On this page

Automating development process
.Net framework - open source
Virtual functions under the hood
Lost in Polymorphism world
Wrapping Unhandled exceptions from a WinForm application
Static objects in aspx page - Bad idea
Hasty hiring makes the project go very long.
Session hijacking - prevention oriented
Writing secure .Net code for web applications - Lesson 1 - XSS prevention
.Net 3.0 - an architectural update for the .Net framework
Obtaining the connection string for a site in sps - Complete Guide
Memory leaks using SPS object model.
writing secure .Net code for web applications - Prologue
Coding with Threads in .Net - Lesson 1
A new era in software architecture - Multi-Core guided
Does following Microsoft guidelines(or any guidelines..), is Always a good idea ?

 Wednesday, October 17, 2007
Wednesday, October 17, 2007 10:15:49 AM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

As part of the development process, deployment, if handled wrong, may consume much of your precious time.
My goal is to automate the deployment process as much as possible.

I've recently read a post by Chris Burrows about "Setting Up Your Build Environment with TFS".
I strongly suggest paying him a visit; it contains many insights about the process.

He talks about:

  • Continuous Integration
  • Dependency Replication
  • Automated Unit Testing and Code Coverage
  • Automated Deployment
  • Build Verification Tests
  • Deployment Verification Tests

This post is more of a question than plain information:
How do you practice these subjects?
Which tools/templates/methodologies do you use to elevate your process?

     Saturday, October 06, 2007
    Saturday, October 06, 2007 9:21:42 PM (GMT Standard Time, UTC+00:00) ( .Net | Microsoft )

    Microsoft is going to publish the source of the .Net framework under a reference license.
    According to this post by Scott Gu, it will be integrated into the new Visual Studio 2008.

    Check out this podcast that Scott Hanselman and Shawn Burke recently recorded.
    Not sure what this move will cause, but it definitely sounds cool.

    Maybe it will kill the Mono project, or maybe give it a strong boost; time will tell...

     Saturday, July 21, 2007
    Saturday, July 21, 2007 1:39:10 PM (GMT Standard Time, UTC+00:00) ( .Net | job interviews | Under the hood )

    A little background to that question:
    in the last week I've been doing some sort of job interview marathon, being asked some quite interesting questions (most of them really simple OOP questions).
    But this one caught me off guard; I wouldn't expect it as a pre-interview question over the phone.

    So, how does this strange creature work (which most of us use without even knowing what it does behind the scenes)?

    In contrast to a regular method call, a virtual method isn't called directly; instead the call goes through the "Virtual Functions Table". (The C# compiler implements it with a VFT; other compilers may implement it via binary trees.)
    In short, it uses a table of function pointers to map the call to the right method.
    Let's take a look at an example:

    public class Father
    {
    public virtual void foo()
    {
    Console.Write("string from the father");
    }

    public virtual void foo2()
    {
    Console.Write("foo2 string from the father");
    }

    internal void boo()
    {
    Console.Write("father says boo");
    }
    }

    public class Son : Father
    {
    public override void foo()
    {
    Console.Write("string from the son");
    }
    public void moo()
    {
    Console.Write("son says moo");
    }
    public void faaBase()
    {
    base.foo();
    }
    }

    We have 2 classes; Son derives from Father and overrides one of its virtual methods.

    Father f = new Father();
    Son s = new Son();

    // Father calls
    // Virtual method call
    f.foo();
    f.foo2();

    // Non virtual method calls
    f.boo();

    // Son calls
    // Virtual method call
    s.foo();

    // Non virtual method calls
    s.boo();
    s.moo();

    What really happens behind the scenes?
    Let's view part of the disassembly:

    // Virtual method call
    s.foo();
    00000065 mov ecx,esi
    00000067 mov eax,dword ptr [ecx]
    00000069 call dword ptr [eax+38h]
    0000006c nop

    s.foo2();
    0000006d mov ecx,esi
    0000006f mov eax,dword ptr [ecx]
    00000071 call dword ptr [eax+3Ch]
    00000074 nop

    // Non virtual method calls
    s.boo();
    00000075 mov ecx,esi
    00000077 cmp dword ptr [ecx],ecx
    00000079 call FFAB30A0
    0000007e nop

    s.moo();
    0000007f mov ecx,esi
    00000081 cmp dword ptr [ecx],ecx
    00000083 call FFAB3158
    00000088 nop


    We can clearly see that the non-virtual call is a direct call to the function (a hard-coded address),
    whereas the virtual method call goes through the virtual method table that the Son object points to.
    Let's take a look at that table:

    EEClass: 00a21370
    Module: 00a22c24
    Name: VTF.Son
    mdToken: 02000004 (E:\PROJECTS\vtf 2005\VTF\VTF\bin\Debug\VTF.exe)
    BaseSize: 0xc
    ComponentSize: 0x0
    Number of IFaces in IFaceMap: 0
    Slots in VTable: 9
    --------------------------------------
    MethodDesc Table
    Entry    MethodDesc JIT     Name
    7934cdcc 79137ab8    PreJIT System.Object.ToString()
    7934bba0 79137ac0    PreJIT System.Object.Equals(System.Object)
    7934bb90 79137ad8    PreJIT System.Object.GetHashCode()
    793424c0 79137ae0    PreJIT System.Object.Finalize()
    00a231b8 00a23140    JIT    VTF.Son.foo()
    00a23100 00a23088    JIT    VTF.Father.foo2()

    00a231c8 00a23148    NONE   VTF.Son.moo()
    00a231d8 00a23150    NONE   VTF.Son.faaBase()
    00a231e8 00a23158    JIT    VTF.Son..ctor()

     

    We can see a couple of things from this table:

    • The VT lists all the methods the Son object holds
    • The VT lists the Father's virtual methods
    • When the Son object overrides one of the virtual methods the Father implements,
      the Father's method entry is replaced by the new Son method (line 5 in the table: Son.foo())
    • The VT does not list Father methods that are not virtual

    Actually the Son.moo() method looks a little unnecessary in the VT, since the function is not virtual and will be called directly rather than through the VT.

    In conclusion, think twice before you declare a method as virtual, because it carries some performance hit.
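Added example (not code from the post) that models the dispatch mechanism described above by hand in plain C#: each type carries a table of delegates, a derived type starts from a copy of its base's table and overwrites only the slots it overrides, and the non-virtual method is bound at the call site without touching the table. The MethodTable, Instance and Slot names are ours; the real CLR structures are not exposed this way.

```csharp
using System;

// Hand-built model of what "mov eax,[ecx]; call [eax+slot]" does.
// One delegate per virtual slot; the slot index is fixed per method name.
public delegate string Slot(Instance self);

public sealed class MethodTable
{
    public const int FooSlot = 0;   // virtual foo()
    public const int Foo2Slot = 1;  // virtual foo2()
    public readonly Slot[] Slots;

    // A base type's table starts empty; a derived table copies its parent's
    // entries so every inherited virtual method keeps the same slot number.
    public MethodTable(MethodTable parent, int slotCount)
    {
        Slots = new Slot[slotCount];
        if (parent != null) Array.Copy(parent.Slots, Slots, parent.Slots.Length);
    }
}

public sealed class Instance
{
    public readonly MethodTable Table;   // the pointer the JIT loads first
    public Instance(MethodTable t) { Table = t; }
}

public static class Father
{
    public static readonly MethodTable Table = new MethodTable(null, 2);

    static Father()
    {
        Table.Slots[MethodTable.FooSlot]  = self => "string from the father";
        Table.Slots[MethodTable.Foo2Slot] = self => "foo2 string from the father";
    }

    // Non-virtual: owns no slot, so a call site binds to it directly.
    public static string Boo(Instance self) => "father says boo";
}

public static class Son
{
    // Copy of Father's table: foo2 is inherited unchanged.
    public static readonly MethodTable Table = new MethodTable(Father.Table, 2);

    static Son()
    {
        // override foo(): only this slot is replaced.
        Table.Slots[MethodTable.FooSlot] = self => "string from the son";
    }
}

public static class Dispatch
{
    // Equivalent of the indirect "call dword ptr [eax+38h]".
    public static string CallVirtual(Instance self, int slot) => self.Table.Slots[slot](self);
}

public static class Program
{
    public static void Main()
    {
        Instance f = new Instance(Father.Table);
        Instance s = new Instance(Son.Table);

        Console.WriteLine(Dispatch.CallVirtual(f, MethodTable.FooSlot));   // string from the father
        Console.WriteLine(Dispatch.CallVirtual(s, MethodTable.FooSlot));   // string from the son (slot replaced)
        Console.WriteLine(Dispatch.CallVirtual(s, MethodTable.Foo2Slot));  // foo2 string from the father (slot inherited)
        Console.WriteLine(Father.Boo(s));                                  // father says boo (no table lookup)
    }
}
```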

     Monday, April 16, 2007
    Monday, April 16, 2007 11:12:18 AM (GMT Standard Time, UTC+00:00) ( .Net | C# )

    OK, this is the point where all the OOP gurus can contribute some of their knowledge.
    I'm facing a strange problem; maybe someone can point out the solution.

    I have this code:

    public class Father
    {
    }

    public class Son:Father
    {
    }

    public class Tester
    {
        public void TestFunc(Father a)
        {
        }

        public void Test()
        {
            Son aSon = new Son();

            TestFunc(aSon);
        }    
    }

    This code compiles with no problems.

    But if I want to pass the object by reference, it causes a compilation error.

    public class Father
    {
    }

    public class Son:Father
    {
    }

    public class Tester
    {
        public void TestFunc(ref Father a)
        {
        }

        public void Test()
        {
            Son aSon = new Son();

            TestFunc(ref aSon);
        }    
    }

    The error I'm getting is something like: "cannot convert 'ref Son' to 'ref Father'".
    Does someone know why?
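An added illustration (not part of the original post) of what the compiler is guarding against: a ref parameter lets the callee assign a new object back into the caller's variable, so if ref Son were accepted as ref Father, TestFunc could leave aSon referencing a plain Father. The Test method here is ours and returns true when the accepted form behaves as described.

```csharp
using System;

public class Father { }
public class Son : Father { }

public class Tester
{
    // 'a' is passed by reference, so the callee may store *any* Father
    // into the caller's variable, not only a Son.
    public void TestFunc(ref Father a)
    {
        a = new Father();
    }

    public bool Test()
    {
        Son aSon = new Son();

        // TestFunc(ref aSon);   // CS1503: cannot convert from 'ref Son' to 'ref Father'
        // If this compiled, aSon would now hold a Father that is not a Son,
        // and every later use of aSon as a Son would be unsound.

        // Accepted form: a variable whose static type is exactly Father.
        Father asFather = aSon;
        TestFunc(ref asFather);

        // aSon still references the Son created above; only asFather was replaced.
        return !ReferenceEquals(asFather, aSon) && !(asFather is Son);
    }
}
```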
     Sunday, March 04, 2007
    Sunday, March 04, 2007 6:35:22 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | Threading )

    A couple of weeks ago, my friend and co-worker, Shani Raba, presented me with a problem.
    They have some sealed application as an .exe file that throws exceptions and crashes their application.

    So, I thought it would be a good idea to wrap the targeted application with reflection and catch the unhandled exceptions.

    To demonstrate this,
    I've created an application with a button that throws an exception.

    private void button1_Click(object sender, System.EventArgs e)
    {
        throw new Exception("my Exception, need to be wrapped");
    }

    The next thing we need to create is the wrapper.

    So, creating a console application with this code should have solved the problem:

    [STAThread]
    static void Main(string[] args)
    {

        Assembly assembly = Assembly.LoadFrom ("cashTester.exe");

        Type t = assembly.GetType("cashTester.Form1");
        object o = Activator.CreateInstance(t);
        try
        {
            Application.Run((Form)o);
        }
        catch(Exception ex)
        {
            Console.Write("exception was thrown : " + ex.Message);
        }
    }

    Running this code in debug mode successfully catches the exception from the WinForm.
    But, for some reason, in a normal run, this code won't catch the exception.

    Makes you wonder, huh?

    So I did some thinking: what on earth can cause this phenomenon?
    The answer is: Threads.
    Yes, like it or not, this is the subject that everyone tries to avoid.
    Everyone knows it exists, and no one really likes it,
    but we can't run from the problem; we need to confront it.

    So, what can we do?

    Since Application.Run launches a new thread, we can add an exception handling method to the Application.ThreadException event.

    Like this class:

     

    using System;
    using System.Reflection;
    using System.Windows.Forms;

    /// <summary>
    /// The Wrapper class
    /// </summary>
    public class Wrapper
    {

        /// <summary>
        /// Public constructor
        /// </summary>
        public Wrapper()
        {
        }

        /// <summary>
        /// This function will initialize the exception handling
        /// </summary>
        public void Init()
        {
            // define handlers for unhandled exceptions
            AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(this.exp);
            Application.ThreadException +=new System.Threading.ThreadExceptionEventHandler(this.ThreadExp);
        }

        /// <summary>
        /// This method is for the threads exceptions
        /// </summary>
        /// <param name="o">the object</param>
        /// <param name="args">Thread exception args</param>
        void ThreadExp(object o, System.Threading.ThreadExceptionEventArgs args)
        {
            // Write the message to the console
            Console.Write("Unhandled thread exception was thrown : " + args.Exception.Message);
        }

        /// <summary>
        /// This method is for the unhandled exceptions from the main thread
        /// </summary>
        /// <param name="o">the object</param>
        /// <param name="args">exception arguments</param>
        void exp(object o,System.UnhandledExceptionEventArgs args)
        {
            // Write the message to the console
            Console.Write("Unhandled exception was thrown : " + ((Exception)args.ExceptionObject).Message);
        }

        public void Run()
        {
            // Load the assembly
            Assembly assembly = Assembly.LoadFrom ("cashTester.exe");

            // get the type of the object
            Type t = assembly.GetType("cashTester.Form1");

            // invoke it
            object o = Activator.CreateInstance(t);

            // Run the application - note that this line starts an additional thread
            Application.Run((Form)o);
        }
    }

     

    Now, all we need is to launch it:

    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    [STAThread]
    static void Main(string[] args)
    {
        Wrapper w = new Wrapper();
        w.Init();
        w.Run();
    }

     

    Now we have an exception wrapper for launching applications.

    Shani, tell me if that helped...

    P.S.
    There are more ways to do it, but this is the simplest one.

    Sunday, March 04, 2007 12:17:48 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

    Yesterday, a good friend of mine, Lev Rosenblit, asked me a good question:
    what is the life cycle of static objects in an aspx page?
    So, at first, without any hesitation, I answered that the object dies after the request ends.
    The dude insisted that I'm wrong on that matter, so I decided to check it out.

    Here is a code snippet to check it out:

            private static int myStaticInt = 0;
            private void Page_Load(object sender, System.EventArgs e)
            {
                myStaticInt++;
                Response.Write(myStaticInt);
            }

    In theory (objects in an aspx page die at the end of the request), this code should print the number "1" on each request.
    But the result was different: on each request, the number increased.

    Digging a little on the web, I found that static objects live inside the App domain and not in the page context.
    This interesting fact raised an interesting architectural question:
    what would happen if the code ran in an NLB configuration (Network Load Balancing)?

    On that matter there is a session state issue, which is solved by keeping the session state in a shared database,
    but what about the static objects that live inside the App domain?
    What can be done to share those objects?

    From my point of view, choosing to use static objects inside your page is a bad architectural choice.
    Thus, it won't always work, and the system will be hardware dependent.

     Friday, March 02, 2007
    Friday, March 02, 2007 11:02:59 PM (GMT Standard Time, UTC+00:00) ( .Net | Life | XSS )

    Let me tell you a story that's happening now.
    A couple of months ago I hired some folks to do a part of some project due to the time limits that I have.
    Now, I know those guys personally, and checking their technical background seemed to be irrelevant (mistake no. 1).
    I thought, how hard can it be to make a GUI for an application where all the other layers are done (3-tier architecture)?

    So, instead of 1 month of development it has turned into more than 3 months already (30% progress);
    God knows how long it will take them to finish it.

    And now, when I finally see some progress, I see code like this:

    if (!Page.IsValid)
    {
    }
    else
    {
        InsertNewCustomer();
        lblClientMessage.Text = NewClientText();
        ClearText();
    }

    OK, who are these guys?
    You'd think that a skilled programmer with 3 years of experience would not write crappy code like this (those things just get me mad).
    Why do they think that I would allow such code to go to production?
    Not to mention the XSS holes that they made (just by the book...).
    Looks like they didn't read this guide.

    I mean, look at this thing; how many mistakes can you make in a single piece of code:

            private string NewClientText()
            {
                string strNewClient = txtName.Text + " " + txtFamily.Text + " " + "הוזן בהצלחה";
                return strNewClient;
            }

            private void btnAdd_Click(object sender, System.EventArgs e)
            {
                lblClientMessage.Text = "";

                if (!Page.IsValid)
                {
                }
                else
                {
                    InsertNewCustomer();
                    lblClientMessage.Text = NewClientText();
                    ClearText();
                }
            }

            private void InsertNewCustomer()
            {
                Customers newCustomer = new Customers();

                newCustomer.Name = txtName.Text;
                newCustomer.LastName = txtFamily.Text;
                newCustomer.Notes = txtNotes.Text;
                newCustomer.isStudent = chkStudent.Checked;
                newCustomer.Phone = TxtPhone.Text;
                newCustomer.Cellular = txtCellular.Text;
                newCustomer.Email = txtEmail.Text;
                newCustomer.Address = txtAddress.Text;

                if (txtBirth.Text.Trim() != "")
                {
                    newCustomer.BirthDate = Convert.ToDateTime(txtBirth.Text);
                }

                custDal.Add(newCustomer);
            }

    • writing data to the page without validating it first
    • some logical twists (if the page is not valid, don't do anything, else do something...), why on earth? Why?
    • inserting into the database without validating the input (for those who are familiar with my architecture, validating is a single line: "entity.Validate();")
    • no exception management whatsoever
    • no code comments
    • client-side input validations

    Here are some more goodies from the same author:

    lblAddress.Style.Add("text-align","right");

    What happened to CSS files?
    There are lots of lines like this defining the style for every object.
    I don't want to know what they plan to do when they need to change the style one by one.

    Man, this is a little piece of code; I'm afraid to see what's going on in the rest of the code.

    These are some lessons that you learn the hard way....

    "i will never hire people without checking thier technical background"
    "i will never hire people without checking thier technical background"
    "i will never hire people without checking thier technical background"
    "i will never hire people without checking thier technical background"
    "i will never hire people without checking thier technical background"
    "i will never hire people without checking thier technical background"

    I should better take some things into my own hands before it gets too late.
    Anyone want a job creating some GUI?

     

    Friday, March 02, 2007 1:32:40 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | Lessons | Security | XSS )

    Well,
    after months of talking about it and a couple of sleepless nights to prepare it, here it is.

    So, what do we have here?

    1 PowerPoint presentation that explains what Session Hijacking and XSS are.
    1 XSS demo.
    0 Session hijacking demos.... (Why, you ask? I'm planning to do another lecture on the topic for those who missed it yesterday...)
    0 Code included. (Like the demos, it will be uploaded some time soon....)

    Long story short:
    this presentation talks about the threats of session hijacking
    and how to prevent it. While it's not a 100% solution, it certainly raises the bar for hackers to succeed in a session hijacking attack.

    Some wise man said to me once,
    "for every defense that was ever made, someone thought how to break it;
     the only thing we can do is to narrow down the number of people capable of performing it."

    Enjoy.

    Comments are welcome :)

    Security.pps (324 KB)

     

     Friday, October 20, 2006
    Friday, October 20, 2006 12:37:47 PM (GMT Standard Time, UTC+00:00) ( .Net | Lessons | Security | XSS )

    Security is one of the most important subjects when creating a business (not necessarily a web business or even a computer-related one).
    Think about investing a lot of time developing your business, and then seeing it all ripped apart, just because sensitive information was revealed to some unwanted individuals, or even worse, went public.
    Of course, security is not only related to stealing data; messing with the business reputation can be just as devastating as the above.

    When developing web applications, security is highly important because the application is running in the most hostile environment: everybody can access it, meaning that everyone is a potential threat to the system.

    Cross Site Scripting (AKA XSS) is one of the known and ancient methods of exploiting security holes on the web.
    The idea of the method is injecting client-side script code into a web application, which will perform an additional task on the client side.
    It may seem harmless to some, but actually it can trigger much more dangerous attacks such as session hijacking, one-click attacks and phishing.

    Well, this post is actually not about how to conduct an XSS attack, but how to avoid being an XSS victim.

    So, what do you have to do in order to prevent XSS? - INPUT VALIDATION.

     

    Let's take a look at what the .Net framework has to offer on this matter:

    • ValidateRequest – page directive
    • Built-in .Net validation controls (such as "required field validator", "Range Validator", and so…)
    • Server Side validation.

     

    ValidateRequest directive – Enabled by default, supposed to "protect" all the input to the page from XSS.
    It looks for "<" and ">" tags, probably by some regular expressions; the problem with this option is that it limits ALL inputs, even the intended ones (such as XML, HTML tags and so on…).

     

    Built-in .Net validation controls – The framework provides probably all the input validation that you will need.
    Starting from required fields, numeric values, regular expressions, and even writing your own custom validation.
    The problem with it is that it gives the developer a feeling that once the validation is made, it can't be tampered with by the client, which IS NOT TRUE.

    Note that the common use of these tools is on the client side, which makes the whole validation process irrelevant.

    Ask yourself as a developer whether you set the "EnableClientScript" property on the validation control when you use it – The common answer will be yes, because it improves performance by saving round trips to the server.

    But if the question were, have you done some extra coding to ensure server-side validation occurs? – Unfortunately, the common answer will be NO.

    Note to yourself – This is the no. 1 reason for XSS vulnerabilities in ASP.NET applications.

     

    Server-side validation – This is where your coding skills start to kick in.

    This is where you need to stop and start thinking about security for your application.
    A rookie developer will probably go straight to developing a page, neglecting the security aspect, while the more experienced developer will design a total solution, considering many aspects of the application; security would be one of the top issues (if not the first).

     

     

    Let's see some examples.

    Let's create this asp.net page:

    <%@ Page language="c#" validateRequest="false" Codebehind="WebForm1.aspx.cs" AutoEventWireup="false" Inherits="SecurityExample.WebForm1" enableViewStateMac="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
    <HTML>
        <HEAD>
            <title>WebForm1</title>
            <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
            <meta content="C#" name="CODE_LANGUAGE">
            <meta content="JavaScript" name="vs_defaultClientScript">
            <meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
        </HEAD>
        <body MS_POSITIONING="GridLayout">
            <form id="Form1" method="post" runat="server">
                <asp:textbox id="TextBox1" style="Z-INDEX: 101; LEFT: 96px; POSITION: absolute; TOP: 48px" runat="server"
                    MaxLength="5" Width="160px"></asp:textbox>
                <asp:regularexpressionvalidator id="RegularExpressionValidator1" style="Z-INDEX: 102; LEFT: 320px; POSITION: absolute; TOP: 56px"
                    runat="server" Width="144px" ValidationExpression="\d{5}" ControlToValidate="TextBox1" Height="40px" ErrorMessage="Numbers with 5 digits only"></asp:regularexpressionvalidator>
                <asp:button id="Button1" style="Z-INDEX: 103; LEFT: 128px; POSITION: absolute; TOP: 144px" runat="server"
                    Width="112px" Text="send data"></asp:button>
                <asp:label id="lblOutput" style="Z-INDEX: 104; LEFT: 112px; POSITION: absolute; TOP: 192px"
                    runat="server" Width="136px" Height="16px" EnableViewState="False"></asp:label></form>
        </body>
    </HTML>

    Let's add some Page_Load code-behind:

    private void Page_Load(object sender, System.EventArgs e)
    {
        // Check if the current run is a postback
        if (IsPostBack)
        {
            lblOutput.Text = "this is a postback<br>";

            // Activate the page validation
            Page.Validate();

            // Check if the page is valid
            if (Page.IsValid)
            {
                lblOutput.Text += "Page is Valid!";
            }
            else
            {
                lblOutput.Text += "Page NOT valid";
            }
        }
        else
        {
            lblOutput.Text = "this is NOT a postback<br>";
        }
    }

     

    Let's look at the code in the Page_Load method:
    Q: I'm calling the page validation manually here. Why?
    A: The complete process consists of the following operations:

    • Client-side validation
    • Postback to the server
    • Page initialization
    • Page_Load method invoked
    • Desired action invokes the method attached to it (button_click)
    • When the associated control of the action has its CausesValidation property set to true, the action invokes the Page.Validate()
      method, which checks the validation of the page and sets the Page.IsValid property to true or false depending on whether the validation succeeded
    • Logic associated with the action of the control is executed

    Suppose the user has managed to conduct some validation tampering on the client side (this is really not a hard task to accomplish),
    and posted the data manually as a postback.
    The server gets the posted data and treats it as a postback from the page; it begins to process the data, invokes Page_Load (with absolutely no indication of whether the data is valid or not), executes the Page_Load method completely, invokes the given operation (say button_click) and executes it completely.
    This way, if we don't call Page.Validate() and then check the Page.IsValid property, we are risking an XSS vulnerability.

    Q: So, what is the best way to conduct server validation?
    A: First, create those validators as you always do.
       Then apply this code on your page (or your master page):

    Page.Validate();
    if (!Page.IsValid)
        throw new Exception("Security Exception occurred");

     

    You can do some other handling besides throwing an exception, like logging, tracing, a nice message to the user and so on.
    Note that these actions will protect you at the presentation layer but not further (at the DAL - SQL injection, or the session layer - session hijacking and more....)

    Here are 10 basic guidelines to prevent being an XSS victim:

    1. Never write unfiltered (or unencoded) data to the page.
    2. Never write to the page straight from the user input.
    3. Before handling input, validate that it is really what you are expecting.
    4. Don't expose exceptions to the client.
    5. Don't expose any internal information about the application to the client.
    6. Never rely on client-side validations.
    7. Know the existing threats and vulnerabilities.
    8. Don't use built-in features if you don't completely understand what they are doing.
    9. Try to think "out of the box" in security-related issues.
    10. Handle security issues by design, not by mistake.
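Added example (not code from this post or from the hiring post above) showing the hardened counterpart of that post's NewClientText/btnAdd_Click snippet, applying what this post describes: Page.Validate() is forced on every postback, the values are re-checked on the server against an allow-list pattern, and nothing reaches the label without HttpUtility.HtmlEncode. The control names txtName, txtFamily and lblClientMessage are assumed from the snippets; CustomerForm and the DAL stub are ours.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CustomerForm : Page
{
    // Assumed controls, matching the names used in the snippets above.
    protected TextBox txtName;
    protected TextBox txtFamily;
    protected Label lblClientMessage;

    // Allow-list for a person's name: letters (any script), spaces, hyphen, apostrophe,
    // at most 50 characters. '<', '>', '"' and '&' fail here on the server no matter
    // what a client-side validator did or did not do.
    private static readonly Regex NamePattern =
        new Regex(@"^[\p{L}][\p{L} '\-]{0,49}$", RegexOptions.Compiled);

    protected override void OnLoad(EventArgs e)
    {
        base.OnLoad(e);
        if (IsPostBack)
        {
            // Run the validators on the server for every postback; do not rely on a
            // CausesValidation control (or the client script) having done it.
            Page.Validate();
            if (!Page.IsValid)
                throw new HttpException(400, "Security Exception occurred");
        }
    }

    protected void btnAdd_Click(object sender, EventArgs e)
    {
        string name = txtName.Text.Trim();
        string family = txtFamily.Text.Trim();

        // Independent server-side check of the actual values before anything is stored.
        if (!IsValidName(name) || !IsValidName(family))
        {
            lblClientMessage.Text = "Invalid input.";
            return;
        }

        InsertNewCustomer(name, family);
        lblClientMessage.Text = NewClientText(name, family);
    }

    public static bool IsValidName(string value)
    {
        return !string.IsNullOrEmpty(value) && NamePattern.IsMatch(value);
    }

    // Everything written to the page is HTML-encoded, so user data can never become
    // markup or script; compare with the raw concatenation in the hiring post.
    public static string NewClientText(string name, string family)
    {
        return HttpUtility.HtmlEncode(name) + " " + HttpUtility.HtmlEncode(family)
             + " was added successfully";
    }

    private void InsertNewCustomer(string name, string family)
    {
        // Persist through the DAL only after validation succeeded; the entity's own
        // Validate() call is the single line the hiring post asks for (DAL omitted here).
    }
}
```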
     Monday, October 16, 2006
    Monday, October 16, 2006 8:42:27 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

    An interesting article I've read about the next .Net framework:
    apparently the new framework won't contain such drastic changes as .Net 1.1 vs 2.0 at the CLR or language-feature level,
    but instead it will bring some architectural solutions for different tasks such as distributed programming, authentication, presentation and probably many more.

    Check out this article about the issue.

     Wednesday, October 11, 2006
    Wednesday, October 11, 2006 5:45:58 PM (GMT Standard Time, UTC+00:00) ( Sql Server  | .Net | Lessons | SPS (sharepoint server) | Performance )

    As you know, Microsoft didn't intend for you to access the SPS database directly, but only via the object model.
    The problem is that it has many bugs, performance issues, security issues and lots and lots of problems that will make the programmer's life a living hell.

    So, let's see how we can break the 1st guideline of SPS programming - "do not use the SPS database directly".
    Man, I'm feeling like a criminal now, presenting a guide on how to do something that Microsoft invested a lot of effort in preventing us from doing.

    Let's get down to business.
    Don't count on the connection string lying in some property; for this one we need to do some dirty work.

    A little background on how we are going to do it:

    The connection string looks like this:

    "Integrated Security=SSPI;Server=someServer;database=SomeDatabase"

    As you can see, the only things that can change here are the server name and the database name.

    Let's create a core function that receives the DB collection and the desired site GUID and constructs the connection string.

    // Requires: using System; using System.Data.SqlClient; using Microsoft.SharePoint.Administration;
    private string GetConnectionStringForSite(SPContentDatabaseCollection DBs, Guid siteGuid)
    {
        string rc = "";
        SPContentDatabase oDB = null;

        for (int i = 0; i < DBs.Count; i++)
        {
            // Get the database
            oDB = DBs[i];

            string strConn = "Integrated Security=SSPI;Server=" + oDB.Server + ";database=" + oDB.Name;

            using (SqlConnection conn = new SqlConnection(strConn))
            using (SqlCommand c = new SqlCommand("SELECT FullUrl FROM Sites WHERE Id=@Id", conn))
            {
                try
                {
                    // Open the connection
                    conn.Open();

                    // Set the parameter (typed, so the GUID is never concatenated into the SQL text)
                    c.Parameters.Add(new SqlParameter("@Id", System.Data.SqlDbType.UniqueIdentifier));
                    c.Parameters["@Id"].Value = siteGuid;

                    // Execute the reader and check whether this database holds the site
                    bool hasRows;
                    using (SqlDataReader reader = c.ExecuteReader(System.Data.CommandBehavior.SingleRow))
                    {
                        hasRows = reader.HasRows;
                    }

                    // Check if it got rows
                    if (hasRows)
                    {
                        // Set the return value
                        rc = strConn;

                        // Stop iterating through the DBs
                        break;
                    }
                }
                finally
                {
                    // Close the connection
                    if (conn.State != System.Data.ConnectionState.Closed) conn.Close();
                    oDB = null;
                }
            }
        }
        return rc;
    }

     

    This function will be placed in a dedicated class, which I call "SPSDB".

    Let's create the class itself and its private members:

        public class SPSDB
        {
            private string _conString = "";
            private string _vsUrl = "";

            // Url of the virtual server that hosts the requested site
            public String URL
            {
                get{return _vsUrl;}
            }
        }

    Now we need to write the constructor and the connection "factory".

    The constructor will look like this:

    public SPSDB(string siteUrl)
    {
        using(Microsoft.SharePoint.Administration.SPGlobalAdmin ga = new Microsoft.SharePoint.Administration.SPGlobalAdmin())
        {
            Microsoft.SharePoint.Administration.SPVirtualServerCollection VSc = ga.VirtualServers;

            SPVirtualServer vs = null;
            Guid g;
            bool isFound = false;

            // Run through all the VS collection
            for(int i=0; i<VSc.Count;i++)
            {
                // Get the virtual server reference
                vs = VSc[i];

                // If the current vs is not in the needed state then continue to the next VS
                if(vs.State != SPVirtualServerState.Ready)
                    continue;

                // Run through all the sites in the vs
                for(int j=0; j< vs.Sites.Count;j++)
                {
                    // SPSite must be disposed explicitly, so wrap it in a using scope
                    using(SPSite s = vs.Sites[j])
                    {
                        // Check if we found the needed site (case-insensitive url compare)
                        if(s.Url.ToLower() == siteUrl.ToLower())
                        {
                            // Save the needed data
                            isFound = true;
                            g = s.ID;
                            _vsUrl = vs.Url.ToString();
                            _conString = GetConnectionStringForSite(vs.ContentDatabases,g);
                            break;
                        }
                    }
                }

                // Check if the site has been found - no need to look at the other virtual servers
                if(isFound)
                    break;

                // Clear the virtual server object
                vs = null;

                // Clear memory
                GC.Collect();
                GC.WaitForPendingFinalizers();
            }

            // Throw an exception if the site guid is not there
            if(!isFound)
                throw new Exception("the given site url cannot be found");

        }
    }

    And the factory method will look like this:

    public SqlConnection GetCon()
    {
        return new SqlConnection(_conString);
    }

    That's it!
    Now, to use it, you can do it like this:

    SPSDB dbstuff = new SPSDB("http://www.krokhmal.com");

    using(SqlConnection con = dbstuff.GetCon())
    {
        // Your DB code here ...
    }

    I've added a file attachment to this post with the mentioned class.
    Enjoy.

    SPSDB.rar (1.34 KB)
    Thursday, October 05, 2006 5:53:17 PM (GMT Standard Time, UTC+00:00) ( .Net | SPS (sharepoint server) | Performance )

    Recently I was given a task to build a tool for managing file versions in SharePoint.
    For some architectural decisions and performance issues, I've decided to do the aggregations directly through the SharePoint database (yes, even if it is against Microsoft's guidelines).

    Considering the fact that Microsoft invested a lot of effort so you won't find where each SPSite is located (on which DB), one of the things I had to do is to iterate through all the sites in the SPSiteCollection of every SPVirtualServer in the SPVirtualServerCollection.
    Sounds like a lot of "fun".

    Well, actually there was a problem.
    I'll show some bad practices for iterating through these and explain each one.

    Option 1 :

    SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
    SPVirtualServerCollection vServers = globalAdmin.VirtualServers;


    // Run through the virtual servers
    foreach (SPVirtualServer vs in vServers)
    {
       // Run through the sites
       foreach (SPSite site in vs.Sites)
       {
          if(site.Url == predefinedUrl)
          {
             // Do some logic ...
          }
       }
    }


    Option 2 :

    SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
    SPVirtualServerCollection vServers = globalAdmin.VirtualServers;


    // Run through the virtual servers
    for(int i=0; i<vServers.Count; i++)
    {
       // Run through the sites
       for(int j=0; j<vServers[i].Sites.Count; j++)
       {
          if(vServers[i].Sites[j].Url == predefinedUrl)
          {
             // Do some logic ...
          }
       }
    }

    Option 3 :

    SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
    SPVirtualServerCollection vServers = globalAdmin.VirtualServers;


    // Run through the virtual servers
    for(int i=0; i<vServers.Count; i++)
    {
       SPVirtualServer vs = vServers[i];

       // Run through the sites
       for(int j=0; j<vs.Sites.Count; j++)
       {
          SPSite s = vs.Sites[j];
          if(s.Url == predefinedUrl)
          {
             // Do some logic ...
          }
       }
    }


    So, what's wrong with these practices?
    The problem lies in the way the object model is implemented: unmanaged code, which means that you must release memory explicitly.
    The garbage collector will not handle these objects; you must handle them in your code.

    Problems in option 1:

    • Implementing this practice (please don't) will cause memory leaks, due to the fact that the Dispose() method is not being called, so memory is not being released.
    • Exception management - suppose you call the Dispose method of the SPSite object at the end of the foreach loop.
      What will happen if an exception occurs?
      The memory allocated to the object will not be released, and the garbage collector won't release it either, causing a memory leak each time an exception takes place.
    • Even if you decide to include some exception management code (try-catch, for example), the given object won't be reachable because it lives in its own scope (the foreach scope).

    Problems in option 2:

    • Implementing this practice (just like the 1st option) will cause memory leaks, due to the fact that the Dispose() method is not being called, so memory is not being released.
    • Reading the previous statement probably raises a reasonable question:
      "Hey, I'm not creating any new objects, and I'm not allocating any memory, just accessing some property in a given collection. What is the problem here?"
      This is a question I asked myself too, so I dug deep into it, and found that the sites in the Sites collection of a virtual server object are not created until you reference them explicitly - which means accessing their properties or getting an outer reference to some site through a variable.
      So accessing a property causes memory allocation behind the scenes.
    • Calling the Dispose method like so:

      Sites[i].Dispose();

      will not release the memory.
      Maybe it's related to the fact that the Sites[i] object is defined as "read-only".
      If you find the reason for that, please let me know.

    Problems in option 3:

    • OK, I must admit, this looks much better than the ones mentioned above, but it still lacks some memory releasing.

    How can we write it right?
    Here is an example of what I consider a good practice:

    Option 4:

    // Wrap the globalAdmin object in a using scope - this object is unmanaged
    using(SPGlobalAdmin globalAdmin = new SPGlobalAdmin())
    {
        // Get the virtual servers collection reference
        SPVirtualServerCollection vServers = globalAdmin.VirtualServers; 

        // Run through the virtual servers
        for(int i=0; i<vServers.Count; i++)
        {
            SPVirtualServer vs = vServers[i];
        
            // Run through the sites
            for(int j=0; j<vs.Sites.Count; j++)
            {
                // Wrap the SPSite object in a using scope - this object is unmanaged
                using(SPSite s = vs.Sites[j])
                {
                    if(s.Url == predefinedUrl)
                    {
                        // Do some logic ...
                    }
                }
            }

            // Make sure that this objects memory will be cleared by the GC
            vs = null;

            // Call the garbage collector and make sure that the memory is released
            GC.Collect();
            GC.WaitForPendingFinalizers();
        
        }
    }


    As you can see, the unmanaged objects are wrapped in a using scope,
    and the GC (garbage collector) is being activated manually.

    Changing from one of the bad practices to this one improved performance dramatically.
    For example:
    iterating with option number 2 caused the w3wp.exe process (that is the IIS worker process) to reach 1200 MB and crash (reaching the given limit) after iterating through 2700 sites,
    while with option 4 I didn't see any dramatic change in the process info; it stayed at 87 MB only and iterated through all the sites, a total of 8876 sites.
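    The exception case raised above (Dispose not reachable from inside a foreach) can also be handled by a C# 2.0 iterator that owns the disposal of each site. This is an added example, not code from the post or from the SPSDB class; it assumes the same WSS object model types the post uses (SPGlobalAdmin, SPVirtualServer, SPSite) and a caller-supplied siteUrl.

```csharp
// Added example, not from the original post: an iterator that hands out each SPSite of a
// virtual server and disposes it when the caller moves on, breaks out of the loop, or leaves
// it through an exception - the foreach cases the post lists as unreachable.
// Assumes the WSS object model types used in the post (SPGlobalAdmin, SPVirtualServer, SPSite).
using System;
using System.Collections.Generic;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

public static class SiteWalker
{
    // Each yielded SPSite is disposed in the finally block, which runs when the consumer's
    // foreach asks for the next item or disposes the enumerator (normal exit, break, exception).
    public static IEnumerable<SPSite> DisposingSites(SPVirtualServer vs)
    {
        for (int j = 0; j < vs.Sites.Count; j++)
        {
            SPSite s = vs.Sites[j];
            try
            {
                yield return s;
            }
            finally
            {
                s.Dispose();
            }
        }
    }

    // Returns the url of the virtual server hosting siteUrl, or null when no site matches.
    // The matching SPSite is already disposed when this returns; only the url string is kept.
    public static string FindVirtualServerUrl(string siteUrl)
    {
        using (SPGlobalAdmin globalAdmin = new SPGlobalAdmin())
        {
            foreach (SPVirtualServer vs in globalAdmin.VirtualServers)
            {
                foreach (SPSite s in DisposingSites(vs))
                {
                    // Case-insensitive compare, same intent as the post's Url check
                    if (string.Equals(s.Url, siteUrl, StringComparison.OrdinalIgnoreCase))
                        return vs.Url.ToString();   // returning out of both loops still disposes s
                }
            }
        }
        return null;
    }
}
```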

    Wednesday, September 27, 2006 5:41:45 PM (GMT Standard Time, UTC+00:00) ( .Net | Security | XSS )

    Today I stepped into my parallel team's office just when Shani Raba (AKA "human debugger") was explaining to a new programmer the usage of validators in ASP.NET forms.
    We started an argument about the effectiveness of the .Net built-in validators, and what you should do besides that on the server side, to guarantee no security breaches through that tiny input that is protected by the "mighty" .Net Validator.

    We came to several interesting conclusions and understandings about aspects of the subject that we didn't know.
    So, I decided to write a post about that.
    I came home and started to write some examples on the subject.
    The problem is that as soon as I started to cover one aspect of the subject, other aspects came across that I couldn't neglect.
    So I decided to create several posts during this week and the next, which will cover most of the "secure .Net code for web applications" subject.

    The posts will refer to:

    • Cross-site scripting (XSS)
    • Session hijacking
    • Hidden field tampering
    • SQL injection
    • Cookies and Authentication
    • Some other aspects that I'll encounter on the way
    • Your requests...

    So stay tuned in the next weeks for more about the subject.

    Monday, September 25, 2006 5:28:14 PM (GMT Standard Time, UTC+00:00) ( .Net | Lessons | Performance | Threading )

    The main reason that I've started to play with threads is because the industry WILL (sooner or later) move to multi-core guided programming, and it WILL become mainstream (mark my words :) ).

    Anyway, let's start from the beginning: why do we need threads?
    According to the definition: "Threads are a way for a program to split itself into two or more simultaneously (or pseudo-simultaneously) running tasks. Threads and processes differ from one operating system to another, but in general, the way that a thread is created and shares its resources is different from the way a process does."

    So, in other words, we will use threads when we need to perform simultaneous tasks.
    These kinds of actions are taken when you have unused processing time while waiting for another task to finish.

    So, back to the .Net world, how would we do that?

    To use threads, we need to include the namespace:

    using System.Threading;

    The next thing we need is to know how to launch a thread with a task:

    • we need to create a task to be done.
    • a ThreadStart delegate which will point to our task.
    • a new thread (or an old one from a thread pool) - which is better and when will be explained in some later posts.
    • start the thread.

    So:

    Let's create some task:

            private void BurnCPUwithOneThread()
            {
                for(int i=0; i< 5000000;i++)
                {
                    // Note: this writes to a control from a worker thread. WinForms controls
                    // are not thread-safe; from .Net 2.0 on the update should go through
                    // Control.Invoke/BeginInvoke, otherwise a cross-thread exception is thrown.
                    lblcounter.Text = i.ToString();
                }
            }


    And one more:

            private void BurnCPUwithTwoThreads()
            {
                for(int i=0; i< 5000000;i++)
                {
                    // Same cross-thread caveat as above: the control belongs to the UI thread
                    lblCounter2.Text = i.ToString();
                }
            }

    Now we will create the delegates and the threads, and activate them.

            private void button4_Click(object sender, System.EventArgs e)
            {
                // We will run the action in a different thread from the GUI,
                // so when we sleep the thread the GUI will not hang.

                // Create the thread start object
                ThreadStart ts = new ThreadStart(BurnCPUwithOneThread);

                // The thread itself
                Thread t = new Thread(ts);

                // Starting the thread
                t.Start();

                // Create the thread start object
                ThreadStart ts2 = new ThreadStart(BurnCPUwithTwoThreads);

                // The thread itself
                Thread t2 = new Thread(ts2);

                // Starting the thread
                t2.Start();

            }

    That's it.
    Now you have a working little program with 2 threads.
    If you run this code, you will notice that the two loops run simultaneously.


    The next lessons will handle: sending parameters to threads, synchronizing, thread pools, and more.
    Please comment if you would like me to focus on some specific subject...
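    The same two counting threads, with the label updates marshalled back to the UI thread instead of being written from the workers. This is an added example, not the code from the post; it assumes a WinForms form with the two labels and the button named as in the post, and a "closing" flag that is not in the original.

```csharp
using System;
using System.Threading;
using System.Windows.Forms;

// Added example, not from the original post: labels are updated through Control.BeginInvoke
public class ThreadDemoForm : Form
{
    private readonly Label lblCounter = new Label();
    private readonly Label lblCounter2 = new Label();
    private readonly Button button4 = new Button();
    private volatile bool closing;   // assumed flag: set when the form closes so the workers stop

    public ThreadDemoForm()
    {
        lblCounter.Top = 10; lblCounter2.Top = 40; button4.Top = 70;
        button4.Text = "Burn CPU";
        button4.Click += new EventHandler(button4_Click);
        Controls.AddRange(new Control[] { lblCounter, lblCounter2, button4 });
    }

    // Worker body: counts up and reports progress to the given label.
    // WinForms controls may only be touched from the thread that created them,
    // so the assignment is queued to the UI thread instead of being done here.
    private void BurnCpu(Label target)
    {
        for (int i = 0; i < 5000000 && !closing; i++)
        {
            // Posting every iteration would flood the message queue; report every 10000
            if (i % 10000 == 0)
            {
                int snapshot = i;   // copy the loop variable so the delegate sees a fixed value
                target.BeginInvoke((MethodInvoker)delegate { target.Text = snapshot.ToString(); });
            }
        }
    }

    private void button4_Click(object sender, EventArgs e)
    {
        // ThreadStart takes no parameters, so each anonymous delegate captures its own label
        Thread t1 = new Thread(new ThreadStart(delegate { BurnCpu(lblCounter); }));
        Thread t2 = new Thread(new ThreadStart(delegate { BurnCpu(lblCounter2); }));
        t1.IsBackground = true;   // background threads don't keep the process alive
        t2.IsBackground = true;
        t1.Start();
        t2.Start();
    }

    protected override void OnFormClosing(FormClosingEventArgs e)
    {
        closing = true;   // stop the workers before the controls are disposed
        base.OnFormClosing(e);
    }

    [STAThread]
    static void Main()
    {
        Application.Run(new ThreadDemoForm());
    }
}
```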

    Saturday, August 26, 2006 12:47:58 AM (GMT Standard Time, UTC+00:00) ( .Net | Performance | Threading )

    While surfing the net for some new hardware tech toys, I encountered an article about multi-core guided software architecture.

    "Intel's support in multi-core education is critical for two reasons," said Karsten Schwan, professor of College of Computing, Georgia Institute of Technology. "First, getting early access to advanced technology and new equipment is something that always excites students. Second, companies like Intel have a perspective that looks beyond research to see the broader potential for technology."

    For us, it means changing the whole perception of software architecture, design and implementation: parallelism, threading concepts, threading methodology and programming with threads.

    Thursday, August 17, 2006 8:54:25 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | SPS (sharepoint server) | Microsoft )

    When planning a software solution, one of the most important things is to design the solution the best way it can be;
    even before writing the first line of code, we need to know exactly how we should implement it.

    So what would you do if you never planned/worked on/implemented such a type of solution?

    Needless to say, inventing the wheel all over again is unnecessary:
    first you consult with the "elders" (the more experienced co-workers),
    maybe try to google up the solution,
    go over the references and the guidelines for developing this kind of solution or on the given platform,
    start some thinking team and so on...

    Finally, you come up with a solution, and....
    start implementing it.

    Now, in a perfect world, once you did the steps mentioned above, you have a perfect solution.
    But in the real world, something must go wrong.

    Recently I came across an interesting example of this phenomenon.
    While designing a "file version manager solution" on the SPS (SharePoint Server) platform,
    I followed the SPS development guidelines, which say that you (the developer) should never approach the SPS database;
    always, but always, get the data through the object model.

    So, by doing that, you come up with a working application, but..... catastrophic performance.
    After consulting with other staff, we came to the conclusion that the bottleneck is in the object model itself.
    So the only thing we could do is the direct approach to the database (a big NO NO in the guidelines).
    And apparently the performance graph suddenly got a dramatic change (better performance).

    I think that guidelines are not meant to become laws, but to be just suggestions for most of the cases.
    What do you think about this issue?
