Matt's Software Blog

The difference between validation and verification

2010-08-31T22:21:00.000+01:00

This one is kind of a rant. There is a subtle difference between the two key words validation and verification. They are not the same thing, and the difference is taught as low as GCSE IT level.

I just felt like I needed to say that as there is a lot of "validate this" and "validate that" knocking around when in fact verification is what is required. Don't know the difference?

Lets clear this up:

Validation: The process of checking of data to ensure that it is acceptable for it or not.
Verification: The process of checking of data to ensure that it is the correct value

So when you go down to the ATM and enter your PIN to get cash out its important to understand that any four digit number you type on the keyboard is in fact valid, whereas after checking it is actually yours means it has been verified.

Just so that no one gets this mixed up here are some more examples:

	Validation	Verification
Password	Any text at least 7 characters	Comparison with actual password
Phone number	Correct amount of numbers between 0 - 9	Dialling gets through to the right person
Television channel	Any number of correct length	Selecting the channel you wanted

For those who should know better Regular Expressions are for validation (thats all they do) and not verification!

I finally have somewhere to point those people who mean one thing, but say another...

Internet Explorer window.close(); does not work after print preview

2010-05-25T10:29:00.000+01:00

It appears that a call to window.close(); or self.close(); doesn't do a single thing after opening print preview in Internet Explorer. Apparently this bug goes from versions 6 - 8 (9 has yet to be released). If anyone has any work arounds for this bug I would be very greatful. It astounds me that such a simple bug can span multiple releases.

Overlooking the security aspect of the query string

2010-05-24T11:14:00.000+01:00

Recently whilst debugging a mission critical, public facing, financial web application I uncovered a very serious security hole.

As one of its features the application contained a content management system so that relevant departments can upload and change content which appears on carefully selected parts of the site. This meant that certain folders must be open to the departments which are available to be edited through the system. The folder currently being worked on was contained in the query string.

For those that do not know what the query string is here is an example. When you google something, for example 'blog' the page you are sent to is http://www.google.co.uk/search?q=blog. That bit after the ? is called the query string (in this case q=blog) which contains my search. I can do what I want with this string and resubmit it. So if I change the query string to q=blogspot and submit it, I am returned the google results for 'blogspot'. Anyone can manipulate the query string.

In the web application this meant that anyone could simply change the query string, and that would change the folder currently being worked on. Only a few guesses are needed to view the contents of restricted folders. Doing this I managed to download the full source code for the application, something which would be very valuable to an attacker...

So if in doubt use server side variables instead.

Validatation for Custom User Controls

2010-01-19T11:02:00.000Z

Recently I stumbled across the problem of needing to validate user input supplied to a Custom User Control. Usually validation is simply the case of dragging one of the excellent validation controls onto the page and pointing it towards the control you wish to validate.

Custom User Control's however are a different story. These are controls written by a developer to carry out a function which no other existing controls can. As they have been written from the ground up, they cannot be simply associated to a validation control without further work.

To allow a Custom User Control to be validated the first thing which is required is the addition of <ValidationPropertyAttribute("value")>. This specifies the property which supplies the string to be validated, where "value" is the name of the property.

Secondly the ControlToValidate="" property of validation control on the page should be the ID of the user control, colon(:), then the ID of the control to which 'value' is associated.

For example I had a control named cboTask which had <ValidationPropertyAttribute("value")> defined within it where value was a property which returned the current value of a DropDownList (DropDownList1) which was contained within cboTask. In order to validate that the user selected an option I used the RequiredFieldValidator with the ControlToValidate="cboTask:DropDownList1".

   1:  <ValidationPropertyAttribute("value")> _

   2:  Partial Public Class ctlDropDownList

   3:      Inherits System.Web.UI.UserControl

4:

5:

   6:   Public Property value() As String

   7:          Get

   8:              Return DropDownList1.SelectedValue.Trim()

   9:          End Get

  10:          Set(ByVal value As String)

  11:              Dim llistitem As ListItem

  12:              DropDownList1.ClearSelection()

  13:              For Each llistitem In DropDownList1.Items

  14:                  If RTrim(llistitem.Value) = RTrim(value) Then

  15:                      llistitem.Selected = True

  16:                      Exit For

  17:                  End If

  18:              Next

  19:          End Set

  20:      End Property

21:

  22:  End Class

   1:  <asp:RequiredFieldValidator ID="rfvTask"

   2:         runat="server"

   3:         ErrorMessage="Task cannot be blank"

   4:         InitialValue=""

   5:         ControlToValidate="cboTask:DropDownList1"

   6:          ValidationGroup="page">*</asp:RequiredFieldValidator>

Doing this allows both client and server validation, and allows you to use the validation controls as you would with any of the existing .NET controls.

