Selected Topics ASP.NET2
Selected Topics ASP.NET2: Presentation Transcript

  • Tips and Tricks in ASP.NET 2.0 Development
    Talal Abdullah Alsubaie, Programmer, IT Department, Saudi Food and Drugs Authority
    Talal A. Alsubaie SFDA
  • Tips and Tricks in ASP.NET 2.0 Development
    • This presentation aims to give us (developers) better knowledge of development in the MS ASP.NET 2.0 environment.
    • It covers some tips and tricks in ASP.NET 2.0 programming.
    • The main goal is to enhance:
      • Security.
      • Availability.
      • Integrity.
      • Usability.
      • Performance.
  • Tips and Tricks in ASP.NET 2.0 Development
    • We will cover the following topics in this presentation:
      • N-Tier Architecture.
      • CSS (Cascading Style Sheets) pages.
      • Database Programming.
      • Exception Handling.
  • N-Tier Architecture
  • N-Tier Architecture
    • An N-Tier architecture is a design approach in which the user interface, functional process logic, data storage, and data access are developed and maintained as independent modules. (http://en.wikipedia.org/wiki/N_tier)
    • The N-Tier architecture is based on separating a system into different layers (usually three). Each layer interacts only with the layer directly below it and has a specific function it is responsible for.
    • It is considered a software design pattern.
    • N-Tier provides reusability, scalability and maintainability.
    • Web development often uses the 3-Tier model.
    • A Three-Tier model has:
      • Presentation Tier.
      • Business Tier.
      • Data Tier.
  • [Diagram: a salary-total request flowing through the tiers. Labels on the slide: Get Salary Total, Get Last Year Salaries, Query, Database, Salary 1, Salary 2, Salary 3, Add Salary Together, Display Total.]
  • N-Tier Architecture
    • One of the common mistakes is tightly coupling the layers, for example writing business logic, or database queries, directly in the presentation tier (the page code-behind).
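The salary flow from the diagram, written as three separate tiers. This is an added example, not code from the original slides; the Salary table and its columns, the "HR" connection-string name, and the control names EmployeeIdTextBox and TotalLabel are assumptions for illustration.

```csharp
// Added example (not from the original slides): the salary-total flow from the
// diagram split into the three tiers. The Salary table, its columns, the "HR"
// connection-string name and the control names are assumptions for illustration.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

// ---- Data tier: the only code that knows SQL or SqlClient ----
public interface ISalaryRepository
{
    IList<decimal> GetSalariesForYear(int employeeId, int year);
}

public class SqlSalaryRepository : ISalaryRepository
{
    private readonly string _connectionString;

    public SqlSalaryRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    public IList<decimal> GetSalariesForYear(int employeeId, int year)
    {
        List<decimal> salaries = new List<decimal>();
        using (SqlConnection connection = new SqlConnection(_connectionString))
        using (SqlCommand command = new SqlCommand(
            "SELECT Amount FROM Salary WHERE EmployeeId = @employeeId AND PayYear = @year",
            connection))
        {
            // Typed parameters: the values never become part of the SQL text.
            command.Parameters.Add("@employeeId", SqlDbType.Int).Value = employeeId;
            command.Parameters.Add("@year", SqlDbType.Int).Value = year;
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                    salaries.Add(reader.GetDecimal(0));
            }
        }
        return salaries;
    }
}

// ---- Business tier: the rule "add last year's salaries together" ----
// It depends on the interface only, so it can be unit-tested with a fake repository.
public class SalaryService
{
    private readonly ISalaryRepository _repository;

    public SalaryService(ISalaryRepository repository)
    {
        _repository = repository;
    }

    public decimal GetLastYearTotal(int employeeId)
    {
        if (employeeId <= 0)
            throw new ArgumentOutOfRangeException("employeeId");
        int lastYear = DateTime.Today.Year - 1;
        decimal total = 0m;
        foreach (decimal salary in _repository.GetSalariesForYear(employeeId, lastYear))
            total += salary;
        return total;
    }
}

// ---- Presentation tier: page code-behind; no SQL and no arithmetic here ----
// EmployeeIdTextBox and TotalLabel are declared in the page's designer file.
public partial class SalaryPage : Page
{
    protected void ShowTotalButton_Click(object sender, EventArgs e)
    {
        int employeeId;
        if (!int.TryParse(EmployeeIdTextBox.Text, out employeeId))
        {
            TotalLabel.Text = "Please enter a numeric employee id.";
            return;
        }
        string connectionString =
            ConfigurationManager.ConnectionStrings["HR"].ConnectionString;
        SalaryService service = new SalaryService(new SqlSalaryRepository(connectionString));
        TotalLabel.Text = service.GetLastYearTotal(employeeId).ToString("C");
    }
}
```

The page only parses the form field and renders a result; the arithmetic lives in SalaryService, and only SqlSalaryRepository knows there is a database at all. Swapping the data store, or testing the business rule without one, then touches a single class.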
  • Database Programming
  • Database Programming
      • You have many things to think about.
  • Database Programming
      • Things to keep in mind:
        • Keep the connection string in web.config.
        • Never store sensitive data in clear text within a database.
        • Do not rely on client-side validation.
        • Validate input for length, range, format, and type.
        • Validate untrusted input passed to your data access methods.
        • When constructing SQL queries, use type-safe SQL parameters.
        • Avoid dynamic SQL that accepts user input.
        • Be aware of SQL injection.
  • Database Programming
        • Keep the connection string in web.config:
          • Web.config is an XML file that stores configuration settings for an ASP.NET application.
          • Why would you want to keep your database connection strings in the web.config file?
            • Easier maintenance and deployment (changing a server name needs no recompilation).
          • Use customErrors and keep mode="On" (or "RemoteOnly"), so visitors never see stack traces or SQL error text.
          • Disable trace for production; otherwise anyone can take a look at "trace.axd", which records the request, form, cookie and server variables of recent requests.
          • Disable debugging (compilation debug="false").
          • Web.config is not served over HTTP: ASP.NET maps it to a forbidden handler, so a browser request for it gets a 403. Anyone with access to the file system, however, can read it.
          • The .NET framework blocks HTTP access to web.config but does not protect its contents on disk; if other users of the server can read or copy the file, encrypt the connectionStrings section with protected configuration (aspnet_regiis -pe).
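A web.config fragment with the settings from this slide in their production form, as an added example rather than a file from the original presentation. The connection-string name "HR", the server and database names and the error page are placeholders.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the original slides). "HR", dbserver and Error.aspx are placeholders. -->
<configuration>
  <connectionStrings>
    <!-- Read in code with ConfigurationManager.ConnectionStrings["HR"].ConnectionString -->
    <add name="HR"
         connectionString="Data Source=dbserver;Initial Catalog=HR;Integrated Security=True"
         providerName="System.Data.SqlClient" />
  </connectionStrings>
  <system.web>
    <!-- On: every visitor gets the generic page. RemoteOnly: localhost still sees the details. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />
    <!-- trace.axd would otherwise list each request with its form, cookie and server variables. -->
    <trace enabled="false" />
    <!-- Debug builds are slower and put source line numbers into error output. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

To keep the connection string out of the file in clear text, run `aspnet_regiis -pe "connectionStrings" -app "/MyApp"` on the server (the application path is a placeholder). The section is encrypted with the machine's DPAPI key and `ConfigurationManager.ConnectionStrings` decrypts it transparently, so the application code does not change; only an account on that server can recover the value, and a copied web.config is useless elsewhere.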
  • Database Programming
      • Never store sensitive data in clear text within a database:
        • No application is 100% secure.
        • The attacker can enter your database without using your application.
        • The attacker can use MS SQL Server Management Studio, or his own application, to enter your database.
        • Hash passwords with a per-user salt; encrypt other secrets that must be read back.
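Password storage done the way the slide asks for, with classes that ship in .NET 2.0: a random salt, a slow key-derivation function, and a constant-time comparison at login. This is an added example, not code from the original presentation; the column layout (one Salt and one PasswordHash string per user) and the iteration count are assumptions.

```csharp
// Added example (not from the original slides): storing a password as a salted
// hash instead of clear text, using classes available in .NET 2.0.
// The two stored strings (Salt, PasswordHash) and the iteration count are assumptions.
using System;
using System.Security.Cryptography;

public static class PasswordStore
{
    private const int SaltSize = 16;      // bytes
    private const int HashSize = 32;      // bytes
    private const int Iterations = 10000; // raise over time as hardware gets faster

    // Call when the account is created or the password changes.
    // Store both strings. The salt is not secret; it makes every hash unique so
    // two users with the same password do not share a hash and rainbow tables fail.
    public static void CreateHash(string password, out string saltBase64, out string hashBase64)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);   // cryptographic random, not System.Random
        byte[] hash = Derive(password, salt);
        saltBase64 = Convert.ToBase64String(salt);
        hashBase64 = Convert.ToBase64String(hash);
    }

    // Call at login: recompute with the stored salt and compare in constant time.
    public static bool Verify(string password, string saltBase64, string hashBase64)
    {
        byte[] salt = Convert.FromBase64String(saltBase64);
        byte[] expected = Convert.FromBase64String(hashBase64);
        byte[] actual = Derive(password, salt);
        return FixedTimeEquals(expected, actual);
    }

    // PBKDF2 (HMAC-SHA1) as implemented by Rfc2898DeriveBytes; the iteration count
    // makes each guess expensive for an attacker who has the table.
    private static byte[] Derive(string password, byte[] salt)
    {
        Rfc2898DeriveBytes kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashSize);
    }

    // Avoids a timing difference that would reveal how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage from a page (control and column names are assumptions):
//   string salt, hash;
//   PasswordStore.CreateHash(PasswordTextBox.Text, out salt, out hash);   // INSERT both columns
//   bool ok = PasswordStore.Verify(PasswordTextBox.Text, storedSalt, storedHash);
```

An attacker who reads the table with Management Studio, as the slide describes, gets salts and hashes, not passwords, and has to brute-force each account separately at ten thousand PBKDF2 iterations per guess. Data that must be read back (an API key, a document) cannot be hashed; encrypt it instead, and keep the key outside the database.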
  • Database Programming
      • Do not rely on client-side validation:
        • Client-side validation can easily be bypassed.
        • What if the user disables JavaScript? Or sends the request with a tool that never runs your script at all?
        • Use client-side validation plus server-side validation; only the server-side check protects the application.
  • Database Programming
      • Validate input for length, range, format, and type:
        • Do not trust user input.
        • An attacker can pass malicious input, e.g. a SQL injection payload.
        • Use the Regex class to validate input (regular expressions).
        • For example, an e-mail regular expression is:
          • ^[A-Za-z][A-Za-z0-9_.-]*@[A-Za-z0-9-]+\.[A-Za-z]{2,3}$
          • The ^ and $ anchors matter: without them the pattern only has to match somewhere inside the input, so a payload with a valid-looking address embedded in it would pass. The dot before the top-level domain is escaped because an unescaped . matches any character.
        • Take a look at:
          • http://regexlib.com
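The two slides above (client-side validation is not enough; validate format, length and type on the server) in one piece of code. This is an added example, not code from the original presentation: the same e-mail rule is enforced by a RegularExpressionValidator, which also emits the client-side script, and again in code-behind so a request that never ran the JavaScript is still checked. The control names EmailTextBox, EmailValidator and ErrorLabel are assumptions, and the pattern uses {2,} instead of the slide's {2,3} so that top-level domains longer than three letters are accepted.

```csharp
// Added example (not from the original slides): one e-mail rule enforced by a
// validator control (which also emits client-side script) and again in code-behind,
// so a request that never ran the JavaScript is still checked. Control names
// (EmailTextBox, EmailValidator, ErrorLabel) are assumptions.
//
// Markup on the .aspx page (for reference):
//   <asp:TextBox ID="EmailTextBox" runat="server" MaxLength="254" />
//   <asp:RegularExpressionValidator ID="EmailValidator" runat="server"
//        ControlToValidate="EmailTextBox" Display="Dynamic"
//        ValidationExpression="^[A-Za-z][A-Za-z0-9_.-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$"
//        ErrorMessage="Please enter a valid e-mail address." />
using System;
using System.Text.RegularExpressions;
using System.Web.UI;

public static class InputRules
{
    // Anchored with ^ and $: without them "x@y.com'; DROP TABLE users--" would pass,
    // because the pattern only has to match a substring. {2,} instead of the slide's
    // {2,3} accepts top-level domains longer than three letters.
    public static readonly Regex Email = new Regex(
        @"^[A-Za-z][A-Za-z0-9_.-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$");

    public const int EmailMaxLength = 254;

    // Length, format and type in one place; every code path that accepts an address
    // (web form, web service, import job) should call this, not only the page.
    public static bool IsValidEmail(string value)
    {
        if (value == null) return false;
        value = value.Trim();
        if (value.Length == 0 || value.Length > EmailMaxLength) return false;
        return Email.IsMatch(value);
    }
}

public partial class RegisterPage : Page
{
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // A button with CausesValidation="true" (the default) has already run the
        // validators on the server; calling Validate() again is harmless and explicit.
        Page.Validate();
        if (!Page.IsValid) return;

        // Second line of defence, independent of how the validator is wired up:
        // it also enforces the length, which RegularExpressionValidator does not.
        string email = EmailTextBox.Text;
        if (!InputRules.IsValidEmail(email))
        {
            ErrorLabel.Text = "Please enter a valid e-mail address.";
            return;
        }

        // email.Trim() is now safe to hand to the business tier; still pass it to the
        // database as a SQL parameter, never concatenated into a query.
    }
}
```

Two details worth knowing: a RegularExpressionValidator treats an empty field as valid, so pair it with a RequiredFieldValidator when the value is mandatory; and the server-side validators only run when the page reaches `Page.IsValid`, which is why the explicit check in `InputRules` exists for code paths that are not button clicks.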
  • Database Programming
    • What is a SQL injection attack?
      • Many web applications take user input from a form.
      • Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
      • SELECT productdata FROM products WHERE productname = 'user input product name';
      • A SQL injection attack involves placing SQL statements in the user input, so that the input changes the structure of the query instead of being treated as a plain value.
  • Database Programming
      • SQL injection:
        • A flaw in the application code that builds the query; the damage is done in the database layer.
        • Characters like ' and ; have special meaning to the SQL engine.
        • The attacker can gain:
          • Unauthorized data access.
          • Execution of arbitrary commands.
      • RFID injection:
        • What if a clever person doctored a tag to include extra characters in that item number? Any input source, not only a web form, can carry an injection payload.
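The products query from the slides, first built by string concatenation and then parameterized, with the exact statement each payload produces. This is an added example, not code from the original presentation; the input strings are constructed for the demonstration and the table and column names follow the slide.

```csharp
// Added example (not from the original slides): the products query from the slide,
// built by concatenation and then parameterized. The inputs are constructed for the
// demonstration; the table and column names follow the slide.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductLookup
{
    // VULNERABLE: the user's text is spliced into the SQL grammar.
    public static string BuildVulnerableQuery(string productName)
    {
        return "SELECT productdata FROM products WHERE productname = '" + productName + "';";
    }

    // SAFE: the statement text is constant; the value travels separately as a typed
    // parameter and can never close the quote or start a second statement.
    public static SqlCommand BuildSafeCommand(SqlConnection connection, string productName)
    {
        SqlCommand command = new SqlCommand(
            "SELECT productdata FROM products WHERE productname = @productname;", connection);
        // Size caps what is sent (SqlClient truncates longer strings silently), so enforce
        // the length during validation as well rather than relying on it here.
        command.Parameters.Add("@productname", SqlDbType.NVarChar, 100).Value = productName;
        return command;
    }

    // What the vulnerable builder produces for three inputs.
    public static void Demo()
    {
        // Ordinary input:
        Console.WriteLine(BuildVulnerableQuery("Widget"));
        // SELECT productdata FROM products WHERE productname = 'Widget';

        // Closes the string literal, adds an always-true condition, comments out the rest:
        Console.WriteLine(BuildVulnerableQuery("' OR 1=1 --"));
        // SELECT productdata FROM products WHERE productname = '' OR 1=1 --';
        // -> every row in the table comes back (unauthorized data access).

        // Ends the statement and starts another one, as in the slide's DROP example:
        Console.WriteLine(BuildVulnerableQuery("'; DROP TABLE products --"));
        // SELECT productdata FROM products WHERE productname = ''; DROP TABLE products --';
        // -> arbitrary command execution on the database.
    }
}
```

With `BuildSafeCommand` the same three inputs reach the server as the literal strings `Widget`, `' OR 1=1 --` and `'; DROP TABLE products --`, and the query simply finds no product by those names.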
  • Demo
  • Database Programming
      • When constructing SQL queries, use type-safe SQL parameters:
        • Use type-safe SQL parameters to avoid the SQL injection attacks that can occur with unfiltered input.
        • You can use type-safe parameters with stored procedures and with dynamic SQL statements.
        • Parameters are also checked for type and length.
        • Example (C#, connectionString and the SSN text box are page members):

          using System.Data;
          using System.Data.SqlClient;

          // Look the user up through a stored procedure. @au_id is a typed,
          // length-limited parameter, so whatever is in SSN.Text stays a value
          // and can never alter the statement.
          using (SqlConnection connection = new SqlConnection(connectionString))
          {
              DataSet userDataset = new DataSet();
              SqlDataAdapter myCommand =
                  new SqlDataAdapter("LoginStoredProcedure", connection);
              myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
              myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
              myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
              myCommand.Fill(userDataset);   // Fill opens and closes the connection itself
          }
  • Database Programming
      • Avoid dynamic SQL that accepts user input:
        • Avoid constructing SQL queries in code that include user input.
        • Instead, prefer parameterized stored procedures that use type-safe SQL parameters.
        • If you construct queries dynamically from user input, your code is susceptible to SQL injection.
        • The vulnerable form:

          // Use dynamic SQL: SSN.Text is pasted straight into the statement
          SqlDataAdapter myCommand = new SqlDataAdapter(
              "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'",
              myConnection);

        • With a crafted value in the SSN field, the statement sent to the server becomes:

          SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE HR--'
  • Database Programming
    • Conclusion:
      • Do not trust any input data.
      • Use regular expressions to validate data.
      • Use parameterized SQL input.
      • Don't interact with the database directly; instead use stored procedures. Note that a stored procedure is only as safe as its own code: one that builds a string from its arguments and runs it with EXEC is dynamic SQL in a different place.
  • Cascading Style Sheets (CSS)
  • Cascading Style Sheets (CSS)
    • CSS stands for Cascading Style Sheets.
    • Styles define how HTML elements are displayed.
    • Styles are normally stored in style sheets.
    • External style sheets can save you a lot of work.
    • External style sheets are stored in .css files.
    • Multiple style definitions cascade into one.
    • CSS separates content from presentation.
  • Cascading Style Sheets (CSS)
    • Syntax: selector {property: value;}
      • Selector: the HTML element you wish to define.
      • Property: the attribute you wish to change.
      • Value: the value the property takes.
  • Cascading Style Sheets (CSS)
    • What style will be used when there is more than one style specified for an HTML element?
      • Generally speaking, all the styles "cascade" into a new "virtual" style sheet by the following rules, where number four has the highest priority:
        • 1. Browser default.
        • 2. External style sheet.
        • 3. Internal style sheet (inside the <head> tag).
        • 4. Inline style (inside an HTML element).
      • Between rules at the same level, a more specific selector wins, and among equally specific rules the one declared last wins.
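The four levels of the cascade on one page, as an added example rather than a slide from the original presentation. It assumes an external file MyStyle.css containing the single rule `p { color: blue; }`.

```html
<!-- Added example (not from the original slides). Assumes MyStyle.css contains: p { color: blue; } -->
<!DOCTYPE html>
<html>
<head>
  <title>Cascade demo</title>
  <!-- Level 2, external style sheet: p { color: blue; } -->
  <link rel="stylesheet" href="MyStyle.css" type="text/css" />
  <!-- Level 3, internal style sheet, same selector, same specificity, declared later -->
  <style type="text/css">
    p { color: green; }
  </style>
</head>
<body>
  <!-- Level 4, inline style: this paragraph renders red -->
  <p style="color: red;">Inline red beats internal green beats external blue.</p>
  <!-- No inline style: this paragraph renders green -->
  <p>Internal green beats external blue.</p>
  <!-- Level 1 only: the browser default applies (black text, unless the user changed it) -->
  <div>No rule targets a div here, so the browser default applies.</div>
</body>
</html>
```

Swap the order of the `<link>` and `<style>` elements and the second paragraph turns blue, which is the "last one wins" part of the cascade; give the external sheet `#intro { color: blue; }` and an `id="intro"` paragraph stays blue despite the internal `p` rule, which is the specificity part.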
  • Demo
  • Cascading Style Sheets (CSS)
    • How can you use CSS files?
      • Create a .css file.
      • Enter your CSS code.
      • In your .html or .aspx page, inside the head tag, add:
        • <link rel="stylesheet" href="css_file_path.css" type="text/css" />
      • For example:

          <head>
            <title> My Title </title>
            <link rel="stylesheet" href="MyStyle.css" type="text/css" />
          </head>
  • Cascading Style Sheets (CSS)
    • Benefits of Cascading Style Sheets:
      • Separate content from presentation.
      • Look and feel consistency.
      • Web site maintenance.
  • Exception Handling
  • Exception Handling
      • Exceptions are:
        • Errors that occur at execution time.
        • Abnormal termination of the program.
        • Wrong execution results.
      • Exception handling is a programming-language mechanism designed to handle the occurrence of a condition that changes the normal flow of execution.
  • Exception Handling
      • Syntax (C#; catch blocks are tried in order, so the most specific type goes first):

          try
          {
              // Code that may raise an exception.
          }
          catch (Exception1 e)
          {
              // Runs if Exception1 occurs.
          }
          catch (Exception2 e)
          {
              // Runs if Exception2 occurs.
          }
          catch (Exception e)
          {
              // Runs if any other exception occurs (catch-all; list it last).
          }
          finally
          {
              // Runs whether or not an exception occurred; put cleanup here.
          }
  • Exception Handling
      • In exceptions:
        • Plan for the worst.
        • Don't trust external data.
        • Don't trust other systems:
          • Databases, or other applications.
        • The only reliable devices are the screen, the mouse and the keyboard.
        • Writes can fail, too (disk space, privileges, physical fault...).
        • Don't put important exception information in the message shown to the user (security): log the full detail on the server and show a generic message.
        • Don't ever swallow exceptions; an empty catch block hides the failure and leaves the application in an unknown state.
        • Cleanup code should be put in finally blocks.
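The rules on this slide applied to a single database call: full detail goes to the server log, the user sees a generic message, nothing is swallowed, and the cleanup sits in finally. This is an added example, not code from the original presentation; the products table, the "HR" connection string, the control names and the "MyApp" event-log source (which has to be registered once on the server) are assumptions.

```csharp
// Added example (not from the original slides): the rules above applied to one
// database call. The table and column names, the "HR" connection string, the
// control names and the "MyApp" event-log source are assumptions.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web.UI;

// Wraps the provider exception so callers above the data tier never see SQL details.
public class DataAccessException : Exception
{
    public DataAccessException(string message, Exception inner) : base(message, inner) { }
}

public static class ProductRepository
{
    public static string GetProductData(string connectionString, string productName)
    {
        SqlConnection connection = null;
        try
        {
            connection = new SqlConnection(connectionString);
            SqlCommand command = new SqlCommand(
                "SELECT productdata FROM products WHERE productname = @name", connection);
            command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = productName;
            connection.Open();
            object value = command.ExecuteScalar();
            return value == null || value == DBNull.Value ? null : (string)value;
        }
        catch (SqlException ex)
        {
            // Do not swallow: rethrow as a typed exception. The server name, SQL text and
            // error number travel in InnerException for the log, not in Message.
            throw new DataAccessException("Product lookup failed.", ex);
        }
        finally
        {
            // Runs whether the query succeeded or threw: the connection returns to the pool.
            if (connection != null) connection.Close();
        }
    }
}

public partial class ProductPage : Page
{
    protected void LookupButton_Click(object sender, EventArgs e)
    {
        string connectionString = ConfigurationManager.ConnectionStrings["HR"].ConnectionString;
        try
        {
            string data = ProductRepository.GetProductData(connectionString, ProductTextBox.Text);
            // Encode before rendering so database content cannot inject script into the page.
            ResultLabel.Text = Server.HtmlEncode(data ?? "(not found)");
        }
        catch (DataAccessException ex)
        {
            // ex.ToString() includes the inner SqlException and the stack trace: server side only.
            EventLog.WriteEntry("MyApp", ex.ToString(), EventLogEntryType.Error);
            // Generic text for the user; nothing copied from ex.Message or the inner exception.
            ResultLabel.Text = "The product could not be looked up right now. Please try again later.";
        }
        // Any other exception is deliberately not caught here: it reaches Application_Error
        // and the customErrors page instead of being hidden.
    }
}
```

The catch in the page is narrow on purpose. Catching `Exception` there and writing `ex.Message` into the label would both swallow unexpected failures and leak whatever the provider put in the message; letting them propagate keeps the customErrors page and the Application_Error log as the single place they end up.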
  • Exception Handling
    • Objectives:
        • Make the program safer by providing a dedicated mechanism for failures.
        • Keep your program running.
        • Don't scare the user with technical errors.
  • Demo
  • Q & A
  • Thank you. Talal Abdullah Alsubaie, [email_address], IT Department, Saudi Food and Drugs Authority