Matt's Software Blog

Not the usual 'breakpoint will not be hit' solution

2011-12-06T17:54:00.000Z

I know the woes of the 'The breakpoint will not be hit' problem as I've struggled with it personally for years. After days of searching through the usual answers of check/delete your .pdb files I've found that it's often much simpler than that:

If you've got more than one instance of Internet Explorer running when trying to debug close them all and try to debug again.

The amount of times Visual Studio has attached itself to the wrong instance is both amazing and inconsistent. This simple trick has saved hours of both mine, and colleagues time.

Who tests the unit tests?

2011-10-08T18:05:00.000+01:00

With unit tests having fast become an accepted method of automating and reducing test time the question has to be asked - how are unit tests themselves tested?

A good developer can always be described as lazy because it's good developers who understand a little effort invested up front will pay off plenty in the future. It's this philosophy that has spread the wide adoption of unit-testing and specifically test driven development (TDD).

The problem is - like all code - unit tests can themselves contain bugs. A prime example in the .net framework:

[TestMethod]
        public void TestMethod1()
        {
            //
            // TODO: I'm not doing anything!
            //
        }

Even though this test clearly doesn't test anything, when executed it is a pass!

There are methods out there of how to craft a good unit test which focuses on the properties and structure of a quality test, and of-course standard re-factoring and quality control factors still apply, and here is the problem..

How can a unit test be completely trusted - when they are code themselves? Are unit tests simply "passing the buck" of responsibility?

Since unit tests are produced by developers. How can a developer absolutely know that a unit test accurately represents a requirement? Do we test it? How? If so who tests the unit tests?

Leaving router on at all times, good idea?

2011-07-14T11:15:00.000+01:00

Having recently subscribed to a new broadband service and sent the token 'free' wireless router. I was posed with the following question; should I leave the router powered on the whole time?

This particular broadband provider was nice enough to include the answer within their FAQ, and it is not at all what I expected [copied directly from their FAQ]:

FAQ: Should I leave my router switched on all the time?
Yes. Leaving your router on will make sure you get the best speed and performance from your service.

Don't switch it off at night! Regularly switching off your router can make it look like your service is disconnecting. If this happens, your broadband speed will be reduced because the exchange thinks your line is unstable and can't cope with higher speeds.

Aside from any technical reasons, I can think of a plethora of reasons why this might in fact be a bad idea:

- Security

Physical security is the best kind of security, preventing attackers getting their grubby mits anywhere near the bottom rung of the 7 layer OSI model. Physical security for a wireless, omnidirectional service can only be achieved through removing the power, stopping any would-be intruders in their tracks.

Leaving it on constantly however massively increases the attack area, which can be used to attempt to gain access. Once access is gained any kind of activities can take place, which could land the fee-paying subscriber in plenty of trouble such as; sending spam, stealing passwords, masquerading and cookie sniffing among others.

- Wasting power

Of course anything that has electricity running through it whilst not being used can be deemed a waste, hence minimising any such time is preferable.

- Fire risk

By leaving the router on all the time you are increasing the likelihood of leaving your service accessible to intruders.

There is also an active discussion: http://community.plus.net/forum/index.php/topic,80567.0.html/

Which, in addition to the other two points means I will be isolating my router for the foreseeable future and to be honest, who would want to risk those points for the sake of a possible yet temporary drop in speed?

The key to another world

2011-03-07T19:09:00.011Z

Having recently stumbled upon the World of Warcraft authenticator device I became intrigued at exactly how these work. For those of you who haven't seen one:

The authenticator provides a special code upon a pressing a button which the user needs when logging into their WoW account. The device itself is completely standalone, the code changes every few seconds and you cannot log-in without one. Surely this has got to be kind of magic? Well, no - its pretty simple really...

The devices are manufactured with a serial number known to the device that is hard coded. In addition to this it also contains a real time clock which is set during manufacture. Hence the device has two pieces of information at its disposal; the hard coded serial no, and the current time. Note how there's no connection whatsoever to anything else.

The serial number printed on the back of the Authenticator

When you first receive your device you must "synchronise" your online account with the serial no (which is reproduced on a sticker on the back). Since time is universal and the serial no never changes, the WoW server and the device both have access to the same two variables.

