Sunday, August 31, 2008

Security Guidance for IIS

Security Guidance for IIS

Find information on how to improve the security of your Web servers and Web applications with the tools, security hardening guidance, and other resources found here.

An ASP.NET Application Using a MySQL Database

An ASP.NET Application Using a MySQL Database
By vivekthangaswamy

How to use a MySQL 4.1 database from an ASP.NET application and some ODBC basics.

.NET is the new distributed computing platform developed by Microsoft and ASP.NET is its programming model for web development. I'm creating a Web Form with a DataGrid for data entry using C#. How can I make a DataGrid cell display a textbox for showing a list of products in all the rows. This solution will teach you how to use a MySQL database with ASP.NET. I have developed this sample with ASP.NET 1.1 using C# as the code-behind using MySQL 4.1. I think this will be a more useful article for beginners studying .NET. In this sample, I have taken the DataGrid control for demonstration. All the basic operations of the DataGrid are explained in this article.

Overview of the Solution
MySQL Server 4.0 laid the foundation for the new features implemented in MySQL 4.1, such as subqueries and Unicode support, which were desired by many of our customers. The server is available as a separate program for use in a client/server networked environment. It is also available as a library that can be embedded (linked) into standalone applications. Such applications can be used in isolation or in environments where no network is available. Clients can connect to a MySQL server using TCP/IP sockets on any platform. On Windows systems belonging the NT family (NT, 2000, XP, or 2003), clients can connect using named pipes. On UNIX systems, clients can connect using UNIX domain socket files.

In MySQL 4.1, we cannot write stored procedures, functions, or views. The following are sample SELECT, UPDATE, and DELETE queries in MySQL.

SELECT column_names from table_name [WHERE ...conditions];

UPDATE table_name SET column_names = ‘’ WHERE ...conditions;

DELETE FROM table_name WHERE ...conditions;
The Microsoft Open Database Connectivity (ODBC) interface is a C programming language interface that makes it possible for applications to access data from a variety of database management systems. The ODBC interface permits maximum interoperability — an application can access data in diverse DBMSs through a single interface. Furthermore, that application will be independent of any DBMS from which it accesses data. Users of the application can add software components called drivers, which interface between an application and a specific DBMS. Applications that use ODBC are responsible for any cross-database functionality. For example, ODBC is not a heterogeneous join engine, nor is it a distributed transaction processor. However, because it is DBMS-independent, it can be used to build such cross-database tools.

The following will explain to you the architecture of ODBC:

Namespace used for ODBC:

using System.Data.Odbc;
The System.Data.Odbc namespace is the .NET Framework Data Provider for ODBC.

The .NET Framework Data Provider for ODBC describes a collection of classes used to access an ODBC data source in the managed space. Using the OdbcDataAdapter class, you can fill a memory-resident DataSet, which you can use to query and update a data source.

Using Parameterized Queries in ASP.Net

There are two impelling reasons everyone should learn about Parameterized Queries. One entails one keyboard character and is more of a hassle reliever than anything else. That character, in code, can become either of two different objects, the single quote and the apostrophe. When you're coding, either one can make your life truely miserable at times. The second, and MOST compelling reason to learn Parameterized Queries is to protect your database from SQL Injection Injection Attacks. If you have never heard of them, you need to hear about them now. These attacks can reak havoc on your server and, more importantly, your data. Check out these articles on SQL Injection Attacks:
Simply by using Parameterized Queries, this becomes a first line of defense, and SQL Injection attacks are stopped in their tracks.
Anyone who has ever put together a long, involved SQL statement with variables, juggling single quotes, along with the double quotes (Tutorial on Single and Double Quotes), will tell you that it's not much fun. And - on top of that, when we then talk about the apostrophe, it gets even more complicated. Of course, as most of you know, in an Insert statement, if the last Name is O'Hara, the engine looks at the string, and only sees the apostrophe as a single quote, thereby truncating your perfectly structured SQL statement. Naturally, there are fixes for the latter (Replace statement to double up on the apostrophes, which tells the DataBase engine to interpret the two apostrophes as only one true apostrophe and not a single quote), but that's extra care you must take that's really not needed - but only if you use Parameterized Queries.

Let's put together a scenario - we're searching Employees of the Northwind Trading Company by last name. We have a DropDownList (DDL) with all the last names. From that, the end user will choose one, so that the rest of that employee's information will appear. This, naturally, is a fairly simple scenario to start. We don't want to get too complicated too quickly.

