Security and the ASP.NET View State


Many of you who work with Microsoft .NET are aware of the View State, and for those of you who are just getting started with .NET, please take the time to read the ASP.NET View State Overview on the Microsoft Developer Network (MSDN). While the view state is necessary, it does not come without security concerns, and you should understand what they are and what you can do to mitigate the risks.

The view state is a repository in an ASP.NET page that can store values that have to be retained during postback. The page framework uses view state to persist control settings between postbacks. You can use view state in your own applications to do the following:

- Keep values between postbacks without storing them in session state or in a user profile.
- Store the values of page or control properties that you define.
- Create a custom view state provider that lets you store view state information in a SQL Server database or in another data store.

The Problem

Sounds all well and good, but once again there are security concerns that you must address. Before we tackle security, take a minute and review what the View State looks like in the HTML markup …


Microsoft Enterprise Library: Caching Application Block


This is the second article on the topic of the Microsoft Enterprise Library. If you have not read the previous article titled Microsoft Enterprise Library: Data Access Application Block, I recommend you do so.

Introduction to the Caching Application Block

The Enterprise Library Caching Application Block lets developers incorporate a local cache in their applications. It supports both an in-memory cache and, optionally, a backing store that can be either the database store or isolated storage. The Caching Application Block can be used without modification; it provides all the functionality needed to retrieve, add, and remove cached data. Configurable expiration and scavenging policies are also part of the block.

If you have been working with caching outside the Enterprise Library, I believe you will find this application block extremely powerful and easy to use. If you have not taken on the subject of caching before, I believe you will also find it easy to pick up, and it will ultimately boost the performance of your applications. The Enterprise Library Caching Application Block includes the following features:

- You can use the graphical Enterprise Library configuration tools to manage configuration settings.
- You can configure a persistent storage location, using either isolated storage or …


Microsoft Enterprise Library: Data Access Application Block


For those of you who have been using the Enterprise Library from Microsoft, I tip my hat to you. I admit that I have not used this library for a number of years, and in most cases the reason is that I have honestly not been in a position to do so. It is a long story, so don't ask. There are a number of reasons why you should seriously consider using the Enterprise Library, and I cannot think of any better reasons than those provided directly by Microsoft. The goals of Enterprise Library are the following:

- Consistency. All Enterprise Library application blocks feature consistent design patterns and implementation approaches.
- Extensibility. All application blocks include defined extensibility points that allow developers to customize the behavior of the application blocks by adding their own code.
- Ease of use. Enterprise Library offers numerous usability improvements, including a graphical configuration tool, a simpler installation procedure, and clearer and more complete documentation and samples.
- Integration. Enterprise Library application blocks are designed to work well together or individually.

Now that the groundwork has been laid, let us get started.

Introduction to the Data Access Library

The Data Access Application Block includes a …


Creating Charts With Microsoft Chart Controls


There is no shortage of charting controls for the Microsoft .NET Framework, and while many do a great job, they may be overkill and costly for a project. If you're not familiar with the Microsoft Chart Controls, you may be in for a pleasant surprise, for two reasons:

- They are free.
- They quickly render charts.

Quick Walkthrough

My purpose here is simple and to the point. I want to demonstrate just how easy it is to return a chart to the end user. In this case I will be using an XML data source rather than a database, which is what you would typically see.

Line Chart

ASPX:

    <asp:Chart ID="Line" runat="server" Width="600px" Height="400px">
        <Series>
            <asp:Series Name="Series1" ChartType="Line">
            </asp:Series>
        </Series>
        <ChartAreas>
            <asp:ChartArea Name="ChartArea1">
            </asp:ChartArea>
        </ChartAreas>
    </asp:Chart>

Code Behind (requires the System.Data namespace for DataSet, DataTable and DataView):

    internal void BindCharts()
    {
        // Path to the XML data source under the application's App_Data folder.
        string dataPath = MapPath("~/App_Data/books.xml");
        DataSet ds = new DataSet();
        ds.ReadXml(dataPath);
        DataTable dt = ds.Tables[0];
        DataView dataView = new DataView(dt);
        // Bind the "title" column to the X axis and the "price" column to the Y axis.
        Line.Series[0].Points.DataBindXY(dataView, "title", dataView, "price");
    }

Take note that the real magic happens in "DataBindXY", which specifies the data points to display, in this case title and price. As a bonus, if I add the following to the "BindCharts" method then I also have a stacked …


Security Development Lifecycle: SQL Injection Attacks


In an earlier post titled Security Development Lifecycle: Introduction I began introducing what the Security Development Lifecycle (SDL) represents, and as I continue this series I will focus on the SDL model that Microsoft has so graciously provided to the community.

Introduction

In part 2 of this series I want to focus on SQL injection, and for those of you just getting started it is important to understand what a SQL injection attack is. Here is what Microsoft has stated:

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Even parametrized data can be manipulated by a skilled and determined attacker. The primary form of SQL injection consists of direct insertion of code into user-input variables that are concatenated with SQL commands and executed. A less direct attack injects malicious code into strings that are destined for storage in a table or as metadata. When the stored strings are subsequently concatenated into a dynamic SQL command, the malicious …
