<?xml version="1.0" encoding="ISO-8859-1"?>

<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
	<channel>
		<title>Developer Barn - Blogs - jmurrayhead</title>
		<link>http://www.developerbarn.com/blogs/jmurrayhead/</link>
		<description>Developer Barn is an ASP, ASP.NET, PHP, Javascript, SQL and MySQL and Programming Help Forum. Get ASP, ASP.NET, PHP and JavaScript help and sample code.</description>
		<language>en</language>
		<lastBuildDate>Sat, 11 Feb 2012 10:42:58 GMT</lastBuildDate>
		<generator>vBulletin</generator>
		<ttl>60</ttl>
		<image>
			<url>http://www.developerbarn.com/images/misc/rss.jpg</url>
			<title>Developer Barn - Blogs - jmurrayhead</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/</link>
		</image>
		<item>
			<title>Custom Authorization with ASP.NET MVC</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/35-custom-authorization-asp-net-mvc.html</link>
			<pubDate>Wed, 28 Jul 2010 19:05:02 GMT</pubDate>
			<description><![CDATA[Lately, I've been doing a lot of work with the ASP.NET MVC framework. One of the greatest attributes of MVC over Web Forms is its extensibility....]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">Lately, I've been doing a lot of work with the ASP.NET MVC framework. One of the greatest attributes of MVC over Web Forms is its extensibility. Authorization is important to any application and being able to customize it to meet your project's needs is equally important.<br />
<br />
In the ASP.NET MVC framework, developers can use attributes to control things like validation and authorization. To have custom authorization in your MVC project, start off by inheriting from the AuthorizeAttribute class:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:108px;">Public Class CustomAuthorizeAttribute
    Inherits AuthorizeAttribute

    Protected Overrides Function AuthorizeCore(ByVal httpContext As System.Web.HttpContextBase) As Boolean

    End Function
End Class</pre>
</div> With this, you can put whatever logic you want to determine if a user should be authorized or not. All you have to do is return either True or False, depending on your own logic.<br />
<br />
The next thing you do is simply add the attribute to the controller method you wish to check authorization for:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:72px;">&lt;CustomAuthorize&gt; _
Public Function Index() As ActionResult
    Return View()
End Function</pre>
</div> From this example, you could have such code to authorize your users:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:372px;">Public Class CustomAuthorizeAttribute
    Inherits AuthorizeAttribute

    Public Permissions As ModulePermissions

    Protected Overrides Function AuthorizeCore(ByVal httpContext As HttpContextBase) As Boolean


        ' A missing context is a programming error; fail loudly instead of continuing
        If httpContext Is Nothing Then
            Throw New ArgumentNullException(&quot;httpContext&quot;)
        End If

        ' Ensure the user is authenticated
        If Not httpContext.User.Identity.IsAuthenticated Then
            Return False
        End If

        ' Get user's permissions; deny access if none are stored in the session
        Dim stored As String = Convert.ToString(httpContext.Session(&quot;permissions&quot;))
        If String.IsNullOrEmpty(stored) Then
            Return False
        End If
        Dim permission As ModulePermissions = DirectCast([Enum].Parse(GetType(ModulePermissions), stored), ModulePermissions)

        ' Deny unless the user holds at least one of the required permissions
        If Permissions &lt;&gt; 0 AndAlso ((Permissions And permission) = 0) Then
            Return False
        End If

