Category Archives: dotNET

ADODB wrapper: changes from .NET 1.0 to .NET 1.1??

I had a hell of a time tracking down a problem that was occurring on a remote web service/web server today and finally came to this. Hopefully, if this helps someone else in the future, then my hours won’t have been totally wasted.

I have a web service that is required to return a recordset (this is an old app that I wrote a lot about in the past) and has been in production for 9 months with no problems.

Since it had been written and deployed in ASP.NET 1.0, I just left it alone although all of my later apps were in 1.1. The application had a Windows Forms front end and a web service back end. I finally updated the web server at my client site to 1.1 and it broke that application.

I tracked down the problem finally to the ADODB wrapper, finally noticing that the ADODB.dll copied to my web service was from 2/1/02 and the one on my development machine was from 4/1/03. That still didn't do the trick (grumble).

I had originally used an ASP-style method for the parameters (since I have to use ADO, not ADO.NET, to deal with the recordset), which basically worked like this:

' Read each parameter back by position from the command's Parameters
' collection and set its value.
Dim oprm As ADODB.Parameter
oprm = oCMD.Parameters.Item(1) ' sampleid
oprm.Value = SampleID
Dim oprm2 As ADODB.Parameter
oprm2 = oCMD.Parameters.Item(2) ' testenum
oprm2.Value = testenum

Now the application was crapping out at "oCMD.Parameters.Item(1)", telling me that the object variable was not set.

This was working perfectly fine on my development machine against Windows 2003, IIS 6 and SQL Server 2000 but NO LONGER WORKING on my client's Windows 2000 server with IIS 5 and SQL Server 7.

Finally after a lot of testing, watching sql profiler, and general state of aggravation, I found that this worked:

' Create each parameter explicitly and append it to the command,
' instead of reading it back by position from oCMD.Parameters.
' The size argument (4) is the byte width of adInteger.
Dim pid As ADODB.Parameter = oCMD.CreateParameter("sampleid", ADODB.DataTypeEnum.adInteger, ADODB.ParameterDirectionEnum.adParamInput, 4, SampleID)

oCMD.Parameters.Append(pid)

Dim paramtest As ADODB.Parameter = oCMD.CreateParameter("testenum", ADODB.DataTypeEnum.adInteger, ADODB.ParameterDirectionEnum.adParamInput, 4, testenum)

oCMD.Parameters.Append(paramtest)

This finally gave me success. I'm sure that if I had realized exactly what the problem was I could have found information via Google or MSDN, but the real problem was pinpointing the problem.

HTMLEncode and Cross-Site Scripting Attacks: User Input Is Not Always Coming from the Form!

One thing to consider when rendering output to the browser is to HTML-encode any text that you send out, e.g. Label1.Text = Server.HtmlEncode(myString) (or HttpUtility.HtmlEncode outside of a page). It's pretty obvious to do this with direct user input, for example a search form where you spit back "Your search for 'dogs' resulted in 23 articles". But consider user input that has been stored in a database. That is STILL user input! Perhaps a user profile where favorite color = <script>alert('you are SOL dude')</script>. So even though the text is coming from your database rather than from a form post, you still need to HTML-encode it, and the place to do that is where it is rendered, not where it is stored, so that every page that displays the value is covered. The same goes for anything else that originated outside your own code: query strings, cookies, HTTP headers, data returned by another web service, imported files.

HtmlEncode is not always going to be the solution: it is the right encoding for text placed in the HTML body or in a double-quoted attribute, while a value dropped into a URL needs UrlEncode and a value inside a script block needs JavaScript escaping. Use HtmlEncode by default and only skip it when you have a specific reason, such as rendering markup you have already validated. Here is a post by Jon Box where he has a similar conundrum.

Similarly, the Page object's ValidateRequest (in ASP.NET 1.1), which is on by default, is not going to be helpful 100% of the time: it only inspects the incoming request (form, query string and cookie values) for markup-like patterns, and it does nothing about data that is already sitting in your database. You also need to be very thoughtful if you are going to turn it off, whether per page with ValidateRequest="false" in the @ Page directive or site-wide through the pages element in web.config. Here is some more info on that from Don Kiely.
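The point above, as an added example that is not the post's own code: one value pulled from a user profile is rendered into three output contexts, and the encoding has to match the context. The profile value and column name are constructed for the example, and the module needs a reference to System.Web.dll to compile.

```vbnet
' Added example (not the author's code): the same stored profile value
' rendered into three output contexts. Needs a reference to System.Web.dll;
' the profile row and column name are constructed for this example.
Imports System
Imports System.Web

Module StoredInputEncoding

    ' Constructed sample value standing in for a "favorite color" column.
    ' It was typed into a form months ago, so it is still user input.
    Public Const StoredFavoriteColor As String = _
        "<script>alert('you are SOL dude')</script>"

    ' HTML body or Label.Text: HtmlEncode turns < > & and the double quote
    ' into entities, so the browser shows the text instead of running it.
    Public Function RenderAsText(ByVal stored As String) As String
        Return HttpUtility.HtmlEncode(stored)
    End Function

    ' Double-quoted attribute: HtmlEncode is still the right call. The 1.x
    ' HtmlEncode leaves the single quote alone, so the same value inside a
    ' single-quoted attribute could still break out of it; always quote
    ' attributes with double quotes when you rely on HtmlEncode.
    Public Function RenderAsAttribute(ByVal stored As String) As String
        Return "<input type=""text"" name=""color"" value=""" & _
               HttpUtility.HtmlEncode(stored) & """>"
    End Function

    ' Query string: the value must be URL-encoded so it stays one parameter.
    ' UrlEncode also escapes quotes and angle brackets, so the result is
    ' safe inside the double-quoted href as well.
    Public Function RenderAsLink(ByVal stored As String) As String
        Return "<a href=""search.aspx?color=" & _
               HttpUtility.UrlEncode(stored) & """>same color</a>"
    End Function

    Sub Main()
        ' Encode at render time, never once at storage time: the raw value
        ' stays editable and every page that displays it gets the same treatment.
        Console.WriteLine(RenderAsText(StoredFavoriteColor))
        Console.WriteLine(RenderAsAttribute(StoredFavoriteColor))
        Console.WriteLine(RenderAsLink(StoredFavoriteColor))
    End Sub

End Module
```

If a page genuinely has to accept markup (a rich-text editor, say), turn ValidateRequest off for that one page with the @ Page directive rather than site-wide, validate the input against what you expect, and still encode everything else on the way out.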

Getting ready for Boston DevDays

I’ll admit I was nervous going into my first DevDays talk in Hartford a few weeks ago. I just didn’t feel like I “owned” my material yet. Boston DevDays is 2 days away and I am REALLY looking forward to doing my talk. Since Hartford, there has been a plethora of output analysis and further digging into the DevDays content. I have learned a lot and also just had a chance to come to a much better understanding of the many areas that I cover in the Defenses and Countermeasures session. Also given the great volume of information that I am trying to present, I am also feeling more prepared about how to give some real value in the hour that I have rather than fly through the deck.

I will be using my TabletPC to give my presentation this time.

I will also be staying an extra day to talk about the possibilities with custom applications written to leverage the Tablet PC (in Tyngsboro) at this free event held by the folks who bring you www.tabletpctraining.com.

More on ValidateRequest: Don Kiely in ASPNetPro “safe by default comes at a cost”

I recently learned about the v1.1 ValidateRequest (on by default) feature and wrote about it (though the comments to that post are the most interesting part...). Don Kiely has more to say on ValidateRequest in this quick ASPNetPro article. If you are writing ASP.NET 1.1 sites, you should really be aware of what's going on in the background with this and take responsibility for your applications.

Q&A with VJ# and C# Team on Generics

From a conversation with Brian Keller, the PM on the VJ# team, and some additional input from C# dudes Dan Fernandez and Eric Gunnerson.

For further enlightenment, read Jason Clark's introductory article on "what is generics..." from the Sept 2003 MSDN Magazine.

Q) I know I can’t code VJ# for beans, but why can’t I create generic classes in VJ# like I can in C# and VB.NET?

A) VJ# can consume generics but cannot create generics.

Q) But Generics is part of the CLR. Why is it acting like it is only a language enhancement for C#, VB.NET and C++.NET?

A) Generics are baked into the CLR as much as other data types are built into the CLR and IL. The way generics are implemented is that when you use a generic type, a "placeholder" is added where the generic value will be used in the resulting IL. Only on first execution is a specific version of the specialized class created. Once you get to the IL level, there is nothing language specific going on, it's all the CLR. The BCL has several examples of generics including collection classes available in the System.Collections.Generic namespace, and ObjectSpaces, an object-relational mapping tool, is using generics for its underlying data structures. Generics are present at the IL level; that is, if you declare a parameter as a List<int>, you will get that type if you use reflection on the parameter.

Q) So if it is in the CLR and I can’t fully use it in VJ#, does that mean it is up to the language developers to leverage it (or not)

A) Correct, generics were not added to the Common Language Specification because it puts a large onus on language developers that would then need to implement generic data types in their compilers. It will likely be added to the CLS in the Orcas timeframe (following Whidbey).

Q) Aha! This is definitely a point of confusion/contention because at first many people kept saying that generics is a C# language enhancement and suggesting that it did not exist in VB.NET, which pissed off a lot of VB people. Even Elden Nelson wrote something that was interpreted that way in an editorial for ASPNetPro. Then the word was "no no no, generics is part of the framework and therefore available everywhere..." But that statement doesn't quite work, as we see with the lack of the implementation in VJ#. So what we are really seeing is variations on implementation: C# does it one way, VB.NET does it another and VJ# does it another. The lack of the "consuming" implementation in VJ# is not really any different than the language difference, for example, between how we declare a variable in VB.NET and how we do that declaration in C#.

A) You are correct, C#, Visual Basic, and C++ will support creating and consuming generics.  J# will only support consuming generics at this time, largely because the Java community has yet to start using generics.

Q) Let’s qualify “Consume generics” for our audience: does that mean if I have an assembly that I wrote in VB or C# and it contains some generic custom classes, then I can use those from a VJ# assembly just as I would access the system.collections.generic classes?

A) Correct, you can use these classes, you simply cannot create your own.
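What the answers above describe, as an added example that is not part of the Q&A: a generic class written in VB.NET (Whidbey-era syntax), a method whose parameter is declared as List(Of Integer), and reflection showing that the CLR metadata carries the constructed generic type, exactly as a VJ# caller would see it. The class and method names are made up for the example.

```vbnet
' Added example (not from the Q&A): a generic type defined in VB.NET and
' what the CLR reports about it through reflection. Names are assumptions.
Imports System
Imports System.Collections.Generic
Imports System.Reflection

' A generic class written in VB: the compiler emits one IL definition with
' a placeholder for T; nothing about it is VB-specific once compiled.
Public Class Bounded(Of T)
    Private ReadOnly _items As New List(Of T)
    Private ReadOnly _limit As Integer

    Public Sub New(ByVal limit As Integer)
        _limit = limit
    End Sub

    ' Refuses items past the limit instead of growing without bound.
    Public Function TryAdd(ByVal item As T) As Boolean
        If _items.Count >= _limit Then Return False
        _items.Add(item)
        Return True
    End Function

    Public ReadOnly Property Count() As Integer
        Get
            Return _items.Count
        End Get
    End Property
End Class

Public Class Consumer
    ' A parameter declared as List(Of Integer) is visible to any other
    ' .NET language (a J# caller included) as that constructed type.
    Public Sub Total(ByVal values As List(Of Integer))
    End Sub
End Class

Module GenericsDemo
    Sub Main()
        ' Using the generic from the same language it was written in.
        Dim b As New Bounded(Of String)(2)
        Console.WriteLine(b.TryAdd("a"))
        Console.WriteLine(b.TryAdd("b"))
        Console.WriteLine(b.TryAdd("c"))   ' refused: limit reached

        ' The parameter type in the metadata is the constructed List`1 of Int32,
        ' not a plain List and not something only VB understands.
        Dim p As ParameterInfo = GetType(Consumer).GetMethod("Total").GetParameters()(0)
        Console.WriteLine(p.ParameterType.FullName)
        Console.WriteLine(p.ParameterType.IsGenericType)
        Console.WriteLine(p.ParameterType.GetGenericArguments()(0).Name)

        ' Each set of type arguments is its own runtime type, and all of them
        ' point back at the single generic definition the compiler emitted.
        Console.WriteLine(GetType(Bounded(Of Integer)) Is GetType(Bounded(Of String)))
        Console.WriteLine(GetType(Bounded(Of Integer)).GetGenericTypeDefinition() Is GetType(Bounded(Of )))
    End Sub
End Module
```

The reflection lines are the "consuming" side of the story: a language that cannot declare Bounded(Of T) itself can still instantiate Bounded(Of String) and call Total with a List(Of Integer), because the type information lives in the assembly metadata rather than in the source language.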

code generation starting to show up on my own radar

For some reason, I have not been that interested in code generation up until recently. I have looked only briefly at some of the tools out there and not at all at others. I guess I saw them as an all-or-nothing situation, rather than leveraging code generation for bits and pieces of my development and then going back to my old control-freak usual self for the rest. However, recently two things have been turning my head. One is constant exposure to it through Kathleen Dollard and the other was seeing an example of code generation that Jason Beres showed in our user group meeting on Monday. I watched him, with a button, create pieces of code that I am writing by hand, the way I would write them. It was a "V-8" moment. Can't drop everything and play with it at the moment, but it will happen, hopefully before the next time I start coding up a class full of properties that are more than 50% matching the structure of a table in my database.

Rich Turner and Omri Gazitt on Soap Messaging: Chunk today– MTOM tomorrow

[Warning: I am NO Indigo or ws-messaging, etc. wonk, but] this post, by Rich of the Indigo team, which references a post by Omri, caught my eye.

I learned a while ago why DIME can suck – if you have a large attachment, you can’t truly leverage the fluidity of streaming since the entire thing needs to get cached first.

So when someone writes about DIME and web service attachments I pay attention.

Rich Turner writes today about MTOM which is still a little wobbly but (from the best I can get from Omri’s post) will be worth the wait because of how it will be able to work with ws-security down the road.

For today, Rich says, we are still stuck with DIME (if Simon Fell ever followed me to my new blog, surely he is cringing with that statement... :-)) and its limitations, and (though I recommend you read Rich's and Omri's entire posts) do heed Rich's advice: "...we strongly urge you to consider chunking your messages into smaller payloads at the source and de-chunking them at the destination."
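Rich's advice, as an added example that is not part of his or Omri's posts: an application-level chunker that splits an attachment into numbered pieces at the source and reassembles them at the destination, refusing a transfer with a missing, duplicate or foreign chunk rather than silently producing a corrupt file. The Chunk class, the transfer id, the chunk size and the sample payload are all assumptions made for this example; nothing here is a DIME or MTOM feature.

```vbnet
' Added example (not from Rich's or Omri's posts): chunk a payload at the
' source, carry the pieces as small messages, reassemble at the destination.
' The Chunk class, chunk size and sample payload are assumptions.
Imports System
Imports System.IO
Imports System.Security.Cryptography

' One message on the wire; a real service would expose this from a web method.
Public Class Chunk
    Public TransferId As String     ' groups the chunks of one attachment
    Public Index As Integer         ' position within the original payload
    Public Total As Integer         ' how many chunks the receiver should expect
    Public Data As Byte()           ' at most ChunkSize bytes
End Class

Module Chunking
    Public Const ChunkSize As Integer = 16 * 1024   ' assumed per-message limit

    ' Split at the source: each piece is small enough to send as an ordinary
    ' message instead of buffering the whole attachment before sending.
    Public Function SplitPayload(ByVal transferId As String, ByVal payload As Byte()) As Chunk()
        Dim total As Integer = CInt(Math.Ceiling(payload.Length / ChunkSize))
        If total = 0 Then total = 1
        Dim result(total - 1) As Chunk
        For i As Integer = 0 To total - 1
            Dim offset As Integer = i * ChunkSize
            Dim size As Integer = Math.Min(ChunkSize, payload.Length - offset)
            Dim c As New Chunk
            c.TransferId = transferId
            c.Index = i
            c.Total = total
            c.Data = New Byte(size - 1) {}
            Array.Copy(payload, offset, c.Data, 0, size)
            result(i) = c
        Next
        Return result
    End Function

    ' De-chunk at the destination. Chunks may arrive in any order; anything
    ' that does not fit the expected transfer is refused outright.
    Public Function Reassemble(ByVal transferId As String, ByVal chunks As Chunk()) As Byte()
        If chunks.Length = 0 Then Throw New ArgumentException("no chunks received")
        Dim total As Integer = chunks(0).Total
        Dim ordered(total - 1) As Chunk
        For Each c As Chunk In chunks
            If c.TransferId <> transferId OrElse c.Total <> total Then
                Throw New InvalidOperationException("chunk belongs to another transfer")
            End If
            If c.Index < 0 OrElse c.Index >= total OrElse Not ordered(c.Index) Is Nothing Then
                Throw New InvalidOperationException("duplicate or out-of-range chunk " & c.Index)
            End If
            ordered(c.Index) = c
        Next
        Dim ms As New MemoryStream
        For i As Integer = 0 To total - 1
            If ordered(i) Is Nothing Then Throw New InvalidOperationException("missing chunk " & i)
            ms.Write(ordered(i).Data, 0, ordered(i).Data.Length)
        Next
        Return ms.ToArray()
    End Function

    ' Digest used to confirm the reassembled bytes match what was sent.
    Public Function Sha1Hex(ByVal data As Byte()) As String
        Return BitConverter.ToString(New SHA1Managed().ComputeHash(data)).Replace("-", "")
    End Function

    Sub Main()
        ' Constructed payload: 100,000 pseudo-random bytes standing in for an attachment.
        Dim payload(99999) As Byte
        Dim rng As New Random(7)
        rng.NextBytes(payload)

        Dim chunks As Chunk() = SplitPayload("xfer-1", payload)
        Array.Reverse(chunks)   ' simulate out-of-order arrival at the destination
        Dim rebuilt As Byte() = Reassemble("xfer-1", chunks)

        Console.WriteLine("chunks sent: " & chunks.Length)
        Console.WriteLine("payload intact: " & (Sha1Hex(payload) = Sha1Hex(rebuilt)))
    End Sub
End Module
```

Sending the digest along with the first chunk, and checking it after reassembly, is what lets the receiver tell a truncated or tampered transfer from a complete one; the transfer id and total count on every chunk are what stop chunks from two concurrent uploads being spliced together.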