
Page 1: Selected Topics ASP.NET2

Tips and Tricks in ASP.NET 2.0 Development

Talal Abdullah Alsubaie, Programmer, IT Department, Saudi Food and Drugs Authority

1 Talal A. Alsubaie SFDA

Page 2: Selected Topics ASP.NET2

Tips and Tricks in ASP.NET 2.0 Development

This presentation aims to give us (developers) better knowledge of development in the MS ASP.NET 2.0 environment, by learning some tips and tricks in ASP.NET 2.0 programming.

The main goal is to enhance:
◦ Security.
◦ Availability.
◦ Integrity.
◦ Usability.
◦ Performance.


Page 3: Selected Topics ASP.NET2

Tips and Tricks in ASP.NET 2.0 Development

We will cover some topics in this presentation, such as:
◦ N-Tier Architecture.
◦ CSS (Cascading Style Sheets) pages.
◦ Database Programming.
◦ Exception Handling.


Page 4: Selected Topics ASP.NET2

N-Tier Architecture


Page 5: Selected Topics ASP.NET2

N-Tier Architecture

• An N-Tier architecture is a development method in which the user interface, functional process logic, data storage, and data access are developed and maintained as independent modules. (http://en.wikipedia.org/wiki/N_tier)
• The N-Tier architecture is based on the concept of separating a system into different layers (usually 3). Each layer interacts only with the layer directly below it, and has a specific function that it is responsible for.
• It is considered a software design pattern.
• N-Tier provides reusability, scalability and maintainability.
• Web development often uses the 3-Tier model.
• A Three-Tier model has:
◦ Presentation Tier.
◦ Business Tier.
◦ Data Tier.


Page 6: Selected Topics ASP.NET2


[Diagram: the salary-total example flowing through the three tiers. Labels: Get Salary Total, Get Last Year Salaries, Query, Database, Salary 1, Salary 2, Salary 3, Add Salary Together, Display Total.]

Page 7: Selected Topics ASP.NET2

N-Tier Architecture

• One of the common mistakes is tightly coupling the layers, and writing business logic in the presentation tier.

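The salary-total flow from the diagram, written as three separate classes so that the calculation and the SQL do not end up in the page. This is an added illustration, not code from the slides; the HrDb connection-string name, the Salaries table, the TotalLabel control and the Session value are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
// Data tier: the only class that knows SQL. Assumes a web.config connection
// string named "HrDb" and a Salaries(EmployeeId, Year, Amount) table.
public class SalaryRepository
{
    public List<decimal> GetLastYearSalaries(int employeeId)
    {
        string cs = ConfigurationManager.ConnectionStrings["HrDb"].ConnectionString;
        List<decimal> salaries = new List<decimal>();
        using (SqlConnection connection = new SqlConnection(cs))
        using (SqlCommand command = new SqlCommand(
            "SELECT Amount FROM Salaries WHERE EmployeeId = @EmployeeId AND Year = @Year", connection))
        {
            // Type-safe parameters: values travel as data, never as SQL text.
            command.Parameters.Add("@EmployeeId", SqlDbType.Int).Value = employeeId;
            command.Parameters.Add("@Year", SqlDbType.Int).Value = DateTime.Now.Year - 1;
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
                while (reader.Read())
                    salaries.Add(reader.GetDecimal(0));   // Salary 1, Salary 2, Salary 3 ...
        }
        return salaries;
    }
}
// Business tier: "Add Salary Together" lives here, not in the page.
public class SalaryService
{
    private readonly SalaryRepository repository = new SalaryRepository();
    public decimal GetSalaryTotal(int employeeId)
    {
        decimal total = 0;
        foreach (decimal salary in repository.GetLastYearSalaries(employeeId))
            total += salary;
        return total;
    }
}
// Presentation tier (code-behind): "Display Total" only; no SQL, no arithmetic.
public partial class SalaryPage : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        int employeeId = (int)Session["EmployeeId"];       // assumed to be set at login
        TotalLabel.Text = new SalaryService().GetSalaryTotal(employeeId).ToString("N2");
    }
}
```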

Page 8: Selected Topics ASP.NET2

Database Programming


Page 9: Selected Topics ASP.NET2

Database Programming

• You have many things to think about.


Page 10: Selected Topics ASP.NET2

Database Programming

• Things to keep in mind:
• Keep the connection string in web.config.
• Never store sensitive data in clear text within a database.
• Do not rely on client-side validation.
• Validate input for length, range, format, and type.
• Validate untrusted input passed to your data access methods.
• When constructing SQL queries, use type-safe SQL parameters.
• Avoid dynamic SQL that accepts user input.
• Be aware of SQL injection.


Page 11: Selected Topics ASP.NET2

Database Programming

• Keep the connection string in web.config:
• Web.config is an XML file that stores configuration settings for an ASP.NET application.
• Why would you want to keep your database connection strings in the Web.config file?
• Easier maintenance and deployment.
• Use CustomErrors and keep mode = "On".
• Disable trace for production; otherwise take a look at "trace.axd".
• Disable debugging.
• Web.config is not served by the web server; it can only be read through the file system.
• The .NET Framework will take care of web.config security.

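Added here as an illustration of the settings above (not from the slides): a web.config fragment with the connection string under connectionStrings and the production values for customErrors, trace and compilation. The connection-string name, server name and error page are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Placeholder values. The data tier reads this entry by name through
         ConfigurationManager.ConnectionStrings["HrDb"], so no credentials live in code. -->
    <add name="HrDb"
         connectionString="Data Source=DB_SERVER;Initial Catalog=HR;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- Production: mode="On" means no stack traces or source lines reach the browser;
         users get the friendly page instead. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <!-- Production: trace.axd must not be reachable. -->
    <trace enabled="false" />
    <!-- Production: debug="false"; debug builds are slower and expose more detail. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

The connectionStrings section can additionally be encrypted in place with the framework's own tool, `aspnet_regiis -pe "connectionStrings" -app "/AppName"`, so that a copy of the file does not reveal credentials.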

Page 12: Selected Topics ASP.NET2

Database Programming

• Never store sensitive data in clear text within a database:
• No application is 100% secure.
• The attacker can enter your database without using your application.
• The attacker can use MS SQL Server Management Studio or their own application to enter your database.


Page 13: Selected Topics ASP.NET2

Database Programming

• Do not rely on client-side validation:
• Client-side validation can easily be bypassed.
• What if the user disables JavaScript?!
• Use client-side validation plus server-side validation.


Page 14: Selected Topics ASP.NET2

Database Programming

• Validate input for length, range, format, and type:
• Do not trust user input.
• An attacker can pass malicious input, e.g. SQL injection.
• Use the Regex class (regular expressions) to validate input.
• For example, an e-mail regular expression is:
• ^[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,3}$
(anchored so it must match the whole value, with the dot before the top-level domain escaped so it does not match any character, and allowing dotted domain names.)
• Take a look at: http://regexlib.com


Page 15: Selected Topics ASP.NET2

Database Programming

• What is a SQL injection attack?
• Many web applications take user input from a form.
• Often this user input is used literally in the construction of a SQL query submitted to a database. For example:

SELECT productdata FROM products WHERE productname = 'user input product name';

• A SQL injection attack involves placing SQL statements in the user input.


Page 16: Selected Topics ASP.NET2

Database Programming

• SQL injection:
• Database layer vulnerability.
• Characters like ' and ; have special meaning to the SQL engine.
• An attacker can gain:
◦ Unauthorized data access.
◦ Execution of arbitrary commands.
• RFID injection:
• What if a clever person doctored a tag to include extra characters in that item number?


Page 17: Selected Topics ASP.NET2

Demo


Page 18: Selected Topics ASP.NET2

Database Programming

• When constructing SQL queries, use type-safe SQL parameters:
• Use type-safe SQL parameters to avoid possible SQL injection attacks that can occur with unfiltered input.
• You can use type-safe parameters with stored procedures and with dynamic SQL statements.
• Parameters are also checked for type and length.

using System.Data;
using System.Data.SqlClient;

// connectionString is read from web.config (see "Keep the connection string in web.config").
using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myCommand =
        new SqlDataAdapter("LoginStoredProcedure", connection);
    // Call a stored procedure instead of building SQL text.
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Declare the parameter with an explicit type and length (varchar(11)).
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    // User input is assigned as the parameter value, never concatenated into the query.
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}

Page 19: Selected Topics ASP.NET2

Database Programming

• Avoid dynamic SQL that accepts user input:
• Avoid constructing SQL queries in code that include user input.
• Instead, prefer parameterized stored procedures that use type-safe SQL parameters.
• If you construct queries dynamically using user input, your code is susceptible to SQL injection.

// Use dynamic SQL (vulnerable: user input is concatenated into the query text)
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'",
    myConnection);

// The query the database receives when the input closes the quote and adds a second statement:
SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE HR--'

Page 20: Selected Topics ASP.NET2

Database Programming

• Conclusion:
• Do not trust any input data.
• Use regular expressions to validate data.
• Use parameterized SQL input.
• Don't interact with the database directly; instead use stored procedures.

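Server-side validation for length, range, format and type (slide 14) combined with a type-safe parameter to a stored procedure (slides 18 and 19) in one data-access path, as an added example that is not code from the slides. The GetAuthorById stored procedure and the PubsDb connection-string name are assumptions; the e-mail pattern is the slide's, anchored and with the dot escaped.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class InputChecks
{
    // The slide's e-mail pattern, anchored (^ ... $) so IsMatch cannot succeed on a
    // substring, with the dot before the top-level domain escaped and dotted domains allowed.
    private static readonly Regex Email = new Regex(
        @"^[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,3}$",
        RegexOptions.Compiled);
    // pubs-style author id ###-##-####, i.e. what the @au_id varchar(11) parameter expects.
    private static readonly Regex AuthorId = new Regex(@"^\d{3}-\d{2}-\d{4}$", RegexOptions.Compiled);

    // Length, format and type are checked here regardless of what client-side validators did.
    public static bool IsValidEmail(string s) { return s != null && s.Length <= 254 && Email.IsMatch(s); }
    public static bool IsValidAuthorId(string s) { return s != null && s.Length == 11 && AuthorId.IsMatch(s); }
    public static bool IsValidYear(string s, out int year)
    {
        // Type (parses as int) and range (plausible year) in one check.
        return int.TryParse(s, out year) && year >= 1900 && year <= DateTime.Now.Year;
    }
}

public static class AuthorRepository
{
    // Assumes a stored procedure GetAuthorById(@au_id varchar(11)) and a web.config
    // connection string named "PubsDb" (both assumptions).
    public static DataTable FindAuthor(string auId)
    {
        if (!InputChecks.IsValidAuthorId(auId))
            throw new ArgumentException("Author id has an invalid format.", "auId");

        string cs = ConfigurationManager.ConnectionStrings["PubsDb"].ConnectionString;
        DataTable authors = new DataTable();
        using (SqlConnection connection = new SqlConnection(cs))
        using (SqlDataAdapter adapter = new SqlDataAdapter("GetAuthorById", connection))
        {
            adapter.SelectCommand.CommandType = CommandType.StoredProcedure;
            // Even an input such as '; DROP DATABASE HR-- is passed as a varchar(11) value;
            // it is never spliced into the SQL text, so the database cannot execute it.
            adapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = auId;
            adapter.Fill(authors);
        }
        return authors;
    }
}
```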

Page 21: Selected Topics ASP.NET2

Cascading Style Sheets (CSS)


Page 22: Selected Topics ASP.NET2

Cascading Style Sheets (CSS)

• CSS stands for Cascading Style Sheets.
• Styles define how to display HTML elements.
• Styles are normally stored in style sheets.
• External style sheets can save you a lot of work.
• External style sheets are stored in CSS files.
• Multiple style definitions will cascade into one.
• CSS separates content from presentation.


Page 23: Selected Topics ASP.NET2

Cascading Style Sheets (CSS)

selector {property: value;}

Selector: the HTML element you wish to define.
Property: the attribute you wish to change.
Value: the value the property takes.


Page 24: Selected Topics ASP.NET2

Cascading Style Sheets (CSS)

• What style will be used when there is more than one style specified for an HTML element?
• Generally speaking, all the styles will "cascade" into a new "virtual" style sheet by the following rules, where number four has the highest priority:
1. Browser default.
2. External style sheet.
3. Internal style sheet (inside the <head> tag).
4. Inline style (inside an HTML element).


Page 25: Selected Topics ASP.NET2

Demo


Page 26: Selected Topics ASP.NET2

Cascading Style Sheets (CSS)

• How can you use CSS files?
• Create a .CSS file.
• Enter your CSS code.
• In your .HTML or .ASPX page add:
<link rel="stylesheet" href="css_file_path.css" type="text/css"/>
inside your head tag.
• For example:
<head>
  <title>My Title</title>
  <link rel="stylesheet" href="MyStyle.css" type="text/css" />
</head>


Page 27: Selected Topics ASP.NET2

Cascading Style Sheets (CSS)

• Benefits of Cascading Style Sheets:
◦ Separate content from presentation.
◦ Look and feel consistency.
◦ Easier web site maintenance.


Page 28: Selected Topics ASP.NET2

Exception Handling


Page 29: Selected Topics ASP.NET2

Exception Handling

• Exceptions are:
◦ Errors that occur at execution time.
◦ Abnormal termination of a program.
◦ Wrong execution results.
• Exception handling is a programming language construct designed to handle the occurrence of some condition that changes the normal flow of execution.


Page 30: Selected Topics ASP.NET2

Exception Handling

• Syntax:

try
{
    // Code that may raise an exception.
}
catch (Exception1 e)
{
    // Case Exception1 occurs.
}
catch (Exception2 e)
{
    // Case Exception2 occurs.
}
catch (Exception e)
{
    // Case any other exception occurs (must come last: catch clauses are tested in order).
}
finally
{
    // Code that always runs afterwards, whether or not an exception occurred.
}

Page 31: Selected Topics ASP.NET2

Exception Handling

• In exceptions:
• Plan for the worst.
• Don't trust external data.
• Don't trust other systems: databases, or other applications.
• The only reliable devices are the screen, the mouse and the keyboard.
• Writes can fail, too (space, privileges, physical fault...).
• Don't put important exception information in the Message field (security).
• Don't ever swallow exceptions.
• Cleanup code should be put in finally blocks.

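The rules above applied to one data-access method, as an added example that is not code from the slides: details go to the server-side trace log, a neutral message goes up to the caller, the connection is released in finally, and the swallowing variant is shown for contrast. The Salaries table, the connection string passed in and the configured Trace listeners are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;

// What the caller (and, behind customErrors, the user) sees: a neutral message.
// The real SqlException is kept as InnerException for the server-side log only.
public class DataAccessException : ApplicationException
{
    public DataAccessException(string message, Exception inner) : base(message, inner) { }
}

public class SalaryTotals
{
    private readonly string connectionString;   // assumed to come from web.config
    public SalaryTotals(string connectionString) { this.connectionString = connectionString; }

    // Recommended shape: details logged, connection released in finally, neutral message up.
    public decimal GetSalaryTotal(int employeeId)
    {
        SqlConnection connection = null;
        try
        {
            connection = new SqlConnection(connectionString);
            SqlCommand command = new SqlCommand(
                "SELECT SUM(Amount) FROM Salaries WHERE EmployeeId = @EmployeeId", connection);
            command.Parameters.Add("@EmployeeId", SqlDbType.Int).Value = employeeId;
            connection.Open();
            object total = command.ExecuteScalar();
            return total == null || total == DBNull.Value ? 0m : (decimal)total; // SUM of no rows is NULL
        }
        catch (SqlException ex)
        {
            // Server name, SQL text and error numbers belong in the server log, not in Message.
            Trace.TraceError("Salary query failed for employee {0}: {1}", employeeId, ex);
            throw new DataAccessException("The salary total is currently unavailable.", ex);
        }
        finally
        {
            if (connection != null) connection.Close();   // cleanup runs whether or not we threw
        }
    }

    // Anti-pattern from the slide: the exception is swallowed, the page shows 0 and
    // nobody learns that the database call failed.
    public decimal GetSalaryTotalSwallowed(int employeeId)
    {
        try { return GetSalaryTotal(employeeId); }
        catch (Exception) { return 0m; }
    }
}
```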

Page 32: Selected Topics ASP.NET2

Exception Handling

• Objectives:
• Making programs safer by providing a special mechanism.
• Keeps your program running.
• Don't scare the user with technical errors.


Page 33: Selected Topics ASP.NET2

Demo


Page 34: Selected Topics ASP.NET2

Q & A


Page 35: Selected Topics ASP.NET2

Thank you


Talal Abdullah Alsubaie, [email protected], IT Department, Saudi Food and Drugs Authority