Since we're searching the database by the last name, The SQL statement, using single quotes would be something like this:

sql = "Select * from Employees where Lastname = '" & ddl.selecteditem.text & "'"

As you can see, this could get pretty complicated, adding AND clauses and/or OR clauses on the end of the WHERE clause.
Using a Parameterized Query, it would look like this:

sql = "Select * from Employees where Lastname =@LastName"
All we'd need for this to work is to add the following to your code, after instantiating your Command:
(assuming you have defined a Command called 'cmd')

cmd.Parameters.Add(New SQLParameter("@LastName", ddl.SelectedItem.text))
Of course, this is an example for SQL Server. For OleDb (MS Access, and others), you would use (you guessed it!):

cmd.Parameters.Add(New OleDbParameter("@LastName", ddl.SelectedItem.text))
Of course, if you wanted to do a LIKE query (Select * from tablename where fieldname LIKE, etc), you would substitute the '=' sign for 'Like'. THEN, you could add your wildcards ('%' for SQL Server and '*" for MS Access) into the actual data being used for the search. For instance, if you had a text box for the end user to enter data to do a LIKE search - just have them put the wildcards in where they want (at the end, start, or both).
Where this really comes in handy is when you create an Insert or Update SQL statement. Suppose you were inserting a FirstName, LastName, Address, City, State, Zip, Phone, and Email address. Here's the older way you would have done this with single quotes:

sql="Insert into Employees (Firstname, Lastname, City, State, Zip, Phone, Email) Values ('" & frmFirstname.text & "', '" & frmLastName & "', '" & frmCity & "', '" & frmState & "', '" & frmZip & "', '" & frmPhone & "', '" & frmEmail & "')"
As you can see, this can get pretty cumbersome, doing it by hand. Here's the way you would take care of it with a Parameterized Query:

Dim MySQL as string = "Insert into NewEmp (fname, LName, Address, City, State, Postalcode, Phone, Email) Values (@Firstname, @LastName, @Address, @City, @State, @Postalcode, @Phone, @Email)"
Then, of course, you'd need to specify the parameters:

With SQL Server:
With cmd.Parameters:
.Add(New SQLParameter("@Firstname", frmFname.text))
.Add(New SQLParameter("@LastName", frmLname.text))
.Add(New SQLParameter("@Address", frmAddress.text))
.Add(New SQLParameter("@City", frmCity.text))
.Add(New SQLParameter("@state", frmState.text))
.Add(New SQLParameter("@Postalcode", frmPostalCode.Text))
.Add(New SQLParameter("@Phone", frmPhone.text))
.Add(New SQLParameter("@email", frmemail.text))
end with

With OleDb:
With cmd.Parameters:
.Add(New OleDbParameter("@Firstname", frmFname.text))
.Add(New OleDbParameter("@LastName", frmLname.text))
.Add(New OleDbParameter("@Address", frmAddress.text))
.Add(New OleDbParameter("@City", frmCity.text))
.Add(New OleDbParameter("@state", frmState.text))
.Add(New OleDbParameter("@Postalcode", frmPostalCode.Text))
.Add(New OleDbParameter("@Phone", frmPhone.text))
.Add(New OleDbParameter("@email", frmemail.text))
end with

Here's one note I received from a reader, Randy, that I'd like to mention here:
"I found out the hard way that the delineating of parameters must be in the SAME ORDER as they appear in the SQL command."
As far as using Stored Procedures, check out this code sample on using a Stored Procedure to populate a DropDownList - naturally, using parameters.

We'll discuss wldcards and using the 'Like' operator in another Tutorial called "Parameterized Queries - Part II".

I'm sure at this point, it's easy to also see, that consistent naming, from the Form Field names, to the Parameter Names is by far the best way to go. It's much easier to see at a glance, exactly what's going on in the code.

I've seen many examples on the net and in books that go into length concerning filetypes, sizes, etc when defining parameters. And while that's a more exact way of doing it, this tutorial shows that there is not just one way to do things in the ASP.Net world. Of course it's always best to make sure the data going in is in the exact form the database needs, in all cases. Therefore, whichever way you decide to do it, make sure your validation is the best it can be.

