This is my personal blog. The views expressed on these pages are mine alone and not those of my employer.

Monday, 20 December 2010

Is Gmail dangerous?

To date Gmail is offering 7530+ MB of free storage space.  Of course thats nothing new and is a welcome relief to those who have used e-mail services in the past which restrict your storage.

However those restrictive e-mail services have one advantage that Gmail cannot possibly hope to offer; security by forced removal of data

Don't get me wrong, I'm an avid Gmail fan and love being able to search back through the months to find past communications. My gripe is that information is needlessly kept not for a set time but essentially forever.

"Great" some people might think, now I'll never lose anything and it will always be there for me again if I need it, but take a moment to think of it this way:

Almost every single part of your online identity - for the whole of the time you've been online - is usually contained within e-mails.  Thats right, those websites that e-mail you your password after registration, receipts from purchases and even notifications from social networking sites you're subscribed to (to name a few).

Not only that, but because users collect Usernames and Passwords like Pokemon, and all those are collected under your e-mail providers password, you're essentially keeping all your eggs in one big persistent security basket.

This opens a whole world of security problems such as detailed in Jeff Atwood's recent post. The best way to ensure information is secure, is to remove it.  Simple!  But without enforcing this, how many users will actually do it?

Tuesday, 5 October 2010

C# Conditional Operator ( ?: ) and Null-Coalescing Operator ( ?? )

After spending a couple of years in the software industry its becoming more and more apparent  to me just how little I actually know.  It seems that every time I learn something new, something groundbreaking, a new world of possibilities opens up.  One such event occurred today.

A little known operator (??) can do away with bulky if...else statements and tidy up the source code.  Suppose you want to assign something to a variable, but only want to do so if that value isn't null?  Its something I know I do pretty much every day, usually with code such as:

   1:  if (x != null)
   2:       {
   3:         y = x;
   4:       }
   5:       else
   6:       {
   7:         y = "";
   8:       }

This can be completely replaced with:

   1:  y = x ?? "";

How cool is that?

In addition a single (?) can be used as a boolean conditional operator, so instead of testing for null it can test for any boolean to be true.  For example:

   1:  y = x != null ? x : "";

This article was written because of inspiration from both here and here

I'm going to be using these quite a bit I think.

Monday, 13 September 2010

Preventing Arrow Code

One of my pet hates in software is arrow code, that is code that contains excessive nesting of conditional statements and loops.

Take a look at this unwieldy mess:

   1:  Private Sub returnCodes()
   2:          code.Items.Clear()
   3:          If IsNothing(mycls.Dates) = False Then
   4:              If mycls.Dates.Rows.Count <> 0 Then
   5:                  Dim myrow As DataRow
   6:                  Dim myindex As Integer
   7:                  For Each myrow In mycls.Dates.Rows
   8:                      If getId(Input.Text) = Trim(myrow("id")) Then
   9:                          For myindex = 0 To code.Items.Count - 1
  10:                              If Trim(code.Items(myindex)) = Trim(myrow("year")) Then
  11:                                  Exit For
  12:                              End If
  13:                          Next
  14:                          If code.Items.Count - 1 < myindex Then
  15:                              code.Items.Add(myrow("year"))
  16:                          Else
  17:                              If String.Compare(Trim(code.Items(myindex)), Trim(myrow("year")), True) <> 0 Then
  18:                                  code.Items.Add(myrow("year"))
  19:                              End If
  20:                          End If
  21:                      End If
  22:                  Next
  23:                  code.Sorted = True
  24:                  If code.Items.Count > 0 Then setCode(code.Items(0))
  25:              End If
  26:          End If
  27:      End Sub

Pretty ugly huh? A couple of problems with this:

There are a high number of distinct paths through the code
The amount paths through a section of code is directly correlated to the chance of it containing a bug.  You can't realistically test every single possible scenario on your code - its simply not possible, therefore the only answer is to reduce the possible paths your code can take.

Excessive looping
Loops use up resources - fact.  A piece of code that loops 5 times is quicker than a piece that loops 500.  It is therefore important to use looping carefully to efficiently use resources.

Its hard to debug
Chances are you won't be the only person who will have to read and understand your code. You might understand it fully when you write it, but what about a year down the line? What about your colleagues when you aren't about?

Coding like this will only contribute to a slower, harder to debug, error prone software.

So that I could ultimately understand and subsequently modify, I had to simplify it whilst also keeping in mind the above points.


   1:  Private Sub returnCodes()
   2:          code.Items.Clear()
   4:          If IsNothing(mycls.Dates) Then Exit Sub
   6:          Dim myrow As DataRow
   8:          For Each myrow In mycls.Dates.Rows
   9:              If getId(Input.Text) = Trim(myrow("id")) Then
  10:                  If Not code.Items.Contains(myrow("year")) Then
  11:                      code.Items.Add(myrow("year"))
  12:                  End If
  13:              End If
  14:          Next
  16:          code.Sorted = True
  18:          If code.Items.Count > 0 Then setCode(code.Items(0))
  20:      End Sub

Not only is the code easy to understand, I actually increased performance dramatically.  This process reduced loops from 2480 to 509

The most important lesson I've learnt is that there is simply no excuse for any good developer to submit code without  removing the unnecessary crap.  See this article for some of the hints on cleaning up your own code.

