selected topics asp.net2
Tips and Tricks in ASP.NET 2.0 Development
Talal Abdullah Alsubaie, Programmer, IT Department, Saudi Food and Drugs Authority
1Talal A. Alsubaie SFDA
Tips and Tricks in ASP.NET 2.0 Development
This presentation aims to give us (developers) better knowledge of development in the MS ASP.NET 2.0 environment, and to cover some tips and tricks in ASP.NET 2.0 programming.
The main goal is to enhance:
◦ Security.
◦ Availability.
◦ Integrity.
◦ Usability.
◦ Performance.
Tips and Tricks in ASP.NET 2.0 Development
We will cover some topics in this presentation such as:
◦ N-Tier Architecture.
◦ CSS (Cascading Style Sheets) Pages.
◦ Database Programming.
◦ Exception Handling.
N-Tier Architecture
N-Tier Architecture
• An N-Tier architecture is a development method in which the user interface, functional process logic, data storage, and data access are developed and maintained as independent modules. (http://en.wikipedia.org/wiki/N_tier)
• The N-Tier architecture is based on the concept of separating a system into different layers (usually 3). Each layer interacts only with the layer directly below it, and has a specific function that it is responsible for.
• It is considered a Software Design Pattern.
• N-Tier provides reusability, scalability, and maintainability.
• Web development often uses the 3-Tier model.
• A Three-Tier model has:
Presentation Tier.
Business Tier.
Data Tier.
[Diagram: three-tier salary example. Labels: Database; Get Salary Total; Get Last Year Salaries; Query; Salary 1, Salary 2, Salary 3; Add Salary Together; Display Total.]
N-Tier Architecture
• One of the common mistakes is tightly coupling layers, and writing business logic in the presentation tier.
Database Programming
Database Programming
• You have many things to think about.
Database Programming
• Things to keep in mind:
• Keep the connection string in web.config.
• Never store sensitive data in clear text within a database.
• Do not rely on client-side validation.
• Validate input for length, range, format, and type.
• Validate untrusted input passed to your data access methods.
• When constructing SQL queries, use type-safe SQL parameters.
• Avoid dynamic SQL that accepts user input.
• Be aware of SQL injection.
Database Programming
• Keep the connection string in web.config:
• Web.config is an XML file that stores configuration settings for an ASP.NET application.
• Why would you want to keep your database connection strings in the Web.config file?
• Easier maintenance and deployment.
• Use customErrors and keep mode = "On".
• Disable trace for production; otherwise its output is exposed at "trace.axd".
• Disable debugging.
• Web.config is never served to clients by the web server; it can only be read through the file system.
• The .NET Framework will take care of web.config security.
Database Programming
• Never store sensitive data in clear text within a database:
• No application is 100% secure.
• An attacker can get into your database without going through your application.
• The attacker can use MS SQL Server Management Studio or his own application to access your database.
Database Programming
• Do not rely on client-side validation:
• Client-side validation can easily be bypassed.
• What if the user disables JavaScript?!
• Use client-side validation plus server-side validation.
Database Programming
• Validate input for length, range, format, and type:
• Do not trust user input.
• An attacker can pass malicious input, e.g. SQL injection.
• Use the Regex class (Regular Expressions) to validate input.
• For example, an e-mail regular expression is:
[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+.[A-Za-z]{2,3}
• Take a look at: http://regexlib.com
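The pattern above run on the server, as an added example that is not from the slides: with Regex.IsMatch and no ^/$ anchors it matches any substring, so input with SQL syntax appended after a valid-looking address still passes, while the anchored version with the dot escaped rejects it. The class and method names are my own.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the slides): the slide's e-mail pattern beside an
// anchored version, to show why anchors and an escaped "." matter when the
// check runs on the server.
public static class EmailValidator
{
    // Pattern exactly as written on the slide: no ^ and $ anchors, and the
    // "." before the top-level domain is unescaped, so it matches any character.
    private static readonly Regex SlidePattern =
        new Regex(@"[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+.[A-Za-z]{2,3}");

    // Same pattern anchored so the WHOLE input must match, with the dot escaped.
    private static readonly Regex AnchoredPattern =
        new Regex(@"^[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+\.[A-Za-z]{2,3}$");

    // IsMatch succeeds if the pattern matches ANY substring of the input,
    // so trailing SQL syntax after a valid-looking address is not rejected.
    public static bool MatchesSlidePattern(string input)
    {
        return input != null && SlidePattern.IsMatch(input);
    }

    // Server-side check: bound the length first (regex on very long input is
    // a denial-of-service risk), then require a whole-string match.
    public static bool IsValidEmail(string input)
    {
        if (string.IsNullOrEmpty(input) || input.Length > 254)
            return false;
        return AnchoredPattern.IsMatch(input);
    }

    public static void Main()
    {
        // Constructed inputs: a plain address and one with SQL syntax appended.
        string plain = "user@example.com";
        string withPayload = "user@example.com'; DROP DATABASE HR--";

        Console.WriteLine(MatchesSlidePattern(withPayload)); // substring match: accepted
        Console.WriteLine(IsValidEmail(withPayload));        // whole-string match: rejected
        Console.WriteLine(IsValidEmail(plain));              // accepted
    }
}
```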
Database Programming
• What is a SQL injection attack?
• Many web applications take user input from a form.
• Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
SELECT productdata FROM products WHERE productname = 'user input product name';
• A SQL injection attack involves placing SQL statements in the user input.
Database Programming
• SQL injection:
• A database-layer vulnerability.
• Characters like ' and ; have special meaning to the SQL engine.
• An attacker can gain:
• Unauthorized data access.
• Execution of arbitrary commands.
• RFID injection:
• What if a clever person doctored a tag to include extra characters in that item number?
Demo
Database Programming
• When constructing SQL queries, use type-safe SQL parameters:
• Use type-safe SQL parameters to avoid possible SQL injection attacks that can occur with unfiltered input.
• You can use type-safe parameters with stored procedures and with dynamic SQL statements.
• Parameters are also checked for type and length.
using System.Data;
using System.Data.SqlClient;

// connectionString comes from web.config; SSN is a TextBox on the page.
using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myCommand =
        new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Typed, length-limited parameter: the value is never spliced into SQL text.
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}
Database Programming
• Avoid dynamic SQL that accepts user input:
• Avoid constructing SQL queries in code that include user input.
• Instead, prefer parameterized stored procedures that use type-safe SQL parameters.
• If you construct queries dynamically using user input, your code is susceptible to SQL injection.
// Use dynamic SQL (vulnerable: user input is concatenated into the query text)
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'", myConnection);

If the user enters '; DROP DATABASE HR-- the query sent to the database becomes:
SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE HR--'
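The same lookup with a type-safe parameter in an inline SQL statement, as an added example that is not from the slides; AuthorLookup, FindAuthorNames, the placeholder connection string and the sample au_id value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the slides): the authors lookup from the dynamic-SQL
// snippet, rewritten with a type-safe parameter in an inline SQL statement.
// Table and column names follow the slide; the connection string and the
// sample au_id value are placeholders.
public static class AuthorLookup
{
    public static List<string> FindAuthorNames(string connectionString, string auId)
    {
        var names = new List<string>();

        // Validate on the server first: au_id is VarChar(11), so anything
        // longer is rejected before it reaches the database.
        if (string.IsNullOrEmpty(auId) || auId.Length > 11)
            return names;

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(
            "SELECT au_lname, au_fname FROM authors WHERE au_id = @au_id", connection))
        {
            // The value travels as typed data, never spliced into the SQL text.
            // Even with the length check removed, input such as
            // '; DROP DATABASE HR-- is compared as a literal and matches no row.
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = auId;

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader["au_fname"] + " " + reader["au_lname"]);
            }
        }
        return names;
    }

    public static void Main()
    {
        // Read the connection string from web.config rather than hard-coding it;
        // here a placeholder stands in for that value.
        const string connectionString = "<CONNECTION_STRING_FROM_WEB_CONFIG>";
        foreach (string name in FindAuthorNames(connectionString, "000-00-0000"))
            Console.WriteLine(name);
    }
}
```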
Database Programming
• Conclusion:
• Do not trust any input data.
• Use Regular Expressions to validate data.
• Use parameterized SQL input.
• Don't interact with the database directly; instead use stored procedures.
Cascading Style Sheets (CSS)
Cascading Style Sheets (CSS)
• CSS stands for Cascading Style Sheets.
• Styles define how to display HTML elements.
• Styles are normally stored in Style Sheets.
• External Style Sheets can save you a lot of work.
• External Style Sheets are stored in CSS files.
• Multiple style definitions will cascade into one.
• Separating the content and presentation.
Cascading Style Sheets (CSS)
selector {property: value;}
Selector: The HTML element you wish to define.
Property: The attribute you wish to change.
Value: The value the property takes.
Cascading Style Sheets (CSS)
• What style will be used when there is more than one style specified for an HTML element?
• Generally speaking we can say that all the styles will "cascade" into a new "virtual" style sheet by the following rules, where number four has the highest priority:
1. Browser default.
2. External style sheet.
3. Internal style sheet (inside the <head> tag).
4. Inline style (inside an HTML element).
Demo
Cascading Style Sheets (CSS)
• How can you use CSS files?
• Create a .CSS file.
• Enter your CSS code.
• In your .HTML or .ASPX page add:
<link rel="stylesheet" href="css_file_path.css" type="text/css"/>
inside your head tag.
• For example:
<head>
  <title>My Title</title>
  <link rel="stylesheet" href="MyStyle.css" type="text/css" />
</head>
Cascading Style Sheets (CSS)
• Benefits of Cascading Style Sheets:
Separate content from presentation.
Look and feel consistency.
Web site maintenance.
Exception Handling
Exception Handling
• Exceptions are:
• Errors that occur at execution time.
• Abnormal termination of a program.
• Wrong execution results.
• Exception handling is a programming language construct designed to handle the occurrence of some condition that changes the normal flow of execution.
Exception Handling
• Syntax (C#):
try {
    // Code that may raise an exception.
}
catch (Exception1 e) {
    // Case Exception1 occurs.
}
catch (Exception2 e) {
    // Case Exception2 occurs.
}
catch (Exception e) {
    // Case any other exception occurs. C# has no "else" clause here; a catch
    // of the base Exception type plays that role and must come last.
}
finally {
    // Code that always runs, whether or not an exception occurred.
}
Exception Handling
• In exceptions:
• Plan for the worst.
• Don't trust external data.
• Don't trust other systems: databases, or other applications.
• The only reliable devices are: the screen, the mouse and the keyboard.
• Writes can fail, too (space, privileges, physical fault...).
• Don't put important exception information in the Message field (security).
• Don't ever swallow exceptions.
• Cleanup code should be put in finally blocks.
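These rules applied to one data-access method, as an added example that is not from the slides; SalaryService, the GetSalaryTotal stored procedure and its @employee_id parameter are assumptions taken from the salary diagram earlier in the deck.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// Added example (not from the slides): the slide's rules applied to a data
// access call. The stored procedure name GetSalaryTotal and the parameter
// name are assumptions taken from the N-Tier diagram; ADO.NET types are real.
public class SalaryService
{
    // Carries a message safe to show the user; the original exception stays
    // in InnerException for the log, never for the UI.
    public class SalaryUnavailableException : Exception
    {
        public SalaryUnavailableException(string message, Exception inner)
            : base(message, inner) { }
    }

    public static decimal GetSalaryTotal(string connectionString, int employeeId)
    {
        SqlConnection connection = null;
        try
        {
            connection = new SqlConnection(connectionString);
            var command = new SqlCommand("GetSalaryTotal", connection);
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@employee_id", SqlDbType.Int).Value = employeeId;
            connection.Open();
            object result = command.ExecuteScalar();
            // "Don't trust other systems": the database may return no row or NULL.
            if (result == null || result == DBNull.Value)
                return 0m;
            return Convert.ToDecimal(result);
        }
        catch (SqlException ex)
        {
            // Full detail (server name, procedure, error number) goes to the
            // server-side trace listeners only, never into a user-facing message.
            Trace.TraceError("GetSalaryTotal failed for employee {0}: {1}", employeeId, ex);
            // Don't swallow the exception: rethrow with a generic message so the
            // presentation tier can show it without scaring the user.
            throw new SalaryUnavailableException("Salary information is currently unavailable.", ex);
        }
        finally
        {
            // Cleanup belongs in finally: runs whether the call succeeded or failed.
            if (connection != null) connection.Dispose();
        }
    }
}
```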
Exception Handling
• Objectives:
• Making a safer program by providing a special mechanism.
• Keeps your program running.
• Don't scare the user with technical errors.
Demo
Q & A
Thank you
Talal Abdullah Alsubaie, [email protected], IT Department, Saudi Food and Drugs Authority