WCF Load Test

Just published on CodePlex  –WCF Load Test tool.

Project Description from the project home page on CodePlex:

This tool takes a WCF trace file and a WCF client proxy, or a WCF interface contract, and generates a unit test that replays the same sequence of calls found in the trace file. The code generated is easily modifiable so that data variation can be introduced for the purpose of doing performance testing.
The tool generates code for both Visual Studio 2005 and Visual Studio 2008. It also installs a wizard into both editions of Visual Studio for creating the trace and processing it from inside Visual Studio. If both editions are present the tool is installed into both editions. The source code is a Visual Studio 2005 project.

Latest Release June 2009

A new beta was released in June 2009 adding support for ASMX web services. Download it from here.

Features

The tool has the following main features:

  • Replay of captured scenario in a unit test that can be included in a load test.
  • Support for the DataContractSerializer.
  • Support for message contracts.
  • ASMX support (beta)
  • Support for proxies generated using svcutil.
  • Support for clients that create proxies at run time from contract interfaces.
  • Supports calls to multiple services in a single scenario.
  • Supports multiple calls to the same service operation.
  • Filtering by SOAP action of which messages in the trace to replay.
  • Readable and modifiable code is generated.
  • Automatic association of trace message with proxy method (requires all operations to have a unique SOAP action).
  • Support for client and server side traces.
  • A command line tool for processing traces and generating code.
  • Visual Studio 2005/2008 integration (Team Developer, Team Test, Team Suite and for 2008 also Professional)) that can be used instead of the command line tool.

VB.NET and C# Comparison

Sometimes we need a simple VB.NET & C# side by side comparison. This sheet doesn’t include all features, but its great place to start with.

Visual Studio 2008 and .NET Framework 3.5 Training Kit

Microsoft released a nice training kit (~126MB) (it’s a real treasure!) for the latest technologies.

This package covers a bunch of technologies and includes presentations, hands-on labs, and demos. This content is designed to help you learn how to utilize the Visual Studio 2008 features and a variety of framework technologies vs2008 training kitincluding:

  • Visual Studio Tools for Office
  • Visual Studio Team System
  • Application Lifecycle Management
  • C# 3.0
  • VB 9.0
  • LINQ
  • WPF
  • WCF
  • WF
  • Silverlight
  • ASP.NET
  • AJAX
  • CardSpace
  • Mobile

Download here.

WPF Composite Client

After the announcement about the death of Acropolis, Glenn just announced that the patterns & practices team will develop WPF Composite Client guidance for building composite client applications for .NET Framework 3.5 and Visual Studio 2008. This is not a new version of CAB . It is an entirely new set of  libraries and guidance, built from the ground up, targeting development of new WPF Composite applications. The target is to have all of the new guidance ship before the end of 2008.

Acropolis – The end

The Acropolis team just announced today that Acropolis will not advance from CTP to a supported release. They also announced that they want to help customers who’d like to take Acropolis into production be successful until an alternative is available.
The good news is that all the great work the Acropolis team did will be rolled out in the future versions of .NET and also used for guidance and best practices for building WPF Composite Clients.

How to prevent SQL injections

Many applications include code that looks like:

   1:  string sqlStmt = "SELECT * FROM USERS WHERE UserName= '" + un + "' AND Password='" + pwd + "'";

Admit it…it’s ugly, but you constructed SQL statements like this one.

The variables un,pwd are provided by the user. The problem with this SQL string is that the attacker can piggyback SQL statements in one of them.

What if the attacker enters this:

un = maor, pwd = 123456′ OR 1=1. The following malicious statement is built:

   1:  string sqlStmt = "SELECT * FROM USERS WHERE UserName= 'maor' AND Password='123456' OR 1=1";

The statement will return all columns for all rows…Bad!

And what if the attacker enters this:

un=maor , pwd = 123456′ DROP TABLE Users. The following malicious statement is built:

   1:  string sqlStmt = "SELECT * FROM USERS WHERE UserName= 'maor' AND Password='123456' DROP TABLE Users";

This builds SQL statement that queries for a user and then drops the users table.

What can you do prevent these attacks?

1. Quoting the input

Quoting the input is not a remedy, but its often proposed to solve the problem.

if we use the statement of:

   1:  string pwd;
   2:  pwd = pwd.Replace("'","''");

The code replaces single quotes with 2 single quotes in the input. The single quote is escaped and its render to invalid SQL statement. However its not perfect. If the statement has a integer field the attacker can use it to attack.

2. Use stored procedures

Many of us probably believe that the application is immune to SQL injection if we use stored procedures. WRONG!

