New version of Gmail is Here!

The new version of Gmail is already available in some Gmail accounts. If you see a link to a “newer version” at the top of the page, click on it and enjoy the new features:

  • Prefetching messages: When you load a page that contains a list of messages, Gmail will fetch them in advance so that when you need them, they’ll be available instantly. Google said that Gmail will have a completely new JavaScript architecture that will bring much better performance.
  • A new contact manager that will be shared with other Google apps (Google Docs, Google Calendar etc.)

Just to remind you, the previous gift from Google was a bigger mailbox.

Not all accounts have got the new version yet, but I believe it will happen over the next few days.

Enjoy!!


WPF Composite Client

After the announcement about the death of Acropolis, Glenn just announced that the patterns & practices team will develop WPF Composite Client guidance for building composite client applications for .NET Framework 3.5 and Visual Studio 2008. This is not a new version of CAB. It is an entirely new set of libraries and guidance, built from the ground up, targeting development of new WPF Composite applications. The target is to have all of the new guidance ship before the end of 2008.

Acropolis – The end

The Acropolis team just announced today that Acropolis will not advance from CTP to a supported release. They also announced that they want to help customers who’d like to take Acropolis into production be successful until an alternative is available.
The good news is that all the great work the Acropolis team did will be rolled out in the future versions of .NET and also used for guidance and best practices for building WPF Composite Clients.

Code Analysis in VS 2008

VS 2005 introduced built-in static analysis tools, which help you write secure, high-quality code.

Visual Studio 2008 has new Code Analysis features:

  • Code Metrics – This gives you the ability to dig deep to find those un-maintainable and complex hotspots. Code Metrics will ship with five metrics – Cyclomatic Complexity, Depth of Inheritance, Class Coupling, Lines of Code and Maintainability Index.
  • Analysis improvements:
    • Support for analyzing anonymous methods and lambda expressions
    • Reduced noise in existing analysis and the ability to skip over tool generated code
    • New analysis, including additional rules around security, globalization, maintainability and spelling.

To generate code metrics, simply do the following: in Solution Explorer, right-click on your solution/project and choose Generate Code Metrics.

After generation you’ll get the Code Metrics Results window, with a tooltip on every column that explains the result. The Maintainability Index column includes a maintainability indicator light that changes based on the maintainability of the code. Green indicates good maintainability, yellow indicates moderate maintainability, and red indicates poor maintainability.

My session at Dev Academy 2007

Do you want to know how VSTS for Database Professionals helps you take control of your database changes? Or how you can ensure your software quality? How can you write and execute unit tests for your database objects?

You can get the answers and even more details and great features in the next Developers Conference here in Israel – Developer Academy 2.

I will be giving a session there about VSTS for Database Professionals. If you work with databases then you will want to see the new capabilities offered by the latest addition to Visual Studio Team System from Microsoft. In this session, you will learn how this product will change the way you work with databases forever; you will get a look at how Visual Studio Team Edition for Database Professionals is used to help with database development, database unit testing, database refactoring, code analysis for databases and database deployment.

If you want to see more, or you have a question, post a comment.

See you there!

VS 2008 VPCs will expire on Nov 1st 2007

If you are using the VPC provided by Microsoft to evaluate Visual Studio and Team Foundation Server 2008 Beta 2, be aware that it will expire on Nov 1st.

See Jeff Beehler’s post for more details.

Open source at Microsoft

There is a new open source site from Microsoft.

Microsoft has opened a number of sites to host open source projects, like GotDotNet, CodePlex, and now this one. This site doesn’t replace CodePlex. It is intended to provide information about Microsoft and open source in one place, serving as a gateway for information about open source engagements and activities across Microsoft.

Astoria DataSource Extender

PhaniRajuYN posted a very interesting post about the Astoria DataSource Extender. (You can read my Getting Started With Astoria post to get more details about Astoria.) The main idea is that it’s a “database in the cloud”, which means that your database is hosted on the Web.

PhaniRajuYN’s Extender helps you retrieve data from and post data to a database on Astoria using JavaScript.
The Extender encapsulates its own server-side handler, so you don’t have to write a server-side proxy to avoid making cross-domain requests from the client browser.

You can read the post and download the source and sample from here.

How to prevent SQL injections

Many applications include code that looks like:

    string sqlStmt = "SELECT * FROM USERS WHERE UserName= '" + un + "' AND Password='" + pwd + "'";

Admit it: it’s ugly, but you have constructed SQL statements like this one.

The variables un and pwd are supplied by the user. The problem with this SQL string is that an attacker can piggyback SQL statements on either of them.

What if the attacker enters this:

un = maor, pwd = 123456' OR 1=1. The following malicious statement is built:

    string sqlStmt = "SELECT * FROM USERS WHERE UserName= 'maor' AND Password='123456' OR 1=1";

The statement will return all columns for all rows…Bad!

And what if the attacker enters this:

un = maor, pwd = 123456' DROP TABLE Users. The following malicious statement is built:

    string sqlStmt = "SELECT * FROM USERS WHERE UserName= 'maor' AND Password='123456' DROP TABLE Users";

This builds a SQL statement that queries for the user and then drops the Users table.

What can you do to prevent these attacks?

1. Quoting the input

Quoting the input is not a remedy, but it’s often proposed as a solution to the problem.

If we use a statement like:

    // pwd holds the user-supplied password; double every single quote in it
    pwd = pwd.Replace("'", "''");

the code replaces each single quote in the input with two single quotes. The single quote is escaped, so the injected quote no longer breaks out of the string literal. However, it’s not perfect: if the statement has an integer field (which is not wrapped in quotes), the attacker can use it to attack.

2. Use stored procedures

Many of us probably believe that the application is immune to SQL injection if we use stored procedures. WRONG!

When we pass 123456' OR 1=1 as a parameter, the stored procedure call fails because we cannot perform a join across a stored procedure call. However, data manipulation is still valid:

    exec sp_getUser 'maor','123456' INSERT INTO Users Values('123','123')

This command fetches data about the user and then inserts a new row into the Users table! What can we do? Secure the stored procedure. How?

  1. Use the quotename function for object names. It’s a built-in T-SQL function that adds delimiters to object names to help nullify invalid characters.
  2. Use sp_executesql to execute SQL statements built dynamically, instead of just concatenating a string. This makes sure no malformed parameters are passed along to the database server.

3. Never connect as sysadmin

If you see that your web application connects to the database as the sysadmin account, it’s a BUG. Most web applications don’t need the capabilities of a sysadmin to run. If there is a bug in the SQL statements and the application connects as the sysadmin account, the attacker can: delete any database or table on the server; delete any table data; change data; alter tables; delete logs; and more… The potential damage is unlimited.

4. Build secure SQL statements

Instead of dynamically building a string, as shown in the bad examples above, use parameters. Anything placed into a parameter will be treated as field data, not part of the SQL statement, which makes your application much more secure.

Using parameterized queries is a three step process:

  1. Construct the SqlCommand command string with parameters.
  2. Declare a SqlParameter object, assigning values as appropriate.
  3. Assign the SqlParameter object to the SqlCommand object’s Parameters property.

    // requires: using System.Data.SqlClient;
    // conn is an open SqlConnection; userName and password hold the user's input

    // 1. declare command object with parameters
    SqlCommand cmd = new SqlCommand(
        "SELECT * FROM USERS WHERE UserName= @UN AND Password= @PWD", conn);

    // 2. define parameters used in command object
    SqlParameter param1 = new SqlParameter();
    param1.ParameterName = "@UN";
    param1.Value = userName;

    SqlParameter param2 = new SqlParameter();
    param2.ParameterName = "@PWD";
    param2.Value = password;

    // 3. add the new parameters to the command object
    cmd.Parameters.Add(param1);
    cmd.Parameters.Add(param2);
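To see the four patterns from this post side by side against a real database, here is an added example (not code from the original post) that transposes the C# ADO.NET snippets above to Python's DB-API with an in-memory SQLite table. The table, the three user rows and the payloads are constructed for the demonstration; the `?` placeholders play the role of the `@UN`/`@PWD` parameters, and the integer-column query is assumed purely to show the caveat from remedy 1.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory SQLite table standing in for
    the SQL Server USERS table the post queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER, UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(1, "maor", "123456"), (2, "alice", "s3cret"), (3, "bob", "hunter2")],
    )
    return conn


def login_concat(conn, un, pwd):
    """The post's first pattern: the statement is built by string
    concatenation, so whatever the user types becomes SQL text."""
    sql = ("SELECT * FROM Users WHERE UserName='" + un
           + "' AND Password='" + pwd + "'")
    return conn.execute(sql).fetchall()


def quote_input(value):
    """Remedy 1 from the post: double every single quote
    (the C# pwd.Replace("'", "''"))."""
    return value.replace("'", "''")


def login_quoted(conn, un, pwd):
    """Concatenation plus quote-doubling on both inputs."""
    return login_concat(conn, quote_input(un), quote_input(pwd))


def user_by_id_quoted(conn, user_id):
    """Assumed integer-column query: the value is not wrapped in quotes, so
    quote-doubling has nothing to act on and the input is still parsed as SQL."""
    sql = "SELECT * FROM Users WHERE Id=" + quote_input(user_id)
    return conn.execute(sql).fetchall()


def login_param(conn, un, pwd):
    """Remedy 4 from the post: a parameterized query. The driver binds the
    values as data; they are never parsed as part of the statement."""
    sql = "SELECT * FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (un, pwd)).fetchall()


def user_by_id_param(conn, user_id):
    """Parameter plus strict input validation (the post's summary advice):
    anything that is not a plain integer is rejected before it reaches SQL."""
    if not user_id.isdigit():
        raise ValueError("rejected: user id must be a positive integer")
    return conn.execute("SELECT * FROM Users WHERE Id=?", (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # constructed payload: the post's OR 1=1 idea with the quotes balanced
    payload = "123456' OR '1'='1"
    print("concatenated:", len(login_concat(db, "maor", payload)), "rows")   # 3: every user
    print("quoted:      ", len(login_quoted(db, "maor", payload)), "rows")   # 0
    print("integer col: ", len(user_by_id_quoted(db, "1 OR 1=1")), "rows")  # 3: quoting did not help
    print("parameters:  ", len(login_param(db, "maor", payload)), "rows")    # 0
```

Run it as a script and the four counts tell the story: concatenation hands back every row, quote-doubling fixes the string column but does nothing for the unquoted integer column, and the parameterized query treats the same payload as a password nobody has. The validation in `user_by_id_param` is the "be strict about what represents valid input" rule from the summary applied before the value ever reaches the database.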

Summary

  • Don’t trust the user’s input.
  • Be strict about what represents valid input and reject everything else. Regular expressions are your friend!!!
  • Use parameterized queries, not string concatenation.
  • Connect to the database server by using a least-privilege account, not the sysadmin account.

Code secure!!!!


Gmail's Storage Increases to 6 GB

I read at the Google Operating System blog that Gmail will increase its free storage gradually over the next few days. On October 23, you’ll get 4321 MB of storage, then the growth will slow down until January 4, when you’ll have 6283 MB of storage.

That’s really great.

Read more here.
