Selected Topics ASP.NET2

Tips and Tricks in ASP.NET 2.0 Development Talal Abdullah Alsubaie Programmer IT Department Saudi Food and Drugs Authority Talal A. Alsubaie SFDA

Tips and Tricks in ASP.NET 2.0 Development This presentation aims to give us (Developers) better knowledge in development in MS ASP.NET 2.0 environment. Knowing some tips and tricks in ASP.NET 2.0 programming. The main goal is to enhance: Security. Availability. Integrity. Usability. Performance. Talal A. Alsubaie SFDA

Tips and Tricks in ASP.NET 2.0 Development We will cover some topics in this presentation such as: N-Tier Architecture. CSS (Cascading Style Sheets)Pages. Database Programming Exception Handling. Talal A. Alsubaie SFDA

N-Tier Architecture Talal A. Alsubaie SFDA

N-Tier Architecture An N-Tier architecture is a development method that user interface , functional process logic , data storage , and data access are developed and maintained as independent model. ( http://en.wikipedia.org/wiki/N_tier ) . The N-Tier architecture is based on the concept of separating a system to different layers (usually 3) Each layer interacts with only the layer directly below, and has specific function that it is responsible for. It is considered as a Software Design Pattern . N-Tier provides reusability, scalability, maintainability. Web development often use the 3-Tier model. A Three-Tier model has. Presentation Tier. Business Tier. Data Tier. Talal A. Alsubaie SFDA

Talal A. Alsubaie SFDA Database Get Salary Total Get Last Year Salaries Query Salary 1 Salary 2 Salary 3 Add Salary Together Display Total

N-Tier Architecture One of the common mistakes is tightly coupling layers, and writing business logic in presentation tier. Talal A. Alsubaie SFDA

Database Programming Talal A. Alsubaie SFDA

Database Programming You Have Many Things to Think About Talal A. Alsubaie SFDA

Database Programming Things to put in mind: Keep the connection string in web.config. Never store sensitive data in clear-text within a database. Do not rely on Client Side validation. Validate input for length, range, format, and type. Validate un trusted input passed to your data access methods. When constructing SQL queries, use type safe SQL parameters. Avoid Dynamic SQL that accepts user input. Be aware of SQL Injections. Talal A. Alsubaie SFDA

Database Programming Keep the connection string in web.config: Web.config is a XML file that stores configuration settings for an ASP.NET application. Why would you want to keep your database connection strings in the Web.config file? Easier maintenance and deployment. Use CustomErrors and keep the mode = “On”. Disable trace for production; else take a look at “ trace.axd ”. Disable Debugging. The Web.Config is not accessible by the server. “ You can read it using the file system ”. The .NET framework will take care of web.config security. Talal A. Alsubaie SFDA

Database Programming Never store sensitive data in clear-text within a database: No application is 100% secure. The attacker can enter your database without using your application. The attacker can use MS SQL Server Management Studio or use his own application to enter your database. Talal A. Alsubaie SFDA

Database Programming Do not rely on Client Side validation: Client side validation can easily bypassed. What if the user disables JavaScript?! Use client side validation plus server side validation. Talal A. Alsubaie SFDA

Database Programming Validate input for length, range, format, and type: Do not trust user input. Attacker can pass malicious input. i.e. SQL Injections. Use Regex class to validate input. (Regular Expressions). For example an E-mail regular expression is: [A-Za-z] + [A-Za-z0-9_.-]* @ [A-Za-z0-9-]+ . [A-Za-z]{2,3} Take a look at: http://regexlib.com Talal A. Alsubaie SFDA

Database Programming What is a SQL Injection Attack? Many web applications take user input from a form. Often this user input is used literally in the construction of a SQL query submitted to a database. For example: SELECT productdata FROM products WHERE productname = ‘ user input product name ’; A SQL injection attack involves placing SQL statements in the user input. Talal A. Alsubaie SFDA

Database Programming SQL Injections: Database layer vulnerability. Characters like ’ and ; have special meaning to SQL engine. Attacker can benefit of: Unauthorized data access. Execute arbitrary commands. RFID Injections: What if a clever person doctored a tag to include extra characters in that item number? Talal A. Alsubaie SFDA