        Return True
    End Function
End Class</pre>
</div> Where the ModulePermissions enum is defined as:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:120px;">&lt;Serializable()&gt; _
&lt;Flags()&gt; _
Public Enum ModulePermissions
    ' Flags values must be distinct powers of two so they can be combined with Or
    CanViewDetails = 1
    CanCreateNew = 2
    CanEditOwn = 4
    CanDeleteOwn = 8
End Enum</pre>
</div> This can be used on your controller like so:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:72px;">    &lt;CustomAuthorize(Permissions:=ModulePermissions.CanViewDetails Or ModulePermissions.CanCreateNew)&gt; _
    Function Index() As ActionResult
        Return View()
    End Function</pre>
</div> This will allow only users who have the CanViewDetails or CanCreateNew permissions. If they don't have one of these two permissions, they will be sent to the login page.<br />
<br />
Happy Coding!</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/35-custom-authorization-asp-net-mvc.html</guid>
		</item>
		<item>
			<title>JmhCommonControl - Providing Common Controls with Validation</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/28-jmhcommoncontrol-providing-common-controls-validation.html</link>
			<pubDate>Wed, 10 Mar 2010 17:41:25 GMT</pubDate>
			<description><![CDATA[If you're like me, you don't like rewriting/copy & pasting validation code for controls that we use all the time. This enticed me to build a...]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">If you're like me, you don't like rewriting/copy &amp; pasting validation code for controls that we use all the time. This enticed me to build a collection of these common controls that I can reuse in every application and save myself from a lot of typing. Thus the birth of JmhCommonControl.<br />
<br />
Currently, the JmhCommonControl assembly consists of 6 controls: NameEntry, PhoneNumber, SocialSecurity, Url, ZipCode, and CustomTextBox. Continue reading for information on each of these.<br />
<br />
<b>NameEntry</b><br />
Most forms I build require the entry of a person's first, last and sometimes middle name or initial. The NameEntry control can be used for each of these fields.<blockquote><u>NameEntry Properties</u><br />
</blockquote><blockquote><ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid name (i.e. J@s0n).</li>
<li>Length - This is the maximum number of characters a user can enter. If left blank, the default is 40.</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul></blockquote><blockquote><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:72px;">&lt;jmh:NameEntry ID=&quot;namFirstName&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;First Name contains invalid characters&quot;
     IsRequired=&quot;true&quot;
     RequiredFieldErrorMessage=&quot;First Name is required&quot; /&gt;</pre>
</div> <u>Examples of Valid Input</u><br />
John<br />
John Doe<br />
John O'Mally<br />
Sarah Parker-Smith<br />
<br />
</blockquote><b>PhoneNumber</b><br />
This is another very common form element. The PhoneNumber control can be used when you want users to enter a valid US phone number.<blockquote><u>PhoneNumber Properties</u><br />
<ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid phone number (i.e. abc-def-8765).</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:60px;">&lt;jmh:PhoneNumber ID=&quot;phnHomePhone&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;Home Phone is not a valid phone number&quot;
     IsRequired=&quot;false&quot; /&gt;</pre>
</div> <u>Examples of Valid Input<br />
</u>(425) 555-0123<br />
425-555-0123<br />
425 555 0123<br />
1-425-555-0123<br />
<br />
</blockquote><b>SocialSecurityNumber</b><br />
Perhaps not as common as most of these, but if you develop intranet applications for any corporation, government or military entity, this will likely be used a lot. The SocialSecurityNumber control allows you to choose between dashed and non-dashed social security numbers (i.e. 123-45-6789, 123456789).<blockquote><u>SocialSecurityNumber Properties</u><br />
<ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid social security number (i.e. abcdefghi).</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>SsnFormat - Allows you to choose between dashed or non-dashed validation.</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:84px;">&lt;jmh:SocialSecurityNumber ID=&quot;ssnSocialSecurityNumber&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;Social Security Number contains invalid characters&quot;
     IsRequired=&quot;true&quot;
     RequiredFieldErrorMessage=&quot;Social Security Number is required&quot;
     SsnFormat=&quot;Dashed&quot; /&gt;</pre>
</div> <u>Examples of Valid Input<br />
</u>123-45-6789<br />
123456789<br />
</blockquote><b>URL</b><br />
If you require users to enter URLs, the Url control will allow you to validate that the URLs are properly formatted.<blockquote><u>Url Properties</u><blockquote><ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid URL (i.e. john.).</li>
<li>Length - This is the maximum number of characters a user can enter. If left blank, the default is 40.</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul></blockquote><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:84px;">&lt;jmh:Url ID=&quot;urlHomepage&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;Homepage is not a valid URL&quot;
     IsRequired=&quot;true&quot;
     Length=&quot;100&quot;
     RequiredFieldErrorMessage=&quot;Homepage is required&quot; /&gt;</pre>
</div> <u>Examples of Valid Input</u><br />
developerbarn.com<br />
http://www.developerbarn.com<br />
https://mail.google.com<br />
ftp.developerbarn.com<br />
<br />
</blockquote><b>ZipCode</b><br />
A quick solution to address-entry forms, the ZipCode control allows you to accept zip codes in 5-digit format, 9-digit format, or either.<blockquote><u>ZipCode Properties</u><br />
<ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid zip code (i.e. #$ghygaas).</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>ZipCodeFormat - Allows you to choose between 5-digit, 9-digit or either formats.</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:84px;">&lt;jmh:ZipCode ID=&quot;zipCode&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;Zip Code is not a valid Zip Code&quot;
     RequiredFieldErrorMessage=&quot;Zip Code is required&quot;
     IsRequired=&quot;true&quot;
     ZipCodeFormat=&quot;Either&quot; /&gt;</pre>
</div> <u>Example of Valid Input</u><br />
55555<br />
55555-5555<br />
<br />
</blockquote><b>Email</b><br />
Validates email address entry per the official standard <a href="http://tools.ietf.org/html/rfc2822#section-3.4.1" target="_blank">RFC 2822</a><blockquote><u>Email Properties</u><br />
<ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid email address (i.e. helpme.com, me@local).</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:84px;">&lt;jmh:Email ID=&quot;emailAddress&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;Invalid Email Address&quot;
     RequiredFieldErrorMessage=&quot;Email is required&quot;
     IsRequired=&quot;true&quot;
/&gt;</pre>
</div> <u>Example of Valid Input</u><br />
someone@somewhere.com<br />
someone@government.gov</blockquote><b>CustomTextBox</b><br />
If the other five controls in the JmhCommonControl library don't meet your needs, the CustomTextBox control is your friend. This allows you to use your own regular expression just as if you were using the RegularExpressionValidator control, only easier! Also, if you leave the ValidationExpression field blank, it will act as a textbox with just a RequiredFieldValidator applied (if IsRequired is set to true).<blockquote><u>CustomTextBox Properties</u><br />
<ul><li>FieldFormatErrorMessage - This is the error message you want to show to the user when they enter an invalid input.</li>
<li>IsRequired - Specifies whether the user must enter a value or not</li>
<li>RequiredFieldErrorMessage - This is the error message you want to show to the user when they leave the field blank (IsRequired must be set to true).</li>
<li>Text - Gets or sets the value in the textbox.</li>
<li>ValidationExpression - This is your own custom validation expression, just like you would use in the RegularExpressionValidator control.</li>
<li>ValidationGroup - Like the regular ASP.Net validation controls, this allows you to specify which ValidationGroup the control should be validated with.</li>
</ul><u>Example</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:96px;">&lt;jmh:CustomTextBox ID=&quot;cusTextBox&quot; runat=&quot;server&quot;
     FieldFormatErrorMessage=&quot;Custom Field contains invalid characters&quot;
     IsRequired=&quot;true&quot;
     RequiredFieldErrorMessage=&quot;Custom Field is required&quot;
     ValidationExpression=&quot;^\d{11}$&quot; /&gt;</pre>
</div> <u>Examples of Valid Input</u><br />
Depends on your regular expression<br />
<br />
</blockquote><b>Setup</b><br />
<ul><li>To use the JmhCommonControl library: Download the zip file and extract JmhCommonControl.dll to an area on your hard disk.</li>
<li>Copy JmhCommonControl library to your application's bin folder OR Right-Click the bin folder in Visual Studio and click &quot;Add Reference&quot; and choose JmhCommonControl.dll from the dialogue.</li>
<li>Register the assembly in either the pages you are going to use it on OR in the web.config file (see below).</li>
</ul><blockquote><u>Register in the page</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">&lt;%@ Register Assembly=&quot;JmhCommonControl&quot; Namespace=&quot;JmhCommonControl&quot; TagPrefix=&quot;jmh&quot; %&gt;</pre>
</div> <u>Register in Web.config</u><br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:84px;">&lt;pages&gt;
  &lt;controls&gt;
    &lt;add tagPrefix=&quot;jmh&quot; namespace=&quot;JmhCommonControl&quot; assembly=&quot;JmhCommonControl&quot;/&gt;
  &lt;/controls&gt;
 &lt;/pages&gt;</pre>
</div> </blockquote><b>Latest Version Available: 1.0.0 Beta 2</b><br />
<u>Release Notes</u><br />
<font size="1"><b>v1.0.0 Beta 1</b> : 10-Mar-2010 : Initial release.<br />
</font> <font size="1"><b>v1.0.0 Beta 2</b> : 24-Mar-2010 : Added Email control. Added ability to set TextMode of SocialSecurityNumber control. Fixed bug when explicitly setting the Text property of any controls (i.e. &lt;jmh:ZipCode ID=&quot;zipCode&quot; runat=&quot;server&quot; Text=&quot;12345&quot; ...)</font></blockquote>


