User Interface Process Application Block

Recently, I migrated the quickstart applications for the User Interface Process Application Block to Visual Studio 2008. I'll be including the download URL of the quickstart applications in this blog item.

Ok. Let’s start with a brief overview of the User Interface Process Application Block. The User Interface Process Application Block has been developed to solve issues that regularly occur when you are developing large applications with complex user interface interactions.

Design Goals
The User Interface Process Application Block is designed to solve these problems and provide you with a plug-in block you can use to control your user interface interactions. Specifically, the design goals are:
. Abstracting all navigation and workflow code from the user interface
. Enabling the use of the same programming model for Windows, Web, and device applications
. Removing all state management from the user interface
. Using tasks to persist snapshot state across processes

I'm from a Java background. I develop frameworks, components, and applications, and I used Struts in most of those applications. One of the features of Struts that impressed me is the Struts Action Framework. I started to look for something in .NET that is similar to that framework, and I found the User Interface Process Application Block on MSDN. Right now I'm in the process of evaluating the application block for possibilities to promote it to ISVs that are partnering with us.

Download URL: http://cid-d1df34a904545dc5.skydrive.live.com/self.aspx/Public/User%20Interface%20Process.zip

MySQL Workbench is now on .NET

Today I went to http://dev.mysql.com. I wanted to download MySQL 5.0 Community Server for my upcoming training. Guess what? I was surprised to see that MySQL Workbench is now on .NET. MySQL Workbench is a next-generation visual database design application that can be used to efficiently design, manage and document database schemata.

You may download the source code for MySQL Workbench (Visual Studio 2005 project) from: http://dev.mysql.com/downloads/workbench/5.0.html

The following are some screenshots of MySQL Workbench in action:

 

Swapping two variables

Some time ago, I had a chat with a few of my friends during a yam cha session about interview questions. One of my friends mentioned that he knew of someone who likes to ask interviewees to demonstrate a way to swap two variables, and according to my friend, most fresh graduates are not able to answer the question correctly. 🙂 This really surprised me. Last week, I interviewed a fresh graduate from MIT, and he was able to answer the question very brilliantly. I'm very much impressed. This is what he answered:

The best way to swap two variables is to use a temporary variable. He wrote this on a piece of paper:

int a = 0, b = 0, temp = 0;

temp = a;
a = b;
b = temp;

Okay. This is what I would answer if someone asked me this question. Next, he wrote the following on the same piece of paper:

int a = 0, b = 0;

a = a + b;
b = a - b;
a = a - b;

in which he further summarized into:

a = a-(b=(a=a+b)-b);

and

a ^= b;b ^= a;a ^= b;

Finally, at the end he wrote this:

#define swap(type,a,b) type temp;temp=a;a=b;b=temp;

and

#define swap(a,b) a^=b^=a^=b;

Well, what can I say? 🙂 Pretty impressive for a fresh graduate in Computer Science.
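An added example, not the interviewee's code or anything from the original post: the three swap techniques written in Python over list slots so that the two operands can alias (i == j). The temporary-variable form is correct in every case; the arithmetic and XOR forms zero the slot when both operands are the same object, and in C the macro form a^=b^=a^=b; additionally modifies a twice without an intervening sequence point, which is undefined behaviour. Signed overflow on the a = a + b line is likewise undefined in C, though not in Python. The aliasing guard in swap_xor_safe is what a real implementation needs; the list inputs are constructed here.

```python
def swap_with_temp(values, i, j):
    """The plain answer: a temporary. Correct for any i, j, including i == j."""
    temp = values[i]
    values[i] = values[j]
    values[j] = temp
    return values


def swap_arithmetic(values, i, j):
    """a = a + b; b = a - b; a = a - b, written on list slots.

    Python ints do not overflow, so the only hazard left is aliasing:
    when i == j the first line doubles the slot, the second zeroes it,
    and the third leaves it at 0.
    """
    values[i] = values[i] + values[j]
    values[j] = values[i] - values[j]
    values[i] = values[i] - values[j]
    return values


def swap_xor(values, i, j):
    """a ^= b; b ^= a; a ^= b on list slots.

    When i == j the first XOR is x ^ x == 0 and every later step
    keeps it 0: the classic XOR-swap hazard.
    """
    values[i] ^= values[j]
    values[j] ^= values[i]
    values[i] ^= values[j]
    return values


def swap_xor_safe(values, i, j):
    """XOR swap with the aliasing guard a real implementation needs."""
    if i != j:
        swap_xor(values, i, j)
    return values


if __name__ == "__main__":
    print(swap_with_temp([1, 2], 0, 1))     # [2, 1]
    print(swap_arithmetic([7, -3], 0, 1))   # [-3, 7]
    print(swap_xor([7, 12], 0, 1))          # [12, 7]
    print(swap_arithmetic([5], 0, 0))       # [0]  (aliasing bug)
    print(swap_xor([5], 0, 0))              # [0]  (aliasing bug)
    print(swap_xor_safe([5], 0, 0))         # [5]
```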

Handling SQL Injection

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection vulnerabilities because SQL Server will execute all syntactically valid queries that it receives. Passing values as parameters keeps them out of the statement text, but parameterized data is not automatically safe downstream: a stored procedure that concatenates a parameter into a string and runs it with EXEC or sp_executesql reintroduces the same problem.
 
The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings together with a string entered by the user:
 
CS
 
string vUserId = null;
vUserId = Request.Form["UserId"];
string vSql = null;
vSql = "select * from Users where UserId = '" + vUserId + "'";
 
VB
 
Dim vUserId As String = Nothing
vUserId = Request.Form("UserId")
Dim vSql As String = Nothing
vSql = "select * from Users where UserId = '" & vUserId & "'"
 
The user is prompted to enter a 'User Id'. If the user enters "John", the query assembled by the script looks similar to the following:
 
SELECT * FROM Users WHERE UserId = 'John'
 
However, assume that the user enters the following:
 
John'; drop table Users--
 
In this case, the following query is assembled by the script:
 
SELECT * FROM Users WHERE UserId = 'John'; drop table Users--'
 
The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored, which is how the attacker discards the closing quote the script appends. If the modified code is syntactically correct, it will be executed by the server. When SQL Server processes this statement, it will first select all records in Users where UserId is John. Then it will drop Users.
 
As long as injected SQL code is syntactically correct, the server cannot tell a tampered statement from an intended one. Therefore, you must validate all user input, carefully review code that executes constructed SQL commands on the server you are using, and wherever possible pass user values as query parameters rather than concatenating them into the statement text.
 
Here are my tips for handling SQL injection in SQL Server. You should always programmatically reject input that contains the following characters:
 
1. ; (Query delimiter.)
2. ' (Character data string delimiter.)
3. -- (Comment delimiter.)
4. /* ... */ (Comment delimiters. Text between /* and */ is not evaluated by the server.)
5. xp_ (Used at the start of the name of catalog-extended stored procedures, such as xp_cmdshell.)
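As an added example (not code from the original post or from MSDN), the vulnerable concatenation beside its parameterized fix, written in Python against an in-memory SQLite database so it runs without SQL Server. The Users table and its two rows are constructed for the demo, and SQLite's executescript() stands in for SQL Server executing a multi-statement batch. The block also implements the reject-list above as a filter: it catches the post's payload, but because it is a character blacklist it also rejects legitimate data such as the surname O'Brien. Binding the value as a parameter needs no such list, because the input never becomes part of the statement text.

```python
import sqlite3

# The reject-list from the post (items 1-5). Item 5 targets SQL Server
# extended procedures such as xp_cmdshell; the check itself is a substring test.
REJECT_LIST = (";", "'", "--", "/*", "*/", "xp_")


def contains_rejected_sequence(value: str) -> bool:
    """True if the input contains any sequence on the post's reject-list."""
    lowered = value.lower()
    return any(token in lowered for token in REJECT_LIST)


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: a Users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE Users (UserId TEXT PRIMARY KEY, Name TEXT);"
        "INSERT INTO Users VALUES ('John', 'John Smith');"
        "INSERT INTO Users VALUES ('Mary', 'Mary Jones');"
    )
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def lookup_concatenated(conn: sqlite3.Connection, user_id: str) -> str:
    """The vulnerable pattern from the post: the user value is pasted into the
    statement text. executescript() runs every statement in the string, which
    stands in for SQL Server executing the whole batch, so a second statement
    smuggled in after ';' runs too. Returns the assembled SQL for inspection."""
    sql = "SELECT * FROM Users WHERE UserId = '" + user_id + "'"
    conn.executescript(sql)
    return sql


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    """The fix: the value travels as a bound parameter, never as SQL text.
    Whatever the input contains, the statement stays one SELECT with one
    string comparison, so the payload simply matches no row."""
    cur = conn.execute("SELECT UserId, Name FROM Users WHERE UserId = ?", (user_id,))
    return cur.fetchall()


def demo() -> dict:
    payload = "John'; drop table Users--"  # the post's malicious input

    vulnerable = fresh_db()
    assembled = lookup_concatenated(vulnerable, payload)
    users_survived_concat = table_exists(vulnerable, "Users")

    hardened = fresh_db()
    rows = lookup_parameterized(hardened, payload)
    users_survived_param = table_exists(hardened, "Users")

    return {
        "assembled_sql": assembled,
        "users_survived_concat": users_survived_concat,
        "users_survived_param": users_survived_param,
        "rows_for_payload": rows,
        "filter_catches_payload": contains_rejected_sequence(payload),
        # Side effect of a character blacklist: ordinary data is rejected too.
        "filter_rejects_obrien": contains_rejected_sequence("O'Brien"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the concatenated path reports that Users no longer exists after the payload, while the parameterized path leaves the table intact and returns no rows. In ADO.NET the equivalent of the bound parameter is SqlCommand.Parameters.AddWithValue (or a typed SqlParameter), with the SQL text containing only the placeholder.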

What happened to Chrome?

Today, coincidentally I found this page:

I was wondering what happened to Google? Not confident with Google Chrome? … err.. or forgotten to update their web pages? Anyway, thumbs up for Internet Explorer!

Does LINQ to SQL support SQL Server 2000?

Recently, I took the initiative to verify LINQ to SQL support on SQL Server 2000. Guess what? LINQ to SQL does support SQL Server 2000. The only feature that requires SQL Server 2005 or above is server-side paging (where the paging is done in the database). This uses ROW_NUMBER(), which is only available in SQL Server 2005 or above.

Joins with LINQ

This week I delivered a course, namely Introduction to ASP .NET 3.5. One of the participants asked me a question on SQL JOINs with LINQ. The request was to demonstrate in VB the way to code three types of JOIN: CROSS JOIN, INNER JOIN, and OUTER JOIN. I thought it would be interesting to blog my findings.

1. Cross Join

In SQL, you would code like:
SELECT CustomerTable.Name, OrderTable.OrderDate
FROM CustomerTable, OrderTable

Similarly, in VB you can code like:
From Contact In CustomerTable, Shipment In OrderTable _
Select Contact.Name, Shipment.OrderDate

2. Inner Join

In SQL, you would code like:
SELECT Contact.Name, Shipment.OrderID
FROM CustomerTable Contact
INNER JOIN OrderTable Shipment
ON Contact.CustomerID = Shipment.CustomerID
AND Contact.Zip = Shipment.ShippingZip

Similarly, in VB you can code like:
From Contact In CustomerTable _
Join Shipment In OrderTable _
On Contact.CustomerID Equals Shipment.CustomerID _
And Contact.Zip Equals Shipment.ShippingZip _
Select Contact.Name, Shipment.OrderID

3. Outer (Left/Right) Join

In SQL, you would code like:
SELECT CustomerTable.Name, SUM(OrderTable.Cost) Sum
FROM CustomerTable
LEFT JOIN OrderTable
ON CustomerTable.CustomerID = OrderTable.CustomerID
GROUP BY CustomerTable.Name

Similarly, in VB you can code like:
From Contact In CustomerTable _
Group Join Shipment In OrderTable _
On Contact.CustomerID Equals Shipment.CustomerID _
Into Sum(Shipment.Cost) _
Select Contact.Name, Sum

Note: I'm using the Northwind database.
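An added example, not from the original post: the three join shapes above carried out both as plain Python comprehensions (the way LINQ to Objects evaluates them) and as the SQL queries above run through SQLite, with the results compared. The CustomerTable and OrderTable rows are constructed, not Northwind data, and the column names follow the post's queries. The data deliberately includes a customer with no orders and an order shipped to a zip different from the customer's, so the difference between the inner join on a composite key and the left group join is visible. One caveat the SQL side shows: SUM over a customer with no orders is NULL in SQL, so the reference query wraps it in COALESCE to line up with the 0 that summing an empty group gives in Python.

```python
import sqlite3
from itertools import product

# Constructed sample data, using the column names from the post's queries.
CUSTOMERS = [
    {"CustomerID": 1, "Name": "Alice", "Zip": "10001"},
    {"CustomerID": 2, "Name": "Bob", "Zip": "20002"},
    {"CustomerID": 3, "Name": "Carol", "Zip": "30003"},  # has no orders
]
ORDERS = [
    {"OrderID": 100, "CustomerID": 1, "ShippingZip": "10001", "OrderDate": "2008-01-05", "Cost": 25.0},
    {"OrderID": 101, "CustomerID": 1, "ShippingZip": "99999", "OrderDate": "2008-02-10", "Cost": 40.0},  # shipped elsewhere
    {"OrderID": 102, "CustomerID": 2, "ShippingZip": "20002", "OrderDate": "2008-03-15", "Cost": 10.0},
]


def cross_join():
    """From Contact In CustomerTable, Shipment In OrderTable: every pairing."""
    return [(c["Name"], o["OrderDate"]) for c, o in product(CUSTOMERS, ORDERS)]


def inner_join():
    """Join ... On CustomerID Equals CustomerID And Zip Equals ShippingZip.
    Both key parts must match, so order 101 (different zip) is dropped."""
    return [
        (c["Name"], o["OrderID"])
        for c in CUSTOMERS
        for o in ORDERS
        if c["CustomerID"] == o["CustomerID"] and c["Zip"] == o["ShippingZip"]
    ]


def left_group_join_sum():
    """Group Join ... Into Sum(Shipment.Cost): every customer appears once with
    the total cost of its orders; a customer with no orders gets sum([]) == 0."""
    result = []
    for c in CUSTOMERS:
        costs = [o["Cost"] for o in ORDERS if o["CustomerID"] == c["CustomerID"]]
        result.append((c["Name"], sum(costs)))
    return result


def sql_reference():
    """The same three queries from the post run through SQLite for comparison."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CustomerTable (CustomerID INTEGER, Name TEXT, Zip TEXT)")
    conn.execute("CREATE TABLE OrderTable (OrderID INTEGER, CustomerID INTEGER, "
                 "ShippingZip TEXT, OrderDate TEXT, Cost REAL)")
    conn.executemany("INSERT INTO CustomerTable VALUES (?, ?, ?)",
                     [(c["CustomerID"], c["Name"], c["Zip"]) for c in CUSTOMERS])
    conn.executemany("INSERT INTO OrderTable VALUES (?, ?, ?, ?, ?)",
                     [(o["OrderID"], o["CustomerID"], o["ShippingZip"],
                       o["OrderDate"], o["Cost"]) for o in ORDERS])
    cross = conn.execute(
        "SELECT CustomerTable.Name, OrderTable.OrderDate FROM CustomerTable, OrderTable"
    ).fetchall()
    inner = conn.execute(
        "SELECT Contact.Name, Shipment.OrderID "
        "FROM CustomerTable Contact INNER JOIN OrderTable Shipment "
        "ON Contact.CustomerID = Shipment.CustomerID "
        "AND Contact.Zip = Shipment.ShippingZip"
    ).fetchall()
    # SUM over no rows is NULL; COALESCE(..., 0) matches the Python side.
    left = conn.execute(
        "SELECT CustomerTable.Name, COALESCE(SUM(OrderTable.Cost), 0) AS Total "
        "FROM CustomerTable LEFT JOIN OrderTable "
        "ON CustomerTable.CustomerID = OrderTable.CustomerID "
        "GROUP BY CustomerTable.Name"
    ).fetchall()
    return cross, inner, left


if __name__ == "__main__":
    print(len(cross_join()), "rows from the cross join")
    print(inner_join())            # [('Alice', 100), ('Bob', 102)]
    print(left_group_join_sum())   # [('Alice', 65.0), ('Bob', 10.0), ('Carol', 0)]
    cross, inner, left = sql_reference()
    print(sorted(cross) == sorted(cross_join()),
          sorted(inner) == sorted(inner_join()),
          sorted(left) == sorted(left_group_join_sum()))
```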