Good2Know: ASP.NET MVC, WCF Services and Beyond

Yesterday I attended an MSDN Event that covered an assortment of pretty cool topics (IIS 7, ASP.NET Administration Services, etc.). Later that day I also attended the monthly HDNUG (Houston DotNet Users Group) meeting where another cool topic was covered (ASP.NET MVC Framework). I got so much information within such a short span of time that I had to come here and tell you all about it. So here it goes.

ASP.NET 2.0 MVC Framework

ASP.NET MVC Framework (Part 1)

ASP.NET MVC Framework (Part 2): URL Routing

ASP.NET MVC Framework (Part 3): Passing ViewData from Controllers to Views

ASP.NET MVC Framework (Part 4): Handling Form Edit and Post Scenarios

Basically, this framework lets you separate your logic from the presentation layer so well that it makes code-behind pages a thing of the past. It also allows for intuitive URL routing, which basically means that instead of having http://servername/someappname/GetItems.aspx and http://servername/someappname/GetSingleItem.aspx, you would have http://servername/someappname/Items/GetSingle and http://servername/someappname/Items/GetAll. More specifically for our environment, you set up applications such as http://servername/someappname/Items/Get/27 or http://servername/MyItems/GetAll/username. You get the idea. The URL becomes a more intuitive part of the application, not only in how the application is accessed but also in how it is navigated. The framework also simplifies the layers between the actual HTML code and the logic behind every page.

Windows Communication Foundation (WCF) Services

Hosting and Consuming WCF Services http://msdn2.microsoft.com/en-us/library/bb332338.aspx

WCF takes what exists in the Web Services world beyond the HTTP protocol to a host of other protocols such as TCP, Named Pipes, etc. Since it does not run under IIS, the only mechanism for communication with the service is the protocol itself (such as net.tcp://servername/ServiceName or net.tcp://servername:8080/ServiceName).

Good Tutorial

http://msdn2.microsoft.com/en-us/library/aa480190.aspx

Main Security Threats In Web Apps

XSS (Cross Site Scripting) Attacks

This is where the user exploits a lack of validation to insert script into a text area and get information from the state of the page. If you do not validate input well enough, your application might be vulnerable to this attack. Just add // to any textbox and see what happens.

Prevention:

Use .NET 2.0’s built-in AntiXSSLibrary

SQL Injection

Given the URL http://SiteName.com/getitem.aspx?id=22

and the code "select * from tablename where id=" & Request.QueryString("id") running without validation,

the attacker can change the URL to http://SiteName.com/getitem.aspx?id=22;delete from tablename where id=22 or even run stored procedures against the database.

Prevention:

Good article here

http://msdn2.microsoft.com/en-us/library/ms998271.aspx
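
The concatenated query from above next to a validated, parameterized version, as an added example that is not part of the original post. The module and function names are hypothetical, and no database connection is needed because the commands are only built, not executed.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module SqlInjectionDemo
    ' Vulnerable pattern from the post: the query-string value
    ' becomes part of the SQL text itself.
    Function BuildConcatenated(ByVal rawId As String) As String
        Return "select * from tablename where id=" & rawId
    End Function

    ' Hardened form: check the type first, then bind the value as a parameter.
    ' The SQL text is a constant; the id travels separately as a typed value.
    Function BuildParameterized(ByVal rawId As String) As SqlCommand
        Dim id As Integer
        If Not Integer.TryParse(rawId, id) Then
            Throw New ArgumentException("id must be an integer")
        End If
        Dim cmd As New SqlCommand("select * from tablename where id = @id")
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id
        Return cmd
    End Function

    Sub Main()
        ' Constructed inputs: the two id values from the URLs in the post.
        Dim inputs() As String = {"22", "22;delete from tablename where id=22"}
        For Each raw As String In inputs
            Console.WriteLine("input        : " & raw)
            Console.WriteLine("concatenated : " & BuildConcatenated(raw))
            Try
                Dim cmd As SqlCommand = BuildParameterized(raw)
                Dim bound As String = cmd.Parameters("@id").Value.ToString()
                Console.WriteLine("parameterized: " & cmd.CommandText & " [@id=" & bound & "]")
            Catch ex As ArgumentException
                Console.WriteLine("parameterized: rejected (" & ex.Message & ")")
            End Try
        Next
    End Sub
End Module
```

To run the query for real, set the command's Connection property to an open SqlConnection and call ExecuteReader.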

Good article about security

http://msdn2.microsoft.com/en-us/library/ms998372.aspx

That’s all folks!