 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/28-jmhcommoncontrol-providing-common-controls-validation.html</guid>
		</item>
		<item>
			<title>The Username or Password is Incorrect when Logging into Server 2008 from XP</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/21-username-password-incorrect-when-logging-into-server-2008-xp.html</link>
			<pubDate>Sat, 25 Apr 2009 13:55:48 GMT</pubDate>
			<description><![CDATA[After I upgraded to Windows Server 2008, I was unable to remotely log in via Remote Desktop. The client machine I'm trying to connect from is Windows...]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">After I upgraded to Windows Server 2008, I was unable to remotely log in via Remote Desktop. The client machine I'm trying to connect from is Windows XP SP2. When I tried from a Vista machine, everything worked fine.<br />
<br />
Here's how I solved the &quot;username or password is incorrect&quot; problem:<br />
<br />
First off, I noticed that the Routing and Remote Access service wasn't started on the server. To resolve this, do the following:<br />
<br />
   1. Click <b>Start</b>, point to <b>Programs</b>, point to <b>Administrative Tools</b>, and then click <b>Services</b>.<br />
   2. Right-click the <b>Routing and Remote Access service</b>, and then click <b>Start</b>.<br />
<br />
The next thing that needed to be dealt with is the Remote Desktop authentication on the server. By default, <b>Network Level Authentication</b> was selected. Windows XP doesn't have the ability to authenticate using NLA. To allow our Windows XP client to connect to the server, you have to change this setting:<br />
<ol class="decimal"><li>In <b>Server Manager</b>, click <b>Configure Remote Desktop</b>.</li>
<li>Choose <b>Allow connections from computers using any version of Remote Desktop (less secure)</b>.</li>
<li>Click <b>OK</b>.</li>
</ol>This still didn't solve the problem for me using my Windows XP SP2 client. When using XP SP2, you need to specify the <b>domain name</b> and the username (i.e. <i>domain</i>/<i>username</i>), not the <b>server name</b> and username. After I specified the domain with the username, I was able to successfully connect to the Windows Server 2008.</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/21-username-password-incorrect-when-logging-into-server-2008-xp.html</guid>
		</item>
		<item>
			<title>Strong Passwords and Password Security</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/20-strong-passwords-password-security.html</link>
			<pubDate>Tue, 07 Apr 2009 00:27:26 GMT</pubDate>
			<description>*Introduction* 
 
