In the Heroes Happen {Here} launch events I've been doing I've been mentioning there is a new Visual C++ feature pack that will let you easily incorporate new UI elements into your MFC apps. The feature pack makes it easy to add Ribbons, docking toolbars, and the like to your UI, plus there are some new features that are part of the implementation of TR1 (read on below for details).
Visual C++ 2008 Feature Pack
If you want to get a nice comprehensive overview of Silverlight 2.0 Architecture Development and Deployment then check out this 4 part series from my colleague Bob Familiar. There's some great information here that covers a broad spectrum of integration with Silverlight - everything from WCF to DeepZoom. I'm sure you'll find something interesting and useful here, including source code and more. Read about it starting at http://blogs.msdn.com/bobfamiliar/archive/2008/04/04/rich-internet-applications-using-silverlight-2-0.aspx
The next meeting of the Augusta Developers Guild will be on Thursday, May 29th, 2008 at 6PM at Augusta State University. Karl Shifflett will be presenting Mole Visualizer For Visual Studio. It's a pretty exciting developer tool, and I guarantee you have never seen anything like what it can do! Check the guild's website below for meeting details.
My coworker Brian has written a really slick app called WorldMaps that plots where visitors to a website hail from. After much procrastination, I'm proud to say I've implemented it on not only my site but also our geekSpeak blog as well. If you visit either geekSpeak or my blog, you'll see a thumbnail to the left. Here's a picture of the latest map:
I had a good laugh while I was incorporating WorldMaps into my site. One of the pieces of information it displays is the location of the site owner, which is entered into the WorldMaps control panel as latitude/longitude. I was working out of my home office the day I set up my WorldMaps account, so I just turned on the GPS in my Blackjack II and used a little GPS diagnostics tool to get my latitude/longitude. When I plugged in those numbers and visited the worldmap, I saw that the pin representing the site owner was right in my house:
What made me laugh was when I zoomed in on my house:
The pin is actually in the roof of my house right over where my desk is in my home office. I guess I shouldn't be so amazed at the precision of GPS but it's also interesting to note the precision of Virtual Earth. :)
In any case, it's interesting to see where my readership is from, and I look forward to the map continuing to accumulate pushpins.
Join us every Wednesday at 3 PM Eastern (Noon Pacific) in May for some great developer conversation with industry experts. Get your questions on these technologies answered live. Here are the links to register:
May 7 - WCF Strategies for Windows Mobile with Jim Wilson
May 14 - Asynchronous Programming Demystified with Gerald Walsh
May 21 - Contextual Collaboration Using Unified Communications with George Durzi
May 28 - Connecting Microsoft Silverlight with Pete Brown
During the past few weeks I've been delivering the Smart Client session at the Heroes Happen Here launch events around the southeast. Here are several good articles and videos related to that session. Also if you find any that I missed, please feel free to suggest them via a comment.
Part 1 - WPF with Visual Studio 2008
Part 2 - Using Windows Vista APIs to light up your applications
Part 3 - Workflow Services with WF and WCF
Part 4 - Occasionally connected applications (OCAs)
Don't miss your chance to see Rocky Lhotka at tonight's meeting of the .NET user group. Rocky is a fantastic speaker, and he'll be giving an overview of his CSLA framework and how it's been updated to take advantage of key .NET 3.5 features.
The meeting is at 6 PM at the Microsoft office in Alpharetta. More information is available on the home page of the Atlanta .NET user group http://atlantadotnet.org
The next Charlotte Code Camp is coming up on Saturday, May 17, 2008. They are looking for local folks to come in and present interesting sessions on developer tools, technology, business, life, whatever! Also they need lots of volunteers to help in other areas.
Code camps are held on Saturdays so you don't have to skip work, they are totally free and are an awesome way to learn about technology and give back to the developer community at the same time.
Read more about the Charlotte Code Camp at http://www.developersguild.org/Default.aspx?alias=www.developersguild.org/codecamp/2008/spring
As an alumnus of the North Avenue Trade School myself, this video had me in stitches!
(For those not in the know, the "M" train in Tech vernacular means getting a degree in Management.)
Sometimes the people on my team try to just sneak stuff by the rest of us. I was just forwarded a link that's a perfect example of that. It's a whitepaper written by my co-worker right here in Atlanta, fellow DE Doug Turnure. He wrote it in December 2006, and I only just now found out about it? Shame!!!
The whitepaper talks about the reasons why, as a developer, you'd want to have your apps deployed on Windows Vista. Doug really goes in depth on the benefits of various areas like security, memory, administration, management and more. Give it a read!
MSDN White Paper: The Advantages of Running Applications on Windows Vista
I just updated the user group page that I maintain on this blog for groups in Georgia, North Carolina and South Carolina. Please check it out to see what's in your area, and send me any corrections. Next step I want to take is to add Alabama and Mississippi resources, so send some of those my way.
If you live in Gwinnett county and have been seeking developer fellowship closer to that area, there is a new user group forming.
Doug has some links on his blog about the group, but their first meeting is May 8th, so come out and support the new group!
dougturn's WebLog : Gwinnett, Georgia Microsoft User Group
This coming Thursday, AT&T will unveil Microsoft Surface devices in some of their major stores, including in Atlanta. If you happen to be in the metro area, stop by the AT&T store at Lenox Square. I'm going to try to swing by there!
Here's how you can expect AT&T to use Microsoft Surface:
- Learn. Customers can review features of a particular mobile device by simply placing it on the display. Surface will recognize the device and provide a graphical overview of its capabilities. Customers will be able to place two devices side by side on the unit and easily compare their features.
- Explore. Customers view interactive coverage maps at the national, state, local or street level, using simple touch and hand movement to scale and move the maps, determining their coverage area.
- Customize. In the future, customers will be able to drag and drop ring tones, graphics, video and more by “grabbing” content with their hands from a menu on the display and “dropping” it into the phone.
AT&T's Surface Page: http://www.att.com/surface
Microsoft's Surface Site: http://www.microsoft.com/surface
Press Release about the event: http://www.microsoft.com/presspass/press/2008/apr08/04-01SurfaceRetailPR.mspx
note - this post pilfered from my coworker Lindsay :)
Technorati Tags:
Microsoft Surface
My colleague Brian just posted about an error page he encountered on a public ecommerce site, and the clues it gave him about how the coding of that site was wrong in a lot of ways. He gave some good tips on fighting SQL Injection attacks, but I think he wasn't as complete as he could have been on his recommendations. So I'm going to use this opportunity to clear up some common misperceptions about how best to defend against SQL injection attacks.
I know, you're thinking "Why another post on SQL injection"? But hey, think of it like the airline safety demo. Just because you know how to buckle your seatbelt and use an oxygen mask doesn't mean the person sitting next to you isn't learning about it for the first time. :)
Perception - I put a dropdown (or listbox) on my web form, which means when the user submits the form, the value for that field will be one of the items in the list, so I don't need to check it.
Reality - When you have a dropdown or list box on a web form, the value chosen is sent back as a name/value pair in the POST data. But that doesn't mean those are the only possibilities for the value; it just means those are the choices you provided for the user to select from on that form. Remember, the web is stateless. A postback has no live connection to the form that rendered the inputs; the server only sees whatever name/value pairs arrive in the request. A hacker could put any value they want in the name/value pair of the POST data (or, for that matter, the query string) and submit it. Granted, ASP.NET's event model might choke, because you come at it from the control and event perspective and not the name/value pairs. Then again, it might not. And other server side languages might let it pass through just fine. So don't assume that the only values you're going to get back are from the list you send out on the page.
Perception - I'll just write code that replaces all the single quotes in the user's input with two single quotes in a row, and I'll be fine. Also, I'll look for bad words like DROP TABLE
Reality - A lot of people are under the impression that using regular expressions to clean the input (e.g. doubling or stripping quotes, blocking specific words through blacklisting, etc.) means you can now take the cleansed input and continue with the same technique of concatenating string constants with user input to produce the SQL statement you want. Unfortunately, there are still ways around this: quote doubling does nothing for a numeric value that was never quoted in the first place, and clever hackers can send in a string that your algorithms will helpfully "clean up" back into malicious SQL code.
Perception - SQL injection attack is a SQL Server specific problem, and doesn't affect other database products.
Reality - Come on, no one really thinks *that*, do they?
Perception - Moving all of my dynamic SQL into stored procedures will in and of itself remove the SQL injection vulnerability.
Reality - It's just as easy to introduce SQL injection vulnerabilities with a stored procedure if you call it incorrectly from your code. Suppose you convert the dynamic SQL (shown in Brian's post, for example) into a sproc called getBarcode that returns the barcode when sent a unique ID. If you then call the sproc like this, you're asking for trouble:
SqlCommand myCommand = new SqlCommand("EXEC getBarcode '" + scrambledID + "'", myConn);
You're still concatenating, so malicious SQL statements can still piggyback at the end of the parameter. Your sproc will run, and then the extra SQL statements sent in will run too.
Almost as bad (but less frequently done) is to use the EXEC statement inside the stored procedure itself. Seriously, I've worked with folks who thought this was the only way to accomplish what they wanted. Their sprocs were pages and pages of IF and CASE statements, evaluating what permutation of parameters was sent in, and building SQL on the fly. So even if you call this by using SQL Parameters, you can still pass through a string that might contain malicious SQL statements into your sproc where they could be EXECuted.
The bottom line is that the single most effective way to guard against SQL injection attacks is to parameterize your SQL statements, be they sprocs or dynamic SQL. Never, never, never concatenate to build your SQL string. In addition, I recommend reading this article from MSDN magazine on SQL injection. Now, return your tray tables to their full upright and locked position for takeoff. :)
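To make the two "Reality" points above concrete (the quote-doubling/blacklist sanitizer from the second perception, and concatenation versus parameters from the stored procedure discussion), here is an added example that is not part of the original post or Brian's. It uses Python and an in-memory SQLite database as a stand-in for the C#/SQL Server code the post talks about, since SQLite has no stored procedures; the barcodes table, its column names and the sample rows are assumptions constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the e-commerce site's barcode
# table from the post. Table layout, column names and values are assumed.
ROWS = [(1, "0001-ALPHA"), (2, "0002-BRAVO"), (3, "0003-CHARLIE")]


def make_db():
    """Fresh in-memory SQLite database with a small barcodes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE barcodes (id INTEGER PRIMARY KEY, barcode TEXT)")
    conn.executemany("INSERT INTO barcodes VALUES (?, ?)", ROWS)
    conn.commit()
    return conn


def naive_clean(user_input):
    """The 'perception' defence: double single quotes, strip a blacklisted phrase."""
    cleaned = user_input.replace("'", "''")
    return cleaned.replace("DROP TABLE", "")


def get_barcode_concat(conn, raw_id):
    """Vulnerable: 'cleans' the input, then concatenates it into the statement.

    The id column is numeric, so the value is not quoted in the SQL text and
    doubling quotes protects nothing; the input still becomes part of the WHERE.
    """
    sql = "SELECT barcode FROM barcodes WHERE id = " + naive_clean(raw_id)
    return [row[0] for row in conn.execute(sql)]


def get_barcode_param(conn, raw_id):
    """Fixed: the value travels as a bound parameter, never as SQL text."""
    sql = "SELECT barcode FROM barcodes WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (raw_id,))]


def demo():
    """Run honest and hostile inputs through both versions and report results."""
    conn = make_db()
    results = {}
    # Honest input behaves the same either way.
    results["concat_honest"] = get_barcode_concat(conn, "2")
    results["param_honest"] = get_barcode_param(conn, "2")
    # No quote is needed to alter an unquoted numeric predicate, so the
    # sanitizer passes this straight through and every row comes back.
    results["concat_attack"] = get_barcode_concat(conn, "2 OR 1=1")
    # Bound as a parameter, the same string is just a value; it matches nothing.
    results["param_attack"] = get_barcode_param(conn, "2 OR 1=1")
    # The blacklist removes one "DROP TABLE" and thereby assembles another.
    results["blacklist"] = naive_clean("DRODROP TABLEP TABLE barcodes")
    # Prove the 'cleaned' text is a working DROP statement on a fresh database.
    conn2 = make_db()
    conn2.execute(results["blacklist"])
    remaining = conn2.execute(
        "SELECT count(*) FROM sqlite_master WHERE name = 'barcodes'").fetchone()[0]
    results["table_gone"] = remaining == 0
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The concatenated version returns all three barcodes for the input `2 OR 1=1` even though the input went through the "cleaner", while the parameterized version returns nothing for it and the right row for an honest id; the doubled-up `DROP TABLE` string comes out of the blacklist as a perfectly valid `DROP TABLE barcodes`. The same rule the post ends on applies to the `EXEC getBarcode '...'` call: pass `scrambledID` as a SqlParameter with CommandType.StoredProcedure rather than pasting it into the command text.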
Thanks to all those who turned out for the meeting, despite it being basically on the heels of the Atlanta Code Camp on the 29th. I hope you got a lot out of the talk.
Here are some resources that will help out as you explore the topic:
Enjoy!
Technorati Tags:
WCF,
REST