Preventing an error 403 ever reaching the client

2009-12-14T10:49:00.000Z

I was put in the strange position of preventing an ASP.net web application sending an error HTTP 403 to the client. This was following 'security recommendations from the experts' that an error 403 confirms to an attacker that they have identified a part of the file structure.

Anyway this is how I managed to do it.

Add an Application_Error method to Global.asax which directs the user to a known page:

   1:  protected void Application_Error(object sender, EventArgs e)

   2:              {

3:

   4:                  Response.Redirect("Default.aspx");

5:

   6:  }

and configure IIS custom error page to direct to a non-existing page, this will show in the logs so choose something like /AttemptToAccess403.aspx.

When the server encounters a 403 it will look up the non-existing page which will cause an error in the application. This is caught via the Application_Error method and will direct the user to a valid page (Default.aspx). To the user this is invisible, however the server has logged the attempt to access a directory structure (403) as an attempt to access page /AttemptToAccess403.aspx and an error 403 is never propogated to the client and hence satisfies the security requirement.

Headers returned to the client:

(before)

HTTP/1.x 301 Moved Permanently

HTTP/1.x 302 Found

(after)

HTTP/1.x 200 OK

HTTP/1.x 200 OK

As for the initial 'security' concern....

ASP Menu bug in IE8 and Chrome

2009-12-03T12:56:00.000Z

Well it turns out there is a bug in the ASP Menu control that stops the dynamic part of the menu rendering when the user rolls their mouse over a static part of the menu.

It appears the problem is to do with the way the control checks if the browser has javascript enabled, and it decides both IE 8 and Chrome don't, hence nothing is shown to the user.

The only work arounds I've come across are:

Don't use the thing
Put IE8 into compatibility mode (or download this hotfix)
Use this nasty hack around

Obviously we cannot expect our users to have to follow special procedures to view our site, and with the only other solution being a hack, we'd rather go with something else completely...

Regular Expressions are fun

2009-11-23T16:29:00.000Z

I've finally made the effort to fully understand how to write my own regular expressions. In the past I just had no idea what something as cryptic as ^.+[a-zA-Z][a-zA-Z]\d\d\d\d\d\d.+?.pdf|^.+\w+\.xml (I just wrote that) meant.

Plugging that into my application now means that it fully validates my input, and does it perfectly. How did we manage before these things were invented?

If you want to learn more about regular expressions then take a look here.

Using the @MasterType directive instead of the @Page directive with MasterPageFile=""

2009-11-04T10:14:00.000Z

Just a quick snippet for future use. When referencing a master page within your aspx file its best to use the @MasterType directive rather than the MasterPageFile="" attribute of the @Page directive. Doing so will allow strongly typed access to any methods you've put in the master page rather than having to do something ugly.

Example:

((DefaultLayout)this.Master).SetPageHeading("This heading is set from inside Default.aspx");

becomes:

Master.SetPageHeading("This heading is set from inside Default.aspx");

Much better dont you think?

Browser discrepancies, arghh!

2009-11-03T18:55:00.000Z

Why oh why do browsers from different vendors (Internet Exlorer, Firefox, Chrome etc) STILL have problems agreeing on the correct way to display a web page and correctly interpret javascript?

The World Wide Web Consortium has been around for 15 years now and defines the standards required for web developers to follow (which I must say I attempt to do very carefully) only to find that most browsers out there don't (or even worse have their own interpretation of them).

The problem here is the W3C leaves it up to the software manufacturers in order to become 'compliant', which doesn't mean much, as there are different standards of compliance, huh?

Microsoft's latest version of Internet Explorer claims it is "standards compliant" and has been riled all over the internet forums for breaking existing websites. Which I think is a very positive move as now these websites must also begin to follow standards or start losing traffic.

