CodeBetter.Com

David Hayden [MVP C#]

         .NET Tutorials, Patterns, and Practices

ASP.NET Security and ADO.NET

My wife and I finally wrapped up moving into our new home, which has been a very frustrating and tiresome couple of months.  Although I hate moving, the process of moving our stuff was actually the easy part.  The frustrating part was working with the builder to make good on the 100 or so items that were unfinished or done poorly on the new home.  Although the builder did manage to take care of everything and the home has turned out beautifully, the process of working with the builder and subcontractors was painful.  As of yesterday, I think we have seen our last subcontractor in our home for some time.  Now I can get back to blogging and other more interesting endeavors (after I prepare for Hurricane Wilma, that is...).

Pro ADO.NET 2.0 and Pro ASP.NET 2.0 in C# 2005

I got an itch to buy a couple of new development books a few weeks ago and chose Pro ADO.NET 2.0 and Pro ASP.NET 2.0 in C# 2005.

I have read about 50% of Pro ADO.NET 2.0.  Thankfully it does not regurgitate the MSDN documentation and is not full of tables explaining every last property or method on various ADO.NET 2.0 classes (an old WROX trick).  It not only covers the basics, but appears to be more focused on teaching best practices and useful techniques for your day-to-day programming.  I am saving the last couple of chapters, The CLR in SQL Server and ADO.NET Best Practices, for last, which I expect to be the finale.  An earlier chapter hinted at a DataSet vs. Business Objects discussion in Chapter 14, which should be interesting.  Although I am not ready to give a final review of the book, I think you will be happy with the purchase.  It has got me brushing up on Optimistic Concurrency in SQL Server, SQL Server Transactions, and Transaction Savepoints, to say the least, which doesn't even scratch the surface of the content in the book.

I have barely touched Pro ASP.NET 2.0 in C# 2005.  I have been bouncing back and forth on non-ASP.NET-2.0-specific stuff like databinding, XML, the ASP.NET Security Model, Forms Authentication, etc.  This book is about 1200 pages long and looks like it shares the same principles as Pro ADO.NET 2.0: no fluff and more concentration on stuff to help your day-to-day programming.  As I start to read it more, you can certainly expect a bunch of posts on it as well as a final review.

ASP.NET Security

Microsoft came out with their ASP.NET 2.0 Security Best Practices document (read it on MSDN), which lists a number of coding best practices and techniques to make your web applications more secure.  I have been slowly going through the document and updating my code generation templates and reusable libraries as necessary to make sure I am aligned with their thoughts.  If you haven't seen or read the document, I highly recommend taking a peek.

As I mentioned above, Pro ASP.NET 2.0 in C# 2005 appears to have a decent primer on the subject as well which I am currently looking over.  It has a few obvious security guidelines that are also mentioned in the MSDN document:

  • Never trust user input - validate!  Use regular expressions to test for correct data, and do the validation on the server; client-side validation alone is trivially bypassed.
  • Never use string concatenation to build SQL statements; that is the classic route to SQL Injection Attacks.  Pass user values as parameters (SqlParameter) or to stored procedures instead.
  • Never output data entered by a user directly on your web page before validating and encoding it.  Use HttpUtility.HtmlEncode to escape special characters so that markup in the input is rendered as text rather than interpreted by the browser.
  • Never store sensitive data or things that affect your business rules in hidden fields on your web page.  Hidden fields are sent to the client and come back with the next request, so the user can read and change them.
  • Never store sensitive data or things that affect your business rules in viewstate.  Viewstate also travels to the client; by default it is only base64 encoded, not encrypted, so anyone can decode and read it.
  • Use SSL when appropriate, at minimum for login pages and any page that carries the authentication cookie.
  • Protect your cookies, especially your authentication cookies: mark them HttpOnly and Secure so script cannot read them and they are never sent over plain HTTP.

More on these security best practices later.  You may want to check out the post that Peter just submitted, Protecting an ASP.NET page against malicious input with ValidateRequest, which touches on Cross-Site Scripting and making sure you validate your input.  Keep in mind that ValidateRequest only rejects input that looks like markup; it is a safety net, not a substitute for validation.  If you output this information directly, you will also want to make sure you encode it with HttpUtility.HtmlEncode.
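The following C# 2005 class is an added example for this post; it is not code from the post, from the books reviewed above, or from the MSDN document.  It puts the "never" items above beside their safe counterparts: a string-concatenated query next to a parameterized one, a regular-expression input check, HtmlEncode on output, and the HttpOnly/Secure flags on a cookie.  The Users table, its column names, the user-name character set and the connection string are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not from the original post. Table, column names and the
// allowed user-name characters are assumptions for illustration only.
public static class SecureDataAccess
{
    // Whitelist validation: a user name may contain only these characters.
    // Validation must run on the server; client-side checks can be bypassed.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_.\-]{1,32}$", RegexOptions.Compiled);

    public static bool IsValidUserName(string input)
    {
        return input != null && UserNamePattern.IsMatch(input);
    }

    // VULNERABLE (shown for contrast): the value becomes part of the SQL text.
    // userName = "x' OR '1'='1" turns the WHERE clause into a tautology and
    // returns every row; a closing quote and a semicolon can append more statements.
    public static string BuildQueryUnsafe(string userName)
    {
        return "SELECT UserId, Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the SQL text is constant; the value travels as a typed parameter and
    // is never parsed as SQL, so quotes or semicolons in it are just data.
    public static DataTable FindUser(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
        {
            throw new ArgumentException("Invalid user name.", "userName");
        }

        DataTable result = new DataTable();
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand command = connection.CreateCommand())
        {
            command.CommandText =
                "SELECT UserId, Email FROM Users WHERE UserName = @UserName";
            command.Parameters.Add("@UserName", SqlDbType.NVarChar, 32).Value = userName;

            using (SqlDataAdapter adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(result);   // opens and closes the connection itself
            }
        }
        return result;
    }

    // Encode user-controlled text before writing it into the page.
    // "<script>" becomes "&lt;script&gt;", so the browser shows it as text.
    public static string RenderGreeting(string userName)
    {
        return "<p>Welcome, " + HttpUtility.HtmlEncode(userName) + "</p>";
    }

    // Harden a cookie (typically the forms authentication cookie):
    // HttpOnly keeps client script from reading it even if XSS slips through;
    // Secure keeps the browser from sending it over plain HTTP.
    public static void HardenCookie(HttpCookie cookie)
    {
        cookie.HttpOnly = true;
        cookie.Secure = true;
    }
}
```

FindUser validates first and parameterizes second; the regular expression limits what the application accepts, and the SqlParameter guarantees that whatever gets through is still treated as data by SQL Server.  The two cookie flags can also be applied site-wide in ASP.NET 2.0 with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` in web.config, which is the more reliable option because it does not depend on every page remembering to call a helper.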

Published Oct 22 2005, 07:16 PM by David Hayden