Easy SMTP Mail Using ASP.NET 2.0

Easy SMTP Mail Using ASP.NET 2.0
By salysle

The article addresses two topics: sending an email message to a standard email account, and sending an SMS message to a cell phone or pager.
The article addresses two topics: sending an email message to a standard email account, and sending an SMS message to a cell phone or pager. The approach uses the SMTP client contained in System.Net to accomplish both types of message submittal, and all messages are sent from ASP.NET 2.0 ASPX pages.

The SMTP email portion application will demonstrate the following:

Using SMTP to configure and send email messages
Adding ‘CC’ addresses as message recipients
Adding attachments to a message
The SMS portion of the email application will demonstrate the following:

Passing standard email messages through the carrier to deliver SMS messages to the target.
In addition to discussing the small bit of code necessary to send these messages, the document will address the primary configuration requirements needed to successfully send messages through an ASP.NET 2.0 based website on an IIS server.

In order to use this demonstration, you should have an instance of IIS installed on your development machine, you should have Visual Studio 2005 installed, and you should have the optional SMTP mail server installed in your local IIS instance.

Add Web Parts to Your Application

Building Web Parts, Part 1
by Wei-Meng Lee, author of ASP.NET 2.0: A Developer's Notebook

Websites today contain a wealth of information; so much that a poorly designed site can easily overwhelm users. To better help users cope, portal websites today (such as MSN) often organize their data into discrete units that support a degree of personalization. Information is organized into standalone parts, and users can rearrange those parts to suit their individual working styles. Such personalization also lets users hide the parts that contain information in which they have no interest. What's more, users can save their settings so that the site will remember their preferences the next time they visit the site. In ASP.NET 2.0, you can now build web portals that offer this kind of modularization of information and personalization using the new Web Parts framework.

Essentially, the Web Parts framework contains a set of controls that lets you organize a portal page in a way that allows users of the portal to customize the appearance, content, and behavior of its contents directly from a web browser. The changes are then saved for the user and recalled for subsequent visits. All of this functionality can be implemented without the need for much coding.

Saturday, August 30, 2008

Adding Google Maps

I found an easy way to include Google map support to my web site.
It is a ASP.NET Googlemaps User Control from GoogleMaps.Subgurim.NET.

GoogleMaps.Subgurim.NET is the most advanced Google Maps control for ASP.NET 2.0.
With the full power of the official GoogleMaps API, yet without the need of a single line of javascript code: only ASP.NET!
Just drag the control in Visual Studio, and with a few lines of code you will be able program powerful Google Maps applications!!

They offer a free version and a low cost version.

Obscure ASP.NET Problem - AJAX Control Toolkit, CollapsiblePanelExtender, Image controls pages loading more than once....

Had an issue on a current project where a page was being loaded twice for each request, although it was a little different for each browser. Under IE, this particular page was loaded, then the 'Default.aspx' page in the same directory was loaded. In Firefox, the same page was loaded twice. This was verified by simply placing breakpoints in the Page_Load events and watching it get hit twice, in addition to seeing this via the NET monitor in Firebug (the Firefox addin).

It was causing performance issues as well as weirdness regarding page state, as you can imagine. So in I went, thinking it should be relatively easy to debug. Turns out it was quite obscure and took more time than I had originally anticipated.

ViewState Chunking in ASP.NET

ASP.NET 2.0 introduces the ViewState Chunking mechanism. This means that if your ViewState is too large then it will be broken into small chunks. The reason behind this feature is that many firewalls and proxies does not accept the huge ViewState sizes.
You can set the MaxPageStateFieldLength property in the web.config section. The property represents the number of bytes. By default the value is -1 which means no chunking.

How to: Install and Configure SMTP Virtual Servers in IIS 6.0

In order to send e-mail from an ASP.NET Web application, you must have the Simple Mail Transfer Protocol (SMTP) service of Internet Information Services (IIS) installed and configured on your server. The IIS SMTP service is a simple component for forwarding e-mail messages to an SMTP server for delivery.

How to: Create and Configure Local ASP.NET Web Sites in IIS 6.0

Using Internet Information Services (IIS) Manager, you can create a local Web site for hosting an ASP.NET Web application. This topic explains how you can create a local Web site and configure it to run ASP.NET pages. For more information about how to install and configure IIS, or about how to create a Web site, see the IIS Help or the online IIS product documentation on the Microsoft TechNet Web site.

ASP.Net Feeds