Passwords are the keys to the Personally Identifiable Information (PII) stored on your computer and online accounts. If a criminal...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore"><b>Introduction</b><br />
<br />
<div align="left">Passwords are the keys to the Personally Identifiable Information (PII) stored on your computer and online accounts. If a criminal or any other type of malicious user were to gain access to this information, they could potentially use your name to open new credit card accounts or even pose as you when purchasing items online.<br />
<br />
<b>What Makes a Password Strong?</b><br />
<br />
To an attacker, your password should look like a bunch of random characters, with no meaning behind them. Here are a few things you can do to make your passwords safer:<br />
<br />
<ul><li>Make your passwords lengthy: your passwords should be 8 or more characters in length, 14 or more being ideal.</li>
<li>Use letters, numbers and symbols: the greater the variety of character types, the harder it is to guess.<ul><li>The fewer types of characters are used, the longer the password should be.</li>
<li>Symbols can be used by pressing the &quot;Shift&quot; key while holding down a regular key. This includes punctuation marks and other types of symbols.</li>
</ul></li>
<li>Use words and phrases that are easy for you to remember but hard for others to guess.</li>
</ul><b>Things to Avoid When Creating Passwords</b><br />
<ul><li>Avoid sequences or repeated characters like '1234567890' or '222222222'.</li>
<li>Avoid your username.</li>
<li>Avoid words in the dictionary of any language.</li>
<li>Use multiple passwords for different accounts. If one account is compromised, the others will still be safe.</li>
<li>Don't store your passwords online or on network computers. If found, an attacker will have access to your information.</li>
<li>Avoid using only look-alike characters, like in 'P@ssw0rd'. Attackers know enough to try these characters, such as the '@' for 'a' and '0' for 'o'.</li>
</ul><b>Conclusion</b><br />
<br />
If you have problems thinking of a good password, you can use our <a href="http://www.developerbarn.com/tools/random-password-generator/" target="_blank">Random Password Generator</a>, which allows you to choose the length and strength of the password. Password security is very important to protecting your personal data. Never reveal your passwords to anyone.<br />
<br />
<br />
</div></blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/20-strong-passwords-password-security.html</guid>
		</item>
		<item>
			<title>.NET Business Object Base Class</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/16-net-business-object-base-class.html</link>
			<pubDate>Wed, 07 Jan 2009 23:52:08 GMT</pubDate>
			<description><![CDATA[Like my other .NET Development blogs, I preach about building applications with a layered, Object-Oriented architecture. Now I'm going to discuss how...]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">Like my other .NET Development blogs, I preach about building applications with a layered, Object-Oriented architecture. Now I'm going to discuss how to create a base class that all of your business objects can inherit.<br />
 <br />
This base class will contain methods and properties that, when inherited, will be available to any class that inherits it. In Visual Studio, we will start by creating a new Class Library (*.vb or *.cs) in the App_Code directory. We will name this file BizObject.vb (or BizObject.cs for C#).<br />
 <br />
Next, we will clear out the contents that are automatically inserted. At the top, we will begin importing the namespaces that we plan on using:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:156px;">Imports System
Imports System.Data
Imports System.Collections
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.Caching
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Configuration
Imports System.Web.UI
Imports System.Web.Security
Imports System.Security.Principal</pre>
</div> Now, we will enclose our class within its own namespace:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:60px;">Namespace DeveloperBarn.SampleApp.BLL
    ' Classes will go here
End Namespace</pre>
</div> You can use any naming convention that you want. I typically do something along the lines of &quot;Organization.ApplicationName.Layer&quot;. Above, we're dealing with the Business Logic Layer, so the last portion of the namespace is &quot;BLL&quot;.<br />
 <br />
Now onto making the class. We will define this class as Public MustInherit. This simply means that you cannot directly access the methods and properties (i.e. BizObject.MethodName); the class must be inherited and its members accessed through the class that inherits it.<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:60px;">Public MustInherit Class BizObject
    ' Methods and properties will be here
End Class</pre>
</div> Now, let's create some properties that are commonly used in applications:<br />
 <br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:372px;">Public MustInherit Class BizObject
    ' We use this for caching, which will be demonstrated at a later time
    Protected Shared ReadOnly Property Cache() As Cache
        Get
            Return HttpContext.Current.Cache
        End Get
    End Property
 
    ' This returns the IPrincipal of the currently logged in user
    Protected Shared ReadOnly Property CurrentUser() As IPrincipal
        Get
            Return HttpContext.Current.User
        End Get
    End Property
 
    ' This returns the username of the currently logged in user
    Protected Shared ReadOnly Property CurrentUserName() As String
        Get
            Dim userName As String = &quot;&quot;
            If HttpContext.Current.User.Identity.IsAuthenticated Then
                userName = HttpContext.Current.User.Identity.Name
            End If
            Return userName
        End Get
    End Property
 
    ' This returns the IP address of the currently logged in user
    Protected Shared ReadOnly Property CurrentUserIP() As String
        Get
            Return HttpContext.Current.Request.UserHostAddress
        End Get
    End Property</pre>
</div> Now let's create a method that will purge our cache items based off the supplied key:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:252px;">    ''' &lt;summary&gt;
    ''' Remove from the ASP.NET cache all items whose key starts with the input prefix
    ''' &lt;/summary&gt;
    Protected Shared Sub PurgeCacheItems(ByVal prefix As String)
        prefix = prefix.ToLower()
        Dim itemsToRemove As New List(Of String)()
 
        Dim enumerator As IDictionaryEnumerator = BizObject.Cache.GetEnumerator()
        While enumerator.MoveNext()
            If enumerator.Key.ToString().ToLower().StartsWith(prefix) Then
                itemsToRemove.Add(enumerator.Key.ToString())
            End If
        End While
 
        For Each itemToRemove As String In itemsToRemove
            BizObject.Cache.Remove(itemToRemove)
        Next
    End Sub
End Class</pre>
</div> Here is the entire BizObject.vb file:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:372px;">Imports System
Imports System.Data
Imports System.Collections
Imports System.Collections.Generic
Imports System.Web
Imports System.Web.Caching
Imports System.Web.UI.WebControls
Imports System.Web.UI.HtmlControls
Imports System.Configuration
Imports System.Web.UI
Imports System.Web.Security
Imports System.Security.Principal
 
Namespace DeveloperBarn.SampleApp.BLL
    Public MustInherit Class BizObject
        ' We use this for caching, which will be demonstrated at a later time
        Protected Shared ReadOnly Property Cache() As Cache
            Get
                Return HttpContext.Current.Cache
            End Get
        End Property
 
        ' This returns the IPrincipal of the currently logged in user
        Protected Shared ReadOnly Property CurrentUser() As IPrincipal
            Get
                Return HttpContext.Current.User
            End Get
        End Property
 