The server and authenticator both generate a code based on the current time and serial number. These are then concatenated together to come up with one long sequence of numbers, like so:

Sum of know values = [Current Time] + [Authenticator Serial No]

which could be:

Sum of known values = 12:37 + 1412668222

so you would end up with a number like 12371412668222 which both the authenticator and the server could generate given a specific time.

The problem with this is that this number can be captured by anyone through a variety of methods: looking at your screen, installing a keylogger, phishing, or any number of other attack.

To mitigate this the number is encrypted using either DES, 3DES or AES as supported by the device which will turn it into something meaningless, such as: 63634545.

Because both devices (the server and authenticator) generate these numbers separately, at the same time, and encrypt using the same algorithm, both will calculate the same result. This makes full use of the powerful combination of something you know - your username and password, which something you have - your authenticator. A step similarly introduced into google accounts 2-step verification.

To mitigate the user taking a while to submit their code it's likely the WoW server will accept a range of numbers, from a couple of minutes prior to the actual time.

This provides the following advantages:

The serial number is never sent over the wire in plain text so cannot be captured
The key changes with the time and whether it has been used, so being captured over the wire is useless as it must be used straight away and cannot be used again
Unless the attacker can collect a lot of keys - the serial no cannot be reverse engineered

I hope I've explained how these devices work, and shown how it's possible to manufacture these devices for pennies while thwarting a range of attack vectors.

Some sources used for this article:

Keeping it simple - stupid

2011-02-19T21:55:00.000Z

Einstein once said "Everything should be made as simple as possible, but not simpler" which couldn't apply any more to physics as it does modern software development.

You see - modern software development is brimming full of abstractions - which exist solely to provide simplification through hiding complexity.

These abstractions tend to come along with 'buzz word' names, here's just a handful:

- Web Services

- ASP.NET Web Forms

- User Controls

These are all 'cool' words to find on anyones CV, and asking a software developer about each would result in volumes spoken. However at the end of the day all of these boil down to abstracting the underlying messages being passed across a network. Imagine having to piece together each HTTP packet, adding the headers, and populating its payload - it would take an age to build anything, never mind a decent website, user control or web service - which is the problem abstraction solves.

However abstractions are very limited in their scope, and it's too easy for the non-experienced to try and abstract too much. Abstractions keep things simple, but applied too wide they make things simpler. And we know good old Einstein wouldn't be impressed with that.

To illustrate this point I'd like to describe something I recently experienced. A requirement of ours was to provide nightly backups across the internet, between two separate systems. To achieve this the following would take place:

The backup would be uploaded over FTP
A message would be sent to the recipient of the backup when complete (to allow it to process the backup)

The developer in charge decided the message after the upload was complete should be sent via a method call to a web service, which would also pass the hash of the uploaded file so it could be verified. There was a number of problems getting this set up, and while the FTP side of things worked perfectly, the web service didn't.

The point I'm making is that a web service is an abstraction over HTTP, and is complete overkill for a simple method call. A much better (and simpler) way would be to create a page who's URL allowed the hash to be passed in as a variable. Which would in turn carry out the same actions as the web service.

Doing it this way allows a number of benefits over the web service option:

Any machine connected to the internet could send the 'completed' message as there is no reliance on the .net framework
A lot of overhead has been removed
There no need to install, debug, and mess around with web service way of doing things

The developer involved had the notion that using a web service is some how more secure, which just sounds downright dangerous to me. If you've got an open web service, anyone can play around with it, but that's because I understand that its just abstracting a bunch of HTTP calls.

I therefore urge all software developers out there to think before you type anything, remember this is what a specification is for! Are you trying to abstract something which is already simple? You wouldn't nail a picture to the wall with a sledgehammer, would you?

ASP.NET ComboBox

2011-02-08T19:24:00.000Z

Want a ComboBox for your ASP.NET application? One that works? Cross browser? Well you're in luck.

A ComboBox is a control that displays a TextBox combined with a ListBox - which enables the user to either select an item from the list or type their own. They have many uses - as I'm sure most of you are aware.

