downloaded. Every layout is valid CSS and HTML and works in major browsers – link
- Still don’t understand what the big deal with CSS is? Just go here for inspiration – link. Just be careful - it might blow your socks off.
- Do you want a fancy design but don’t know where to start? Just go here. Open Web Design is a community of designers that is making Internet a prettier place. 1700+ designs just waiting for you…
- Web Design From Scratch – is a wonderful source of everything you might possibly want to know about web design.
VS 2005 – Where did IntelliSense go from my web.config?
One of the really nice features in Visual Studio 2005 is the IntelliSense support in XML files, including web.config. No longer do you have to copy snippets from other web sites just because you don’t quite remember the exact spelling of something like this:
<membership>
  <providers>
    <add name="AspNetSqlMembershipProvider"
         type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         connectionStringName="LocalSqlServer"
         enablePasswordRetrieval="false"
         enablePasswordReset="true"
         requiresQuestionAndAnswer="true"
         applicationName="/"
         requiresUniqueEmail="false"
         passwordFormat="Hashed"
         maxInvalidPasswordAttempts="5"
         minRequiredPasswordLength="7"
         minRequiredNonalphanumericCharacters="1"
         passwordAttemptWindow="10"
         passwordStrengthRegularExpression="" />
  </providers>
</membership>
But from time to time you will notice that IntelliSense in web.config disappears. It just does not work anymore. You restart Visual Studio, reload the solution but it still does not work.
What is the problem? What caused this? The Web Site Administration Tool is the culprit. WSAT is a great tool and lets you jumpstart the application, but when its changes to web.config are saved, the following change is made:
<configuration>
Will be changed to this:
<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">
Once the namespace information has been added to the configuration tag, IntelliSense no longer works. The only way to make it work again is to remove the xmlns attribute.
Great looking CSS bars
Here is a great way to create some really nice looking bars without images. Just follow this link.
Nothing but pure CSS goodness.
VS.NET 2003 SP1 is here!
Nice. Right when I am getting ready to move up to Visual Studio 2005, they release a service pack for Visual Studio 2003.
CSS changes in IE 7
Great news. It looks like IE 7 will be a lot more CSS friendly than initially expected. If you remember, in the beginning IE 7 was supposed to be just a security update. But because of growing Firefox pressure, more customer and developer features were thrown in.
The full post and the list of all the CSS issues that were fixed is here. IE 7 still does not pass ACID test, but neither does Firefox. Right now, only Opera and Safari pass the ACID test.
If only plug-in development was as easy in IE as it is in Firefox, that would be a great day!
Tell Visual Studio what prefix to use with your custom server controls
If you work on a library of custom server controls for ASP.NET, you might have noticed that when you drag your custom server control onto the design surface, cc1 is used to prefix your control. It gets pretty boring after a while. If you take a close look at the ASP.NET controls, you will notice that they are always prefixed by asp automatically.
How can your library enjoy this little but really nifty feature? Just use the TagPrefix attribute. It is an assembly-level attribute, so make sure you stick it in the AssemblyInfo.cs of your project.
Here is an example usage:
using System.Web.UI; // TagPrefixAttribute lives in this namespace
[assembly: TagPrefix("SashaSydoruk.PDX.Web.UI.WebControls", "pdx")]
To find out more - MSDN article
SQL Injection Video
SQL injection is a very dangerous thing. An experienced attacker can break your site open in a matter of minutes if a SQL injection opportunity exists. To see how quickly things can happen, watch this video:
[youtube]MJNJjh4jORY[/youtube]
As you can see, once the hole has been found, your application is fully open to data theft and vandalism.
What is the best way to prevent SQL injection? Never, and I repeat never, build your SQL queries by string concatenation. One common mistake that I see quite often is “We are safe because we are using stored procedures”, but when you look inside that stored procedure you see the same string concatenation; usually it happens in the ordering and sorting clauses. It is very important to realize that you are still vulnerable even if you concatenate your strings inside the stored procedure.
What is the right way to do it? Use SqlParameter or any other implementation of IDataParameter that works with your database. So, instead of this:
string sqlBadQuery = "SELECT * FROM User WHERE FirstName = '" + tbxFirstName.Text + "'";
use this:
// Requires: using System.Data; using System.Data.SqlClient; 'connection' is an open SqlConnection
SqlParameter spFirstName = new SqlParameter("@FirstName", SqlDbType.VarChar, 50);
spFirstName.Value = tbxFirstName.Text;
string sqlQuery = "SELECT * FROM User WHERE FirstName = @FirstName";
SqlCommand cmd = new SqlCommand(sqlQuery, connection);
cmd.Parameters.Add(spFirstName); // the value is sent as a parameter, never as query text
In this example we created the SqlParameter spFirstName. In the constructor we provide the name, data type and length of the parameter. Notice that because we specified the data type as VarChar, we didn’t have to use single quotes in our query. SQL Server takes care of that for us.
A couple of times I was told that even when you use parameters, you are still vulnerable to SQL injection. I am not sure how correct this statement is. I looked for supporting information and I could not find anything. When you execute an inline, parameterized query in SQL Server with Profiler running, you will notice that the call is handled by sp_executesql. sp_executesql provides the same benefits a stored procedure does – security and execution plan caching. So, even if you pass some bad input like this – “' or 1 = 1 --” – it will be treated as a plain string value and 0 rows will be found. To find out more about sp_executesql, go here.
Now, if you have stored procedures available, by all means use them. But sometimes you just have to resort to dynamic SQL, and when you do, make sure you use it correctly. Here is a really good article by Erland Sommarskog - The Curse and Blessings of Dynamic SQL. This article describes in great detail why you would use dynamic SQL and how to do it in a safe manner.
Wikipedia has a really good description of what SQL injection is. You can find it here. Also, here is a general list of links that discuss the issue and the remedies for SQL injection:
- http://www.unixwiz.net/techtips/sql-injection.html
- http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf
- http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
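Added example, not from the original post: the concatenated query beside its parameterized form, run against a constructed in-memory SQLite table standing in for the post’s User table, plus an allowlist check for the ORDER BY case the post mentions, since column names cannot be bound as parameters. The table contents, the `?` placeholder syntax and the function names are assumptions of this example, not the post’s C# code.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the page's User table (SQLite, not SQL Server).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (Id INTEGER PRIMARY KEY, FirstName TEXT, Email TEXT)")
    conn.executemany("INSERT INTO User (FirstName, Email) VALUES (?, ?)",
                     [("Alice", "alice@example.test"),
                      ("Bob", "bob@example.test"),
                      ("Carol", "carol@example.test")])
    return conn

def find_by_first_name_bad(conn, first_name):
    # The post's sqlBadQuery: the user's text becomes part of the SQL statement,
    # so a quote in the input ends the literal and the rest is executed as SQL.
    sql = "SELECT * FROM User WHERE FirstName = '" + first_name + "'"
    return conn.execute(sql).fetchall()

def find_by_first_name_good(conn, first_name):
    # Parameterized form: the driver ships the value separately from the query
    # text (SQLite uses ? placeholders where SqlClient uses @FirstName), so the
    # input is compared as a plain string and never parsed as SQL.
    sql = "SELECT * FROM User WHERE FirstName = ?"
    return conn.execute(sql, (first_name,)).fetchall()

# Identifiers cannot be parameters, so a sort column coming from the request
# must be validated against a fixed allowlist rather than concatenated blindly.
ALLOWED_SORT_COLUMNS = {"FirstName", "Email"}

def list_users_sorted(conn, sort_column):
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % sort_column)
    sql = "SELECT FirstName FROM User ORDER BY " + sort_column
    return conn.execute(sql).fetchall()
```

With the post’s sample input `' or 1 = 1 --` the concatenated version returns every row, while the parameterized version returns none.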
Yay, Streamlined v0.0.4 has been released!
A new version, Streamlined v0.0.4, has been released. Streamlined is an excellent way to create the admin portions of your Ruby on Rails applications. What does one get by using Streamlined? Well, one gets list, detail and edit pages for all the models in your application, and also an admin facility to manage relationships between the models.
To get the latest version of “Streamlined” go here. To see a screencast highlighting its great features go here.
Firefox Crop Circle
Another proof that Firefox is awesome - Firefox Crop Circle
Web Developer Firefox Extension
Web Developer Firefox Extension is definitely one of my favorites. It is quite an amazing tool; I simply cannot imagine doing web development and debugging without it.
To use it you will need Firefox. Firefox is a great browser, especially for web developers, and if you still don’t have it, shame on you. Once you have Firefox installed, you need to install the Web Developer extension. You get it at the Firefox Add-ons site or at the developer’s site. Once the extension is installed, you will see a toolbar right under your address or links bar, and it will look like this:
The toolbar provides a lot of functionality, but right now I will concentrate on the features I use the most:
1. Outline tables and/or table cells. This is a great feature which lets you examine the structure of the layout, if you use tables for the site’s layout. To access the feature go to “Outline / Outline Table Cells” or “Outline / Outline Tables”. For XHTML purists, there is “Outline / Outline Block Level Elements” and “Outline / Outline Custom Elements”. One thing to keep in mind – if you want to keep the elements highlighted, make sure that the “Persist Styles” option is checked. You can find it at “Options / Persist Styles”.
Here is an example of Google’s home page with table, tr and td tags outlined in red, green and blue respectively.
2. Display form details. I use this feature a lot when I debug the rendering of my custom server controls or when I write WATIR functionality tests. When this is enabled, all form and input tags will be shown along with their ids and other attributes. You can find this feature here – “Forms / Display Form Details”. Here is an example of Google’s homepage with form details shown.
3. Show Passwords. Changes all “password” input tags to “text” input tags. In other words, you can see the actual passwords instead of asterisks. You can find this feature here – “Forms / Show Passwords”.
4. Make Form Fields Writeable. If an input tag has the “readonly” attribute set, the text box is still shown in the browser, but you cannot enter or change any data. Well, with the Web Developer toolbar you can change that. When you select “Forms / Make Form Fields Writeable”, suddenly all read-only fields become available for editing. Many times, lazy developers don’t validate information submitted in read-only fields, assuming that data from those fields is always correct and never changes, but a resourceful user can now change these fields. So, don’t get caught with your pants down: always validate all the input on the server.
5. Edit CSS. This feature is great for CSS debugging. When you select “CSS / Edit CSS”, a sidebar text editor appears with all the applicable CSS shown in it. Now you can change the CSS and see your changes on the site in real time. The nice thing is that it works with all sites. This is also a nice way to figure out how search engines see your site, and to see which part of the CSS screws up the layout.
6. Edit HTML. The same thing as “Edit CSS”, only in this case you edit the HTML. Pretty handy if you want to try out some ideas on existing sites. You can find it here – “Miscellaneous / Edit HTML”.
7. Populate Form Fields. This one is great when I test my forms. If a form gets pretty long and I need to fill it out many times, I use the “Populate Form Fields” feature. It fills the input elements with random data, including radio buttons and check boxes. You can find it here – “Forms / Populate Form Fields”.
8. View Document Size. This feature helps you make sure that your ViewState does not get out of hand. Sizes are shown for the HTML, image, CSS and JavaScript files. You can find this feature here – “Information / View Document Size”. Here is the size information for Google’s homepage.
These are just some of the features that the extension offers. It is a wonderful tool and it makes me a lot more productive. Give it a try and you won’t be able to live without it!