The IsNullOrEmpty method was added to the String class in .NET Framework 2.0, and it reduces testing for a null or empty string to a single call. Instead of first checking whether the String reference is null and then checking whether its length is zero, both tests are done in one method call.
VB.NET

```vbnet
Module Demo
    Sub Main()
        ' s is declared but never assigned, so it is Nothing (null) here
        Dim s As String
        If String.IsNullOrEmpty(s) Then
            Console.WriteLine("String is null or empty.")
        Else
            Console.WriteLine(String.Format("String = {0}", s))
        End If
    End Sub
End Module
```
This isn’t exactly an earth shattering discovery, but it’s useful nonetheless.
In the next installment of my security series, I'll tackle SQL injection. In true code-reuse fashion, I'll provide a couple of links that do a great job of explaining some misconceptions about SQL injection and how to protect your application.
First here’s a link to a post on Glen Gordon’s blog about injection: http://blogs.msdn.com/glengordon/archive/2008/04/15/some-sql-injection-attack-misperceptions-and-reality.aspx. Glen includes a nice list of common mistakes when thinking about preventing injection attacks.
Next is a link to an MSDN Magazine article showing how to stop injection attacks: http://msdn2.microsoft.com/en-us/magazine/cc163917.aspx
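As an added example (my own code, not taken from either linked article), here is the same lookup built two ways so you can see exactly what reaches the server. The `Users` table, its `Name` column and the connection string are placeholders; the connection object is constructed but never opened, so the program runs without a database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

class InjectionDemo
{
    // VULNERABLE on purpose: the untrusted value becomes part of the SQL text.
    static string BuildUnsafeQuery(string name)
    {
        return "SELECT * FROM Users WHERE Name = '" + name + "'";
    }

    // SAFE: the value travels as a typed parameter and is never parsed as SQL.
    static SqlCommand BuildSafeCommand(SqlConnection conn, string name)
    {
        SqlCommand cmd = new SqlCommand("SELECT * FROM Users WHERE Name = @Name", conn);
        cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = name;
        return cmd;
    }

    static void Main()
    {
        // Constructed attacker input: closes the string literal, adds a condition
        // that is always true, and comments out the trailing quote.
        string attacker = "x' OR 1=1 --";

        Console.WriteLine("Concatenated SQL sent to the server:");
        Console.WriteLine("  " + BuildUnsafeQuery(attacker));

        // Placeholder connection string (hypothetical); Open() is never called.
        using (SqlConnection conn = new SqlConnection("Server=(local);Database=App;Integrated Security=true"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, attacker);
            Console.WriteLine("Parameterized SQL sent to the server:");
            Console.WriteLine("  " + cmd.CommandText);
            Console.WriteLine("  @Name = " + cmd.Parameters["@Name"].Value);
            // The quote and the comment marker stay inside the parameter value,
            // so the server compares Name against the literal string "x' OR 1=1 --".
        }
    }
}
```

With that input the concatenated text is `SELECT * FROM Users WHERE Name = 'x' OR 1=1 --'`, which matches every row; the parameterized command text never changes, and the attacker's string is just a value to compare against. The same holds for VB.NET, where `&` concatenation into a query string is the equivalent mistake.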
I know this was a lazy post, but cut me some slack. I've got a 2-month-old baby and a new PS3.
Cross-site scripting can be a tough vulnerability to eliminate, but it doesn't have to be. If you're working on an ASP.NET project, the Microsoft Anti-XSS library is easy to use and freely available. Like a lot of developers, I've rolled my own anti-XSS code by escaping specific characters, but it's usually clunky and, let's face it, there are still bound to be vulnerabilities. The MS library provides encoders for HTML content, HTML attributes, JavaScript and VBScript, as well as for XML content and XML attributes, so you can pick the encoder that matches the context you are writing the value into.
Always encode data that came from an untrusted source before writing it into the page. A few examples of such sources:
- Databases
- Form fields
- Session variables
- Query string
- Cookies
Using the library is very simple. Just add a reference to the DLL to your project, and you're ready to go. Here's a quick and dirty code example encoding a value from the query string for the HTML body:
```csharp
using Microsoft.Security.Application;   // from AntiXssLibrary.dll

// Encode for HTML element content right before the value is written to the page
string Name = AntiXss.HtmlEncode(Request.QueryString["Name"]);
```
A good rule to live by is "When in doubt, encode it." Just don't encode it twice: a second pass turns the & of every entity into &amp;, so the browser shows the user literal entity text such as &lt; instead of the character it stands for.
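Here is an added example (my code, not the library's own sample) that encodes the same untrusted value for two output contexts, compares the result with a typical home-grown escaper, and shows what double-encoding does. It assumes `AntiXssLibrary.dll` is referenced and that its `Microsoft.Security.Application.AntiXss` class exposes `HtmlEncode` and `HtmlAttributeEncode`; the inputs are constructed attack strings so it runs as a console program without ASP.NET.

```csharp
using System;
using Microsoft.Security.Application;   // AntiXssLibrary.dll (assumed reference)

class OutputEncodingDemo
{
    // A typical home-grown escaper: handles angle brackets and nothing else.
    // Deliberately incomplete, to show why the library is preferable.
    static string HomeGrownEscape(string s)
    {
        return s.Replace("<", "&lt;").Replace(">", "&gt;");
    }

    // Element content context: <p>Hello, NAME</p>
    static string RenderBody(string untrusted)
    {
        return "<p>Hello, " + AntiXss.HtmlEncode(untrusted) + "</p>";
    }

    // Attribute context: an unencoded double quote would end the attribute,
    // so the attribute encoder is the right tool here.
    static string RenderAttribute(string untrusted)
    {
        return "<input type=\"text\" value=\"" + AntiXss.HtmlAttributeEncode(untrusted) + "\" />";
    }

    static void Main()
    {
        // Constructed inputs; in a page these would come from Request.QueryString["Name"].
        string scriptTag = "<script>alert(document.cookie)</script>";
        string attrBreakout = "\" onmouseover=\"alert(1)";

        Console.WriteLine("Body context:");
        Console.WriteLine("  home-grown: <p>Hello, " + HomeGrownEscape(scriptTag) + "</p>");
        Console.WriteLine("  AntiXss:    " + RenderBody(scriptTag));

        Console.WriteLine("Attribute context:");
        // No angle brackets in this payload, so the home-grown escaper passes it
        // through unchanged and the rendered tag gains an onmouseover handler.
        Console.WriteLine("  home-grown: <input type=\"text\" value=\"" + HomeGrownEscape(attrBreakout) + "\" />");
        Console.WriteLine("  AntiXss:    " + RenderAttribute(attrBreakout));

        Console.WriteLine("Encoding twice:");
        string once = AntiXss.HtmlEncode(scriptTag);
        string twice = AntiXss.HtmlEncode(once);
        // The second pass re-encodes the '&' of each entity, so the browser
        // displays entity text (for example &lt;) instead of '<'.
        Console.WriteLine("  once:  " + once);
        Console.WriteLine("  twice: " + twice);
    }
}
```

The practical rule that falls out of this: keep the raw value in your variables and apply exactly one encoder at the point of output, chosen by where the value lands (element content, attribute, script, URL), rather than "cleaning" input on the way in and hoping it is safe everywhere.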
You can download the library from Microsoft here.
Well, my highly publicized conversion to Linux is sort of over. I've still got Ubuntu installed on my secondary notebook, but I went back to WinXP on my primary notebook. There are some things I want to do, and it's just a whole lot easier to use Windows (primarily working with videos of my daughter I've taken using my camcorder). This doesn't mean that I didn't like Ubuntu. I actually really liked it, but it just wasn't practical for my needs. I'll still use it, but just not as much.
I recently completed a project at work that included the requirement to monitor data files on 30 or more different Windows NT4 machines for changes. Naturally I thought of using the FileSystemWatcher class in the System.IO namespace. As anyone who has used the FileSystemWatcher has come to realize, it can be unreliable. Specifically, if one of the NT4 machines were rebooted, the watcher would “lose” its ability to capture the file modification events I needed. What was my solution? Well, it’s a bit of a hack. Actually, it’s a really big hack. I used the Timer class in the System.Threading namespace to restart the watchers at a specified interval and to check for changes to the files that I might have missed. The files don’t change very often, so the solution has worked so far. I also can’t install anything on the NT4 machines, so this is what I was forced to do. Come on. I’m not the only one to hack something together like this. Am I?
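As an added example (my own code, not the author's project), here is the shape of that hack in a form you can run: a FileSystemWatcher that is torn down and recreated on a timer, restarted again if it raises its Error event, and backed by a periodic sweep of LastWriteTime stamps to catch changes the watcher dropped. It watches a temp directory it creates; a UNC path to a share on one of the NT4 machines would go in the same place. The 30-second interval is a demo value.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading;

class ResilientWatcher
{
    private readonly string _path;
    private readonly string _filter;
    private readonly Dictionary<string, DateTime> _lastSeen = new Dictionary<string, DateTime>();
    private readonly object _lock = new object();
    private FileSystemWatcher _watcher;

    public ResilientWatcher(string path, string filter)
    {
        _path = path;
        _filter = filter;
        Sweep(false);       // record the starting state so the first real sweep is quiet
        StartWatcher();
    }

    // Dispose any existing watcher and create a fresh one.
    private void StartWatcher()
    {
        FileSystemWatcher old = _watcher;
        if (old != null) { old.EnableRaisingEvents = false; old.Dispose(); }

        FileSystemWatcher w = new FileSystemWatcher(_path, _filter);
        w.NotifyFilter = NotifyFilters.LastWrite | NotifyFilters.FileName | NotifyFilters.Size;
        w.Changed += OnChanged;
        w.Created += OnChanged;
        w.Error += OnError;     // buffer overflow or a vanished share lands here
        w.EnableRaisingEvents = true;
        _watcher = w;
    }

    private void OnChanged(object sender, FileSystemEventArgs e)
    {
        Announce("event", e.FullPath);
    }

    private void OnError(object sender, ErrorEventArgs e)
    {
        Console.WriteLine("watcher error: " + e.GetException().Message + "; restarting");
        StartWatcher();
    }

    // Fallback: compare current timestamps with the last snapshot. Returns the
    // number of files whose change the watcher never reported.
    public int Sweep(bool report)
    {
        int missed = 0;
        lock (_lock)
        {
            foreach (string file in Directory.GetFiles(_path, _filter))
            {
                DateTime stamp = File.GetLastWriteTimeUtc(file);
                DateTime previous;
                bool known = _lastSeen.TryGetValue(file, out previous);
                if (known && previous == stamp) continue;
                _lastSeen[file] = stamp;
                if (report) { Console.WriteLine("sweep: " + Path.GetFileName(file)); missed++; }
            }
        }
        return missed;
    }

    // Timer callback: restart the watcher, then look for anything it missed.
    public void Restart(object state)
    {
        StartWatcher();
        Sweep(true);
    }

    private void Announce(string how, string file)
    {
        lock (_lock) { _lastSeen[file] = File.GetLastWriteTimeUtc(file); }
        Console.WriteLine(how + ": " + Path.GetFileName(file));
    }

    static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "watchdemo");   // constructed demo location
        Directory.CreateDirectory(dir);
        string data = Path.Combine(dir, "data.txt");
        File.WriteAllText(data, "initial");

        ResilientWatcher rw = new ResilientWatcher(dir, "*.txt");
        using (Timer timer = new Timer(rw.Restart, null, TimeSpan.FromSeconds(30), TimeSpan.FromSeconds(30)))
        {
            File.WriteAllText(data, "changed at " + DateTime.Now);   // should arrive as an event
            Console.WriteLine("Modify .txt files in " + dir + "; press Enter to quit.");
            Console.ReadLine();
        }
    }
}
```

The sweep is what makes the approach tolerable for files that change rarely: if a reboot silently kills the watcher, the worst case is that a change is reported one interval late rather than never. Events and sweeps share the snapshot, so a change that did arrive as an event is not reported a second time.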
I hope you cashed in while Google was at its high because the stock is now down 40% from its high of $747. Is the bubble busting on the little text ad clicks market???
It looks like the war for high def DVD dominance has finally ended. All I can say is that I’m glad I didn’t get that Samsung HD DVD player I was drooling over a few months ago…
On a personal note, my wife gave birth to our first child Sunday morning at 2:06 am. She's a beautiful 8 lb 9 oz, 22 in long baby girl! The posts to the ScarTech blog might be few and far between in the next few weeks while I'm showering love on my little girl.
At work we've started a pretty aggressive re-write of our web applications. We're moving them all to a set of common style sheets, graphics and master pages, as well as putting both our web server and SVN repository into a logical structure. What started as just a few ASP.NET applications has grown to a jumbled mix of .NET apps, web services and ASP classic applications. Since we'll be touching a lot of code in this project, we're going to be taking a long hard look at security. Among other tasks, we're taking steps to prevent SQL injection and we're making sure we close any cross-site scripting vulnerabilities.
We work strictly on enterprise applications and as a result we're tucked in behind a nice corporate firewall. This is no comfort, though, because we have sites all over the world, and there are countless opportunities for attackers to get behind enemy lines. Because I'm beginning to take a more in-depth approach to security and how I write code, I thought I would share some of my lessons here in yet another series of blog posts (like the Second Look at Linux and FLOSS series weren't enough). My next installment will concentrate on using the Anti-XSS library, along with a few code samples. The library is free to use and provides an easy method for encoding output that came from untrusted sources (such as the user).
After first testing in a virtual machine and then on a secondary machine, I've made the leap to running Linux full time on my primary home computer. I've been running Ubuntu 7.10 (Gutsy Gibbon) for about 3 weeks now, and I've been loving it. I've already detailed how easy the OS is to set up and configure. Since I've got a dedicated 3D card in my notebook, I was able to finally enjoy all the eye candy Ubuntu had to offer. Once I installed Compiz and enabled advanced desktop effects I was blown away! I never wanted to shell out the cash for the upgrade to Vista, so coming from WinXP the difference is huge. Now I know that the eye candy isn't what makes Linux so great, but it sure makes it pretty.
What I really like about switching to Ubuntu is that it’s something new (at least for me). The saying goes “familiarity breeds contempt”, and that’s how I was beginning to feel about WinXP. I’ve been using it for what seems like forever and Windows for even longer. I now find myself digging around the OS to familiarize myself with it. I’ve got a new system to learn, and I can’t help but think that it will make me a better developer in the long run.
I’ve even gone as far as to install NetBeans and Eclipse, so who knows. I might even begin writing some Java or C++ code in my spare time. I have to remember that there’s life outside the .NET framework.