Feeds:
Posts
Comments

Posts Tagged ‘jason bock’

WPF, Hackers, jQuery QUnit, Static Analysis, and MVC

Another day full of great sessions…although as the days go by and I procrastinate on writing up my notes, my mind is getting a bit foggy. Hopefully, you can get something from my notes…

Sessions Attended:

  • WPF Validation – Techniques & Styles (Miguel Castro)
  • Hack Proofing Your ASP.NET Web Forms and MVC Applications (Adam Tuliper)
  • Introduction to jQuery QUnit (John Petersen)
  • Static Analysis in .NET (Jason Bock)
  • Extending ASP.NET MVC with jQuery/Ajax and jSON (John Petersen)

WPF Validation – Techniques & Styles

The validation that comes out of the box in VS2010 is not that great. MVVM is better. Data annotation is good for quick validation on the code side.

There is a difference between validation and business rules. Business rules act on an object and validation does not. Validation is usually a check field – yes/no questions. With business rules, it is more like if this field has this then do this or some other stuff.

We should reject user input as early as we can and do NOT touch valid input. How many times have we run across a website where we enter an invalid value and the site comes back with an error and all the fields are wiped out? Or even worse…no error message at all and we are left to guess at what we did wrong.

We should have one place to go to check for validation of an object (one routine to check). Validation should not be done in multiple places unless we just can’t help it. Validation should be done as early as possible, and rules code should be reusable.

The out of the box validation is view based validation (ValidationRule class) and requires view-based code to perform validation. The validation is done at the XAML level and it cannot be tested. We don’t get information back on what field is invalid, and the error message is put in a hover message.

  • Style Trigger
  • Validation.HasError
  • Set ToolTip property

In MVVM, validation is totally decoupled from the view and we can test it. IDataErrorInfo can be implemented in ViewModel or Model. The indexer method gets the name of the property that changed. The view model is bound to the view and drives state. Anytime a field changes the OnPropertyChanged is called. We drive our buttons with commands not click events. Every command (DelegateCommand) has a method that drives the command and a method that determines if the command can happen.

Error message can include field info. Attributes set on the binding in XAML. Set ValidatesOnDataErrors to true to use validation. IDataErrorInfo can be extended to incorporate rules engine and interface can be implemented by the base class.

With Data Annotations (System.ComponentModel.DataAnnotations), we have to do the checking. An attribute is only as good as its use. Attributes are used by decorating the property, and the attribute values have to be a constant.

Code will use reflection to get the property value and runs the property through validation by using the Validator static class. We can write custom data annotations by overriding IsValid, and we can do multiple validations.

  • this.GetType().GetProperty(PropertyName).GetValue(this, null)
  • Check data validation (Validator.TryValidateProperty)
  • AdornedElementPlaceholder

Recommended Reading:

  • WPF 4 Unleashed (Adam Nathan)
  • WPF Programmer’s Reference: Windows Presentation Foundation with C# 2010 and .NET 4 (Rod Stephens)

Related Sites:

Hack Proofing Your ASP.NET Web Forms and MVC Applications

One big issue we have with web applications is SQL Injection. But we also have to deal with cross site scripting, cross site request forgery, parameter tampering, information leakage, and encryption.

SQL injection is when code gets injected into the data channel and values are altered to create SQL commands when data is expected.

  • URI tampering
  • Parameter tampering
  • Cookie tampering

We should not be using inline SQL, but instead use parameritized queries. Don’t use dynamic strings. Do use ORMs, escape/whitelist input, and audit table permissions. We can use Rank() Order by and pass a number to sort by different things. We can pass parameters in dynamic SQL and use sp_ExecuteSQL.

Cross site scripting (XSS) is when script gets injected into the page, the database, or the cookies. The main types are reflected, persistent, and DOM based. We can also have scriptless attacks.

To prevent XSS, we use HTMLEncode or AttributeEncode for all output (@, <%:, HtmlEncode(), HtmlAttributeEncode()). Do not use the WebForm’s ValidateRequest=false. In ASP.NET 4.5 the HtmlEncode will be embedded in the databind.

He ran out of time to finish his slides, but did leave us with one last tidbit of info. To prevent Information Leakage, Use Retail Mode!! Setting RetailMode = TRUE turns off debugging and tracking which is the main source for Information Leakage.

Related Sites:

Introduction to jQuery QUnit

Why should we test? We can get immediate feedback of our code with unit testing. Testable code is better code. Unit testing makes automated builds worth something.

JavaScript has been challenging to test. JS is not C# or VB, usually embedded in HTML docs and often disorganized.

jQuery QUnit addresses the challenges of testing our JS. It’s a testing framework that is easy to use and integrates with other coding tools like Telerik’s JustCode (a test runner).

Static Analysis in .NET

This was a fascinating session. I found out that maybe I should have gone with Premium or Ultimate instead of getting the Professional edition of VS2010. Code analysis is only available for Premium and Ultimate. However, Jason believes someone on Codeplex has written an add-in to Professional.

We can also use FX Cop…it’s a free tool that offers command line tools for performing static code analysis of .NET code.

In source, an attribute is added to the code to suppress. In project file, we can suppress the instance but it does not get updated if we refactor it. Custom rules are not officially supported.

Other tools: Nitriq CodeAnalysis, NDepend, CodeIt..Right, and Klocwork

Related Sites:

Extending ASP.NET MVC with jQuery/Ajax and jSON

I thought about attending the How to Be a C# Ninja in 10 Easy Steps, but I thought maybe I should have a little more exposure to MVC and jQuery. I think I was in over my head in this one since I have had no experience in this area. Also, I think I was in information overload by the time I got to this session. But here are my notes for what it’s worth…

jQuery is a JavaScript library that is actually a family of projects: jQuery Core, UI, and Mobile, and QUnit. CSS always in play behind the scenes of jQuery

Ajax – Asynchronous JavaScript and XML: A technique to create asynchronous web requests from the client. Ajax communicates with the server and does a postback, and is conservative with bandwidth. The main objective is to improve performance. Multiple components and technologies are involved: HTML, CSS, XMLHttpRequest, and JavaScript. jQuery is a popular JS/Ajax framework.

JSON – JavaScript Object Notation: made up of key/value pairs and groups of key/value pairs make up a document. MongoDB and Couch are DBs that use JSON/BSON (binary JSON).

JavaScript is the glue that ties these 3 together and CSS makes it all come alive.

The update panel in ASP.NET is a div that gets updated via Ajax. Telerik has extensions for MVC and there are other MVC/jQuery based frameworks out there.

Related Sites:

Read Full Post »

%d bloggers like this: