Archive for the ‘Programming’ Category.

Hashing passwords with a salt before storing

Applications which require users to register need to store the user details in some kind of data store, and if you’re storing sensitive information like passwords, it is imperative that the passwords are encrypted (or, better, hashed, as explained below) before you store them. It is often easier to just store the passwords as clear text to avoid the hassle of having to encrypt/decrypt the password before using it, but this will eventually lead to a BIG security flaw in your application.

Some people think that because they’ve got a small web app, they are not really at risk from hackers, but the truth is that there are people out there who enjoy looking for vulnerabilities in your website. Of course there’s a password to access your database and that provides a first level of security, but if that database password is compromised, then all your users will be at risk. You might be thinking, what’s the worst that can happen if somebody manages to get the passwords of your users? Well, first of all they will have the power to impersonate that user on your site, but it does not end there. Even if your website just allows registered users to post comments, the problem is not only that the hacker will be able to post comments on your site: research has found that many people reuse the same password on a lot of sites. The hacker can usually get the email address of the person, and if he can get into their email he may well find other sites which he can log into as well, pretending to be the said user. This is not something that you wish to happen to you, so security is the first thing that we need to think about.

It is important to note that if you have a database administrator, he will have unrestricted access to your database and will be able to read your users’ passwords and may use them in unethical ways (hopefully he won’t, but you should never take the chance).

Encryption/Decryption

Instead of storing the passwords as plain text in the database, you could encrypt them, and that would add a layer of obscurity, but if you can encrypt a value, then it can also be decrypted the same way it was encrypted. Encryption/decryption engines use a key to do the work; if that key is guessed or found, recovering the passwords becomes easy.

Hashing algorithm

A much better way to secure the passwords is to hash them. Hashing is a one-way algorithm: once a value has been hashed, it cannot be turned back into the original. When the user enters his password on your site, you hash the password that he entered and compare the result against the hashed value stored in the database for that user’s record. If it matches, the user has entered the correct password.

That’s all good, but because many people tend to use common dictionary words as their password, precomputed tables of hashed dictionary words have been created to perform a dictionary attack on hashed passwords. Say you’ve hashed the password ‘prince’ with SHA1 and an attacker finds that his precomputed hash of ‘prince’ matches yours: he now knows the password. Therefore it is advisable to salt the hash to make dictionary attacks less successful.

Hashing with a salt

Before you actually hash the password, you add a salt to it, so you hash (salt + password). It is better to add the salt at the beginning of the password rather than the end. A salt is just a random string. You can generate a random set of characters to use as the salt and store it together with the hashed password in the database. The added benefit is that if two users have the same password, the hash values of their passwords won’t be the same, because a different random salt was added to each, which means a hacker cannot know for sure whether two people are using the same password.

It is better to use a random salt per user rather than a single fixed salt, because the latter makes it that little bit easier to crack the passwords: with a per-user random salt, the hacker needs to perform a separate comparison for each password using its own salt and hashed value. This increases the time taken to recover the passwords and gives you time to notify your users to change their passwords, if you know that your site’s been compromised, that is.

Which cryptography to use?

MD5 has shown weaknesses and there are concerns around SHA1 because of some vulnerabilities. I’d consider using SHA256, although SHA512 is more secure. The reason is that SHA512 takes twice as long to compute and I believe SHA256 is good enough for security at the moment. Let’s see what SHA-3 will give us, eh?

Getting started with Fluent NHibernate

Quite a few people have recommended NHibernate to me, and because I am currently working on a new project, I decided to try it out. In the past, I’ve used the Data Access Layer (DAL) of the company I was working for. It was brilliant because it would take strongly typed data and return either a collection of your entities or a single entity to you based on what you were doing. That was all good except that it was difficult to customise the DAL. NHibernate seems a very good option, but the learning curve is quite steep because you really need to understand how to set it up and configure your entities. The XML mapping is the hardest part, I’ve heard!

I like simple things and want to get on as quickly as I can with my project. When I researched, I found that the alternative to the laborious XML mapping was Fluent NHibernate. So I’m going Fluent now, as I don’t want to be wasting time on writing XML mappings when Fluent NHibernate can do it for me and much more.