        ' This returns the username of the currently logged in user
        Protected Shared ReadOnly Property CurrentUserName() As String
            Get
                Dim userName As String = &quot;&quot;
                If HttpContext.Current.User.Identity.IsAuthenticated Then
                    userName = HttpContext.Current.User.Identity.Name
                End If
                Return userName
            End Get
        End Property
 
        ' This returns the IP address of the currently logged in user
        Protected Shared ReadOnly Property CurrentUserIP() As String
            Get
                Return HttpContext.Current.Request.UserHostAddress
            End Get
        End Property
 
        ''' &lt;summary&gt;
        ''' Remove from the ASP.NET cache all items whose key starts with the input prefix
        ''' &lt;/summary&gt;
        Protected Shared Sub PurgeCacheItems(ByVal prefix As String)
            prefix = prefix.ToLower()
            Dim itemsToRemove As New List(Of String)()
 
            Dim enumerator As IDictionaryEnumerator = BizObject.Cache.GetEnumerator()
            While enumerator.MoveNext()
                If enumerator.Key.ToString().ToLower().StartsWith(prefix) Then
                    itemsToRemove.Add(enumerator.Key.ToString())
                End If
            End While
 
            For Each itemToRemove As String In itemsToRemove
                BizObject.Cache.Remove(itemToRemove)
            Next
        End Sub
    End Class
End Namespace</pre>
</div> Now our base class is completed. Here is an example of a class that inherits the BizObject class:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:216px;">Imports Microsoft.VisualBasic
 
Namespace DeveloperBarn.SampleApp.BLL.Users
    Public MustInherit Class BaseUser
        Inherits BizObject
 
#Region &quot;Methods&quot;
        Protected Shared Sub CacheData(ByVal key As String, ByVal data As Object)
            If Settings.EnableCaching AndAlso Not IsNothing(data) Then
                BizObject.Cache.Insert(key, data, Nothing, _
                    DateTime.Now.AddSeconds(Settings.CacheDuration), TimeSpan.Zero)
            End If
        End Sub
#End Region
    End Class
End Namespace</pre>
</div> Above, I have another base class which is used for a Users object. Typically, this class would contain private variables, properties, constructors, etc. But that is out of scope for this entry and will be touched on at a later time. Do notice, however, the CacheData method. This is called whenever you retrieve data from the database that you want to be cached on the server to prevent multiple calls to the database. This works with the PurgeCacheItems method to manage the application cache. You will call PurgeCacheItems any time you Create, Update or Delete records. Simply provide these methods a key (using the same key for each class) and they will do the rest.<br />
 <br />
For example, let's say you retrieve a list of users. You may have something like this:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:228px;">Public Shared Function GetAllUsers() As List(Of User)
    ' Check if the object is already in cache
    Dim appUser As List(Of User) = Nothing
    Dim key As String = &quot;users_user&quot;
 
    If Not IsNothing(BizObject.Cache(key)) Then
        appUser = CType(BizObject.Cache(key), List(Of User))
    Else
        ' Perform a call to the data access layer (to be discussed later), retrieve the results and cache them
        Dim recordset As List(Of UserDetails) = _
            SiteProvider.Users.GetAllUsers
        appUser = GetUserListFromUserDetailsList(recordset)
        BaseUser.CacheData(key, appUser)
    End If
 
    Return appUser        
End Function</pre>
</div> Much of the code here might not make much sense to you yet because I'm using methods from my own Data Access Layer. If you don't know anything about business objects, read my blog here: <a href="http://www.developerbarn.com/blogs/jmurrayhead/9-building-applications-business-object-architecture.html" target="_blank">Building Applications with a Business Object Architecture - DeveloperBarn Forums</a><br />
Basically, the above code is calling the Data Access Layer to populate a business object which is then cached.<br />
 <br />
Finally, whenever Create, Update or Delete methods are called, using the same key as above for this class, call the PurgeCacheItems method to clear the cache. This method will clear all cache items with keys beginning with &quot;users_user&quot;.<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">BizObject.PurgeCacheItems(&quot;users_user&quot;)</pre>
</div> That's it! Now you have a base class that can be inherited to reuse methods and properties that are often used.</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/16-net-business-object-base-class.html</guid>
		</item>
		<item>
			<title>Building Applications with a Business Object Architecture</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/9-building-applications-business-object-architecture.html</link>
			<pubDate>Thu, 20 Nov 2008 01:44:19 GMT</pubDate>
			<description>*Business Objects* are objects in an object-oriented computer application or program that represent the entities within a business domain. A business...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore"><b>Business Objects</b> are objects in an object-oriented computer application or program that represent the entities within a business domain. A business object will often encapsulate all of the data and business logic associated with the entity it represents. Furthermore, business objects provide flexibility, adaptability, scalability and reusability.<br />
<br />
Let's take a look at how a business object may look within an ASP.NET web application. Let's say you want to design an application that serves as a contact book. The contact book will have the following entities:<br />
<ul><li>Contact</li>
<li>Address</li>
<li>PhoneNumber</li>
</ul>The Contact class might look like this:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:372px;">Public Class Contact
#Region &quot;Private Variables&quot;
        Private _ID As Integer = 0
        Private _firstName As String = String.Empty
        Private _middleName As String = String.Empty
        Private _lastName As String = String.Empty
        Private _suffix As String = String.Empty
#End Region

#Region &quot;Properties&quot;
        Public Property ID() As Integer
            Get
                Return _ID
            End Get
            Set(ByVal value As Integer)
                _ID = value
            End Set
        End Property

        Public Property FirstName() As String
            Get
                Return _firstName
            End Get
            Set(ByVal value As String)
                _firstName = value
            End Set
        End Property