I've always had a hard time trying to understand why Microsoft haven't provided a decent implementation of a ComboBox for ASP.NET applications. They have tried - and its included in the AJAX Control Toolkit - but its pretty darn useless if you ask me.

Don't get me wrong, there are plenty of permutations of ComboBox out there and as the adage goes "great programmers don't write what can be stolen", but the best ones aren't free and I just couldn't justify paying for something that should be. So I got to work and made my own:

Pretty nice isn't it?

Features of the control:

Nice and smooth sliding action
Its lightweight and simple
Renders in all browsers

It uses jQuery - so you'll have to include a script tag wherever you use it, I'm using this one kindly hosted at google:

<script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js">

Overall it took me around 2 simple hours to create, so why after 9 years since the ASP.NET framework has been released can Microsoft not provide a decent clone of the Windows ComboBox?

By all means my version is no way finished - it was created it to make a point. However by providing the source on here I've hopefully filled a gap in the ASP.NET control selection. I know that by storing it on here I should hopefully never lose it, and also allow others to use as they wish.

A couple of things you may want to implement into this control:

Remove the unnecessary postback when selecting an element using Javascript
Allow the height of the listbox to change dynamically depending on its contents
Add a load more methods (perhaps to bring it in line with the AJAX Control Toolkit)
Ajaxify it - what isn't these days?

I'm providing it as a Visual Studio 2008 solution so you can fire it up straight away, however it's trivial to open in any version. You can grab it here. I must say I'm quite proud of it.

All in all its a simple control - but it works perfectly for what I need. Please download the source and modify as you wish, however I'd be grateful if you cited me as the source. Perhaps even Microsoft will pick up on it (I can wish).

The often underrated value of Googling skills

2011-01-22T22:15:00.001Z

I recently stumbled upon this question over at Stack Overflow:

can anyone help me find out url from given paragraph using regex c#

From reading this you can learn a few of things about the asker:

They have *some* software knowledge as they know they want to use regular expressions (regex)
They didn't use punctuation
They don't know how to use Google

Programming is is such a large area that is constantly undergoing change that it simply isn't possible to know it all, and anyone who tells you that is likely already light-years behind.

The internet however does know all of the answers, and any programmer at any level should know about and exploit this excellent resource. Of course you know this - because you're doing it right now. In fact it has been said that software developers are simply Googling machines.

Whats at the centre of the internet? Its Google of course! Google is a tool - period, and any one whos been tasked with writing even a single line of code should know how to use it and use it to its full potential. And since you're reading this that likely means you.

So why arn't educational establishments teaching Googling skills to computer science students? I graduated in 2008 and certainly didn't get any formal guidance.

Which brings me back to the question above. The asker would have got an answer instantly if they simply knew (and had the motivation) to do a search. Perhaps if all software related education taught the use Google that above question would have never been asked. Of course the asker could have simply been lazy - in which case shouldn't be developing software at all...

Assumptions in software

2011-01-17T22:22:00.003Z

Its no secret that I prefer beautiful code. I prefer code that reads like a set of comments - which provide a running commentary of the execution path with zero ambiguity and certain clarity that makes its intent crystal clear.

This makes good sense when you realise code is the only medium which allows us to communicate with machines - it allows us to speak the same language. And just as in English, if you do not directly specify each and every possible fact - assumptions get made.

Now if an assumption is not was as intended strange results may occur - some may even say exceptional results. Bill Gates famously assumed in 1981 "640K ought to be enough for anybody" and we all know how wrong that was.

Exceptional circumstances are dealt with by most modern programming languages (in particular .NET) with - you guessed it - Exceptions. These set of classes are the equivalent of the software going crazy and refusing to carry on doing anything until the assumption is resolved - this is good, as we know that assumptions at best cause ambiguity and at worst are a show-stopper.

My beef is with a certain construct that goes by the name "Else". The problem is it encourages assumptions to be made but the main problem with this is computers don't have intuition. Imagine the following scenario:

A school want to carry out a survey of the average age of students and would like to use some software to take input and perform the calculation. I know if this was paper-based and an age came back as 135 my intuition would tell me this cannot be true - so I would write the software to also discard such a condition.