Creating your entity is pretty straightforward and doing the mapping is easy to digest as well. However, the first time I tried to compile, I ended up with a few errors. I needed references to NHibernate.dll, FluentNHibernate.dll and NHibernate.ByteCode.Castle.dll (for lazy loading) to make the web app compile. All in all, so far it was easy. It’s amazing that you can just do something like Session.SaveOrUpdate(customer) and your customer data is saved (less code is good). How wicked is that?

Now the problem for me was trying to figure out where NHibernate would be sitting in my application. It replaces the DAL, so do I just have a Business Logic Layer (BLL) now? How am I going to manage the NHibernate sessions? Many people have suggested that you create a session every time there’s an HTTP request. So you basically write an HTTP module which would intercept all the requests to the web server and inject your logic into it, that is, create an NHibernate session when the request starts and close it when the request ends. The method works fine, but I don’t want to be opening a session every time there’s an HTTP request; I’d rather open a session when I need information from the database. Therefore I’ve decided not to go down the HTTP module route but instead write an NHibernate Session Management class to handle the sessions. Note that if you’re using AJAX, you’ll have problems with the HTTP module method because your session will be closed at the end of the request (when flushing out the content to the browser), so your AJAX call will fail because there’s no session associated with the HTTP request anymore.

Creating NHibernate sessions is an inexpensive task, so you can create as many as you want and close them afterwards, but creating the NHibernate SessionFactory object is what consumes the resources. It is therefore advisable to create the SessionFactory in the Global.asax file so that it is only created once but available for the lifetime of the web application. Only when your web server reboots would the session factory object be recreated. The session factory creates an in-memory representation of your database and the relationships between the tables.

Now all the entities share pretty much the same CRUD methods (Create, Retrieve, Update, Delete). Therefore it makes sense to use the Repository Pattern with NHibernate to make these methods available to all the entities. So if we create an IRepository interface, we could have the Repository do all the work for us as shown below:

IRepository<Employee> employees = new Repository<Employee>(sessionManager.OpenSession());
Employee employee = employees.GetById(7);

But what if we wanted to get the employees whose last name is “smith”? Well, then we are going to add to the repository an IQueryable method so that we can run custom queries through it.

public IQueryable<T> GetList(QueryBase<T> query)
{
    return query.SatisfyingElementsFrom(Session.Linq<T>());
}

Of course we’ll need LINQ for NHibernate to help us out so that we can use expression trees. But this will allow us to send our custom queries through the repository now. Note that it is better to have a class for each query that we want, for example, a FindEmployeeByLastname class which would inherit from the QueryBase class to give us the desired query. This way you will not end up writing LINQ queries all throughout your application but rather have them in one single place, so that you can easily maintain your application as it scales out.

This is the basis of how I’m going to use Fluent NHibernate in my next project and constitutes what I believe is the best for my web application after a week’s worth of research on the internet.

Connecting to SQL Server 2005 from another computer at home

I have a computer (PC) in my home office and my laptop. I have installed SQL Server 2005 Developer edition on my work computer and created the main database that I’ll be using for development work. I’ve also got SQL Server installed on my laptop, but I’ll only be using SQL Server Management Studio on the laptop to keep things simple. I do not want multiple copies of the database everywhere as it would be hard to keep them updated all the time. The idea behind this is that I will be programming from both my PC and laptop and will be accessing just the database on my PC. However, I ran into problems when I tried connecting to SQL Server 2005 on my PC from my laptop. I just couldn’t see the database engine either in the local or network servers.

Here’s what you need to do if you’re having the same problem. First make sure that the instance of SQL Server that you’re trying to connect to has remote connections enabled. Go into SQL Server Surface Area Configuration, click on ‘Remote Connections’ and make sure that you’ve selected ‘Local and remote connections’ and also TCP/IP, or both TCP/IP and Named Pipes. If things don’t work out, then I suggest you disable Windows Firewall and test again. If that works, then you need to create an exception in your firewall to allow connections to SQL Server Management Studio (SSMS) and open port 1433 (or 1434).