Database Programming When constructing SQL queries, use type safe SQL parameters : Use type safe SQL parameters to avoid possible SQL injection attacks that can occur with unfiltered input. You can use type safe parameters with stored procedures and with dynamic SQL statements. Parameters are also checked for type and length. using System.Data; using System.Data.SqlClient; using (SqlConnection connection = new SqlConnection(connectionString)) { DataSet userDataset = new DataSet(); SqlDataAdapter myCommand = new SqlDataAdapter(“LoginStoredProcedure", connection); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11); myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text; myCommand.Fill(userDataset); } Talal A. Alsubaie SFDA

Database Programming Avoid Dynamic SQL that accepts user input: Avoid constructing SQL queries in code that include user input. instead, prefer parameterized store procedures that use type safe SQL parameters. If you construct queries dynamically using user input, your code is susceptible to SQL injection. Talal A. Alsubaie SFDA // Use dynamic SQL SqlDataAdapter myCommand = new SqlDataAdapter( "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'", myConnection); SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE HR--'

Database Programming Conclusion: Do not trust any input data. Use Regular Expressions to validate data. Use parameterized SQL input. Don’t interact with database directly; instead use stored procedures. Talal A. Alsubaie SFDA

Cascading Style Sheets CSS Talal A. Alsubaie SFDA

Cascading Style Sheets (CSS) CSS stands for Cascading Style Sheets. Styles define how to display HTML elements. Styles are normally stored in Style Sheets. External Style Sheets can save you a lot of work. External Style Sheets are stored in CSS files. Multiple style definitions will cascade into one. Separating the content and presentation. Talal A. Alsubaie SFDA

Cascading Style Sheets (CSS) selector {property: value;} Selector: The HTML element you wish to define. Property: Attribute you wish to change. Value: Value the property takes. Talal A. Alsubaie SFDA

Cascading Style Sheets (CSS) What style will be used when there is more than one style specified for an HTML element? Generally speaking we can say that all the styles will "cascade" into a new "virtual" style sheet by the following rules, where number four has the highest priority: Browser default. External style sheet. Internal style sheet (inside the <head> tag). Inline style (inside an HTML element). Talal A. Alsubaie SFDA

Cascading Style Sheets (CSS) How can you use CSS files? Create a .CSS file. Enter your CSS code. In your .HTML or .ASPX page add: <link rel="stylesheet" href=“ css_file_path.css " type="text/css"/> inside your head tag. For example: <head> <title> My Title </title> <link rel="stylesheet" href="MyStyle.css" type="text/css" /> </head> Talal A. Alsubaie SFDA

Cascading Style Sheets (CSS) Benefits of Cascading Style Sheets: Separate content from presentation. Look and feel consistency. Web site maintenance. Talal A. Alsubaie SFDA

Exception Handling Talal A. Alsubaie SFDA

Exception Handling Exceptions are: Error that occurs at execution time. Abnormal termination of program. Wrong execution result. Exception handling: is a programming language construct mechanism designed to handle the occurrence of some condition that changes the normal flow of execution. Talal A. Alsubaie SFDA

Exception Handling Talal A. Alsubaie SFDA Syntax: Try { //Code that may raise exception. } Catch (Exception1 e){ //Case Exception1 occurs. } Catch (Exception2 e){ //Case Exception2 occurs. } Else { //Case other exception occurs. } Finally { //Code to be executed after exception occurs. }

Exception Handling In Exceptions: Plan for the worst. Don’t trust external data. Don’t trust other systems: Databases, or other applications. The only reliable devices are: the screen, the mouse and keyboard. Writes can fail, too. (Space, Privileges, Physical fault…). Don't put important exception information on the Message field. (Security). Don't ever swallow exceptions. Cleanup code should be put in finally blocks. Talal A. Alsubaie SFDA

Exception Handling Objectives: Making safer program by providing special mechanism. Keeps your program running. Don’t scare the user with technical errors. Talal A. Alsubaie SFDA

Thank you Talal Abdullah Alsubaie [email_address] IT Department Saudi Food and Drugs Authority Talal A. Alsubaie SFDA

Selected Topics ASP.NET2

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Selected Topics ASP.NET2 (20)

More from Talal Alsubaie (9)

Recently uploaded (20)

Selected Topics ASP.NET2