Once done the code looks like this:

private void addAge(int userInputtedAge)
        {
            if (userInputtedAge < 100)
            {
                //They've entered a valid range of ages
                calculateMean();
            }
            else
            {
                //The age wasn't less than 100
                MessageBox.Show("Please enter a valid age");
            }
        }

As you can see here using the else construct you have potentially introduced a bug if the user entered a perfectly valid int value of -10.

If I had re-written this software without using the else construct I would be forced to manually check for each expected condition:

private void addAge(int userInputtedAge)
        {
            if (userInputtedAge > 100)
            {
                //Bigger than 100
                throw new ArgumentOutOfRangeException();
            }
            if (userInputtedAge < 0)
            {
                //Less than zero
                throw new ArgumentOutOfRangeException();
            }

            calculateMean();
        }

Writing without the else has forced me to stop being lazy - and in the process I removed a potentially serious bug.

"So what?" you might be thinking. The fact of the matter is any assumptions included in your code have the scope of being manipulated and abused. Here is a real life example I found.

My conclusion is simple - if I'm expecting a particular range of inputs I should specifically test for each one. If an input is not what is expected it is therefore exceptional and hence the software should throw a tantrum rather than carry on regardless. Software should be designed in a way that causes bugs to show themselves - not hide away quietly.

So please - next time you think of writing Else stop and think "Do I really mean anything else?"

Are programmers any good without Google?

2011-01-03T15:20:00.002Z

Having recently read that apparently 199 out of 200 of applicants for programming jobs can't write code at all I thought I'd put myself to the test.

The crux of the post being the FizzBuzz problem.

My results were rather surprising, although I managed to code a solution within 10 minutes - I had to perform the following google searches:

c# if whole number
c# multiples

and finally ending up with asking a rather dumb question over at stackoverflow.

This strikes fear through me, as it has become apparent that I am one of those who have a degree but can fail when asked to carry out a basic programming task during interview.

I've often wondered about this very fundamental understanding of programming - are programmers reduced to being simple googling machines? Are our jobs simply comprised of looking up others code - and making it work for you?

I'm not so sure about the value of coding during interviews, as they tend to want you to code solo - without help. But when in the real world are you working on a computer without internet access? Now obviously I disagree with someone using the internet for hours whilst trying to solve a trivial problem, but looking up syntax or framework quirks - surely thats excusable?

There are thousands of aspects to the .NET Framework and I challenge anyone who says they "know" it all. A programmer not needing the internet I believe is the equivalent of saying a Christian doesn't need a Bible because they "know" it all.

So what are the general thoughts on this?

Is Gmail dangerous?

2010-12-20T15:01:00.000Z

To date Gmail is offering 7530+ MB of free storage space. Of course thats nothing new and is a welcome relief to those who have used e-mail services in the past which restrict your storage.

However those restrictive e-mail services have one advantage that Gmail cannot possibly hope to offer; security by forced removal of data

Don't get me wrong, I'm an avid Gmail fan and love being able to search back through the months to find past communications. My gripe is that information is needlessly kept not for a set time but essentially forever.

"Great" some people might think, now I'll never lose anything and it will always be there for me again if I need it, but take a moment to think of it this way:

Almost every single part of your online identity - for the whole of the time you've been online - is usually contained within e-mails. Thats right, those websites that e-mail you your password after registration, receipts from purchases and even notifications from social networking sites you're subscribed to (to name a few).

Not only that, but because users collect Usernames and Passwords like Pokemon, and all those are collected under your e-mail providers password, you're essentially keeping all your eggs in one big persistent security basket.

This opens a whole world of security problems such as detailed in Jeff Atwood's recent post. The best way to ensure information is secure, is to remove it. Simple! But without enforcing this, how many users will actually do it?

C# Conditional Operator ( ?: ) and Null-Coalescing Operator ( ?? )

2010-10-05T11:10:00.001+01:00

After spending a couple of years in the software industry its becoming more and more apparent to me just how little I actually know. It seems that every time I learn something new, something groundbreaking, a new world of possibilities opens up. One such event occurred today.

