Oracle just ain’t no damn good
There’s No Place Like 131.107.2.200: Oracle keeps on sucking
Matthew is having some problems with Oracle. I don’t know why he would inflict that kind of pain upon himself, but my guess is it’s client-driven. Damn clients.
I briefly had to work with Oracle 8i at a previous job. I couldn’t figure out any of their GUI tools; half of them wouldn’t install correctly, and I think it took about 2 hours to get to the point where I realized I couldn’t install them. (This was back in the Win2K days, not the halcyon days of, hmmmm, damn, guess I’m still using Win2K. In any case RAM was more expensive so we didn’t have a lot.) I ended up just writing all my DB creation scripts in ViM and running them in SQL*Plus (I think that’s right).
Then they laid off the DBA, who promptly took the admin password with him off to Vegas (Las Vegas, NM). Of course, when we called him up and asked him for the password he couldn’t remember it. Thus began our forced migration to SQL Server. I couldn’t log into any admin interface in Oracle, but we did have a user account that had read access to all of the databases. Yay! So I ended up linking the Oracle server to my SQL Server and using DTS to migrate the data over.
SQL Injection via SQL Parameters?
Possible SQL Injection via SQL Parameters?
Pick up “Writing Secure Code v.2”; they discuss how a stored procedure parameter can be turned into an injection attack.
Mostly, the examples I’ve seen center around the “exec” statement, either embedded in the code or in an SProc.
// Vulnerable: inputFromUser is spliced straight into the command text.
string sqlString = "exec sp_DoSomeStuff '" + inputFromUser + "'";
SqlCommand cmd = new SqlCommand(sqlString, conn);
Wesley might have made a few mistakes…
The Code Project – C# Performance: Mistakes My Friend Makes – C# Programming
But Ellery makes a couple of his own.
Prefixing your variables with the type (i.e. sName) is not very .NET. The reason for this is that your variables are supposed to have meaningful names which allow their type to be identified without the need for a prefix. It’s pretty easy to see the variable types of firstName and dateOfBirth. I believe most people who do this are/were VB programmers who can’t get rid of the habit.
So what’s the type of dateOfBirth? Does it return a string? Is the date it returns a DateTime short date string or long date string? Does it return a DateTime type? Do you have to hover over the var name to find out? How much time does that take out of your day, trying to find the right hover spot in Visual Studio?
In Wesley’s code, the SqlParameter does nothing but introduce unnecessary overhead and code complexity. You can provide parameters to a stored procedure by simply executing it in the SQL code (i.e. “EXEC usp_GetUserDataByID 257;”).
Yes, that’s a great idea, provided Wesley doesn’t care about SQL injection attacks. Concatenating an “EXEC” statement to execute a stored procedure is almost as bad as concatenating the SQL string together: the user’s value still lands inside the command text, so a value containing a quote can close the literal and append statements of its own. The SqlParameter isn’t overhead; it is what keeps the value out of the SQL text.
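To show why the concatenated EXEC in the snippet above, and Ellery’s “EXEC usp_GetUserDataByID 257;” suggestion, are as exposed as any other concatenated SQL, here is an added example. It is not code from the original post or from Wesley’s or Ellery’s articles. It uses Python with an in-memory SQLite database as a stand-in for SQL Server: SQLite has no stored procedures, so the “procedure” is a plain SELECT, and the users/audit tables, their rows and the attacker strings are all constructed for the demo. The vulnerable and parameterised forms sit side by side; the parameterised form is what CommandType.StoredProcedure plus a SqlParameter gives you in ADO.NET.

```python
import sqlite3

# Constructed, in-memory stand-in for the SQL Server database behind
# sp_DoSomeStuff / usp_GetUserDataByID.  SQLite has no stored procedures,
# so the "procedure" is a plain SELECT; that does not matter, because the
# weakness lives in how the caller builds the command text, not in what
# the procedure does.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO users VALUES (257, 'alice', 'alice-secret');
        INSERT INTO users VALUES (258, 'bob',   'bob-secret');
        CREATE TABLE audit (id INTEGER PRIMARY KEY, note TEXT);
        INSERT INTO audit VALUES (1, 'constructed sample row');
    """)
    return conn


def lookup_concat(conn, input_from_user):
    """Mirrors "exec sp_DoSomeStuff '" + inputFromUser + "'": the value is
    spliced into the SQL text, so a quote inside it rewrites the WHERE clause."""
    sql = "SELECT name FROM users WHERE name = '" + input_from_user + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, input_from_user):
    """Hardened form: the value is bound as a parameter and never parsed as SQL
    (the ADO.NET equivalent is CommandType.StoredProcedure + SqlParameter)."""
    sql = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (input_from_user,))]


def exec_batch_concat(conn, input_from_user):
    """The EXEC-by-concatenation pattern sent as a batch.  executescript()
    stands in for SQL Server executing every statement in the command text,
    including any the attacker appended after a closing quote."""
    sql = "SELECT name FROM users WHERE name = '" + input_from_user + "';"
    conn.executescript(sql)


def exec_batch_param(conn, input_from_user):
    """Parameterised call: extra statements in the value stay inside the string."""
    conn.execute("SELECT name FROM users WHERE name = ?", (input_from_user,)).fetchall()


def audit_table_exists(conn):
    """Canary: does the table the attacker tries to drop still exist?"""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = 'audit'"
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(lookup_concat(db, "alice"))            # ['alice']
    print(lookup_concat(db, "x' OR '1'='1"))     # every user: ['alice', 'bob']
    print(lookup_param(db, "x' OR '1'='1"))      # [] (treated as a literal name)
    exec_batch_param(db, "x'; DROP TABLE audit; --")
    print(audit_table_exists(db))                # True
    exec_batch_concat(db, "x'; DROP TABLE audit; --")
    print(audit_table_exists(db))                # False
```

The batch case is the one that matters for “EXEC proc 'value'”: SQL Server runs whatever follows the injected semicolon with the web application’s database permissions, exactly as executescript does here.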
Although not seen in this code example, he ALWAYS sets the CommandType property of the SqlCommand objects, even when he needs CommandType.Text. Text is the default value for that field. No need to set it.
You should never rely on the default properties of classes and methods. What happens to your code if the default property or the underlying enum is changed? Ellery has some learning to do too.
ObjectSpaces and WinFS and vendor lockin
ObjectSpaces and WinFS Part 2 – Apples and Apples
Hank Fay hits upon a key piece of information that no one is mentioning in all the press/blog entries surrounding the rolling of ObjectSpaces into WinFS.
Question: will this merger create an unbreakable tie-in between ObjectSpaces and WinFS, such that other relational datastores (think Oracle, MySQL, PostgreSQL, DB2, Firebird, etc.) are no longer in the picture? Or am I missing something here?
Nope, Hank, I’d say you are right on target. Unless MS plans to make the ObjectSpaces provider pluggable (e.g. a FileSystem provider, a SQL provider, an Exchange Mailbox provider, etc.), I’d say that’s exactly what Microsoft is hoping for.
Udi on strongly typed collections
Udi Dahan – The Software Simplist: Code breaks, automated code breaks automatically
Good point Udi,
My concern about the memory usage was not only the memory used by the static collection itself but also the fact that you end up creating the same collection in memory twice: once when you create the DataSet/DataReader and then again when you create the strongly typed object for each row in your dataset. Since I’m working in a web-based environment I end up creating everything on each page load unless I cache the collection. This works when the contents of the collection are shared by every user of my system, say if I cache the strongly typed collection that is the data source for a drop-down control. If the contents of the collection are specific to a user, in my example a collection of patients that the user is allowed to see, then I have to cache each collection separately.
I explain myself a little better in this comment.
Securing connection string using the DPAPI
So when you are storing the connection string in an ACL’ed registry key, who has access to that key? Which profile? Doesn’t the user profile running your web application process have to have access to the ACL’ed registry key containing your connection string? What happens if someone compromises your web application and can run code under the web app’s user profile? Don’t they gain access to your encrypted registry key anyway?
“Sure, but it’s encrypted.” Well, if they’ve gained access to your web app’s user profile, meaning they can run code as the web application, don’t they have access to the decrypting code too? DPAPI derives its protection key from the account (or, for machine scope, the machine) that did the encrypting, so any code running as that account can call the same unprotect routine and get the plaintext back.
Along those lines, if they gain access to your web.config they also gain the ability to decrypt the connection string stored in it.
Little things like encrypting connection strings are only the first step in securing your web applications. If you encrypt something and leave the key sitting around, is it really still secure? Think about the security of the infrastructure as well as the intrusion points in your applications. It’s not just about prevention, it’s about containment as well. That’s the reason prisons not only have bars on the cells, but have a big wall outside.