If you still can’t find your database engine listed in the connection box, then type in the following:

tcp:<computer_name>,1433

We are explicitly telling SSMS that we’re connecting through the TCP protocol and going through port 1433. I still can’t see the database engine on my PC listed on my laptop, but when I type the above name into ‘Server Name’, it connects successfully. I’m also connecting through SQL Server Authentication rather than Windows Authentication to make things easy.

Source version control using SVN

A good programmer always starts a project with source control in mind. Not only is this good programming practice, but it also ensures that the hard work that you’re putting in is not going to waste. If you’re working for a reputable company, chances are that they’ve already got source control guidelines in place. However, if you tend to be doing personal projects, you are more likely to get carried away and not use source control of any sort.

It’s plain laziness, nothing more! However, the consequences can be devastating. For example, I was working on a project for a week and I’d have to say that I spent probably 4 days on a single PHP page, coding and testing it, and when it was time to upload it to my server, I accidentally overwrote my local copy with the outdated one from my server. I went crazy and tried to find a backup somewhere, but I couldn’t get anything with my latest code.

Lesson learned, and I don’t want to spend time re-writing what I’ve already coded, so now before I start a new project, I make sure that I’ve got source control in place. For the new project that I’m tackling at the moment, I’m using the unfuddle.com free service, which gives me 200MB of storage for my repository. I’ll be the only person making changes to the codebase, but having source control is important to me now after what happened. I’ve downloaded TortoiseSVN to easily check out from and check in to the repository from the Windows interface, but I might try the Ankh plugin for Visual Studio as well.

So far everything is going well, and the next thing that I need to sort out is to learn how to use Fluent NHibernate before the project can kick off.

Grouping records in one single row

There are times when you need to group records which are linked by a common field (a foreign key) together into one single row. For example, if you wanted to group all orders associated with a customer into one single row, it causes a problem in MySQL because a plain query listing all the records associated with the foreign key gives you a similar but different resultset: one row per order rather than one row per customer.

There’s something which you can use in MySQL to group the results together: it’s called the group_concat function. For short values, this will work fine in its default mode. However, if you’re trying to concatenate long text values, the result will get truncated, because by default it allows 1024 bytes of data (the group_concat_max_len variable). You can set the maximum to something like 65000 bytes, which will give you roughly 5 whole pages of MS Word documents’ worth.

MySQL Fulltext search problem

To enable fulltext search on a table in MySQL, the following syntax is used:

ALTER TABLE your_table_name ADD FULLTEXT (Column_1, Column_2)

Fulltext on MySQL will only work on MyISAM type tables.

You can issue a fulltext query as below:

SELECT * FROM your_table_name WHERE MATCH(Column_1, Column_2) AGAINST('your-search-query')

However, for a small table with a limited number of rows, you may not see the fulltext search results because of the following rule for fulltext:

“…words that are present in 50% or more of the rows are considered common and do not match”

To overcome this problem you can rewrite your query as follows:

SELECT * FROM your_table_name WHERE MATCH(Column_1, Column_2) AGAINST('your-search-query' IN BOOLEAN MODE)

This will give you the results you are expecting. You can also try adding more rows to your table. If you have just 2 rows, adding a 3rd one might solve the problem because the 50% rule will no longer apply to a word present in only one of them.

To delete a fulltext index:

ALTER TABLE your_table_name DROP INDEX your_index_name

To see the indexes on a table (including fulltext indexes):

SHOW INDEXES FROM your_table_name

Configuring log4net

I tried the Enterprise Library Logging Application Block, but I’ll have to say that log4net is easier and faster to use. So here’s how to configure it. With log4net.dll in your bin folder, open your web.config file and add the following line to your configSections node:

<section name="log4net" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net" />

Then, after the </configSections> element or anywhere else within <configuration>, add:

<log4net configSource="Config\log4net.config" />

Note: I store my log4net configuration as a separate XML file in a Config folder!

