Selected Topics ASP.NET2
Slide 1: Tips and Tricks in ASP.NET 2.0 Development
Talal Abdullah Alsubaie, Programmer, IT Department, Saudi Food and Drugs Authority
Talal A. Alsubaie SFDA
Slide 2: Tips and Tricks in ASP.NET 2.0 Development
- This presentation aims to give us (developers) better knowledge of development in the MS ASP.NET 2.0 environment.
- Knowing some tips and tricks in ASP.NET 2.0 programming.
- The main goal is to enhance:
  - Security.
  - Availability.
  - Integrity.
  - Usability.
  - Performance.
Slide 3: Tips and Tricks in ASP.NET 2.0 Development
- We will cover some topics in this presentation, such as:
  - N-Tier Architecture.
  - CSS (Cascading Style Sheets) pages.
  - Database Programming.
  - Exception Handling.
Slide 4: N-Tier Architecture
Slide 5: N-Tier Architecture
- An N-Tier architecture is a development method in which the user interface, functional process logic, data storage, and data access are developed and maintained as independent modules (http://en.wikipedia.org/wiki/N_tier).
- The N-Tier architecture is based on the concept of separating a system into different layers (usually 3). Each layer interacts only with the layer directly below it, and has a specific function that it is responsible for.
- It is considered a software design pattern.
- N-Tier provides reusability, scalability, and maintainability.
- Web development often uses the 3-Tier model.
- A Three-Tier model has:
  - Presentation Tier.
  - Business Tier.
  - Data Tier.
Slide 6: [Diagram: a "Get Salary Total" request flows down through the tiers as "Get Last Year Salaries" and then a "Query" to the Database; the results (Salary 1, Salary 2, Salary 3) flow back up, are combined in "Add Salary Together", and the result ends in "Display Total".]
Slide 7: N-Tier Architecture
- One of the common mistakes is tightly coupling the layers and writing business logic in the presentation tier.
Slide 8: Database Programming
Slide 9: Database Programming
- You have many things to think about.
Slide 10: Database Programming
- Things to keep in mind:
  - Keep the connection string in web.config.
  - Never store sensitive data in clear text within a database.
  - Do not rely on client-side validation.
  - Validate input for length, range, format, and type.
  - Validate untrusted input passed to your data access methods.
  - When constructing SQL queries, use type-safe SQL parameters.
  - Avoid dynamic SQL that accepts user input.
  - Be aware of SQL injections.
Slide 11: Database Programming
- Keep the connection string in web.config:
  - Web.config is an XML file that stores configuration settings for an ASP.NET application.
  - Why would you want to keep your database connection strings in the Web.config file?
    - Easier maintenance and deployment.
  - Use CustomErrors and keep the mode = "On".
  - Disable trace for production; otherwise take a look at "trace.axd".
  - Disable debugging.
  - Web.config is not served to clients by the web server ("you can read it using the file system").
  - The .NET framework will take care of web.config security.
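A start-up guard that enforces the three web.config settings listed on this slide (customErrors on, trace off, debugging off) and reads the connection string by name, as an added C# example that is not part of the presentation. It uses the `System.Web.Configuration` section classes that exist in ASP.NET 2.0; the connection-string name "SfdaDb" and the decision to accept `RemoteOnly` as well as `On` (both hide error detail from remote clients) are assumptions of this example.

```csharp
// Added example (not from the presentation): refuse to start with the
// settings slide 11 warns about. Call ProductionConfigGuard.Verify() from
// Application_Start in Global.asax. Assumed web.config (constructed):
//   <compilation debug="false" />
//   <customErrors mode="On" defaultRedirect="~/Error.aspx" />
//   <trace enabled="false" />
//   <connectionStrings><add name="SfdaDb" connectionString="..." /></connectionStrings>
using System;
using System.Configuration;
using System.Web.Configuration;

public static class ProductionConfigGuard
{
    public static void Verify()
    {
        CompilationSection compilation =
            (CompilationSection)WebConfigurationManager.GetSection("system.web/compilation");
        CustomErrorsSection customErrors =
            (CustomErrorsSection)WebConfigurationManager.GetSection("system.web/customErrors");
        TraceSection trace =
            (TraceSection)WebConfigurationManager.GetSection("system.web/trace");

        // <compilation debug="true"> builds debug code and lifts request timeouts.
        if (compilation != null && compilation.Debug)
            throw new ConfigurationErrorsException(
                "web.config: <compilation debug> must be false in production.");

        // <customErrors mode="Off"> sends stack traces and connection details to the browser.
        if (customErrors == null || customErrors.Mode == CustomErrorsMode.Off)
            throw new ConfigurationErrorsException(
                "web.config: <customErrors> mode must be On (or RemoteOnly).");

        // <trace enabled="true"> exposes request and session data through trace.axd.
        if (trace != null && trace.Enabled)
            throw new ConfigurationErrorsException(
                "web.config: <trace> must be disabled in production.");

        // The connection string is looked up by name, never hard-coded in page code.
        ConnectionStringSettings db = WebConfigurationManager.ConnectionStrings["SfdaDb"];
        if (db == null || db.ConnectionString.Length == 0)
            throw new ConfigurationErrorsException(
                "web.config: connectionStrings/SfdaDb is missing.");
    }
}
```

Throwing from `Application_Start` keeps the application from serving any request until the configuration is corrected, which is preferable to discovering a `debug="true"` deployment from the error pages it produces.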
Slide 12: Database Programming
- Never store sensitive data in clear text within a database:
  - No application is 100% secure.
  - The attacker can enter your database without using your application.
  - The attacker can use MS SQL Server Management Studio or his own application to enter your database.
Slide 13: Database Programming
- Do not rely on client-side validation:
  - Client-side validation can easily be bypassed.
  - What if the user disables JavaScript?!
  - Use client-side validation plus server-side validation.
Slide 14: Database Programming
- Validate input for length, range, format, and type:
  - Do not trust user input.
  - An attacker can pass malicious input, e.g. SQL injections.
  - Use the Regex class (regular expressions) to validate input.
  - For example, an e-mail regular expression is:
    `[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+\.[A-Za-z]{2,3}`
  - Take a look at: http://regexlib.com
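Server-side checks for length, range, format and type that run whether or not the browser executed any JavaScript, covering slides 13 and 14, as an added C# example that is not part of the presentation. It uses the slide's e-mail pattern with `^` and `$` anchors added (without them the regex accepts any string that merely contains an address); the control names, the 100-character limit and the age interval are assumptions of this example.

```csharp
// Added example (not from the presentation): server-side validation of
// length, range, format and type. Assumed controls: EmailTextBox, AgeTextBox,
// ErrorLabel; assumed limits: 100 characters, age 18..120.
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public static class InputRules
{
    // Anchored version of the slide's e-mail pattern.
    private static readonly Regex EmailPattern = new Regex(
        @"^[A-Za-z]+[A-Za-z0-9_.-]*@[A-Za-z0-9-]+\.[A-Za-z]{2,3}$");

    // Format check, preceded by a length check that also bounds the regex work.
    public static bool IsValidEmail(string value)
    {
        return value != null && value.Length <= 100 && EmailPattern.IsMatch(value);
    }

    // Type and range: parse as an integer, then check the allowed interval.
    public static bool TryParseAge(string text, out int age)
    {
        return int.TryParse(text, out age) && age >= 18 && age <= 120;
    }
}

public partial class RegisterPage : Page
{
    // Normally generated from the .aspx markup; declared here so the class
    // compiles on its own.
    protected TextBox EmailTextBox;
    protected TextBox AgeTextBox;
    protected Label ErrorLabel;

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Validator controls also run on the server, but only this check
        // makes the page act on their result; omitting it is the
        // "client side only" mistake of slide 13.
        if (!Page.IsValid) return;

        int age;
        if (!InputRules.IsValidEmail(EmailTextBox.Text) ||
            !InputRules.TryParseAge(AgeTextBox.Text, out age))
        {
            ErrorLabel.Text = "Please check the e-mail address and age you entered.";
            return;
        }

        // Only validated, typed values (a string that matched the pattern and
        // an int within range) are passed on to the business tier from here.
        ErrorLabel.Text = "";
    }
}
```

Passing `age` on as an `int` rather than as the original text is the "type" part of the slide: the data access code below it receives a value that cannot carry SQL characters at all.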
Slide 15: Database Programming
- What is a SQL Injection Attack?
  - Many web applications take user input from a form.
  - Often this user input is used literally in the construction of a SQL query submitted to a database. For example:
    ```sql
    SELECT productdata FROM products WHERE productname = '<user input product name>';
    ```
  - A SQL injection attack involves placing SQL statements in the user input.
Slide 16: Database Programming
- SQL Injections:
  - Database layer vulnerability.
  - Characters like ' and ; have special meaning to the SQL engine.
  - The attacker can benefit from:
    - Unauthorized data access.
    - Execution of arbitrary commands.
- RFID Injections:
  - What if a clever person doctored a tag to include extra characters in that item number?
Slide 17: Demo
Slide 18: Database Programming
- When constructing SQL queries, use type-safe SQL parameters:
  - Use type-safe SQL parameters to avoid possible SQL injection attacks that can occur with unfiltered input.
  - You can use type-safe parameters with stored procedures and with dynamic SQL statements.
  - Parameters are also checked for type and length.

```csharp
using System.Data;
using System.Data.SqlClient;

// connectionString and the SSN text box are defined elsewhere in the page.
using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myCommand =
        new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Typed, length-limited parameter: the value is never spliced into SQL text.
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}
```
Slide 19: Database Programming
- Avoid dynamic SQL that accepts user input:
  - Avoid constructing SQL queries in code that include user input.
  - Instead, prefer parameterized stored procedures that use type-safe SQL parameters.
  - If you construct queries dynamically using user input, your code is susceptible to SQL injection.

```csharp
// Use dynamic SQL (vulnerable: the text box value becomes part of the query text)
SqlDataAdapter myCommand = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM authors WHERE au_id = '" + SSN.Text + "'", myConnection);
```

The query the database receives when the input is `'; DROP DATABASE HR--`:

```sql
SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE HR--'
```
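Slide 18 shows parameters with a stored procedure and says they also work with dynamic SQL statements; the following added C# example (not code from the presentation) shows that second case on the product lookup of slide 15, with the string-built version of slide 19 beside it so the difference in how the same input is treated is visible. The connection-string name "CatalogDb" and the 50-character column length are assumptions; table and column names follow slide 15.

```csharp
// Added example (not from the presentation): the slide-15 query built two ways.
// Assumed: connection string "CatalogDb", productname is at most 50 characters.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ProductQueries
{
    private static readonly string ConnectionString =
        ConfigurationManager.ConnectionStrings["CatalogDb"].ConnectionString;

    // VULNERABLE (the slide-19 pattern): the input is spliced into the SQL
    // text, so a quote character in it ends the literal and the rest of the
    // input is parsed as SQL.
    public static DataTable FindProductUnsafe(string productName)
    {
        string sql = "SELECT productdata FROM products WHERE productname = '" + productName + "'";
        using (SqlDataAdapter adapter = new SqlDataAdapter(sql, ConnectionString))
        {
            DataTable result = new DataTable();
            adapter.Fill(result);
            return result;
        }
    }

    // SAFE: the SQL text is a constant; the value travels separately as a
    // typed, length-limited parameter. The same input is then just an unusual
    // product name that matches no row.
    public static DataTable FindProduct(string productName)
    {
        using (SqlConnection connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = new SqlCommand(
            "SELECT productdata FROM products WHERE productname = @productName", connection))
        {
            command.Parameters.Add("@productName", SqlDbType.NVarChar, 50).Value = productName;
            using (SqlDataAdapter adapter = new SqlDataAdapter(command))
            {
                DataTable result = new DataTable();
                adapter.Fill(result);
                return result;
            }
        }
    }
}
```

The review rule that follows from this: any string concatenation or `String.Format` whose result is handed to a `SqlCommand` or `SqlDataAdapter` constructor is a finding, regardless of how the input was validated earlier, because validation and parameterization guard against different mistakes.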
Slide 20: Database Programming
- Conclusion:
  - Do not trust any input data.
  - Use regular expressions to validate data.
  - Use parameterized SQL input.
  - Don't interact with the database directly; instead use stored procedures.
Slide 21: Cascading Style Sheets (CSS)
Slide 22: Cascading Style Sheets (CSS)
- CSS stands for Cascading Style Sheets.
- Styles define how to display HTML elements.
- Styles are normally stored in style sheets.
- External style sheets can save you a lot of work.
- External style sheets are stored in CSS files.
- Multiple style definitions will cascade into one.
- Separating the content from the presentation.
Slide 23: Cascading Style Sheets (CSS)
```css
selector {property: value;}
```
- Selector: the HTML element you wish to define.
- Property: the attribute you wish to change.
- Value: the value the property takes.
Slide 24: Cascading Style Sheets (CSS)
- What style will be used when there is more than one style specified for an HTML element?
  - Generally speaking we can say that all the styles will "cascade" into a new "virtual" style sheet by the following rules, where number four has the highest priority:
    1. Browser default.
    2. External style sheet.
    3. Internal style sheet (inside the <head> tag).
    4. Inline style (inside an HTML element).
Slide 25: Demo
Slide 26: Cascading Style Sheets (CSS)
- How can you use CSS files?
  - Create a .CSS file.
  - Enter your CSS code.
  - In your .HTML or .ASPX page, inside your head tag, add:
    ```html
    <link rel="stylesheet" href="css_file_path.css" type="text/css"/>
    ```
  - For example:
    ```html
    <head>
    <title> My Title </title>
    <link rel="stylesheet" href="MyStyle.css" type="text/css" />
    </head>
    ```
Slide 27: Cascading Style Sheets (CSS)
- Benefits of Cascading Style Sheets:
  - Separate content from presentation.
  - Look-and-feel consistency.
  - Web site maintenance.
Slide 28: Exception Handling
Slide 29: Exception Handling
- Exceptions are:
  - Errors that occur at execution time.
  - Abnormal termination of a program.
  - Wrong execution results.
- Exception handling is a programming language construct or mechanism designed to handle the occurrence of some condition that changes the normal flow of execution.
Slide 30: Exception Handling
- Syntax (Exception1 and Exception2 stand for concrete exception types; the most specific catch blocks come first):

```csharp
try
{
    // Code that may raise an exception.
}
catch (Exception1 e)
{
    // Case Exception1 occurs.
}
catch (Exception2 e)
{
    // Case Exception2 occurs.
}
catch (Exception e)
{
    // Case any other exception occurs. C# has no "else" for try/catch;
    // a final catch of the base Exception type plays that role.
}
finally
{
    // Code that always runs, whether or not an exception occurred.
}
```
Slide 31: Exception Handling
- In exceptions:
  - Plan for the worst.
  - Don't trust external data.
  - Don't trust other systems:
    - Databases, or other applications.
  - The only reliable devices are the screen, the mouse and the keyboard.
  - Writes can fail, too (space, privileges, physical fault...).
  - Don't put important exception information in the Message field (security).
  - Don't ever swallow exceptions.
  - Cleanup code should be put in finally blocks.
Slide 32: Exception Handling
- Objectives:
  - Making programs safer by providing a special mechanism.
  - Keeping your program running.
  - Not scaring the user with technical errors.
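A data-access call that follows the rules of slides 31 and 32 together: full exception detail is logged on the server, the user sees a generic message, nothing is swallowed, and the connection is released in `finally`. This is an added C# example, not code from the presentation; the connection-string name "CasesDb", the Cases table, the event-log source name "SfdaWebApp" (which has to be registered on the server once) and the page controls are assumptions.

```csharp
// Added example (not from the presentation): log the detail, show the user a
// safe message, never swallow, clean up in finally (slides 31 and 32).
// Assumed: connection string "CasesDb", table Cases(Closed), event source
// "SfdaWebApp", page control ResultLabel.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Web.UI.WebControls;

// The Message of this type is written to be shown to users; the technical
// detail stays in InnerException for the server log.
public class ReportUnavailableException : Exception
{
    public ReportUnavailableException(string userMessage, Exception inner)
        : base(userMessage, inner) { }
}

public static class ReportData
{
    public static int CountOpenCases()
    {
        SqlConnection connection = new SqlConnection(
            ConfigurationManager.ConnectionStrings["CasesDb"].ConnectionString);
        try
        {
            connection.Open();
            using (SqlCommand command = new SqlCommand(
                "SELECT COUNT(*) FROM Cases WHERE Closed = 0", connection))
            {
                return (int)command.ExecuteScalar();
            }
        }
        catch (SqlException ex)
        {
            // Server name, SQL error number and stack trace go to the server
            // log only; ToString() includes all of them.
            EventLog.WriteEntry("SfdaWebApp", "CountOpenCases failed: " + ex.ToString(),
                EventLogEntryType.Error);
            // Not swallowed: re-thrown with a message that is safe to display.
            throw new ReportUnavailableException(
                "The report is temporarily unavailable. Please try again later.", ex);
        }
        finally
        {
            // Runs whether the query succeeded or threw, so no connection leaks.
            connection.Close();
        }
    }
}

public partial class ReportPage : System.Web.UI.Page
{
    protected Label ResultLabel;  // normally generated from the .aspx markup

    protected void Page_Load(object sender, EventArgs e)
    {
        try
        {
            ResultLabel.Text = ReportData.CountOpenCases().ToString();
        }
        catch (ReportUnavailableException ex)
        {
            // Only the user-facing message reaches the browser.
            ResultLabel.Text = ex.Message;
        }
        // Any other exception propagates to the customErrors page rather than
        // being caught and ignored here.
    }
}
```

The split into two exception types is what makes "don't put important information in the Message field" and "don't scare the user" compatible: the page can show `ex.Message` precisely because that message was authored for display, while the `SqlException` that carries the real detail never leaves the data tier except through the log.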
Slide 33: Demo
Slide 34: Q & A
Slide 35: Thank you
Talal Abdullah Alsubaie, [email_address], IT Department, Saudi Food and Drugs Authority