A little known operator (??) can do away with bulky if...else statements and tidy up the source code. Suppose you want to assign something to a variable, but only want to do so if that value isn't null? Its something I know I do pretty much every day, usually with code such as:

   1:  if (x != null)

   2:       {

   3:         y = x;

   4:       }

   5:       else

   6:       {

   7:         y = "";

   8:       }

This can be completely replaced with:

   1:  y = x ?? "";

How cool is that?

In addition a single (?) can be used as a boolean conditional operator, so instead of testing for null it can test for any boolean to be true. For example:

   1:  y = x != null ? x : "";

This article was written because of inspiration from both here and here

I'm going to be using these quite a bit I think.

Preventing Arrow Code

2010-09-13T22:41:00.000+01:00

One of my pet hates in software is arrow code, that is code that contains excessive nesting of conditional statements and loops.

Take a look at this unwieldy mess:

   1:  Private Sub returnCodes()

   2:          code.Items.Clear()

   3:          If IsNothing(mycls.Dates) = False Then

   4:              If mycls.Dates.Rows.Count <> 0 Then

   5:                  Dim myrow As DataRow

   6:                  Dim myindex As Integer

   7:                  For Each myrow In mycls.Dates.Rows

   8:                      If getId(Input.Text) = Trim(myrow("id")) Then

   9:                          For myindex = 0 To code.Items.Count - 1

  10:                              If Trim(code.Items(myindex)) = Trim(myrow("year")) Then

  11:                                  Exit For

  12:                              End If

  13:                          Next

  14:                          If code.Items.Count - 1 < myindex Then

  15:                              code.Items.Add(myrow("year"))

  16:                          Else

  17:                              If String.Compare(Trim(code.Items(myindex)), Trim(myrow("year")), True) <> 0 Then

  18:                                  code.Items.Add(myrow("year"))

  19:                              End If

  20:                          End If

  21:                      End If

  22:                  Next

  23:                  code.Sorted = True

  24:                  If code.Items.Count > 0 Then setCode(code.Items(0))

  25:              End If

  26:          End If

  27:      End Sub

Pretty ugly huh? A couple of problems with this:

There are a high number of distinct paths through the code

The amount paths through a section of code is directly correlated to the chance of it containing a bug. You can't realistically test every single possible scenario on your code - its simply not possible, therefore the only answer is to reduce the possible paths your code can take.

Excessive looping
Loops use up resources - fact. A piece of code that loops 5 times is quicker than a piece that loops 500. It is therefore important to use looping carefully to efficiently use resources.

Its hard to debug
Chances are you won't be the only person who will have to read and understand your code. You might understand it fully when you write it, but what about a year down the line? What about your colleagues when you aren't about?

Coding like this will only contribute to a slower, harder to debug, error prone software.

So that I could ultimately understand and subsequently modify, I had to simplify it whilst also keeping in mind the above points.

Now:

   1:  Private Sub returnCodes()

   2:          code.Items.Clear()

3:

   4:          If IsNothing(mycls.Dates) Then Exit Sub

5:

   6:          Dim myrow As DataRow

7:

   8:          For Each myrow In mycls.Dates.Rows

   9:              If getId(Input.Text) = Trim(myrow("id")) Then

  10:                  If Not code.Items.Contains(myrow("year")) Then

  11:                      code.Items.Add(myrow("year"))

  12:                  End If

  13:              End If

  14:          Next

15:

  16:          code.Sorted = True

17:

  18:          If code.Items.Count > 0 Then setCode(code.Items(0))

19:

  20:      End Sub

Not only is the code easy to understand, I actually increased performance dramatically. This process reduced loops from 2480 to 509

The most important lesson I've learnt is that there is simply no excuse for any good developer to submit code without removing the unnecessary crap. See this article for some of the hints on cleaning up your own code.

The difference between validation and verification

2010-08-31T22:21:00.000+01:00

This one is kind of a rant. There is a subtle difference between the two key words validation and verification. They are not the same thing, and the difference is taught as low as GCSE IT level.

I just felt like I needed to say that as there is a lot of "validate this" and "validate that" knocking around when in fact verification is what is required. Don't know the difference?