I think the only way this can be tackled would a scheme which checks new web browser software prior to market for compliance, and only if it passes 100% of tests can it legally be called a browser. Such a scheme could work in the same way that SSL certificates are issued, and would work something like this:

Software is submitted to an independent authority which performs tests on the browser for compliance with current standards
Following a successful result a certificate is issued based on a signature of the software, and is unique to that software
In order resolve domain names this certificate must be included in DNS requests, failure of which would mean the request is ignored

Assuming this is possible would mean that non-compliant browsers would be less convenient to use for end users (who wants to type in IPs each time they want to visit a page?) and would result in loss of custom, forcing them elsewhere.

On a side note the latest version of outlook express actually uses the Word (yes Word) to render embedded HTML, surely this is a joke Microsoft?

Why I hate the bank card readers

2009-11-02T16:46:00.000Z

All the major banks are now supplying the darned card readers to be used for online transactions.

If you don't know what I mean they're the little "calculator like" devices which you insert your debit card (and pin) to allow yourself to be authenticated via online banking.

However (like all security) there are downsides:

You have to carry one everywhere you do your online banking
For some reason most institutions lock them to only work with their cards (so you cannot simply borrow one from someone)

Most people mis-understand how these devices work, the clue is in the name, they are a reader, they don't have any logic on-board regarding anything financial. The processing all happens within the chip itself on the card, the readers are simply a means of communicating with your card.

Regarding having to use one for each institution would be very understandable if each used their own algorithms for card transactions, but this would be both a massive overhead and simply isn't the way its done (do they have different card readers for each bank in the shops?). Instead a marker is set on the card detailing the banks 5 digit number. The readers must simply compare this to a pre-set value and if not identical "Wrong Card", god dam!

Forcing most people to have to carry this stupid things around with them.

Regarding security they can actually make it worse. Picture this. Dark alley late at night. Thieves mug you, get your card, and demand your pin. It can be checked on the spot, without the thieves having to risk marching you to the nearest cash machine. This is stupid that these things actually issue "wrong pin, try again". A better way would to be simply issue the authentication codes anyway, which would of course be wrong had the pin being incorrect.

Nevermind, maybe the banks will catch up with technology one day...

Shame on you banks for locking down on internet banking when the whole ethos is around making it more convenient for their customers.

.NET Framework gets more powerful by the day

2009-10-29T14:11:00.000Z

Almost daily now I discover another aspect of the .NET framework which replaces manual repetitive tasks us developers are used to.

On going about setting up a membership system for a recent project I was about to go ahead and create session variables so the user can be tracked across pages, a pretty usual task in web development, when a colleague passed me a training folder entitled "Developing ASP.NET Web Applications: Hands-On".

Well blow me, everything you need (I mean EVERYTHING) is already pre-written and accessible through the System.Web.Security namespace using the Membership Provider, and anything that you need to customise is simply a case of deriving a class full of your own code.

In about 5 mins flat I put all the "members only" pages into a respective folder and changed the config file, now it'll only be shown when I drag the asp:Login control and authenticate myself. So much easier, and .NET is definitely becoming my first choice for personal and future projects

WHHAAT? HttpUtility.Urlencode() doesn't encode apostrophes?

2009-06-08T15:28:00.000+01:00

For some obscure reason HttpUtility.Urlencode() supplied with the .NET framework doesn't encode the apostrophe! The only way around this appears to be encode it, then manually replace this "special character" with %27.

This is rather worrying actually. I've used this method plenty of times, in past projects, only to have found out they can be broken with a simple '. This is a major oversight on MS's behalf (yes have you noticed the amount of apostrophe's that appear in this post?).

Anyways, looks like a quick Ctrl+F to find all instances of this I can and to replace with:

HttpUtility.UrlEncode(URL.Replace("'", "%27");

Funny how this isn't documented anywhere in the official docs isn't it?

I was caught Google's StreetView!

2009-05-29T11:39:00.000+01:00

On the way to work this morning whilst sending a text message I realised the easily distinguishable Google StreetView cam flying past on the top of a foreign registered corsa, and I've a good bet it was filming at the time.

No images are online yet...but I'll be checking on a daily basis. I wonder how long it takes them to process and upload the images?

Creating a windows service using the .net framework

2009-05-19T14:53:00.000+01:00

Today has been spent attempting to write a windows service in the .NET framework (Using C#). While reasonably hard to get of the ground, after a bit of research they are actually only slighty harder to write than a simple WinForm. I do however want to repeat some bits of my research here, hopefully to make coding a windows service easier in the future:

They cannot be simply ran by hitting F5 and hoping for the best. They must be tediously installed (or if like me you can write an External Tool to Visual Studio :-)
You need to start the service manually (or again you could write a small batch file [using net start])
The service will not be started from a network drive (You will get an error along the lines of: Error 403 File cannot be found) generic huh?

