My good buddy (actually my best friend from High School), "The Witt" complained that I wasn’t being helpful to programmers who are trying to learn the craft when I posted two weekends ago on "A Question you should ask when hiring a non-entry level developer." (OK, he wasn’t the only one... but, hey, we have a history, so he can get me to post a response, and you can’t... deal...)
I decided that our subsequent conversation in email would make a good followup post for those who want to know what they should be doing, and with his blessing I am posting an edited version.
[It started with this comment]
The Witt - OK, I know that I am new to the ASP coding info.
I understand the security issues (or at least, what might happen with leaving everything wide open). BUT, having just completed two semesters of nothing but ASP I just don’t see what’s wrong... I AM NOT a seasoned programmer... and my classes taught us to connect in this very manner you describe...
Can you elaborate for those of us that are trying to learn? Show us what you would do instead?
Thanks in advance
Jay (in Email now)- I know I probably made some harsh statements there (in my blog post). I meant it to be hard, but it was as much about seeing some consultant coming in and writing crappy code against my APIs and leaving HUGE security holes in my website.
The major point for ASP.NET is that you should always use Command objects with parameters... something like this (code may not compile because it’s off the top of my head... there’s probably an error in there somewhere...)
Dim query As String = "select field1, field2, field3 from someTable where ID = @TableID"
Cmd.CommandText = query
' SqlParameter (DbParameter itself is abstract); the name matches the @TableID placeholder
Cmd.Parameters.Add(New SqlParameter("@TableID", cbo.Value))
' Code continues....
The trick is in using the "@" variable in the query, and using the Parameters collection. When this gets shoveled down to the database it gets sent differently and if someone tries to change that "cbo.Value" within the http post by trying to add their own SQL it will fail.
I know that changing the variable in the http post statement sounds advanced... go here --> http://www.bayden.com/TamperIE/, download the TamperIE tool (for IE) and try it out... You’ll see that you can in fact force whatever values you want into the post.
As far as other dev environments go (I know you deal with a couple others), you want to figure out how to send a prepared statement to whatever SQL server you are dealing with (MS Access has these as well, so does Oracle and everything else I can think of... even the free PostgreSQL has them).
Anyway, I see you as someone who’s growing as a developer... you’d not go into an interview and present yourself as more than you are... that too is the problem...
Do you mind if I post this (more or less?) as a new blog post?
The Witt- I don’t mind in the least…
Like I said I am trying to learn. The “@” tucked in front… I always thought that was just to get the info from the current page. It’s nice to know what that really does. I do use that for most of my sites. I just never knew all the reasons.
I think that is the problem with a lot of the schools today. They are just pushing the students out and they really don’t know what they are doing. (Not that I always know what I’m doing).
---------------
OK, it’s not all that edited. One more thing I forgot to mention. If you use an ORM or something that builds classes for you, then you probably are getting this type of functionality (just about every ORM I know of uses prepared SQL statements to push data). My favorite ORM is SubSonic (and I know others rave about NHibernate)... In the Java world I use Apache Cayenne (and people rave about Hibernate over there).
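To make the point in the e-mail above concrete outside of ASP.NET, here is an added example (not the post’s own code) using Python’s sqlite3 module: the same lookup written by pasting the posted value into the SQL text, and written with a placeholder the way the Command object does with @TableID. The table, rows and the tampered value are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for "someTable" from the post.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE someTable (ID INTEGER PRIMARY KEY, field1 TEXT, field2 TEXT, field3 TEXT)"
    )
    con.executemany(
        "INSERT INTO someTable VALUES (?, ?, ?, ?)",
        [(1, "a1", "a2", "a3"), (2, "b1", "b2", "b3"), (3, "c1", "c2", "c3")],
    )
    return con


def lookup_concatenated(con, table_id):
    # The pattern the post warns against: the value from the HTTP post is
    # pasted into the SQL text, so the database cannot tell data from code.
    sql = "select field1, field2, field3 from someTable where ID = " + str(table_id)
    return con.execute(sql).fetchall()


def lookup_parameterized(con, table_id):
    # The fix from the post: a placeholder in the query and the value handed
    # over separately (sqlite3 uses "?" where SqlClient uses "@TableID").
    sql = "select field1, field2, field3 from someTable where ID = ?"
    return con.execute(sql, (table_id,)).fetchall()


def compare(table_id):
    # Returns (rows from the concatenated query, rows from the parameterized
    # query) for one posted value, so the two behaviours can be put side by side.
    con = make_db()
    return lookup_concatenated(con, table_id), lookup_parameterized(con, table_id)


if __name__ == "__main__":
    # A normal posted value: both queries return the one matching row.
    print(compare(2))
    # A constructed tampered value of the kind the post describes forcing into
    # the POST: the concatenated query hands back every row, the parameterized
    # one treats the whole string as a single ID value and matches nothing.
    print(compare("2 OR 1=1"))
```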
---------------
BTW, I take great pleasure in mentioning that The Witt turns $28 (that’s hex) in a little less than 2 months... unfortunately I turn $28 about 2 weeks before him.
posted on Tuesday, June 24, 2008 9:15 PM