        Public Property MiddleName() As String
            Get
                Return _middleName
            End Get
            Set(ByVal value As String)
                _middleName = value
            End Set
        End Property

        Public Property LastName() As String
            Get
                Return _lastName
            End Get
            Set(ByVal value As String)
                _lastName = value
            End Set
        End Property

        Public Property Suffix() As String
            Get
                Return _suffix
            End Get
            Set(ByVal value As String)
                _suffix = value
            End Set
        End Property
#End Region

#Region &quot;Constructors&quot;
        Public Sub New()

        End Sub

        Public Sub New(ByVal id As Integer, lastName As String, ByVal firstName As String)
            Me.ID = id
            Me.LastName = lastName
            Me.FirstName = firstName
        End Sub

        Public Sub New(ByVal id As Integer, lastName As String, ByVal firstName As String, _
        ByVal middleName As String, ByVal suffix As string)
            Me.ID = id
            Me.LastName = lastName
            Me.FirstName = firstName
            Me.MiddleName = middleName
            Me.Suffix = suffix
        End Sub
#End Region
End Class</pre>
</div> The Address class might look like this:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:372px;">Public Class Address
#Region &quot;Private Variables&quot;
        Private _ID As Integer = 0
        Private _contactID As Integer = 0
        Private _street1 As String = String.Empty
        Private _street2 As String = String.Empty
        Private _city As String = String.Empty
        Private _Country As String = String.Empty
#End Region

#Region &quot;Properties&quot;
        Public Property ID() As Integer
            Get
                Return _ID
            End Get
            Set(ByVal value As Integer)
                _ID = value
            End Set
        End Property

        Public Property ContactID() As Integer
            Get
                Return _contactID
            End Get
            Set(ByVal value As Integer)
                _contactID = value
            End Set
        End Property

        Public Property Street1() As String
            Get
                Return _street1
            End Get
            Set(ByVal value As String)
                _street1 = value
            End Set
        End Property

        Public Property Street2() As String
            Get
                Return _street2
            End Get
            Set(ByVal value As String)
                _street2 = value
            End Set
        End Property

        Public Property City() As String
            Get
                Return _city
            End Get
            Set(ByVal value As String)
                _city = value
            End Set
        End Property

        Public Property Country() As String
            Get
                Return _country
            End Get
            Set(ByVal value As String)
                _country = value
            End Set
        End Property
#End Region

#Region &quot;Constructors&quot;
        Public Sub New()

        End Sub

        Public Sub New(ByVal id As Integer, city As String, ByVal country As String)
            Me.ID = id
            Me.City = city
            Me.Country = country
        End Sub

        Public Sub New(ByVal id As Integer, street1 As String, ByVal street2 As String, _
        ByVal city As String, ByVal country As string)
            Me.ID = id
            Me.Street1 = street1
            Me.Street2 = street2
            Me.City = city
            Me.Country = country
        End Sub
#End Region
End Class</pre>
</div> and the PhoneNumber class might look like this:<br />
<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:372px;">Public Class PhoneNumber
#Region &quot;Private Variables&quot;
        Private _ID As Integer = 0
        Private _contactID As Integer = 0
        Private _phoneNumber As String = String.Empty
        Private _phoneType As String = String.Empty
#End Region

#Region &quot;Properties&quot;
        Public Property ID() As Integer
            Get
                Return _ID
            End Get
            Set(ByVal value As Integer)
                _ID = value
            End Set
        End Property

        Public Property ContactID() As Integer
            Get
                Return _contactID
            End Get
            Set(ByVal value As Integer)
                _contactID = value
            End Set
        End Property

        Public Property PhoneNumber() As String
            Get
                Return _phoneNumber
            End Get
            Set(ByVal value As String)
                _phoneNUmber = value
            End Set
        End Property

        Public Property PhoneType() As String
            Get
                Return _phoneType
            End Get
            Set(ByVal value As String)
                _phoneType = value
            End Set
        End Property
#End Region

#Region &quot;Constructors&quot;
        Public Sub New()