Lets clear this up:

Validation: The process of checking of data to ensure that it is acceptable for it or not.
Verification: The process of checking of data to ensure that it is the correct value

So when you go down to the ATM and enter your PIN to get cash out its important to understand that any four digit number you type on the keyboard is in fact valid, whereas after checking it is actually yours means it has been verified.

Just so that no one gets this mixed up here are some more examples:

	Validation	Verification
Password	Any text at least 7 characters	Comparison with actual password
Phone number	Correct amount of numbers between 0 - 9	Dialling gets through to the right person
Television channel	Any number of correct length	Selecting the channel you wanted

For those who should know better Regular Expressions are for validation (thats all they do) and not verification!

I finally have somewhere to point those people who mean one thing, but say another...

Internet Explorer window.close(); does not work after print preview

2010-05-25T10:29:00.000+01:00

It appears that a call to window.close(); or self.close(); doesn't do a single thing after opening print preview in Internet Explorer. Apparently this bug goes from versions 6 - 8 (9 has yet to be released). If anyone has any work arounds for this bug I would be very greatful. It astounds me that such a simple bug can span multiple releases.

Overlooking the security aspect of the query string

2010-05-24T11:14:00.000+01:00

Recently whilst debugging a mission critical, public facing, financial web application I uncovered a very serious security hole.

As one of its features the application contained a content management system so that relevant departments can upload and change content which appears on carefully selected parts of the site. This meant that certain folders must be open to the departments which are available to be edited through the system. The folder currently being worked on was contained in the query string.

For those that do not know what the query string is here is an example. When you google something, for example 'blog' the page you are sent to is http://www.google.co.uk/search?q=blog. That bit after the ? is called the query string (in this case q=blog) which contains my search. I can do what I want with this string and resubmit it. So if I change the query string to q=blogspot and submit it, I am returned the google results for 'blogspot'. Anyone can manipulate the query string.

In the web application this meant that anyone could simply change the query string, and that would change the folder currently being worked on. Only a few guesses are needed to view the contents of restricted folders. Doing this I managed to download the full source code for the application, something which would be very valuable to an attacker...

So if in doubt use server side variables instead.

Validatation for Custom User Controls

2010-01-19T11:02:00.000Z

Recently I stumbled across the problem of needing to validate user input supplied to a Custom User Control. Usually validation is simply the case of dragging one of the excellent validation controls onto the page and pointing it towards the control you wish to validate.

Custom User Control's however are a different story. These are controls written by a developer to carry out a function which no other existing controls can. As they have been written from the ground up, they cannot be simply associated to a validation control without further work.

To allow a Custom User Control to be validated the first thing which is required is the addition of <ValidationPropertyAttribute("value")>. This specifies the property which supplies the string to be validated, where "value" is the name of the property.

Secondly the ControlToValidate="" property of validation control on the page should be the ID of the user control, colon(:), then the ID of the control to which 'value' is associated.

For example I had a control named cboTask which had <ValidationPropertyAttribute("value")> defined within it where value was a property which returned the current value of a DropDownList (DropDownList1) which was contained within cboTask. In order to validate that the user selected an option I used the RequiredFieldValidator with the ControlToValidate="cboTask:DropDownList1".

   1:  <ValidationPropertyAttribute("value")> _

   2:  Partial Public Class ctlDropDownList

   3:      Inherits System.Web.UI.UserControl

4:

5:

   6:   Public Property value() As String

   7:          Get

   8:              Return DropDownList1.SelectedValue.Trim()

   9:          End Get

  10:          Set(ByVal value As String)

  11:              Dim llistitem As ListItem

  12:              DropDownList1.ClearSelection()

  13:              For Each llistitem In DropDownList1.Items

  14:                  If RTrim(llistitem.Value) = RTrim(value) Then

  15:                      llistitem.Selected = True

  16:                      Exit For

  17:                  End If

  18:              Next

  19:          End Set

  20:      End Property

21:

  22:  End Class

   1:  <asp:RequiredFieldValidator ID="rfvTask"

   2:         runat="server"

   3:         ErrorMessage="Task cannot be blank"

   4:         InitialValue=""

   5:         ControlToValidate="cboTask:DropDownList1"

   6:          ValidationGroup="page">*</asp:RequiredFieldValidator>

Doing this allows both client and server validation, and allows you to use the validation controls as you would with any of the existing .NET controls.