When we enter the 123456′ OR 1=1 to a parameter the sp will fail cause we cannot perform join across a stored procedure call. However, performing data manipulation is valid.

   1:  exec sp_getUser 'maor','123456' INSERT INTO Users Values('123','123')

This command will fetch data about the user and then insert a new row into the users table! What we can do? secure the stored procedure. How?

  1. Use quotename function for object names. It’s built in T-SQL function that adds delimiters to object names to help nullify invalid characters.
  2. Use sp_executesql to execute sql statements built dynamically, instead of just concatenating a string. This makes sure no malformed parameters are passed along to the database server.

3. Never connect as sysadmin

If you see that your web application connects to the database as sysadmin account – its a BUG. Most of the web applications don’t need the capabilities of a sysadmin to run; If there is a bug in the SQL statements and the application connects as sysadmin account, the attacker can: delete any database or table in the server; delete any table data; change data; alter tables; deletes log; and more… The potential damage is unlimited.

4. Build secure SQL statements

Instead of dynamically building a string, as shown in the bad examples above, use parameters. Anything placed into a parameter will be treated as field data, not part of the SQL statement, which makes your application much more secure.

Using parameterized queries is a three step process:

  1. Construct the SqlCommand command string with parameters.
  2. Declare a SqlParameter object, assigning values as appropriate.
  3. Assign the SqlParameter object to the SqlCommand object’s Parameters property.

   1:  // 1. declare command object with parameter
   2:  SqlCommand cmd = new SqlCommand(
   3:      "SELECT * FROM USERS WHERE UserName= @UN AND Password= @PWD", conn);
   4:   
   5:  // 2. define parameters used in command object
   6:  SqlParameter param1 = new SqlParameter();
   7:  param1.ParameterName = "@UN";
   8:  param1.Value = userName;
   9:   
  10:  SqlParameter param2 = new SqlParameter();
  11:  param2.ParameterName = "@PWD";
  12:  param2.Value = password;
  13:   
  14:   
  15:  // 3. add new parameter to command object
  16:  cmd.Parameters.Add(param1);
  17:  cmd.Parameters.Add(param2);

Summary

  • Don’t trust the user’s input.
  • Be strict about what represent valid input and reject everything else. RegEx are your friend!!!
  • Use parameterized queries not string concatenation.
  • Connect to the database server by using a least-privilege account, not the sysadmin account.

Code secure!!!!

Technorati Tags: , , ,

What is "Acropolis"?

Literally means the edge of a town or a high city; The Acropolis of Athens is the best known acropolis (high city, The “Sacred Rock”) in the world. (From Wikipedia)

Microsoft announced their Acropolis:

“Acropolis” is a set of components and tools that make it easier for developers to build and manage modular, business focused, client .NET applications.

Acropolis is a framework that fosters the separation of UI from business logic. It allows an application to be composed of UI Agnostic parts that provide specific pieces of user functionality and services that support those parts. In addition to all of this, the framework is declarative with XAML and designer support.

 

The key to Acropolis is its modular approach.

Acropolis lets you divide your application into various functional pieces – components – that each encapsulates some specific pattern, strategy or piece of business or presentation logic. Acropolis then provides the ‘glue’ to let you easily recombine these components to make a fully functional application.

What can you do with Acropolis?

  • Quickly create WPF enabled user experiences for your client applications.
  • Build client applications from reusable, connectable, modules that allow you to easily create complex, business-focused applications in less time.
  • Integrate and host your modules in applications such as Microsoft Office, or quickly build stand-alone client interfaces.
  • Change the look and feel of your application quickly using built-in themes, or custom designs using XAML.
  • Add features such as workflow navigation and user-specific views with minimal coding.
  • Manage, update, and deploy your application modules quickly and easily.

Acropolis Team blog: http://blogs.msdn.com/acropolis/

Acropolis July CTP release download: http://www.microsoft.com/downloads/details.aspx?FamilyId=44977885-86B5-4AA0-9F20-DB365BFB9D10&displaylang=en

del.icio.us Tags:

Technorati Tags:

Save datagrid changes in the database

Once you want edit a recore, add new or deleted a recored in your data grid you may want to save it in the database.

How do we do it?