        End Sub

        Public Sub New(ByVal id As Integer, phoneNUmber As String, ByVal phoneType As String)
            Me.ID = id
            Me.PhoneNumber = phoneNumber
            Me.PhoneType = phoneType
        End Sub
#End Region
End Class</pre>
</div> I've divided each of these classes into three regions: Private Variables, Properties, and Constructors. Properties are what you use to set and get values for your objects. The Private Variables are used to hold the data for these properties. The Constructors allow you to quickly and easily assign values to your object's properties. For example, look at the second constructor in the Contact class:<br />
<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:84px;">Public Sub New(ByVal id As Integer, lastName As String, ByVal firstName As String)
    Me.ID = id
    Me.LastName = lastName
    Me.FirstName = firstName
End Sub</pre>
</div> This allows you to populate the Contact object with the ID, LastName and FirstName in one easy piece of code:<br />
<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">Dim myContact As New Contact(dtr(&quot;ID&quot;), dtr(&quot;LastName&quot;), dtr(&quot;FirstName&quot;))</pre>
</div> As opposed to this way, without constructors:<br />
<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:96px;">Dim myContact As New Contact
With myContact
    .ID = dtr(&quot;ID&quot;)
    .LastName = dtr(&quot;LastName&quot;)
    .FirstName = dtr(&quot;FirstName&quot;)
End With</pre>
</div> You would then be able to use your business object like this:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:60px;">txtID.Text = myContact.ID
txtLastName.Text = myContact.LastName
txtFirstName.Text = myContact.FirstName</pre>
</div> You can quickly see the power behind using business objects in your applications. You can do much more with business objects, but that is out of the scope of this entry. If you've noticed my other entries and posts within this forum, you will know that I am a huge supporter of the layered approach to designing applications, specifically the one used by the BeerHouse CMS (<a href="http://www.codeplex.com/Wiki/View.aspx?ProjectName=TheBeerHouse" target="_blank">TheBeerHouse: CMS &amp; e-commerce StarterKit - Home</a>). As time allows, I will break down this project into easier-to-understand sections, including how business objects are used and what else you can do with them to make managing your applications easier.</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/9-building-applications-business-object-architecture.html</guid>
		</item>
		<item>
			<title>Modal Popup Not Displaying Correctly in IE6</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/8-modal-popup-not-displaying-correctly-ie6.html</link>
			<pubDate>Mon, 17 Nov 2008 14:31:18 GMT</pubDate>
			<description>I currently work for an organization that still widely uses Internet Explorer 6. We have only a few machines with IE7 installed. This means that...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">I currently work for an organization that still widely uses Internet Explorer 6. We have only a few machines with IE7 installed. This means that until all computers have been converted, those of us on the development team must develop for both browsers.<br />
 <br />
I recently ran into an issue using the modal popup that only appeared in IE6. On the initial page load, when I call the Show() method of the ModalPopupExtender, everything appears fine. It is only after a postback that the problem occurs. What happens is the background content is shifted down and left about 3 pixels or so. This creates horizontal and vertical scrollbars, which is really ugly. Many of the suggestions I found while searching suggested using the following doctype:<br />
 <br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:36px;">&lt;!DOCTYPE html PUBLIC &quot;-//W3C//DTD XHTML 1.0 Transitional//EN&quot; &quot;http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd&quot;&gt;</pre>
</div> However, seeing as I already had this set as my doctype, this obviously wasn't going to work. I had a hunch the real issue was with the CSS and that hunch was confirmed after I tried changing the CSS classes for the modal background and popup to these:<br />
 <br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:228px;">.modalBackground
{
    background-color: Gray;
    filter: alpha(opacity=70) !important;
    opacity: 0.7;
    top: 0px !important;
    left: 0px !important;
    position: absolute !important;
    z-index: 1 !important;
}
 
.modalPopup
{
    background-color: #ffffdd;
    padding: 3px;
    z-index: 10001;
}</pre>
</div> I feel the key things were the positioning in the modalBackground class and the addition of !important.<br />
 <br />
After these changes were made, my modal popups displayed correctly in IE6 and IE7.</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/8-modal-popup-not-displaying-correctly-ie6.html</guid>
		</item>
		<item>
			<title>ASP Application Security Tips</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/3-asp-application-security-tips.html</link>
			<pubDate>Sun, 17 Aug 2008 13:09:31 GMT</pubDate>
			<description>I posted this as a thread in the ASP Development forum, but now that we have a blog here, I felt this would be a more suitable place for it :) 
 ...</description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">I posted this as a thread in the ASP Development forum, but now that we have a blog here, I felt this would be a more suitable place for it :)<br />
 <br />
<b><u>Introduction</u></b><br />
Although many developers are aware of the importance of application security, many do not know where to begin. This will serve as a guide to help you make your ASP application more secure.<br />
 <br />
<b><u>Using MS Access Database</u></b><br />
Many developers choose to use Microsoft Access as the backend to their application. However, the database is too often placed in a web accessible folder. This is a security risk as it allows web users to guess the database name and download the database. For example, let's say you have a database named mysite.mdb. It is placed within the &quot;/db&quot; folder inside your web root. A malicious user could browse to 'www.yoursite.com/db/mysite.mdb' and gain access to all of your data. To avoid this, you should place your database inside a folder that is not web accessible. This will usually be a higher directory than the root or base directory of your web site. You will then have to modify your connection string to contain the physical path to your database. If your site is hosted and they do not allow you to place your database higher than your website root, then it is recommended that you change your database name to something obscure that can't be easily guessed. For example, 129056AHD544JUH.mdb will be much more difficult to guess than mysite.mdb.<br />
 <br />
<b><u>Filtering Input from QueryStrings and Input Boxes</u></b><br />
All input that is used in a database query should be filtered for inappropriate content. A method known as whitelisting should be used on all input. Whitelisting allows for only specific types of data to be entered into a field or querystring. For example, let's say you have a field that is used for users to enter their phone number. <br />
 <br />
Typical US phone numbers look like this: 1-555-555-5555 or 1 (555) 555-5555<br />
Whichever format you choose, you would only want to allow users to enter 11 digits separated by either hyphens or hyphens with parentheses around the area code. You would not allow any other characters. Regular expressions are great for this type of validation. Also keep in mind the length of characters that should be allowed for each field. <br />
 <br />
Another example is when your query takes a value from a querystring. Let's say this value represents a numeric ID. Since the database expects a numeric value (as the field in the database is numeric), it would throw an error if a string value was passed to it. In situations like this, you can use the IsNumeric() function to check if a value is numeric or not before you pass it to a query.<br />
 <br />
When filtering input, it is best to use a combination of client-side (JavaScript) and server-side (VBScript) validation. Using client-side validation allows you to quickly validate input before a request to the server is even made. Server-side validation is the safety net. If a user has turned off JavaScript then client-side validation won't work, but any validation errors will still be caught server-side.<br />
 <br />
<b><u>Parameterized Queries</u></b><br />
Whether you're using MS Access, MySQL or MS SQL as your database platform, you can and should use parameterized queries. Although you can do all kinds of validation checks, parameterized queries provide an easy way to secure your application against SQL Injection attacks.<br />
 <br />
For examples of using parameterized queries, see the following:<br />
<a href="http://support.microsoft.com/kb/q200190/" target="_blank">How To Call a Parameterized Query to an Access Database with ADO</a><br />
<a href="http://www.4guysfromrolla.com/webtech/111798-1.shtml" target="_blank">4GuysFromRolla.com - Using Parameterized Queries in ASP</a><br />
 <br />
The above links provide two different methods of doing so.<br />
 <br />
<b><u>Stored Procedures</u></b><br />
Stored procedures offer you an even greater sense of security. Used with parameterized queries, they restrict users to performing only specific CRUD (Create, Read, Update, Delete) operations. For example, if you are using MS SQL Server, you can deny all CRUD operations to the user on table objects and only allow them Execute permissions on specific stored procedures.<br />
 <br />
<b><u>Cross-Site Scripting</u></b><br />
Cross-Site Scripting (XSS) is a vulnerability which allows code injection by malicious users. For example, let's say we have a form field that performs no validation. The input taken from this field is saved in the database and then displayed on the page. Now let's say the user entered the following text and submitted the form:<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:72px;">&lt;br&gt;&lt;br&gt;Please login with the form below before proceeding:&lt;form 
action=&quot;destination.asp&quot;&gt;&lt;table&gt;&lt;tr&gt;&lt;td&gt;Login:&lt;/td&gt;&lt;td&gt;&lt;input type=text length=20 
name=login&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;Password:&lt;/td&gt;&lt;td&gt;&lt;input type=text length=20 name=password&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/table&gt;&lt;input 
type=submit value=LOGIN&gt;&lt;/form&gt;</pre>
</div> This would display a login form on the site to all users. Something like this could be used to capture usernames and passwords from users. This is why validation is important. To prevent database data from rendering HTML, JavaScript or any other code to your pages, use the ASP Server.HtmlEncode method when outputting to a page (unless you are outputting to form fields). This method applies HTML encoding to a specified string.<br />
<div class="bbcode_container">
	<div class="bbcode_description">Code:</div>
	<pre class="bbcode_code"style="height:48px;">Response.Write Server.HtmlEncode(Request.Querystring(&quot;contact&quot;))
Response.Write Server.HtmlEncode(rs(&quot;contact&quot;))</pre>
</div> The above will output an HTML-encoded string, which will not render the HTML or JavaScript elements to the page; rather, you will see them as regular page text.<br />
 <br />
<b><u>Conclusion</u></b><br />
Hopefully this guide will help you to build secure ASP applications. There is much more involved in application security, which will be covered at a later time. This should be used only as a guide to securing your ASP applications.</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/3-asp-application-security-tips.html</guid>
		</item>
		<item>
			<title>ASP.NET Application Design</title>
			<link>http://www.developerbarn.com/blogs/jmurrayhead/2-asp-net-application-design.html</link>
			<pubDate>Fri, 15 Aug 2008 21:57:15 GMT</pubDate>
			<description><![CDATA[Over the past year and a half, I've been doing what I can to convert Classic ASP scripters over to ASP.NET programmers. 
 
