On this page

Automating development process
.Net framework - open source
Virtual functions under the hood
Lost in Polymorphism world
Wrapping Unhandled exceptions from a WinForm application
Static objects in aspx page - Bad idea
Hasty hiring makes the project go very long.
Session hijacking - prevention oriented
Writing secure .Net code for web applications - Lesson 1 - XSS prevention
.Net 3.0 - an architectural update for the .Net framework
Obtaining the connection string for a site in sps - Complete Guide
Memory leaks using SPS object model.
writing secure .Net code for web applications - Prologue
Coding with Threads in .Net - Lesson 1
A new era in software architecture - Multi-Core guided
Does following Microsoft guidelines(or any guidelines..), is Always a good idea ?

 Wednesday, October 17, 2007
Wednesday, October 17, 2007 10:15:49 AM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

As part of a development process, deployment, if handled wrong, may consume much of your precious time.
My goal is to automate as much of the deployment process as possible.

I recently read a post by Chris Burrows, which talks about "Setting Up Your Build Environment with TFS".
I strongly suggest paying him a visit; the post contains many insights about the process.

He talks about:

  • Continuous Integration
  • Dependency Replication
  • Automated Unit Testing and Code Coverage
  • Automated Deployment
  • Build Verification Tests
  • Deployment Verification Tests

This post is more of a question than just plain info:
How do you practice these subjects?
Which tools/templates/methodologies do you use to elevate your process?

     Saturday, October 06, 2007
    Saturday, October 06, 2007 9:21:42 PM (GMT Standard Time, UTC+00:00) ( .Net | Microsoft )

    Microsoft is going to publish the source of the .Net framework under a reference license.
    According to this post by Scott Gu, it will be integrated into the new Visual Studio 2008.

    Check out this podcast that Scott Hanselman and Shawn Burke recently recorded.
    Not sure what this move will cause, but it definitely sounds cool.

    Maybe it will kill the Mono project, or maybe give it a strong boost; time will tell...

     Saturday, July 21, 2007
    Saturday, July 21, 2007 1:39:10 PM (GMT Standard Time, UTC+00:00) ( .Net | job interviews | Under the hood )

    A little background to that question:
    over the last week I've been doing a sort of job-interview marathon, being asked some quite interesting questions (most of them are really simple OOP questions).
    But this one caught me off guard; I wouldn't expect it as a pre-interview question over the phone.

    So, how does this strange creature work (which most of us use without even knowing what it does behind the scenes)?

    In contrast to a regular method call, a virtual method isn't called directly; instead the call goes through the "Virtual Functions Table". (C# compiler implements it with VFT, other compilers may implement it via binary trees)
    In short, it uses a table of pointers to functions to map the call to the right method.
    Let's take a look at an example:

    using System;

    public class Father
    {
        public virtual void foo()
        {
            Console.Write("string from the father");
        }

        public virtual void foo2()
        {
            Console.Write("foo2 string from the father");
        }

        // Non-virtual: called directly, never through the virtual table
        internal void boo()
        {
            Console.Write("father says boo");
        }
    }

    public class Son : Father
    {
        // Replaces Father.foo() in the virtual table
        public override void foo()
        {
            Console.Write("string from the son");
        }

        public void moo()
        {
            Console.Write("son says moo");
        }

        public void faaBase()
        {
            base.foo();
        }
    }

    We have 2 classes: Son derives from Father and overrides one of its virtual methods.

    Father f = new Father();
    Son s = new Son();

    // Father calls
    // Virtual method call
    f.foo();
    f.foo2();

    // Non virtual method calls
    f.boo();

    // Son calls
    // Virtual method call
    s.foo();

    // Non virtual method calls
    s.boo();
    s.moo();

    What really happens behind the scenes?
    Let's view part of the disassembly:

    // Virtual method call
    s.foo();
    00000065 mov ecx,esi
    00000067 mov eax,dword ptr [ecx]
    00000069 call dword ptr [eax+38h]
    0000006c nop

    s.foo2();
    0000006d mov ecx,esi
    0000006f mov eax,dword ptr [ecx]
    00000071 call dword ptr [eax+3Ch]
    00000074 nop

    // Non virtual method calls
    s.boo();
    00000075 mov ecx,esi
    00000077 cmp dword ptr [ecx],ecx
    00000079 call FFAB30A0
    0000007e nop

    s.moo();
    0000007f mov ecx,esi
    00000081 cmp dword ptr [ecx],ecx
    00000083 call FFAB3158
    00000088 nop


    We can clearly see that the non-virtual call is a direct call to the function (a hard-coded address),
    whereas the virtual method call goes through the virtual method table that resides in the Son object.
    Let's take a look at that table:

    EEClass: 00a21370
    Module: 00a22c24
    Name: VTF.Son
    mdToken: 02000004 (E:\PROJECTS\vtf 2005\VTF\VTF\bin\Debug\VTF.exe)
    BaseSize: 0xc
    ComponentSize: 0x0
    Number of IFaces in IFaceMap: 0
    Slots in VTable: 9
    --------------------------------------
    MethodDesc Table
    Entry    MethodDesc JIT     Name
    7934cdcc 79137ab8    PreJIT System.Object.ToString()
    7934bba0 79137ac0    PreJIT System.Object.Equals(System.Object)
    7934bb90 79137ad8    PreJIT System.Object.GetHashCode()
    793424c0 79137ae0    PreJIT System.Object.Finalize()
    00a231b8 00a23140    JIT    VTF.Son.foo()
    00a23100 00a23088    JIT    VTF.Father.foo2()

    00a231c8 00a23148    NONE   VTF.Son.moo()
    00a231d8 00a23150    NONE   VTF.Son.faaBase()
    00a231e8 00a23158    JIT    VTF.Son..ctor()

     

    We can see a couple of things from this table:

    • The VT lists all the methods the Son object holds.
    • The VT lists the virtual functions of the Father.
    • When the Son object overrides one of the virtual methods that the Father implements,
      the Father method entry is replaced by the new Son method (line 5 of the table - Son.foo()).
    • The VT does not list Father methods that are not virtual.

    Actually, the Son.moo() entry looks a little unnecessary in the VT, since the function is not virtual and will be addressed directly and not through the VT.

    In conclusion, think twice before you declare a method as virtual, because it carries some performance hit.

     Monday, April 16, 2007
    Monday, April 16, 2007 11:12:18 AM (GMT Standard Time, UTC+00:00) ( .Net | C# )

    OK, this is the point where all the OOP gurus can contribute some of their knowledge.
    I'm facing a strange problem; maybe someone can point out the solution.

    I have this code:

    public class Father
    {
    }

    public class Son:Father
    {
    }

    public class Tester
    {
        public void TestFunc(Father a)
        {
        }

        public void Test()
        {
            Son aSon = new Son();

            TestFunc(aSon);
        }    
    }

    This code will compile with no problems.

    But if I want to pass the object by reference, it will cause a compilation error.

    public class Father
    {
    }

    public class Son:Father
    {
    }

    public class Tester
    {
        public void TestFunc(ref Father a)
        {
        }

        public void Test()
        {
            Son aSon = new Son();

            TestFunc(ref aSon);
        }    
    }

    The error I'm getting is something like: "can not convert 'ref son' to 'ref Father' "
    Does someone know why?
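
Why the compiler rejects `ref aSon` here, as an added example that is not part of the original post: a `ref Father` parameter lets the callee write any `Father` into the caller's variable, so accepting a `Son` variable would break type safety. `Daughter`, `RefDemo`, `Replace` and `Inspect` are hypothetical names introduced only for illustration.

```csharp
using System;

public class Father { }

public class Son : Father
{
    public void Moo() { Console.WriteLine("son says moo"); }
}

public class Daughter : Father { }   // hypothetical sibling type, not in the post

public static class RefDemo
{
    // A ref parameter is an alias for the caller's variable: the callee can
    // read it AND replace it with any object that is a Father.
    public static void Replace(ref Father a)
    {
        a = new Daughter();
    }

    // Passing by value only copies the reference, so Son -> Father is safe.
    public static void Inspect(Father a)
    {
        Console.WriteLine("by value: " + a.GetType().Name);
    }

    public static void Main()
    {
        Son aSon = new Son();
        Inspect(aSon);            // compiles: implicit upcast of a copy

        // Replace(ref aSon);     // compile error: cannot convert 'ref Son' to 'ref Father'.
        //                        // If it were allowed, aSon would end up holding a
        //                        // Daughter and aSon.Moo() would run on the wrong type.

        // The safe pattern: pass a Father variable, then check the result
        // explicitly before treating it as a Son again.
        Father tmp = aSon;
        Replace(ref tmp);
        Son back = tmp as Son;    // null here, because tmp is now a Daughter
        Console.WriteLine(back == null
            ? "callee swapped in a " + tmp.GetType().Name + "; cast refused"
            : "still a Son");
    }
}
```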
     Sunday, March 04, 2007
    Sunday, March 04, 2007 6:35:22 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | Threading )

    A couple of weeks ago, my friend and co-worker, Shani Raba, presented me with a problem.
    They have a sealed application as an .exe file that throws some exceptions and crashes their application.

    So, I thought it would be a good idea to wrap the targeted application with reflection, and catch the unhandled thrown exceptions.

    To demonstrate this,
    I've created an application with a button that throws an exception.

    private void button1_Click(object sender, System.EventArgs e)
    {
        throw new Exception("my Exception, need to be wrapped");
    }

    The next thing that we need to create is the wrapper.

    So, creating a console application with this code should have solved the problem:

    [STAThread]
    static void Main(string[] args)
    {

        Assembly assembly = Assembly.LoadFrom ("cashTester.exe");

        Type t = assembly.GetType("cashTester.Form1");
        object o = Activator.CreateInstance(t);
        try
        {
            Application.Run((Form)o);
        }
        catch(Exception ex)
        {
            Console.Write("exception was thrown : " + ex.Message);
        }
    }

    Running this code in debug mode successfully catches the exception from the WinForm.
    But, for some reason, in a normal run, this code won't catch the exception.

    Makes you wonder, huh?

    So I did some thinking: what on earth can cause this phenomenon?
    The answer is: Threads.
    Yes, like it or not, this is the subject that everyone tries to avoid.
    Everyone knows it exists, and no one really likes it,
    but we can't run from the problem; we need to confront it.

    So, what can we do?

    Since Application.Run launches a new thread, we can attach an exception handling method to the Application.ThreadException event.

    Like this class:

     

    using System;
    using System.Reflection;
    using System.Windows.Forms;

    /// <summary>
    /// The Wrapper class
    /// </summary>
    public class Wrapper
    {

        /// <summary>
        /// Public constructor
        /// </summary>
        public Wrapper()
        {
        }

        /// <summary>
        /// This function will initialize the exception handling
        /// </summary>
        public void Init()
        {
            // define handlers for unhandled exceptions
            AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(this.exp);
            Application.ThreadException +=new System.Threading.ThreadExceptionEventHandler(this.ThreadExp);
        }

        /// <summary>
        /// This method is for the threads exceptions
        /// </summary>
        /// <param name="o">the object</param>
        /// <param name="args">Thread exception args</param>
        void ThreadExp(object o, System.Threading.ThreadExceptionEventArgs args)
        {
            // Write the message to the console
            Console.Write("Unhandled thread exception was thrown : " + args.Exception.Message);
        }

        /// <summary>
        /// This method is for the unhandled exceptions from the main thread
        /// </summary>
        /// <param name="o">the object</param>
        /// <param name="args">exception arguments</param>
        void exp(object o,System.UnhandledExceptionEventArgs args)
        {
            // Write the message to the console
            Console.Write("Unhandled exception was thrown : " + ((Exception)args.ExceptionObject).Message);
        }

        public void Run()
        {
            // Load the assembly
            Assembly assembly = Assembly.LoadFrom ("cashTester.exe");

            // get the type of the object
            Type t = assembly.GetType("cashTester.Form1");

            // invoke it
            object o = Activator.CreateInstance(t);

            // Run the application - note that this line starts an additional thread
            Application.Run((Form)o);
        }
    }

     

    now, all we need is to launch it :

    /// <summary>
    /// The main entry point for the application.
    /// </summary>
    [STAThread]
    static void Main(string[] args)
    {
        Wrapper w = new Wrapper();
        w.Init();
        w.Run();
    }

     

    Now we have an exception wrapper for launching applications.

    Shani, tell me if that helped ...

    P.S.
    There are more ways to do it, but this is the simplest one.

    Sunday, March 04, 2007 12:17:48 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

    Yesterday, a good friend of mine, Lev Rosenblit, asked me a good question:
    what is the life cycle of static objects in an aspx page?
    At first, without any hesitation, I answered that the object will die after the request event ends.
    The dude insisted that I'm wrong on that matter, so I decided to check it out.

    Here is a code snippet to check it out:

            private static int myStaticInt = 0;
            private void Page_Load(object sender, System.EventArgs e)
            {
                myStaticInt++;
                Response.Write(myStaticInt);
            }

    In theory (which says that objects in an aspx page die after the end of the request), this code should print the number "1" on each request.
    But the result was different: on each request, the result increased.

    Digging a little on the web, I found that static objects live inside the App domain and not in the page context.
    This interesting fact raised an interesting question, an architectural one:
    what would happen if the code runs in an NLB configuration (Network Load Balancing)?

    On that matter there is a session state issue, which is solved by getting the session state from a shared database,
    but what about the static objects that live inside the App domain?
    What can be done to share those objects?

    From my point of view, choosing to use static objects inside your page is a bad architectural choice:
    it won't always work, and it makes the system hardware dependent.

     Friday, March 02, 2007
    Friday, March 02, 2007 11:02:59 PM (GMT Standard Time, UTC+00:00) ( .Net | Life | XSS )

    Let me tell you a story that's happening now.
    A couple of months ago I hired some folks to do part of a project, due to the time limits that I have.
    Now, I know those guys personally, and checking their technical background seemed to be irrelevant (mistake no' 1).
    I thought, how hard can it be to make a GUI for an application where all the other layers are done (3 tier architecture).

    So, instead of 1 month of development it has turned into more than 3 months already (30% progress);
    god knows how long it will take them to finish it.

    And now, when I finally see some progress, I see code like this:

    if (!Page.IsValid)
    {
    }
    else
    {
        InsertNewCustomer();
        lblClientMessage.Text = NewClientText();
        ClearText();
    }

    OK, who are those guys?
    You'd think that a skilled programmer with 3 years of experience would not write crappy code like this (those things just get me mad).
    Why do they think that I'd allow such code to go to production?
    Not to mention the XSS holes that they made (just by the book....).
    Looks like they didn't read this guide.

    I mean, look at this thing; how many mistakes can you make in a single piece of code:

            private string NewClientText()
            {
                string strNewClient = txtName.Text + " " + txtFamily.Text + " " + "הוזן בהצלחה";
                return strNewClient;
            }

            private void btnAdd_Click(object sender, System.EventArgs e)
            {
                lblClientMessage.Text = "";

                if (!Page.IsValid)
                {
                }
                else
                {
                    InsertNewCustomer();
                    lblClientMessage.Text = NewClientText();
                    ClearText();
                }
            }

            private void InsertNewCustomer()
            {
                Customers newCustomer = new Customers();

                newCustomer.Name = txtName.Text;
                newCustomer.LastName = txtFamily.Text;
                newCustomer.Notes = txtNotes.Text;
                newCustomer.isStudent = chkStudent.Checked;
                newCustomer.Phone = TxtPhone.Text;
                newCustomer.Cellular = txtCellular.Text;
                newCustomer.Email = txtEmail.Text;
                newCustomer.Address = txtAddress.Text;

                if (txtBirth.Text.Trim() != "")
                {
                    newCustomer.BirthDate = Convert.ToDateTime(txtBirth.Text);
                }

                custDal.Add(newCustomer);
            }

    • writing data to the page without validating it first
    • some logical twists - (if page not valid, don't do anything, else do something...), why on earth? why?
    • inserting into the database without validating the input (for those who are familiar with my architecture, validating is a single line: "entity.Validate();")
    • no exception management whatsoever
    • no code comments
    • Client side input validations

    Here are some more goodies from the same author:

    lblAddress.Style.Add("text-align","right");

    What happened to CSS files?
    There are lots of lines like this, defining the style for every object.
    I don't wanna know what they plan to do when they need to change the style one by one.

    Man, this is a little piece of code; I'm afraid to see what's going on in the rest of the code.

    These are some lessons that you learn the hard way....

    "I will never hire people without checking their technical background"
    "I will never hire people without checking their technical background"
    "I will never hire people without checking their technical background"
    "I will never hire people without checking their technical background"
    "I will never hire people without checking their technical background"
    "I will never hire people without checking their technical background"

    I'd better take some things into my own hands before it gets too late.
    Anyone want a job creating some GUI?

     

    Friday, March 02, 2007 1:32:40 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | Lessons | Security | XSS )

    Well,
    after months of me talking about it and a couple of sleepless nights preparing it, here it is.

    So, what do we have here?

    1 PowerPoint presentation that explains what Session Hijacking and XSS are.
    1 XSS demo.
    0 Session hijacking demo .... (why, you ask? - I'm planning to do another lecture on the topic for those who missed it yesterday...)
    0 Code included. (like the demos .... will be uploaded some time soon....)

    Long story short:
    this presentation talks about the threats in Session hijacking
    and how to prevent it. While it's not a 100% solution, it certainly raises the bar for hackers to succeed in a session hijacking attack.

    A wise man said to me once,
    "for every defense that was ever made, someone thought how to break it,
     the only thing we can do, is to narrow down the number of people that are capable of performing it."

    Enjoy.

    Comments are welcome :)

    Security.pps (324 KB)

     

     Friday, October 20, 2006
    Friday, October 20, 2006 12:37:47 PM (GMT Standard Time, UTC+00:00) ( .Net | Lessons | Security | XSS )

    Security is one of the most important subjects when creating a business (not necessarily a web business or even a computer-related one).
    Think about investing a lot of time developing your business, and then seeing it all ripped apart, just because sensitive information was revealed to some unwanted individuals, or even worse, made public to the whole world.
    Of course, security is not only about stolen data; damage to the business's reputation can be just as devastating.

    When developing Web applications, security is highly important because the application runs in the most hostile environment: everybody can access it, meaning that everyone is a potential threat to the system.

    Cross Site Scripting (AKA XSS) is one of the oldest known methods of exploiting security holes on the web.
    The idea of the method is injecting client side script code into a web application, which will perform an additional task at the client side.
    It may seem harmless to some, but it can actually trigger much more dangerous attacks such as session hijacking, one-click attacks and phishing.

    Well, this post is actually not about how to conduct an XSS attack, but about how to avoid being an XSS victim.

    So, what do you have to do in order to prevent XSS? - INPUT VALIDATION.

    Let's take a look at what the .Net framework has to offer on this matter:

    • ValidateRequest – page directive
    • Built-in .Net validation controls (such as "required field validator", "Range Validator", and so on…)
    • Server Side validation.

    ValidateRequest directive – Enabled by default, supposed to "protect" all the input to the page from XSS.
    It looks for "<" and ">" tags, probably with some regular expressions. The problem with this option is that it limits ALL inputs, even the intended ones (such as XML, HTML tags and so on…).

    Built-in .Net validation controls – The framework provides probably all the input validation that you will need.
    They range from required fields, numeric values and regular expressions to writing your own custom validation.
    The problem is that they give the developer the feeling that once the validation is made, it can't be tampered with by the client, which IS NOT TRUE.

    Note that the common use of these tools is on the client side, which makes the whole validation process irrelevant.

    Ask yourself as a developer whether you set the "EnableClientScript" property on the validation control when you use it. – The common answer will be yes, because it improves performance by saving round trips to the server.

    But if the question is whether you did some extra coding to ensure that server side validation occurs – unfortunately, the common answer will be NO.

    Note to yourself – This is the no' 1 reason for XSS vulnerabilities in ASP.NET applications.

    Server Side validation – This is where your coding skills start to kick in.

    This is where you need to stop and start thinking about security for your application.
    A rookie developer will probably go straight to developing a page, neglecting the security aspect, while the more experienced developer will design a total solution, considering many aspects of the application, of which security would be one of the top issues (if not the first).

    Let's see some examples:

    Let's create this asp.net page:

    <%@ Page language="c#" validateRequest=false Codebehind="WebForm1.aspx.cs" AutoEventWireup="false" Inherits="SecurityExample.WebForm1" enableViewStateMac="True"%>
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" >
    <HTML>
        <HEAD>
            <title>WebForm1</title>
            <meta content="Microsoft Visual Studio .NET 7.1" name="GENERATOR">
            <meta content="C#" name="CODE_LANGUAGE">
            <meta content="JavaScript" name="vs_defaultClientScript">
            <meta content="http://schemas.microsoft.com/intellisense/ie5" name="vs_targetSchema">
        </HEAD>
        <body MS_POSITIONING="GridLayout">
            <form id="Form1" method="post" runat="server">
                <asp:textbox id="TextBox1" style="Z-INDEX: 101; LEFT: 96px; POSITION: absolute; TOP: 48px" runat="server"
                    MaxLength="5" Width="160px"></asp:textbox>
                <asp:regularexpressionvalidator id="RegularExpressionValidator1" style="Z-INDEX: 102; LEFT: 320px; POSITION: absolute; TOP: 56px"
                    runat="server" Width="144px" ValidationExpression="\d{5}" ControlToValidate="TextBox1" Height="40px" ErrorMessage="Numbers with 5 digits only"></asp:regularexpressionvalidator>
                <asp:button id="Button1" style="Z-INDEX: 103; LEFT: 128px; POSITION: absolute; TOP: 144px" runat="server"
                    Width="112px" Text="send data"></asp:button>
                <asp:label id="lblOutput" style="Z-INDEX: 104; LEFT: 112px; POSITION: absolute; TOP: 192px"
                    runat="server" Width="136px" Height="16px" EnableViewState="False"></asp:label></form>
        </body>
    </HTML>

    Let's add some Page_Load code-behind:

    private void Page_Load(object sender, System.EventArgs e)
    {
        // Check if the current run is a postback
        if (IsPostBack)
        {
            lblOutput.Text = "this is a postback<br>";

            // Activate the page validation
            Page.Validate();

            // Check if the page is valid
            if (Page.IsValid)
            {
                lblOutput.Text += "Page is Valid!";
            }
            else
            {
                lblOutput.Text += "Page NOT valid";
            }
        }
        else
        {
            lblOutput.Text = "this is NOT a postback<br>";
        }
    }

     

    Let's look at the code in the Page_Load method:
    Q: I'm calling the page validation manually here. Why?
    A: The complete process consists of the following operations:

    • Client side validation
    • Postback to the server
    • Page Initialization
    • Page_Load method invoked
    • The desired action invokes the method attached to it (button_click)
    • When the control associated with the action has its CausesValidation property set to true, the action invokes the Page.Validate()
      method, which checks the validation of the page and sets the Page.IsValid property to true or false depending on whether the validation succeeded or not
    • The logic associated with the action of the control is executed

    Suppose the user has managed to tamper with the validation on the client side (this is really not a hard task to accomplish),
    and posted the data manually as a postback.
    The server gets the posted data and treats it as a postback from the page. It begins to process the data, invokes Page_Load (with absolutely no indication of whether the data is valid or not), executes the Page_Load method completely, then invokes the given operation (say button_click) and executes it completely.
    So if we don't call Page.Validate() and then check the Page.IsValid property, we are risking an XSS vulnerability.

    Q: So, what is the best way to conduct server validation?
    A: First, create those validators as you always do.
       Then apply this code on your page (or your master page):

    Page.Validate();
    if (!Page.IsValid)
        throw new Exception("Security Exception occured");

     

    You can do some other handling besides throwing an exception, like logging, tracing, showing a nice message to the user and so on.
    Note that these actions will protect you at the Presentation layer but not further (at the DAL - SQL injection, or the Session layer - Session hijacking and more....)

    Here are 10 base guidelines to prevent being an XSS victim:

    1. Never write unfiltered (or unencoded) data to the page.
    2. Never write to the page straight from the user input.
    3. Before handling input, validate that it is really what you are expecting.
    4. Don't expose exceptions to the client.
    5. Don't expose any internal information about the application to the client.
    6. Never rely on client side validations.
    7. Know the existing threats and vulnerabilities.
    8. Don't use built-in features if you don't completely understand what they are doing.
    9. Try to think "out of the box" in security related issues.
    10. Handle security issues by design, not by mistake.
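
The server-side half of this lesson as a stand-alone console sketch, added here and not taken from the original post or from ASP.NET itself: it re-checks the posted `TextBox1` value against the page's `\d{5}` expression and HTML-encodes everything written to the output, which is also what the label write in `NewClientText()` from the hiring post lacks. `IsFiveDigits`, `RenderLabel`, `Handle` and the posted values are constructed for illustration, and `WebUtility.HtmlEncode` stands in for the encoding a page would do through `Server.HtmlEncode`.

```csharp
using System;
using System.Net;                       // WebUtility.HtmlEncode (.NET 4.0 or later)
using System.Text.RegularExpressions;

public static class ServerSideValidationDemo
{
    // Same expression as the page's RegularExpressionValidator.
    private static readonly Regex FiveDigits = new Regex(@"\d{5}");

    // The match must cover the whole value, otherwise "12345<b>x</b>"
    // would pass on its first five characters alone.
    public static bool IsFiveDigits(string posted)
    {
        // Rejected here on purpose: the ASP.NET validator treats an empty value
        // as valid unless a RequiredFieldValidator is added for the control.
        if (string.IsNullOrEmpty(posted)) return false;

        Match m = FiveDigits.Match(posted);
        return m.Success && m.Index == 0 && m.Length == posted.Length;
    }

    // Guidelines 1 and 2: nothing user-supplied reaches the page unencoded.
    public static string RenderLabel(string text)
    {
        return "<span id=\"lblOutput\">" + WebUtility.HtmlEncode(text) + "</span>";
    }

    // Plays the role of Page.Validate() + Page.IsValid before any page logic runs.
    public static string Handle(string posted)
    {
        if (!IsFiveDigits(posted))
        {
            // Guidelines 4 and 5: fixed message, no echo of the input, no internals.
            return RenderLabel("Numbers with 5 digits only");
        }
        return RenderLabel("Accepted: " + posted);
    }

    public static void Main()
    {
        // Constructed postback values. Only the first could come from a browser
        // that ran the client-side validator; the rest model a hand-made POST.
        string[] postedValues = { "12345", "1234", "12345<b>x</b>", "<b>hello</b>", "" };

        foreach (string posted in postedValues)
        {
            Console.WriteLine("{0,-16} -> {1}", "\"" + posted + "\"", Handle(posted));
        }

        // If a value ever has to be echoed, encoding keeps the markup inert:
        // the tags come out as &lt;b&gt; ... &lt;/b&gt; instead of being rendered.
        Console.WriteLine(RenderLabel("<b>hello</b>"));
    }
}
```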
     Monday, October 16, 2006
    Monday, October 16, 2006 8:42:27 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

    An interesting article I've read about the next .Net framework:
    apparently the new framework won't contain drastic changes like .Net 1.1 vs 2.0 in the CLR or in the language features,
    but instead it will bring architectural solutions for different tasks such as distributed programming, authentication, presentation and probably many more.

    Check out this article about the issue.

     Wednesday, October 11, 2006
    Wednesday, October 11, 2006 5:45:58 PM (GMT Standard Time, UTC+00:00) ( Sql Server  | .Net | Lessons | SPS (sharepoint server) | Performance )

    As you know, Microsoft didn't intend for you to access the SPS database directly, but via the object model only.
    The problem is that it has many bugs, performance issues, security issues and lots and lots of problems that will make the programmer's life a living hell.

    So, let's see how we can break the 1st guideline of SPS programming - "do not use the SPS database directly".
    Man, I'm feeling like a criminal now, presenting a guide on how to do something that Microsoft invested a lot of effort to prevent us from doing.

    Let's get down to business.
    Don't count on the connection string lying in some property; for this one we need to do some dirty work.

    A little background on how we are going to do it:

    The connection string looks like this:

    "Integrated Security=SSPI;Server=someServer;database=SomeDatabase"

    As you can see, the only things that can change here are the server name and the database name.

    Let's create a core function that will receive the DB collection and the desired site GUID and construct the connection string.

    private string GetConnectionStringForSite(SPContentDatabaseCollection DBs, Guid siteGuid)
    {
        string rc = "";
        SPContentDatabase oDB = null;

        for(int i=0; i<DBs.Count;i++)
        {
            // Get the database
            oDB = DBs[i];