Your log4net.config file should look like this:

<!-- Logging related config options below this point -->
<log4net>
  <appender name="RollingFileAppender" type="log4net.Appender.RollingFileAppender">
    <!-- The file path is taken from the "logpath" property set in Global.asax -->
    <file type="log4net.Util.PatternString" value="%property{logpath}"/>
    <param name="Threshold" value="DEBUG"/>
    <appendToFile value="true"/>
    <rollingStyle value="Size"/>
    <maxSizeRollBackups value="10"/>
    <maximumFileSize value="10MB"/>
    <staticLogFileName value="true"/>
    <layout type="log4net.Layout.PatternLayout">
      <conversionPattern value="%date [%thread] %-5level %logger - %message%newline"/>
    </layout>
  </appender>

  <root>
    <appender-ref ref="RollingFileAppender"/>
  </root>
</log4net>

Note 2: I use only the rolling file appender.

In my global.asax, I have this:

private static log4net.ILog log = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);

static MyApplication()
{
    // Set the "logpath" property referenced by the config before log4net reads it
    log4net.GlobalContext.Properties["logpath"] = AppDomain.CurrentDomain.BaseDirectory + "Log\\Log.txt.not";
    log4net.Config.XmlConfigurator.Configure();
}

And in the classes where I want to use log4net, I have:

private static log4net.ILog log = log4net.LogManager.GetLogger(System.Reflection.MethodBase.GetCurrentMethod().DeclaringType);

protected void Page_Load(object sender, EventArgs e)
{
    log.Debug("I am logging, yeh!");
}

Turning identity off for a column in SQL Server

I’m currently moving my MySQL database to SQL Server and for that reason I need to preserve the identity columns which I already have in the tables. Here’s how it’s done:

SET IDENTITY_INSERT tablename ON
SET IDENTITY_INSERT tablename OFF

So to insert the row ID=12, Name=Alfred, Age=23 in tblUsers, I would use the syntax below:

SET IDENTITY_INSERT tblUsers ON
INSERT INTO tblUsers (ID, Name, Age) VALUES (12, 'Alfred', 23)
SET IDENTITY_INSERT tblUsers OFF

You will need to turn identity insert off again so that SQL Server automatically generates the unique id for you afterwards.

Calculating x and y coordinates of an element in JavaScript

I was trying to get the Swazz calendar to work on Firefox, but it would get displayed at the top of the webpage instead of showing up just under the textbox element which required the calendar values. While debugging it I noticed that I had the Transitional DocType on and it was messing around with it. I googled the problem and found that the solution was to append ‘px’ to the value, otherwise Firefox would ignore it.

getObj('fc').style.left = Left(ielem) + 'px';
getObj('fc').style.top = Top(ielem) + ielem.offsetHeight + 'px';

And this is how you get the coordinates with JavaScript:

function Left(obj)
{
    var curleft = 0;
    if (obj.offsetParent) {
        // Walk up the offsetParent chain, adding each ancestor's offset
        while (1) {
            curleft += obj.offsetLeft;
            if (!obj.offsetParent)
                break;
            obj = obj.offsetParent;
        }
    }
    else if (obj.x) {
        curleft += obj.x;
    }
    return curleft;
}

function Top(obj)
{
    var curtop = 0;
    if (obj.offsetParent) {
        // Walk up the offsetParent chain, adding each ancestor's offset
        while (1) {
            curtop += obj.offsetTop;
            if (!obj.offsetParent)
                break;
            obj = obj.offsetParent;
        }
    }
    else if (obj.y) {
        curtop += obj.y;
    }
    return curtop;
}

Access to bin path denied in ASP.NET Web Application

I had just downloaded a solution from Visual Source Safe and was getting lots of errors due to references not being found. So I went through each project, removed the old references and replaced them with the new ones. However, when I finally came down to the web app, it would not compile because it was unable to copy a DLL to the bin folder, as access to it was denied. I checked the properties of the bin folder and noticed that it was read-only. So I unchecked the read-only property, applied it to all sub-folders and voila, the compiler is happy now and so am I :)