C'mon! Get with the programme!

Oracle really need to learn how to write software properly. Especially as a simple thing like a space in the file path can defeat it. All applications on my system are installed in C:\Program Files without exception. That keeps everything nice and tidy and I don’t have lots of crazy folders hanging around in odd places.

Microsoft, over 10 years ago now, made a massive effort to clean up where various files should go and created an API so that any developer can get the name of one of these special directories. This is excellent because it means that you can have locale-specific folder names and software still works and knows where files are located, or are to be installed by default, because the operating system handles it all.

Oracle Installation

That is, except if you are Oracle. The company seems to think it can get away with not putting files in the right place. And…. Well…. I guess it has got away with it because I don’t seem to have a choice if I want to install their software. I must install it in a path with no spaces in it, and C:\Program Files has a space in it.

I know it might sound like a minor thing, but I like to keep my primary partition (C: drive) nice and clean and without clutter. Now, I have to clutter it with a folder that should, logically if not physically, go somewhere else.

This does not endear me to Oracle one little bit.

NOTE: This was rescued from the Google Cache. The original date was Saturday, 13th May 2006.

Downloading from Oracle

I’m currently downloading Oracle Database 10g Express Edition and I just got the oddest email from Oracle themselves. In order to download the product, I had to register on their website. There were the usual set of check boxes for various newsletters that may interest me. I ensured they were all blank. And I signed up. I’m currently downloading the 157Mb download and then my email pops up to tell me I’ve got a message. It was Oracle to tell me:
 

We have received a request to unsubscribe the following e-mail address, XXXXXXXXXXX@YAHOO.CO.UK, from Oracle e-mail communications and subscriptions. If you did not request to be removed or do not wish to unsubscribe please click here to update your communication preferences.*

*Please note, as an Oracle customer or Partner you may continue to receive e-mail communications containing business critical information.

I don’t remember signing up for anything. But I’m pretty pleased that I’m unsubscribed from the newsletters I don’t remember signing up for.

I suspect Oracle really need to do a check before sending this email out to see if the person is actually subscribed to anything in the first place. And if not, then don’t bother with this email.

NOTE: This was rescued from the Google Cache. The original date was Saturday, 13th May 2006.

The new Model View Controller

I’ve always had an inkling that there was something not quite right about the Model-View-Controller pattern. Something didn’t sit right with me that (1) the View asks the Controller to do something, (2) the Controller in turn manipulates the Model, (3) the Model emits events to tell the View that it has changed and finally (4) the View queries the Model in order to update the display.

MVC

In the traditional fashion the Model knows nothing of the View – which is just as it should be. But the View, in my opinion, knew too much about the Model.

I felt that the View shouldn’t know anything about the Model. But many books on the subject seemed to be suggesting strongly that this was the correct way to do things. It seems that many people shared my opinion, which is why there is the Model-View-Presenter pattern, which is now gaining acceptance.

First off, let’s take a step back. What are the Model, View and Controller?

The View is the visualisation of the Model to the user: it is the web page or the Windows form.

The Model contains the business objects, although it could just be a proxy for a service layer.

The Controller is the thing that manipulates the Model on behalf of the View. In many applications the Controller gets tightly coupled to the View as it is absorbed into the code-behind class in Web Forms and so on. Strictly speaking, it should be a separate class. When the Controller is a separate class, it can be part of the Strategy pattern, which means that one controller class can be swapped for another if you want the View to have different behaviour.

So, what about this Presenter? Well, the Presenter is the replacement for the Controller. In this case (1) the View asks the Presenter to do something, (2) the Presenter in turn manipulates the Model, which are the same steps as in Model-View-Controller, but finally (3) the Presenter updates the View. In this case the Model does not emit events that are handled in the View, and the View does not know anything about the Model.

MVP

Now the interesting thing is that the Presenter has no knowledge of UI controls at all. It does not depend on the view. It just depends on an interface that the view implements. This has a big benefit when it comes to unit testing. The UI class can be mocked with another class that implements the same interface and so the Presenter, which contains the bulk of the user interaction code, can be unit tested easily.

You’ll notice that in the second diagram there were no events being fired by the Model. This can still occur if necessary. For example, if there are many views open and the user updates one, the model can emit events that the presenters responsible for the other views can pick up on. So, the difference is just in which object receives and handles the events.
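As an added example (not code from the original post), here is the arrangement described above in C#: the Presenter depends only on an IProductView interface, the Model knows nothing of either, and a fake view stands in for the real form so the Presenter can be unit tested. All type and member names are invented for illustration.

```csharp
using System;
using System.Collections.Generic;

// Model: the business objects. It knows nothing of the View or the Presenter.
public class ProductCatalogue
{
    // Constructed sample data standing in for a real data store.
    private readonly Dictionary<string, decimal> prices =
        new Dictionary<string, decimal> { { "Widget", 9.99m }, { "Gadget", 24.50m } };
    public bool TryGetPrice(string name, out decimal price) => prices.TryGetValue(name, out price);
}

// All the Presenter knows about the UI: an interface the real Web/Windows Form implements.
public interface IProductView
{
    string SearchText { get; }
    void ShowPrice(string text);
    void ShowError(string text);
}

// Presenter: the interaction logic. It updates the View, so the View never queries the Model.
public class ProductPresenter
{
    private readonly IProductView view;
    private readonly ProductCatalogue model;
    public ProductPresenter(IProductView view, ProductCatalogue model)
    {
        this.view = view;
        this.model = model;
    }
    // The View calls this when the user clicks Search.
    public void Search()
    {
        string name = (view.SearchText ?? "").Trim();
        if (name.Length == 0) { view.ShowError("Enter a product name."); return; }
        if (model.TryGetPrice(name, out decimal price))
            view.ShowPrice(name + ": " + price.ToString("0.00"));
        else
            view.ShowError("No product called '" + name + "'.");
    }
}
// Test double: same interface as the real form, but it only records what the Presenter
// told it, so the Presenter is unit-testable without any UI framework being loaded.
public class FakeProductView : IProductView
{
    public string SearchText { get; set; }
    public string LastPrice { get; private set; }
    public string LastError { get; private set; }
    public void ShowPrice(string text) => LastPrice = text;
    public void ShowError(string text) => LastError = text;
}
public static class Program
{
    public static void Main()
    {
        var view = new FakeProductView { SearchText = " Widget " };
        new ProductPresenter(view, new ProductCatalogue()).Search();
        Console.WriteLine(view.LastPrice);   // set by the Presenter, not by any UI code
    }
}
```

Swapping FakeProductView for the real form is the only change needed in production; the Presenter is compiled against the interface alone.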

If you want to see a practical demonstration of the Model-View-Presenter pattern then you might like to download the dnrTV show by Jean-Paul Boodhoo on the MVP pattern.

NOTE: This was rescued from the Google Cache. The original date was Wednesday, 10th May, 2006.

Banks need to get more serious about security

I promised a couple of months back that I’d blog about a “security incident” with an agent of my bank once the transition was complete. Well, the transaction completed last week and then something similar happened with my credit card company. Anyway, I’ve calmed down now so here’s what happened….

I re-mortgaged my house in order to (1) get a better deal and (2) free up some of the equity so I could do some improvements. The improvements have started – I’m repainting some rooms and at the weekend I ordered the new carpets.

My new mortgage provider, let’s call them Intelligent Finance (because that’s their name), said that they’d have a firm of surveyors call me to arrange a time to come and value the property. A couple of days later the company phoned me. The woman I spoke to said she was from the surveying company and she’d called to arrange a time, and would I give her my credit card number so that the survey could be paid for in advance.

I didn’t know who this person was. They could have been anybody who might have happened to find out I was re-mortgaging; it wasn’t exactly a secret that I was doing that. So I said that, given that I wasn’t able to verify that she was who she said she was, I wasn’t going to hand over my credit card details to someone who phoned me.

This is an issue I feel very strongly about. Despite what many people believe, it is well known that one of the least safe credit card transactions is the over-the-phone “cardholder not present” transaction. I’m not keen on giving my card details over the phone even when I’m initiating the call, but when someone calls me and I have no way to verify who they are then I will never give out any details.

So, I phoned IF to get the phone number of their surveyors and said how disappointed I was in the complete lack of security. I phoned the surveyors back on a number that I knew came from a trusted source (my bank) and paid for the survey.

Now that my re-mortgage is through, I started to buy the things I wanted for the home improvements I was doing. So, I went to buy a new carpet for my lounge, hall and bedroom. I was asked to pay a deposit (if you can call 80% a deposit) and the card had to be authorised over the phone with the bank. When I got home there was a message waiting for me on my voicemail to say that my card had been used in an unusual transaction and could I call my bank’s fraud department.

This bank, let’s call them The Royal Bank of Scotland, asks in the voicemail that I call their fraud department on a specific phone number. So, I look on my card to verify the number. It isn’t there. I look over my old statements to verify the phone number. It isn’t there either. I cannot verify that the phone number given to me belongs to the bank. So I phone their customer services department to say that I apparently had a call from their fraud department but I wasn’t able to verify whether it really came from the RBS or not. The woman I spoke to confirmed that it was them that had phoned.

Now, there are many vulnerable people out there who don’t take security issues all that seriously and would blindly call a phone number like that thinking there was something wrong. I suggested to the person that I spoke to that a better message might be to say to phone the phone number written on the back of the card or written on the credit card statements. If people start getting messages like this that are genuinely from their bank then they become desensitised to the potential security risks and are more likely to give out their credit card details to the wrong people without realising or even thinking about it.

The excuse from the RBS was that they ask very specific security questions. Really? How is the average consumer meant to know that? How is the consumer meant to verify that the person asking these questions is, in fact, an authorised employee or agent of the bank? In order to carry out a malicious transaction all a con-trickster needs to know is the credit card number, expiry date and the 3 digits on the signature strip. If they want to know more they can ask the most common security questions like: What is your mother’s maiden name? What is your date of birth? What was the name of the first school you attended? If they know the bank’s procedures well enough they can be quite convincing by asking other security questions related to that bank.

I think that on the whole banks are taking security seriously. However, there still remains the issue of trust. How can the consumer trust that the person who phones them is a genuine agent of the bank who is authorised to carry out the task at hand?

NOTE: This was rescued from the Google Cache. The original was dated Tuesday 10th January 2006.

Wading through someone else's source code

A copy of one of my posts on Code Project:

Tintin92 wrote: Add upload ability for users who don’t want to post an article, but add a small sample project to their question.

If I see a question on a forum with a “small sample project” attached I’d ignore it. It is difficult enough to help people as it is without wading through tonnes of source code to try and find their problem. It is much better training for them that they can detect where the problem lies in the first place and present it well than be told to change line 1437 of xyz.vb in order to get their program to work.

In order to help people I already wade through poor descriptions of problems that frequently lack the error message, what the code is supposed to do, what happens, where the problem is, and so on; poor language skills (and I do try to make allowances for people whose first language is not English); the entire file posted (despite the Code Project forum warning the poster that the post is excessive in size); and many other things that make it more difficult for the person trying to help to actually help.

NOTE: This was rescued from the Google Cache. The original post was dated Wednesday 17th May 2006.

Configuring ClearType

For most LCD monitors, turning on ClearType makes fonts look much smoother and easier to read. For some, however, it makes the text look awful. This is because ClearType works at the sub-pixel level: it tweaks the individual red, green and blue dots on the monitor to improve the apparent resolution of the text. However, not all monitors are made the same, and the positioning of those dots may make the text appear fuzzy round the edges because the text is rendered incorrectly for that monitor.

Help is at hand. You can configure the way ClearType is rendered by using Microsoft’s ClearType Tuner, a four-step process to set up ClearType for your monitor.

NOTE: This was rescued from the Google Cache. The original date was Monday 29th May, 2006.

I have never been so frustrated in all my life

A short while ago a guy I was helping out on Code Project commented that “I have never been so frustrated in all my life!!!!!”. He’s just starting out programming, probably lesson 2 or 3 by the looks of the questions he was asking, and was naturally having some initial difficulty understanding the concepts being taught to him. Although I’m trying to be as helpful as possible it did take a lot of effort not to say something along the lines of “Welcome to the club” or “That’s normal, I’ve been writing programs for over 20 years and I still get frustrated by things on a weekly basis”. I said, hopefully encouragingly, “Yeah! But it is such a wonderful feeling when it all works out!”

NOTE: This was rescued from the Google Cache. The original date was Sunday 28th May, 2006.


Some of the original comments:

Yeah, I well remember that sense of bewilderment when I was starting out. It just didn’t seem to make sense that one had to move the contents of memory into the accumulator to perform an operation on it and then move the result back to memory. *shrug*

The move to message based programming was similarly bewildering. Getting used (in the Windows context) to the idea that not only did my program call into the O/S but that the O/S could and would call back into my program took a while.

5/28/2006 1:51 AM | Rob

Looks like he never had a stubborn girlfriend 🙂

5/28/2006 5:34 AM | leppie

Mmmmm… looks like someone else might need to learn about time out with a camera to repair the frustrated, overworked brain 🙂

5/29/2006 3:57 AM | Meg Forbes

Oh No! More on SQL Injection Attacks

I’ve not written about this in a while because it seemed that people were getting the message. But today I was asked, on Code Project, “I am wondering why injecting values into the [SQL] string is considered a security risk?” Here is my response: Because if you inject strings into the SQL, especially ones that come straight from the user interface, then an attacker can produce malformed SQL and gain access to your system. (Where do you live? I can come and do one of my SQL Injection Attack presentations in your town if you want a real live demonstration where I compromise a SQL Server into divulging the innermost secrets of the server it is running on. And I mean the whole server, not just the SQL Server process.*) Let’s say you have a simple bit of SQL like this:

cmd.CommandText = "SELECT * FROM Products where Name = '"+txtSearch.Text+"'";

What happens if the user types in the following?

'; DELETE FROM Products; --

The whole string becomes:

SELECT * FROM Products where Name = ''; DELETE FROM Products; --

That will return a dataset back to the application, which is what it expects, and then delete all the products from the database. When the next customer comes to the website, what is it going to show when there are no products in the database? Okay – there may be some constraints on the table (foreign key constraints) that don’t permit the rows to be deleted. How about something equally damaging to the company? Let’s set their entire inventory to a penny! The malicious user then types:

'; UPDATE Products SET Price = 0.01; --

The word will quickly spread around the internet and the company will soon be out of business or have a huge number of very pissed off customers. If you don’t secure your system the possibilities for attack are endless. Finally, if you want to know more, I encourage you to read my article SQL Injection Attacks and Tips on How To Prevent Them.

* The demonstration is done on a server box that I own. Performing a SQL Injection Attack on a system without the permission of the system owner is a breach of the 1990 Misuse of Computers Act and can carry a penalty of 5 years in jail.
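As an added example that is not from the original post, here is the concatenated query from above in C# beside the parameterised form that prevents the problem, using System.Data.SqlClient. The Products table is the one from the post; the connection string is a placeholder and nothing is executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductSearch
{
    // The post's pattern: the user's text becomes part of the statement, so a
    // quote in the input closes the literal and whatever follows runs as SQL.
    public static string BuildUnsafeSql(string search)
    {
        return "SELECT * FROM Products where Name = '" + search + "'";
    }

    // Hardened form: the statement text is fixed and the value is sent as a typed
    // parameter. The server only ever sees it as data to compare against Name,
    // so a hostile value matches no row instead of becoming a second statement.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string search)
    {
        var cmd = new SqlCommand("SELECT * FROM Products WHERE Name = @name", conn);
        // Declaring the type and length bounds the input and keeps a single cached plan.
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = search;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: the second payload quoted in the post.
        string payload = "'; UPDATE Products SET Price = 0.01; --";

        // Shows the two-statement batch the concatenating version would send.
        Console.WriteLine(BuildUnsafeSql(payload));

        // Placeholder connection string; the connection is never opened.
        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, payload);
            Console.WriteLine(cmd.CommandText);                 // statement is unchanged
            Console.WriteLine(cmd.Parameters["@name"].Value);   // payload travels as data
        }
    }
}
```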

NOTE: This was rescued from the Google Cache. The original date was Wednesday 7th June, 2006.


Original comments: As an MCSD I was entertained by the examples that you provided. I’m relieved however that you’re not a chemist or a physics guru or something… Nicely done…

7/10/2006 10:03 PM | Dee Illuminati

The simplicity of nullable types

I just discovered nullable types. Wow! They are really simple and such a powerful feature. Just see for yourself….

If you have an int or a DateTime or any other value type you’ll already know that you cannot assign null to them. But in C# 2.0 you can.

You can define a nullable int by adding a question mark to the end of the type like this:

int? a = null;

However, you’ll want the new code to work with old code which hasn’t yet been upgraded to use nullable types, so there is a new binary operator to help: ?? (I’ve no idea how you’re meant to pronounce that. I just say “double question mark”).

So, if you want to assign a (above) to a regular int you can do the following:

int b = a ?? -1;

If a is non-null then b is assigned the same value as a. If a is null then b is assigned the value on the right-hand side of the ??. So it is just like the old days where you’d make up a value to represent null for an integer (I normally used int.MinValue).

NOTE: This was rescued from the Google Cache. The original date was Friday, 9th June, 2006.

SQL Injection Attacks and executing dynamically created SQL

There is a very important difference between EXEC[UTE] and sp_executesql that anyone who executes dynamically generated SQL statements ought to know.

Typically dynamic SQL is generated when a particular construct is not possible using parameters alone, or when certain parts are added to the statement depending on other conditions. In the latter case, sp_executesql trumps EXEC[UTE] by giving the developer the ability to pass parameters into the dynamic SQL statement.

For example, consider this code:

SELECT *
FROM MyTable
WHERE a = @wantedA
AND b = @wantedB

If you were dynamically building this and were using EXEC then the code to dynamically build and execute it might look like this:

DECLARE @sql NVARCHAR(4000);
SET @sql = N'SELECT * FROM MyTable '+
           N'WHERE a = '''+@wantedA+N''' AND b = '''+@wantedB+N'''';
EXEC(@sql)

As you can probably guess, without extreme care as to the values of @wantedA and @wantedB an SQL Injection Attack is possible. However, it is possible to dynamically create the SQL statement and still use parameters within it like this:

SET @sql = N'SELECT * FROM MyTable '+
           N'WHERE a = @dynWantedA AND b = @dynWantedB';
EXEC sp_executesql @sql, N'@dynWantedA varchar(100), @dynWantedB varchar(100)',
                   @dynWantedA = @wantedA, @dynWantedB = @wantedB;

As you can see in the second example, instead of injecting the values of the parameters we can write parameter names directly into the dynamic SQL statement and then pass the values in separately.

There is, of course, caution to be exercised. Certain things cannot take parameters. For example, in SQL Server 2000 the TOP keyword must be followed by a literal value. It isn’t possible to write TOP @numRows*, so if that must be dynamic then the value has to be injected into the SQL statement like this:

SET @sql = 'SELECT TOP '+CAST(@numRows AS varchar(10))+' * FROM MyTable';

So, using sp_executesql is not a panacea that will make all issues with SQL injection go away when building dynamic SQL, but it does help in certain cases.

* This is possible in SQL Server 2005, but not SQL Server 2000.
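As an added example (not from the original post), the same idea from the .NET side in C#: the statement is assembled dynamically, with optional filters and a TOP clause, while the filter values still travel as parameters. SqlClient sends a parameterised SqlCommand to SQL Server as an sp_executesql call, so this is the mechanism the post describes; MyTable and the column names follow the post, and the connection string is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class DynamicSearch
{
    // Builds SELECT [TOP n] * FROM MyTable [WHERE ...] where every part is optional.
    // The shape of the statement is dynamic, but the values are still parameters,
    // which is exactly what sp_executesql provides inside T-SQL.
    public static SqlCommand Build(SqlConnection conn, string wantedA, string wantedB, int? topRows)
    {
        var cmd = new SqlCommand { Connection = conn, CommandType = CommandType.Text };
        var sql = new StringBuilder("SELECT ");

        // TOP cannot take a parameter on SQL Server 2000, so the value is spliced in,
        // but only as a range-checked integer: there is no string for a caller to control.
        if (topRows.HasValue)
        {
            if (topRows.Value < 1 || topRows.Value > 1000)
                throw new ArgumentOutOfRangeException(nameof(topRows));
            sql.Append("TOP ").Append(topRows.Value).Append(' ');
        }
        sql.Append("* FROM MyTable");

        // Each filter adds both a clause and the parameter that carries its value.
        var where = new List<string>();
        if (wantedA != null)
        {
            where.Add("a = @dynWantedA");
            cmd.Parameters.Add("@dynWantedA", SqlDbType.VarChar, 100).Value = wantedA;
        }
        if (wantedB != null)
        {
            where.Add("b = @dynWantedB");
            cmd.Parameters.Add("@dynWantedB", SqlDbType.VarChar, 100).Value = wantedB;
        }
        if (where.Count > 0)
            sql.Append(" WHERE ").Append(string.Join(" AND ", where));

        cmd.CommandText = sql.ToString();
        return cmd;
    }

    public static void Main()
    {
        // Placeholder connection string; the connection is never opened.
        using (var conn = new SqlConnection("Server=PLACEHOLDER;Database=PLACEHOLDER"))
        {
            // Constructed inputs: no filter on a, the post's hostile value for b, first 10 rows.
            SqlCommand cmd = Build(conn, null, "'; DELETE FROM Products; --", 10);
            Console.WriteLine(cmd.CommandText);
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine(p.ParameterName + " = " + p.Value);
        }
    }
}
```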

NOTE: This was rescued from the Google Cache. The original date was Thursday, 26th January, 2006.