And last but not least....you can't use the Timer control contained in System.Windows.Forms, nope, it has to be a cousin (albeit almost identical) control within the System.Timers namespace. Use of the latter won't cause any compilation problems, it simply won't work, as I eventually found out from this obscure Microsoft article.

As you can see, writing a Windows Service is no trivial task...

Happy coding!

How to create a ComboBox in ASP.NET

2009-05-15T11:39:00.000+01:00

The .NET framework has long been deficient in the fact it DOES NOT include a ComboBox control as standard. For those of you who do not know what a ComboBox is, it is essentially an editable drop down list (see here) which allows the user to either type OR select from a list. I suppose it is rather analogous to the browsers address bar.

There are other options out there to provide this functionality (such as the AJAX solution above) and countless paid for controls, but what if all you want is a simple, no frills ComboBox?

Well it is actually rather simple to create one.

What is required is to add a TextBox and a Button (or if you're feeling fancy an image) and a ListBox below them, so that you have something like:

<div>

    <asp:TextBox ID="TextBox1" runat="server"
        style="z-index: 1; left: 102px; top: 28px; position: absolute"
        Height="20px"></asp:TextBox>

    <input id="Button1" type="button" value="V" style="width:20px; height:28px; z-index: 1; left: 239px; top: 27px; position: absolute" onclick="toggle_visibility('div1')" />

    <div id="div1" style="display:none">
        <asp:ListBox ID="ListBox1" runat="server"
            style="z-index: 1; left: 102px; top: 59px; position: absolute"
            Width="155px" AutoPostBack="True">
            <asp:ListItem Selected="True">Sids Co</asp:ListItem>
            <asp:ListItem>Jacks Co</asp:ListItem>
            <asp:ListItem>Daves Co</asp:ListItem>
        </asp:ListBox>
    </div>

</div>

Then all is required is a spot of JavaScript to show/hide the ListBox when you click the button:

function toggle_visibility(id) {

var e = document.getElementById(id);

if(e.style.display == 'block')

e.style.display = 'none';

else

e.style.display = 'block';

}

Of course you may find that you'll have to play around with CSS to get it looking correctly and a bit of codebehind so that when the user selects from the ListBox the TextBox is updated correctly. However what you have is essentially a working ComboBox that works in all browsers, and to be honest, what else do you need?

Those looking for a more elegant solution are either going to have to cough up and pay for the control, or move towards the AJAX solution (which will NOT work with JavaScript disabled). Blame Microsoft :-)

EDIT: I have found a nice free version of a ComboBox control . However I would use with caution as it doesn't seem to work in FireFox :-S

Getting the Ajax Control Toolkit to work with Visual Studio 2005

2009-05-15T09:44:00.000+01:00

Like many out there I have recently been problems attempting to get the Ajax Control Toolkit to work (correctly) in Visual Studio 2005.

After LOTS of research it appears that most of the problems are caused by a mismatch of the referenced versions versions of the System.Web.Extensions namespace. Just to clarify the errors that pop-up DO NOT usually mention this is the culprit. For example the error the parser kept throwing at me was:

The base class includes the field 'ScriptManager1', but its type (System.Web.UI.ScriptManager) is not compatible with the type of control (System.Web.UI.ScriptManager).

Now as you need a Script Manager on the page in order to use any of the controls in the toolkit this was really starting to get annoying. I couldn't see anything wrong with the System.Web namespace, but as usual, I was looking in the wrong place.

To solve this problem involves the web.config file.

You need to check through this ensuring the versions for the System.Web.UI is using version 3.5.0.0 and NOT 1.0.61025.0

For example the line I had was:

 <system.web>
     <pages>
       <controls>
         <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=1.0.61025.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
       </controls>
     </pages>
 </system.web>

Which should have been:

 <system.web>
     <pages>
       <controls>
         <add tagPrefix="asp" namespace="System.Web.UI" assembly="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
       </controls>
     </pages>
 </system.web>

Which completely solved my problem.

p.s. To find the solution of this problem I edited every instance of the version in the web config, although probably not required, doesn't seem to cause any problems.