Why did I call them...]]></description>
			<content:encoded><![CDATA[<blockquote class="blogcontent restore">Over the past year and a half, I've been doing what I can to convert Classic ASP <i>scripters</i> over to ASP.NET <i>programmers</i>.<br />
<br />
Why did I call them &quot;<i>scripters</i>&quot;? Because Classic ASP uses <b>scripting</b> languages such as server-side VBScript and server-side JScript, whereas ASP.NET uses <b>programming</b> languages such as VB.NET, C# and J#. These programming languages are full-blown object-oriented languages.<br />
<br />
After I was able to successfully convert these former Classic ASP scripters to ASP.NET, I noticed a common thing among all of them: they all couldn't get their minds past scripting. They treated their C# or VB.NET code as if it was a script.<br />
<br />
So, I had to teach them what I was taught and what I also researched myself. The Microsoft .NET framework allows you to build applications in a <i>layered</i> or <i>tiered</i> manner. The terms <i>layered application</i> and <i>tiered application</i> are often used interchangeably, but I look at it this way: A <i>layered</i> application is an application that is separated logically whereas a <i>tiered</i> application is separated physically.<br />
<br />
So what's all this talk about separation? I've been building my applications in a layered manner. I have the following layers: DAL (Data Access Layer), BLL (Business Logic Layer) and UI (User Interface). The user interface calls on the BLL to perform business logic, which in turn calls on the DAL to perform data access with the database.<br />
<br />
How does this benefit me? Breaking an application down into these layers provides the following benefits:<br />
<br />
<ul><li>maintainability</li>
<li>reusability</li>
<li>scalability</li>
<li>robustness</li>
<li>security</li>
</ul>For more details on this, see the following MSDN article: <a href="http://msdn.microsoft.com/en-us/library/ms978678.aspx" target="_blank">Layered Application</a><br />
<br />
If you're interested in learning more about ASP.NET and the layered application approach, I suggest you download the BeerHouse CMS: <a href="http://www.codeplex.com/TheBeerHouse" target="_blank">TheBeerHouse: CMS &amp; e-commerce StarterKit - Home</a><br />
<br />
It is by far one of the best examples of layered application design that I have seen available for free on the web. <br />
<br />
That's all for now and I hope this has helped convince you to properly build your ASP.NET and Windows Forms applications.</blockquote>

 ]]></content:encoded>
			<dc:creator>jmurrayhead</dc:creator>
			<guid isPermaLink="true">http://www.developerbarn.com/blogs/jmurrayhead/2-asp-net-application-design.html</guid>
		</item>
	</channel>
</rss>

