Web Server Attacks From the Washington Post, April 25, 2008:

Quote... Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. Unquote...

Apparently there have been an estimated half-million attacks on different Web sites this week alone. There seems to have been a rush to judgement in trying to point the finger of blame at a recent Microsoft Security Advisory (951306). According to Bill Staples, Product Unit Manager for IIS, "Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."

These attacks are not related to said security advisory but are aimed at sites, on any platform, that are open to SQL Injection. What we are really seeing is a growth in SQL Injection over other types of attack. Although around for a long time now, this technique has been gaining in popularity among hackers over the last couple of years, and seems to be more popular now than cross-site scripting or buffer overflow exploits. I would argue that this would not be the case for ASP.NET sites if basic input validation and SQL parameters in combination with stored procedures were employed, as is the recommended practice.

At the very least, even if you are still using ASP and haven't time to convert to stored procedures, check your input data! All input data is evil and when designing your application you should take time to consider where else that input may be coming from, such as query parameters, cookies, etc. Watch this space...

 



What are C# Generics - Part III

by agrace 24. April 2008 18:57

Panama Hat Personally, I think I am still in the process of making the final paradigm leap to generics. It will probably be some time yet before I am satisfied that I am applying the concept creatively enough in the early design phase. The end goal is to become comfortable enough with the new syntax to "genericize" my code and make it more type-safe and reusable overall.

Right now, a lot of people are overly-occupied with the latest 3.5 toys. If it ain't SilverLight or MVC it ain't worth talking about. It pays to concern oneself with the basic building blocks that make up the language of your choice. In my case, it is C# although I used C++ right through college and spent some time with Java. The point is that in an object-oriented world, such concepts as generics travel quite well across languages and underpin the development of a strong object view of things overall. The "drag and drop brigade" frequently have a problem grasping this.

Generic IL and Metadata


Nitty Gritty

Generics operate at the compiler level. It was necessary to change the metadata, compiler and IL instructions to make it all posssible. The upshot is that generics work across different .NET managed languages. This means that we can define a generic class in C# and consume it in VB. Score another one for code reuse :-)

Under the hood, the compiler generates the intermediate language (IL) which contains placeholders for the actual types which will be substituted at runtime. In other words, the generic types are "instantiated" at runtime. This is known as "lazy" specialization or "just-in-time". The accompanying metadata is used for compile-time type-checking and intellisense.

It is possible that code could try to use types which are not compatible with what was intended and "contraints" are provided as a measure of protection to prevent this happening. Remember, a generic class or method knows nothing about the arguments being passed to it. The compiler needs to know something more. Each type parameter can have a different set of constraints, expressed using a where clause. A parameter can have multiple constraints, separated by commas.

class Guitar < T1, T2, T3>
    where T1: Fender
    where T2: Gibson
    where T3: Martin
{
    ...
}

 

To recap, you will most likely find a use for generics with collections. It is well worth the time invested. Right now, I'm working my way through a copy of Professional .NET 2.0 Generics by Tod Golding. It's about the best book on the topic of Generics that I have come across. Happy coding!

 

Tags: ,

C#




Windows Live SkyDrive I just noticed a new link when checking my hotmail this morning, to "Windows SkyDrive". Microsoft are offering 5GB worth of free online storage. It works with Windows or Mac with Firefox or Internet Explorer.

There are personal, shared and world folder options. File transfers are SSL-protected. What I found particularly interesting is that you can use the shared folders to colloborate with colleagues and set permissions for each person on a folder level. Nice angle :-)

I'm getting tired of emailing stuff between work and home. I'm also tired of getting down under my desk fumbling with a flash stick, so I think I'll give this a test drive for a while.

You can learn more here.