Preventing an error 403 ever reaching the client

2009-12-14T10:49:00.000Z

I was put in the strange position of preventing an ASP.net web application sending an error HTTP 403 to the client. This was following 'security recommendations from the experts' that an error 403 confirms to an attacker that they have identified a part of the file structure.

Anyway this is how I managed to do it.

Add an Application_Error method to Global.asax which directs the user to a known page:

   1:  protected void Application_Error(object sender, EventArgs e)

   2:              {

3:

   4:                  Response.Redirect("Default.aspx");

5:

   6:  }

and configure IIS custom error page to direct to a non-existing page, this will show in the logs so choose something like /AttemptToAccess403.aspx.

When the server encounters a 403 it will look up the non-existing page which will cause an error in the application. This is caught via the Application_Error method and will direct the user to a valid page (Default.aspx). To the user this is invisible, however the server has logged the attempt to access a directory structure (403) as an attempt to access page /AttemptToAccess403.aspx and an error 403 is never propogated to the client and hence satisfies the security requirement.

Headers returned to the client:

(before)

HTTP/1.x 301 Moved Permanently

HTTP/1.x 302 Found

(after)

HTTP/1.x 200 OK

HTTP/1.x 200 OK

As for the initial 'security' concern....

ASP Menu bug in IE8 and Chrome

2009-12-03T12:56:00.000Z

Well it turns out there is a bug in the ASP Menu control that stops the dynamic part of the menu rendering when the user rolls their mouse over a static part of the menu.

It appears the problem is to do with the way the control checks if the browser has javascript enabled, and it decides both IE 8 and Chrome don't, hence nothing is shown to the user.

The only work arounds I've come across are:

Don't use the thing
Put IE8 into compatibility mode (or download this hotfix)
Use this nasty hack around

Obviously we cannot expect our users to have to follow special procedures to view our site, and with the only other solution being a hack, we'd rather go with something else completely...

Regular Expressions are fun

2009-11-23T16:29:00.001Z

I've finally made the effort to fully understand how to write my own regular expressions. In the past I just had no idea what something as cryptic as ^.+[a-zA-Z][a-zA-Z]\d\d\d\d\d\d.+?.pdf|^.+\w+\.xml (I just wrote that) meant.

Plugging that into my application now means that it fully validates my input, and does it perfectly. How did we manage before these things were invented?

If you want to learn more about regular expressions then take a look here.

Using the @MasterType directive instead of the @Page directive with MasterPageFile=""

2009-11-04T10:14:00.000Z

Just a quick snippet for future use. When referencing a master page within your aspx file its best to use the @MasterType directive rather than the MasterPageFile="" attribute of the @Page directive. Doing so will allow strongly typed access to any methods you've put in the master page rather than having to do something ugly.

Example:

((DefaultLayout)this.Master).SetPageHeading("This heading is set from inside Default.aspx");

becomes:

Master.SetPageHeading("This heading is set from inside Default.aspx");

Much better dont you think?

Browser discrepancies, arghh!

2009-11-03T18:55:00.000Z

Why oh why do browsers from different vendors (Internet Exlorer, Firefox, Chrome etc) STILL have problems agreeing on the correct way to display a web page and correctly interpret javascript?

The World Wide Web Consortium has been around for 15 years now and defines the standards required for web developers to follow (which I must say I attempt to do very carefully) only to find that most browsers out there don't (or even worse have their own interpretation of them).

The problem here is the W3C leaves it up to the software manufacturers in order to become 'compliant', which doesn't mean much, as there are different standards of compliance, huh?

Microsoft's latest version of Internet Explorer claims it is "standards compliant" and has been riled all over the internet forums for breaking existing websites. Which I think is a very positive move as now these websites must also begin to follow standards or start losing traffic.