  1. Create UpdateCommand handler for the data grid
  2. Identify what DataGrid row was updated by getting the ItemIndex property of the row (Item object) passed in the event object. Then use the index value to get the corresponding value out of the grid’s DataKeys collection:
    • string key = DataGrid1.DataKeys[e.Item.ItemIndex].ToString();
  3. Get the changed values out of the DataGrid row. How?
    • From the item passed in the event object, get the appropriate cell (zero-based) out of the Cells collection from the item passed in the event object. For example, the left-most column in the grid is Cells(0).
    • For each cell, get its Controls collection, which contains all the elements that appear in the cell.
    • Get the first (and only) control out of the collection — for this example, a TextBox control. To get the TextBox, declare a local variable of type TextBox and cast the object in the Controls collection to it.
    • Get the TextBox control’s value (its Text property).
  4. Find the corresponding row in the data table. The dataset contains a special FindBy method — that locates a row by its primary key and returns a reference to it.
  5. Update the row by changing values in the row you located in Step 4.
  6. Send changes from the dataset to the database by calling the data adapter’s Update method.
  7. Switch the current row in the grid out of editing mode.
  8. Data-bind the DataGrid control.

Code example:

private void myDataGrid_UpdateCommand(object source, System.Web.UI.WebControls.DataGridCommandEventArgs e)
{
string productName, productDescription;
// Gets the value of the key field of the row being updated
string key = myDataGrid.DataKeys[e.Item.ItemIndex].ToString();
// Gets get the value of the controls (textboxes) that the user
// updated.
// Each cell has a collection of controls. In this case, a TextBox control.
// The first column — Cells(0) — contains the Update and Cancel buttons.
TextBox tb;
// Gets the value the TextBox control in the third column
tb = (TextBox)(e.Item.Cells[2].Controls[0]);
productName = tb.Text;
// Gets the value the TextBox control in the fourth column
tb = (TextBox)(e.Item.Cells[3].Controls[0]);
productDescription = tb.Text;
// Finds the row in the dataset table that matches the
// one the user updated in the grid. This example uses a
// special Find method defined for the typed dataset, which
// returns a reference to the row.
dsProducts.CategoriesRow r;
r = dsProducts.Categories.FindByProductID(int.Parse(key));
// Updates the dataset table.
r.ProductName = productName;
r.ProductDescription = productDescription;
// Calls a SQL statement to update the database from the dataset
sqlDataAdapter1.Update(dsProducts);
// Takes the DataGrid row out of editing mode
myDataGrid.EditItemIndex = -1;
// Refreshes the grid
myDataGrid.DataBind();
}

For more information about DataSet updates, navigate to: http://msdn2.microsoft.com/en-US/library/y2ad8t9c(VS.71).aspx

ASP.NET 2.0 – Web Site vs Web Application project

A common question by asp.net developers is what project model should I use for asp.net application? Web Site project (which introduced with VS 2005) or Web Application project (which delivered as add-in for VS 2005 and built-in within VS 2005 SP1)?

There is no thumb rule. Every project model has it’s own advantages (and diss-advantages off course…). I hope this post will help you to understand better the differences between 2 of them.

Web Application project model

  • Provides the same Web project semantics as Visual Studio .NET 2003 Web projects.
  • Has a project file (structure based on project files).
  • Build model – all code in the project is compiled into a single assembly.
  • Supports both IIS and the built-in ASP.NET Development Server.
  • Supports all the features of Visual Studio 2005 (refactoring, generics, etc.) and of ASP.NET 2.0 (master pages, membership and login, site navigation, themes, etc).
  • Using FrontPage Server Extensions (FPSE) are no longer a requirement.

Web Site project model

  • No project file (Based on file system).
  • New compilation model.  (Read here or here for more details) and …
  • Dynamic compilation and working on pages without building entire site on each page view.
  • Supports both IIS and the built-in ASP.NET Development Server.
  • Each page has it’s own assembly.
  • Different code model.  (Read here for more details)

Ok, all is great, but you want to create your web site now. Which model should you use?

  • You need to migrate large Visual Studio .NET 2003 applications to VS 2005? use the Web Application project.
  • You want to open and edit any directory as a Web project without creating a project file? use Web Site project.
  • You need to add pre-build and post-build steps during compilation? use Web Application project.
  • You need to build a Web application using multiple Web projects? use Web Application project.
  • You want to generate one assembly for each page? use Web Site project
  • You prefer dynamic compilation and working on pages without building entire site on each page view? use Web Site project
  • You prefer single-page code model to code-behind model? use Web Site project.

Secure your application

Worried about security? Microsoft has published patterns & practices Security Checklists Index for .NET framework 1.1 & 2.0.

You can find there:

  • Architecture and Design Review Checklists
  • Code Review Checklists
  • Deployment Review Checklists

Take care…

%d bloggers like this: