Hi, my name is Adel and I'm not a recovered Software Developer.
It would be fun to know how your friend actually reacts to this graph because, as always, these graphs tend to be a bit biased in some way or the other.
But in any case: nice digging and a good find.
Thanks MikaelSand for the comment, but I strongly disagree, as the research was collected based on the following:
The Microsoft Security Bulletins web page
The Oracle Security Alerts web page
The CVE website at Mitre.
The SecurityFocus.com website
which are all reliable resources for discovered flaws.
- If you're building a (web)service, you don't have to deploy it on every machine available, just the server. On the clients you could add a "web service reference" to your WCF basicHttpBinding.
- In the future, other apps could connect to another WCF endpoint, like wsHttpBinding or nettcpbinding.
- It is, but that doesn't count ;)
- No idea yet if they're going to push it as a critical update. In other words, if every user will download it. But is that necessary? Are you going to roll out your app to the world? Or just internally at some company?
Dennis
You could still of course use WSE3 to help out. This also gives you transport-neutral SOAP communication.
Good point, my app will run on our clients' machines only, so it doesn't matter; I just widened the comparison a little.
thanks.
More software finds that can help in everyday work.
We are glad that you found it useful.
Google Translate is awesome :D
Be cool Adel. When these guys ask you again, change your status to away or busy and don't answer them :D:D:P
But you know, sometimes disorientation happens because of the magnitude of information resulting from a Google search; you have to explain to them how to search in the right way to find the specific results.
Man! I've been there! The most irritating kind are those who do not understand that, well I don't know everything!
They ask me about printers and I say I don't know. So they think that I do it just to be mean, like I know but do not want to share...
Hahahaha, what a great story!
Mikael, been there as well! Printers are one thing I don't know anything about. When these mothers break down or just simply start bleeping that they have a problem, I don't know what to do. Go buy a new one, I can only advise! :)
Aaaawww :-)
lol, I wish it was this easy, go buy a new one...
lol )))
Definitely nice and neat site you got there.
Hello, my compliments for your nice website!
Looks good! Very useful, good stuff. Good resources here. Thanks much!
Hi all!
I am really excited. Very useful, I found lots of interesting things here. Your web site is helpful. Best regards!
You have an excellent site, a lot of useful info and good design, thanks.
I'm really impressed!
Well done, this site is really great. Just wanted to say hello, keep up the good work!
Great. Now I can say thank you!
Adel,
I am also a big fan of Maxthon. Same reasons: tabs on the IE engine and FAST as lightning ...
Hope to be using it for a long time
Joop
Welcome to the maxthon army :)
Well, MS has a similar tool called NGEN; it's pretty cool for systems with performance constraints.
Well, as I understand it, NGen is an image generator which generates a native image from your IL, but you still need the .NET Framework, and this is not the case with Salamander .NET Linker and Native Compiler, which generates native code for all the classes you have used (BCL) and of course your core program.
You should set TortoiseSVN's preferences to exclude these directories and the various other junk files that end up in your working copy.
My regex for what to exclude is at http://www.damieng.com/blog/archive/2006/10/12/AnkhSVN-join.aspx
[)amien
Well.. You shouldn't commit your 'obj' and 'bin' folders to your repository. These should be flagged to be ignored by TortoiseSVN.
Cool...
Nice
Cool
Cool!
Interesting...
Nice...
interesting
Sneaky!
Not as bad as the old realPlayer-thing but...
Thanks for the heads up as well.
Wow, this indeed sucks! You're right, this kind of software doesn't even deserve to be downloaded!
So, what do you think about
last comments ?
So you say you're "trying out Mailinfo", but the screen shot says "SpeedBit Video Accelerator". Which one is correct?
No, it's Mailinfo, and this is the installer; I double checked.
Well great I got to be COBOL...
Now I can't relate to all the cool kids :(
Don't know if this box eats HTML but let's try anyway:
<a href="www.bbspot.com/.../language_quiz.php"><img
src="www.bbspot.com/.../cobol.jpg" width="300" height="90"
border="0" alt="You are COBOL. You are very business-oriented. You make conversations longer than they should be, and people easily grow bored by you."><br>Which Programming Language are You?</a>
Seems like it doesn't.. :).. I did not know that.
Hello Adel,
I think you got a good point here. I happen to read blog-comments often, just to see how other people think about the subject, see how the discussion evolves...
I experienced the same thing a few weeks ago, that reading comments all-of-a-sudden changed my opinion and made me doubt the reliability of the posting.
A few weeks back, all over the web I read about a "WiFi signal bundle device". Boris Veldhuijzen-Van Zanten (a successful Dutch internet entrepreneur, founder of V3 and Bomega for example) blogged about it. He fantasized about having a device that could use all available WiFi signals at once. That way he could multiply his bandwidth, at least, that's what he wanted.
An acquaintance of his took the challenge of building such a device for him. He created the "Slurpr" which is a box that receives 6 WiFi signals at the same time and bundles it into one big connection to the router's client. It seems a great device to me and I could imagine that a lot of people were willing to pay $1.000,= for it.
However... when reading the comments underneath all of these articles, I noticed more-and-more people saying that it is just NOT possible to have a device doing that. Now I must say that many of those comments went into the technical details too deep, so I could not understand it all, but seeing that so many people thought they could explain WHY it is IMPOSSIBLE to create such a device made me believe that this could be a hoax.
So reading the articles themselves really made me enthusiastic, but after reading several comments my opinion got almost turned around 180 degrees...
I must say that today I still am not convinced on who is right: can such a device be made or is it just a big hoax? (No need to discuss that here by the way, just wanted to illustrate what comments did for me.)
To see what I'm talking about, visit these sites:
www.bomega.com/.../who-will-build-me-a-wi-fi-canalizer (Boris' initial request)
geektechnique.org/.../slurpr-the-mother-of-all-wardrive-boxes (Slurpr project site)
www.veign.com/.../slurpr-wifi-access-point-which.html (Another blogger not sure if it's real or a hoax)
Regards,
Robin Paardekam
Cool. I hope there's not much more from 3.11 that will show up in Vista... ;-)
Small note: screendumps like that in PNG format get rather large. Try saving 'em in JPG format as they now are more than 500Kb each.
Me neither, nor do I agree with being COBOL :(
Still the same as in Windows XP and Windows 2000. Nothing changed.
@Robin good point about the PNG format, I guess I'll be watching out for this.
So you have been through the same thing. Reading blog comments and researching the subject in different places is a must for intolerable issues.
Building a foundation on top of others' brains is something you don't wanna do unless you have looked this information up in multiple places.
Hilarious. I see so much of this in my current project.
Can you name names ? :)
LOL - if you're looking for relative percentages, everyone can already tell you that practically nobody uses FF - IE6/7 rule the market, and for good reason - no sane person would install that bug-ridden, incompatible hack - go get IE7 and see your web site the same way all your customers do. And safely.
Talk about security!
That's good to know.
India, you better watch out :)
Basha, I searched for the words in that screenshot and found the page!!
It's an admin page!! open to the public!
From the left Waleed Abd Al Wahab, Hossam Al Din (CriticalSites), Omayma Masrefy (Clip Solutions), Mona
Cool!
Cool.
Thanks for your nice comments
Sorry :(
You're welcome.., thx for the day.
Hi Adel,
Although I get your tip, I'm not quite sure I agree. Probably because you don't post why you should do this. ;)
I think the user is the one who, as soon as he/she chooses to change his/her password, is responsible for choosing a good password.
And by the way, my Hotmail and Gmail passwords (for example) have been the same since I got an account...
The idea is good, but it's not really safe to keep the passwords itself in the backend. A much safer approach would be to hash it before it goes into the database. Then, at login you compare the hash of what the user entered with what's in the database.
If you want, you then keep a log of old password hashes to prevent an old pw from being chosen again.
Even better is to use a so-called 'salted hash'.
@Rick van den Bosch
The reason you may want to do this: if your password base is compromised, you want to change the password for your clients to something temporary and also prevent them from changing it back to the old compromised one. However, you will also benefit from this strategy to force users to never use a password they already changed again - why did they change their password in the first place...
@Arjan Zuidhof
exactly how this should work.
You sure should contact them about the possibilities of a web facelift! :) They seem to appreciate those emails, considering the footer on the front page: "If you have any comments about our WEB page, you can either write us at the address shown above or e-mail us at berkshire@berkshirehathaway.com. However, due to the limited number of personnel in our corporate office, we are unable to provide a direct response."
BTW: Warren's companies GEICO and Borsheim's seem to have rather nice sites. But what the heck, as long as you're contacting them about Berkshire Hathaway Inc, why not also mention the other two? :)
nice one :D
You've been kicked (a good thing) - Trackback from DotNetKicks.com
Nice stuff! However, it seems it only works on IE. They will have to invest more for Firefox.
I didn't implement it myself, but I guess over HTTP it won't be a problem to work with FF.
Thanks Adel, I needed that.
No kind words for the people that feel stuff is not going nearly fast enough?
I mean, everyone that's waiting for the first CTPs of Rosario, while being bored with Orcas, lambdas, LINQ and all the stuff we have been using for ...what seems like ages now!
;-)
Technology vs. Life:
The daily battle to keep up with the technology while still managing to not miss out on everything else!
Pat Hynds
Amen, I totally agree with u.
The game is all about focus:
focus on one technology at a time till u master it, then move to the next one. If u jump from one thing to another randomly u will never master anything and u will never be productive.
"You DO NOT have to..."
But you should strive for it! ;-)
"You DO NOT have to memorize and understand every pattern the gang of four have catalogued."
Oh, those are old school these days ;-)
Good work!!!
Welcome dear friends on the my blog with Samira!!!
Is vs. As Performance
So all you really needed to do was open the solution and .webmap file of that project, change it and be on your merry way...
Sometimes I get tired of the .Net 1.1 solutions... then I remember I need to EAT!
Makes sense :-)
It's a tiny tip, but an excellent one! I'm developing on the compact framework and that doesn't support the StrongNameIdentityPermission attribute. It didn't occur to me to use the InternalsVisibleTo until I read your post.
Thanks,
Jeffry
And I now learned a new case where InternalsVisibleTo is the saviour. Thanks
Security? Member visibility has little to do with security; am I missing something?
If you don't have the internal keyword, or you don't know how to use it with the InternalsVisibleTo attribute, you will end up forced to have most of your types declared as public so you can take advantage of them from that specific assembly, and that allows any other code to access those types as well.
When you design with security in mind you have to work with least permission sets, least visibility .. and so on.
Pingback from clipmuses » Blog Archive » Is C# getting old ?
Maybe the developers thought that Java is known by everyone, or it's too like Java.
hehe!
Does any other alternative exist? The price is insane!
Grant Holiday has some excellent posts about the new TFS Rosario stuff. And Camano looks awesome!
Pex does what is called 'dynamic symbolic analysis', which could be seen as an on-the-fly static symbolic analysis.
Pingback from Pages tagged "Diverse"
The only benefit I've ever seen for using stored procedures instead of dynamic SQL is when more than one database server is involved. Using stored procedures and views can overcome the burden of trying to mash together two separate databases within your application.
Within the stored procedure or view you can access all the linked servers that you want while still working from within a single database. This means that your application only needs to connect to and use a single datasource.
Even better, you are not limited to using linked servers, stored procedures and views to connect to other MS SQL databases; you can also connect to other database engines such as Oracle.
In the ColdFusion project I'm working on right now I'm using linked servers and views to connect and mash databases between MS SQL and Oracle. The view calls both databases to mash data together. I also use views to insert data into the Oracle database; this could be accomplished using stored procedures, but I like using views instead.
This is a very poorly written and constructed article.
The paragraph about SQL injection is nonsense.
Executing a stored procedure is much like calling a simple SQL statement; it can be done in insecure ways (dumb string concatenation like in the example) or in secure ways (e.g. JDBC parameters), and both styles of SQL are equally exposed to SQL injection.
Pingback from Stored Procedures vs. Dynamic SQL - The never ending debate? « blog.jemm.net
In general, if you write crappy code/have poor indexes/didn't set up SQL Server correctly it won't matter if you choose SPs over SQL. This is a real secondary thing.
I do think though that stored procedures help out a lot as units of deployment/organization as fixes/releases come into play. Plus they abstract your code slightly, as views do.
SP's do take longer to write, but it pays off in the long run if you end up with a big application -- it'll be easier to maintain.
If a SP isn't portable between various DBMS's, then your ad-hoc SQL probably isn't portable either.
SP's aren't a guarantee for perfect security, but they're still much better than ad-hoc SQL. You have to give a user account much higher SQL permissions than you would if you were just using stored procedures.
Writing code like "EXEC sp_GetCustomerByEmail '" + txtEmailAddress.Text + "'"; isn't nearly as secure as using an SqlParameter -- the ideal method to call SP's is to call your SP and pass all its parameters as an arraylist. There's much, much less potential for injection.
Also, with SP's, you don't have to recompile your ASP.NET application, you have better layer abstraction, and the best benefit -- you have a lot less transferred data. Instead of transferring big, bulky ad-hoc SQL, you can transfer a stored procedure name and its parameters to the SQL server.
>This is a very poorly written and constructed article.
I think it is rushed a bit, but all points it touches are good.
@Andrey Shchekin
I may not have spent the time required for this to turn out a great article, but I wanted to get my view on this out ASAP.
This article makes the author appear ignorant.
If you were to blindly follow the authors advice you could end up in a world of hurt.
For example - the execution plan for a stored procedure is created, cached and stored once. The execution plan for an ad-hoc query is stored for each variant of the query. So if the code has a query to get user details:
select * from user where email = 'bill@microsoft.com'
The execution plan is generated and cached for every variant of the query (i.e. every time a user logs in). Imagine if Gmail used ad-hoc queries in this manner.
I am not saying that the use of ad-hoc queries is bad; there are workarounds for this issue such as parameterised queries. I am saying that this article is poorly written and should be taken with a grain of salt.
Agree with the points in the article for CRUD style operations.
For intensive "batch" processing tasks such as collecting payments over 1 million customers, stored procedures significantly outperform dynamic SQL due to the latency between the application and the database. Caching of query plans isn't the issue in this situation.
While I do see your points there are a few things I see differently:
The biggest reason for SPs in my point of view is ensuring data consistency. Limiting the surface area to the data.
In larger projects where many people/even multiple teams are involved it's simply stupid to put the responsibility for query writing on the developers. Sooner or later they will forget that the CREATED column should not be changed when UPDATING etc. The biggest asset lies in the data (not the app), and data should be protected for consistency by all possible means.
You say: "Minor change to the design require changing in both the SPs and the DAL code." You see it as something negative, I see it as something positive.
I would rather have a compilation error, or even app crashes, than inconsistent data because a developer (me maybe) forgot to change a SQL statement.
Kind of type safety...
With a good code generator (generating SP calls from metadata) it really doesn't have to be that much of a burden. Although I do really agree on the "Versioning SP code" point.
Last, I fully agree with Sean: "Not having to recompile your ASP.NET application" - saved me a couple of times, "you have better layer abstraction", and "lot less transferred data".
Adel, sorry but I must disagree with you.
Hard-coded SQL statements in the DAL are the worst thing I could think of, for the following reasons:
1- when ur SQL code is large, and what I mean by large is more than 1000 lines, it's not a good idea to write it using the VS IDE
2- who said there are no versioning tools for SQL? VSTS now offers support for SQL projects
3- it's always a good practice to encapsulate the database functionality in stored procedures, so whenever u need to change ur database design u can do it and change ur stored procedures without rebuilding and deploying the project, and I'm not talking here about the projects that need 5 min for deployment, I'm talking about projects that take days and sometimes require staff to travel abroad to deploy them
4- I don't think VS is better than SQL Studio from the productivity aspect for writing SQL statements,
unless u r talking about statements like select * from products
5- "It's impossible to cover every single scenario" who said so? The same way you can make ur ad-hoc SQL statements dynamic you can make stored procedures dynamic too; stored procedures have parameters for a reason
6- "string s = "EXEC sp_GetCustomerByEmail '" + txtEmailAddress.Text + "'";" I've never seen a developer stupid enough to do that :D
simply because if u use stored procedures with security in mind and u know that hard-coded SQL statements are BAD and vulnerable to SQL injection, then u will never take the effort to implement a SQL stored procedure and then execute it from a hard-coded SQL statement
7- you can't use transactions in hard-coded SQL statements the same way as in stored procedures; u will have to handle these transactions urself from ur DAL code, which is something I don't recommend
8- if you implemented your transaction in ur DAL layer, which is again something I don't recommend, and ur web application failed for any reason, u won't be able to roll back, especially if that failure reason was that the database has gone offline, which again, if u r dealing with money, would be the worst dream from the business aspect
9- stored procedures still maintain higher performance for a simple reason: "less round trips"
if u hard-code SQL statements in ur DAL this will mean lots and lots of round trips between your SQL server and your application server whenever a user clicks a button on ur ASP.NET pages
Ted,
Why do you think it is a poorly written article? I think it touches on valid points and is in-line with my experience. SPs are teh suck.
Your security argument is very weak. The security benefits of stored procedures lie in not constructing a SQL string, in passing parameters to a procedure. SQL injection attacks are possible because people don't check their inputs when building a SQL statement. And in your argument for a weakness in stored procedures you do exactly that: dynamically build a SQL string AND don't check the inputs.
Proving that a secure technique can be used insecurely doesn't prove that it's insecure.
They have helped me out a lot. I work with people that are SQL experts but I wouldn't want them in the source code recompiling. They can update, create and help me with a lot of things this way.
Ok...let's not say SPs are great just because we have been drinking the kool-aid too long.
Here is why you should use them:
1) You wish to isolate users from the physical structure of your database. You need performance that views will not provide in dynamic SQL.
2) You have complicated code that is best broken down using temp tables for performance.
3) You want the pre-cached query plan only stored procedures provide efficiently. Dynamic SQL will cache a plan; but, it is dropped from cache earlier when RAM is needed than SP cache. It also takes more to determine if a cached plan is usable because the query has to be compared to determine if it is the same as an already executed query. For simple CRUD queries, who cares. But if you have a database that really does something...
Here is why you should not use them:
1) To protect from SQL Injection. There are methods to make SQL Calls that do not require an SP yet provide the same protection for SQL Injection as an SP.
2) You wish to have your data access layer be more intelligent. You require a data access layer to be intimately aware of your data structure.
3) True transportability is required, and you have a middle tier that is capable of working with multiple SQL syntaxes.
There are many more bullets that could be added to either side of the argument. The answer is, it depends on your situation...AS ALWAYS. This argument is like saying everything should be written using a Factory Pattern.
These are some of the worst arguments against the use of stored procedures I've ever read. Good grief.
Pingback from Vinny Carpenter’s blog » Daily del.icio.us for January 7th
@tony petruzzi
If you used SPs you would run into the problem of SQL compatibility; that's why SPs aren't portable. If you have chosen to work with Dynamic SQL, it will work in both environments without any problems, but views can solve this as well.
@Timestamp
Exactly. Neither using SPs nor Dynamic SQL protects you from SQL Injection out of the box; you have to use SQL parameters for that. The myth here is that SP advocates always say that SPs are SQL Injection proof and Dynamic SQL isn't. Here I'm showing that it doesn't relate to either technique; it's all about the developer.
@Horis Dinglebery
I think you misunderstood what I was saying; I only promote the use of Parametrized Queries.
The execution plan is cached for both SPs and Parametrized Queries, and guess what, even queries with no parameters are parametrized and cached (SQL Server 2000).
But anyway, there are a ton of reasons why you should only use Parametrized Queries.
@Duncan
It doesn't outperform by this much; review Eric Wise's experiment. But isolating specific code as in your example is a good idea; bear in mind, though, that using SPs mostly for abstraction isn't the way to go.
@Fady Anwar
>>> 5- "It's impossible to cover every single scenario" who said so? the same way you can make ur ad-hoc sql statements dynamic you can make stored procedures dynamic too, stored procedures have parameters for a reason
No you can't; think of the following scenario: what if you want to create update procedures for 10 tables, each containing 10 columns, for example? Think of the combinations for each column in the expression and the filter parts of the SQL Statement. If you need to prepare an SP to update every single field you will have 100 SPs, not to mention there are still possibilities that you need different fields in the WHERE clauses. Good luck with that.
>>>>6- "string s = "EXEC sp_GetCustomerByEmail '" + txtEmailAddress.Text + "'";" i've never seen a developer stupid enough to do that :D
No, there are; check the www.asp.net forums.
>>>>>7- you can't use transactions in hard coded sql statements the same way like stored procedures, u will have to handle these transactions ur self from ur DAL code, which is something i don't recommend
I don't see why I can't use transactions from Dynamic SQL.
@Tim,
Providing the SP execution example is to show that I can use SPs and STILL BE OPEN TO SQL injection.
This article is full of holes... the most obvious one is the attack on SP security. If you implement SPs correctly, then this would not be a problem:
string s = "EXEC sp_GetCustomerByEmail '" + txtEmailAddress.Text + "'";
Even if txtEmailAddress.Text = "'; DROP DATABASE myDB", since the user executing that stored procedure only has rights to execute stored procedures and not random SQL... CERTAINLY not DROP rights, the SQL injection problem you mention does not exist, unless an incompetent developer creates it.
In answer to your "performance" attack: yes, SQL Server caches execution plans for random SQL, but not to the level that it does for SPs. SQL Server stores several execution plans for SPs and selects the best plan based on parameters, all tables and joins involved, as well as other cost calculations such as I/O and pages involved.
If you're using random SQL, your SQL statements must match perfectly in order for an execution plan to be reused.
People seem to be ignorant of, or simply forget, that using dynamic SQL does not equate to injecting values. Dynamic SQL can be, and should be, used with parameters just as you do with stored procedures.
If you use parameterised SQL then your cached plans are just as efficient as stored procedures.
More good news: even if you haven't used params (which you should never do) SQL Server will cache the execution plan.
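As an added illustration of the thread's two recurring points (that concatenating user input into an SP call such as `"EXEC sp_GetCustomerByEmail '" + txtEmailAddress.Text + "'"` is what opens the door to injection, not the choice of SPs versus dynamic SQL, and that transactions can be managed from application code over dynamic SQL), here is the vulnerable lookup beside its parameterised form, run against an in-memory SQLite database. This is example code written for this page, not code from the thread, its author, or any project it mentions. SQLite and its `?` placeholders stand in for SQL Server and SqlParameter; the customer table, its rows and the probe input are all constructed for the demo.

```python
"""Parameterised dynamic SQL versus string concatenation, plus an
application-managed transaction, on an in-memory SQLite database.
SQLite has no stored procedures, so the comparison is between the two ways
the application can hand a user-supplied value to the database engine."""
import sqlite3

# Constructed sample data (an assumption for the demo, not real customers).
SAMPLE_CUSTOMERS = [
    (1, "alice@example.com", "Alice", 10),
    (2, "bob@example.com", "Bob", 10),
]


def make_db() -> sqlite3.Connection:
    """Create the demo schema and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customer (id INTEGER PRIMARY KEY, email TEXT, "
        "name TEXT, points INTEGER)"
    )
    conn.executemany("INSERT INTO customer VALUES (?, ?, ?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def get_customer_concat(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable: the value is spliced into the SQL text, exactly as in the
    concatenated EXEC call quoted in the thread. The engine cannot tell
    where the query ends and the data begins."""
    sql = "SELECT id, name FROM customer WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def get_customer_param(conn: sqlite3.Connection, email: str) -> list:
    """Hardened: the same dynamic SQL with the value bound as a parameter.
    The driver sends the value separately, so it is only ever compared as
    data and is never parsed as SQL."""
    sql = "SELECT id, name FROM customer WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def get_points(conn: sqlite3.Connection, customer_id: int) -> int:
    """Read back a customer's points balance (parameterised)."""
    row = conn.execute(
        "SELECT points FROM customer WHERE id = ?", (customer_id,)
    ).fetchone()
    return row[0]


def transfer_points(conn: sqlite3.Connection, src: int, dst: int, amount: int) -> bool:
    """Application-managed transaction over dynamic SQL: both UPDATEs commit
    together or neither does. `with conn:` commits on success and rolls back
    if an exception escapes the block."""
    try:
        with conn:
            conn.execute(
                "UPDATE customer SET points = points - ? WHERE id = ?", (amount, src)
            )
            cur = conn.execute(
                "UPDATE customer SET points = points + ? WHERE id = ?", (amount, dst)
            )
            if cur.rowcount != 1:
                # Unknown destination: abort so the debit above is undone.
                raise ValueError("destination customer does not exist")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    db = make_db()
    # Constructed probe input: a tautology that changes the WHERE clause
    # when concatenated, but is just an unmatched string when bound.
    probe = "' OR '1'='1"
    print("concatenated:", get_customer_concat(db, probe))   # every row leaks
    print("parameterised:", get_customer_param(db, probe))   # []
    print("bad transfer:", transfer_points(db, 1, 99, 5), get_points(db, 1))
    print("good transfer:", transfer_points(db, 1, 2, 5), get_points(db, 1), get_points(db, 2))
```

The detection side of this is simple: any code path that builds SQL text with `+` or string formatting from a request field is the bug, whether the text ends in `EXEC sp_...` or `SELECT ...`; the fix is the same bound parameter in both cases, and the least-privilege account Tim describes limits the damage rather than removing the flaw.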
Well the thing is, this situation can turn into a pretty fucked up one if you were only handling files that aren't in the depot yet, with the 'add' status attached. Then you're screwed; all you can do is delete, and write those again.
Adel Khalil wrote a post about Mark Miller's latest post on his weblog. And now I'm continuing
LOL, THAT is hilarious
everyone loves boobs :D and with code, they look even more sexy :P
thanks for the blog link man, i was searching for such thing long time ago
Pingback from true or false emails
Yes it does. MS hasn't fixed the problem even though it's May 2008. The only way is to install IE7??
cool, I'll try this out today, I hope this wouldn't be my last thing to write.
tell me about the side effects :D
Nothing really, but I advise against using this, just for absolute situations :D
I have a Nokia N95 8Gb, having defected from Sony Ericsson. More features, half the price! And you don't look quite as pose-ish!
LOL, u have just made my day :D
Got a 404 on that link.
But I found a different solution...
www.realtime-windowsserver.com/.../outlook_2007_rss_feeds_not_upd.htm
found this page via google
The page you have requested was not found,
What was the story?
Well.. sign your contract with a one month notice and compensate a few weeks with your holidays :)
That 4-day stuff is more meant for freelancers and is used in both directions.
I Need WINDOWS LIVE MESSENGER 14 urgent..
Any One who can help me??:(
contact:
therock285@hotmail.com
Just an update, the new poster's link is:
www.dotnetwork.org/.../1.jpg
Sakia cafe of course :D
Actually I have a website for which I have an RSS feed for one of the pages. I have an RSS feed icon and link on that page, but I want to enable the RSS feed button of IE on that page only. Moreover, that page is an ascx page, so no head tag is present. What should I do? Please suggest.
Can we access mails in Outlook 2007 when the Exchange version is 5.5? If you have any suggestion or patch, please suggest......
Regards,
Niranjan
niranjansatam@gmail.com