I think the only way this can be tackled would a scheme which checks new web browser software prior to market for compliance, and only if it passes 100% of tests can it legally be called a browser. Such a scheme could work in the same way that SSL certificates are issued, and would work something like this:

Software is submitted to an independent authority which performs tests on the browser for compliance with current standards
Following a successful result a certificate is issued based on a signature of the software, and is unique to that software
In order resolve domain names this certificate must be included in DNS requests, failure of which would mean the request is ignored

Assuming this is possible would mean that non-compliant browsers would be less convenient to use for end users (who wants to type in IPs each time they want to visit a page?) and would result in loss of custom, forcing them elsewhere.

On a side note the latest version of outlook express actually uses the Word (yes Word) to render embedded HTML, surely this is a joke Microsoft?

Why I hate the bank card readers

2009-11-02T16:46:00.000Z

All the major banks are now supplying the darned card readers to be used for online transactions.

If you don't know what I mean they're the little "calculator like" devices which you insert your debit card (and pin) to allow yourself to be authenticated via online banking.

However (like all security) there are downsides:

You have to carry one everywhere you do your online banking
For some reason most institutions lock them to only work with their cards (so you cannot simply borrow one from someone)

Most people mis-understand how these devices work, the clue is in the name, they are a reader, they don't have any logic on-board regarding anything financial. The processing all happens within the chip itself on the card, the readers are simply a means of communicating with your card.

Regarding having to use one for each institution would be very understandable if each used their own algorithms for card transactions, but this would be both a massive overhead and simply isn't the way its done (do they have different card readers for each bank in the shops?). Instead a marker is set on the card detailing the banks 5 digit number. The readers must simply compare this to a pre-set value and if not identical "Wrong Card", god dam!

Forcing most people to have to carry this stupid things around with them.

Regarding security they can actually make it worse. Picture this. Dark alley late at night. Thieves mug you, get your card, and demand your pin. It can be checked on the spot, without the thieves having to risk marching you to the nearest cash machine. This is stupid that these things actually issue "wrong pin, try again". A better way would to be simply issue the authentication codes anyway, which would of course be wrong had the pin being incorrect.

Nevermind, maybe the banks will catch up with technology one day...

Shame on you banks for locking down on internet banking when the whole ethos is around making it more convenient for their customers.

.NET Framework gets more powerful by the day

2009-10-29T14:11:00.000Z

Almost daily now I discover another aspect of the .NET framework which replaces manual repetitive tasks us developers are used to.

On going about setting up a membership system for a recent project I was about to go ahead and create session variables so the user can be tracked across pages, a pretty usual task in web development, when a colleague passed me a training folder entitled "Developing ASP.NET Web Applications: Hands-On".

Well blow me, everything you need (I mean EVERYTHING) is already pre-written and accessible through the System.Web.Security namespace using the Membership Provider, and anything that you need to customise is simply a case of deriving a class full of your own code.

In about 5 mins flat I put all the "members only" pages into a respective folder and changed the config file, now it'll only be shown when I drag the asp:Login control and authenticate myself. So much easier, and .NET is definitely becoming my first choice for personal and future projects

WHHAAT? HttpUtility.Urlencode() doesn't encode apostrophes?

2009-06-08T15:28:00.000+01:00

For some obscure reason HttpUtility.Urlencode() supplied with the .NET framework doesn't encode the apostrophe! The only way around this appears to be encode it, then manually replace this "special character" with %27.

This is rather worrying actually. I've used this method plenty of times, in past projects, only to have found out they can be broken with a simple '. This is a major oversight on MS's behalf (yes have you noticed the amount of apostrophe's that appear in this post?).

Anyways, looks like a quick Ctrl+F to find all instances of this I can and to replace with:

HttpUtility.UrlEncode(URL.Replace("'", "%27");

Funny how this isn't documented anywhere in the official docs isn't it?

I was caught Google's StreetView!

2009-05-29T11:39:00.000+01:00

On the way to work this morning whilst sending a text message I realised the easily distinguishable Google StreetView cam flying past on the top of a foreign registered corsa, and I've a good bet it was filming at the time.

No images are online yet...but I'll be checking on a daily basis. I wonder how long it takes them to process and upload the images?