Tuesday, 31 August 2010

The difference between validation and verification

This one is kind of a rant.  There is a subtle difference between the two key words validation and verification. They are not the same thing, and the difference is taught as low as GCSE IT level.

I just felt like I needed to say that as there is a lot of "validate this" and "validate that" knocking around when in fact verification is what is required.  Don't know the difference?

Lets clear this up:

  • Validation: The process of checking of data to ensure that it is acceptable for it or not.
  • Verification: The process of checking of data to ensure that it is the correct value

So when you go down to the ATM and enter your PIN to get cash out its important to understand that any four digit number you type on the keyboard is in fact valid, whereas after checking it is actually yours means it has been verified.

Just so that no one gets this mixed up here are some more examples:

Validation Verification
Password Any text at least 7 characters Comparison with actual password
Phone number Correct amount of numbers between 0 - 9 Dialling gets through to the right person
Television channel Any number of correct length Selecting the channel you wanted

For those who should know better Regular Expressions are for validation (thats all they do) and not verification!

I finally have somewhere to point those people who mean one thing, but say another...

Tuesday, 25 May 2010

Internet Explorer window.close(); does not work after print preview

It appears that a call to window.close(); or self.close(); doesn't do a single thing after opening print preview in Internet Explorer.  Apparently this bug goes from versions 6 - 8 (9 has yet to be released).  If anyone has any work arounds for this bug I would be very greatful.  It astounds me that such a simple bug can span multiple releases.

Monday, 24 May 2010

Overlooking the security aspect of the query string

Recently whilst debugging a mission critical, public facing, financial web application I uncovered a very serious security hole.

As one of its features the application contained a content management system so that relevant departments can upload and change content which appears on carefully selected parts of the site.  This meant that certain folders must be open to the departments which are available to be edited through the system.  The folder currently being worked on was contained in the query string.

For those that do not know what the query string is here is an example.  When you google something, for example 'blog' the page you are sent to is That bit after the ? is called the query string (in this case q=blog) which contains my search.  I can do what I want with this string and resubmit it.  So if I change the query string to q=blogspot and submit it, I am returned the google results for 'blogspot'.  Anyone can manipulate the query string.

In the web application this meant that anyone could simply change the query string, and that would change the folder currently being worked on.  Only a few guesses are needed to view the contents of restricted folders.  Doing this I managed to download the full source code for the application, something which would be very valuable to an attacker...

So if in doubt use server side variables instead.

Tuesday, 19 January 2010

Validatation for Custom User Controls

Recently I stumbled across the problem of needing to validate user input supplied to a Custom User Control.  Usually validation is simply the case of dragging one of the excellent validation controls onto the page and pointing it towards the control you wish to validate.

Custom User Control's however are a different story.  These are controls written by a developer to carry out a function which no other existing controls can.  As they have been written from the ground up, they cannot be simply associated to a validation control without further work.

To allow a Custom User Control to be validated the first thing which is required is the addition of <ValidationPropertyAttribute("value")>.  This specifies the property which supplies the string to be validated, where "value" is the name of the property.

Secondly the ControlToValidate="" property of validation control on the page should be the ID of the user control, colon(:), then the ID of the control to which 'value' is associated.

For example I had a control named cboTask which had <ValidationPropertyAttribute("value")> defined within it where value was a property which returned the current value of a DropDownList (DropDownList1) which was contained within cboTask.  In order to validate that the user selected an option I used the RequiredFieldValidator with the ControlToValidate="cboTask:DropDownList1".

   1:  <ValidationPropertyAttribute("value")> _
   2:  Partial Public Class ctlDropDownList
   3:      Inherits System.Web.UI.UserControl
   6:   Public Property value() As String
   7:          Get
   8:              Return DropDownList1.SelectedValue.Trim()
   9:          End Get
  10:          Set(ByVal value As String)
  11:              Dim llistitem As ListItem
  12:              DropDownList1.ClearSelection()
  13:              For Each llistitem In DropDownList1.Items
  14:                  If RTrim(llistitem.Value) = RTrim(value) Then
  15:                      llistitem.Selected = True
  16:                      Exit For
  17:                  End If
  18:              Next
  19:          End Set
  20:      End Property
  22:  End Class

   1:  <asp:RequiredFieldValidator ID="rfvTask"
   2:         runat="server"
   3:         ErrorMessage="Task cannot be blank"
   4:         InitialValue=""
   5:         ControlToValidate="cboTask:DropDownList1"
   6:          ValidationGroup="page">*</asp:RequiredFieldValidator>

Doing this allows both client and server validation, and allows you to use the validation controls as you would with any of the existing .NET controls.