Saturday, 11 December 2010

Creating An ASP.NET RSS Feed, Using Data From SQL Server And HTTP WebHandler

There are a couple of ways to create an RSS feed from a SQL database store. Over at 4GuysFromRolla.com, there’s a post explaining how to create an RSS feed using a regular old ASP.NET Web Form.

Another option would be to write a script that creates an actual XML file on some periodic basis (probably just before the recommended “time to live” setting of the feed). The benefit of that is, one taxes the database server a little every now and then, and a “real” XML file does the work.

But as a rule, for ASP.NET applications, Microsoft recommends using HTTP handlers or modules whenever one wants to present data other than HTML.

(Aside on handlers vs. modules: A handler is a special ASP.NET Web page; a module is a plug-in one can install in Internet Information Server. If you’ve got a lot of different, special-case Web processing, or one need that is near-constant — such as processing images stored in a database every time a specific page is called — then you’ll want to consider a module. For occasional or lightweight processing, such as serving up a low-use RSS stream, a handler will do fine. End of aside.)

So that’s what we’ll use here. Let’s begin by creating an ASP.NET HTTP handler, which is written in the same way one would write the code behind for an ASP.NET page, but uses the file extension .ashx.


Friday, 10 December 2010

Getting QueryString Values From A Rewritten URL / ASP.NET Routing URL

During today’s simulcast of the ASP.NET Firestarter in Atlanta, G. Andrew Duthie discussed .NET 4’s new support for routing — or, what everyone in Web development calls “URL rewriting.” *

Someone online asked, “If I use routing, can I access query string variables using JavaScript?”

The question isn’t as confused as it sounds on the surface. Of course, if one uses routing / URL rewriting, it’s to remove query string variables and make them part of what appears to be a permanent file structure.

In other words, this:

http://www.server.com/path/to/file.aspx?v1=foo&v2=bar

Becomes this:

http://www.server.com/path/to/file/v1/foo/v2/bar/

The questioner really means, is there a way, after rewriting a URL, to extract key->value pairs from it via JavaScript? The answer is yes; rather than using the location.search property, which allows JavaScript to get the querystring parameters of a URL, we use location.pathname to get the part of the URL that follows the domain, and use that to create our key->value pairs.


Tuesday, 21 September 2010

FAQ Released For Microsoft ASP.NET CryptographicException Attack

Scott Guthrie, Microsoft’s corporate vice president for the .NET platform, posted on his blog late Monday a FAQ about the ASP.NET CryptographicException vulnerability.

Highlights:

  • All versions of ASP.NET are affected. That includes WebForms and MVC versions 1 and 2.
  • SharePoint is affected, too. A workaround on how to employ a new generic error document for SharePoint is detailed at that team’s blog.
  • Everyone should employ the recommended workarounds.
  • You have to route all HTTP errors to the workaround’s generic error page. Otherwise, the hack still works.
  • A patch will be released as a Windows Update hotfix, but no release date has been set yet.
  • Check your logs for CryptographicException errors. If you see them, it’s possible you are being probed.

I take this very seriously. There’s a tool and video tutorial out there detailing how to run this exploit, so every script kiddie in the world is looking for sites to exploit, I am sure.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/faq-released-for-microsoft-asp-net-cryptographicexception-attack

Saturday, 18 September 2010

Major Security Hole In ASP.NET Requires Error Redirect Workaround

A major security flaw in ASP.NET was announced on Friday — one that affects all versions and can allow an attacker to see ViewState and web.config data in clear text.

As such, everyone who has made an ASP.NET Web site should take this threat very seriously.

Microsoft is putting together a patch. Until then, they suggest a workaround of turning on customErrors, and having it point to a single error file.

For ASP.NET versions 1.x, 2.0 and 3.5, create a single HTML-based error page, upload it to the root directory of your Web site, then add or change the customErrors section in your web.config file with the following:

<configuration>
   <system.web>
      <customErrors mode="On" defaultRedirect="~/error.html" />
   </system.web>
</configuration>

Where, of course, error.html is the name of the error page you made.

If your site uses ASP.NET 3.5 SP1 or ASP.NET 4.0, use the custom ASPX error page located on Scott Guthrie’s blog (VB and C# versions), and change the customErrors section of your web.config file thus:

<configuration>
   <system.web>
      <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
   </system.web>
</configuration>

Where, of course, error.aspx is the name of the error page you created.
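
One way to confirm a deployed web.config actually matches the workaround above, including the requirement that every HTTP error lands on the same page. This is an added example, not code from the original post or from Microsoft; the function name audit_custom_errors and the sample configs are constructed for illustration.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}customErrors".
    return tag.rsplit("}", 1)[-1]

def audit_custom_errors(web_config_xml):
    """Return findings for every <customErrors> element; [] means it matches."""
    root = ET.fromstring(web_config_xml)
    nodes = [e for e in root.iter() if _local(e.tag) == "customErrors"]
    if not nodes:
        return ["no <customErrors> element: ASP.NET falls back to its default mode"]
    findings = []
    for node in nodes:
        mode = node.get("mode")
        target = node.get("defaultRedirect", "")
        if mode != "On":
            findings.append("mode is %r, expected 'On'" % mode)
        if not target:
            findings.append("defaultRedirect is missing")
        # Every HTTP error must land on the same page, so a per-status
        # <error> child pointing elsewhere defeats the workaround.
        for child in node:
            if _local(child.tag) == "error" and child.get("redirect") != target:
                findings.append("statusCode %s redirects to %r, not %r"
                                % (child.get("statusCode"), child.get("redirect"), target))
        # The post pairs an .aspx error page with redirectMode="ResponseRewrite".
        if target.lower().endswith(".aspx") and node.get("redirectMode") != "ResponseRewrite":
            findings.append("defaultRedirect is an .aspx page without redirectMode='ResponseRewrite'")
    return findings

# Constructed sample inputs (not taken from a real site).
WORKAROUND = """<configuration><system.web>
  <customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/error.aspx" />
</system.web></configuration>"""

LEAKY = """<configuration><system.web>
  <customErrors mode="RemoteOnly" defaultRedirect="~/error.html">
    <error statusCode="404" redirect="~/notfound.html" />
  </customErrors>
</system.web></configuration>"""

if __name__ == "__main__":
    for name, xml in (("WORKAROUND", WORKAROUND), ("LEAKY", LEAKY)):
        print(name, audit_custom_errors(xml) or "ok")
```

The check also covers customErrors elements nested under location sections, since those can override the site-wide setting.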

To make things easier, I have zipped up copies of the three error documents — error.html, and the VB.NET / C# versions of the ASP.NET error files — for download. I distribute all code under the GNU GPL.

I’m taking this threat very seriously and have patched all my ASP.NET sites as advised.

All links in this post on delicious: http://www.delicious.com/dougvdotcom/major-security-hole-in-asp-net-requires-error-redirect-workaround

Thursday, 13 May 2010

Designers And Developers: Donate Your Time, Talent At New England GiveCamp, June 11-13, 2010

One of the things I found out about at Tuesday’s MSDN Northeast Roadshow stop in Augusta is the first New England GiveCamp, June 11-13 at Microsoft’s Northeast Research and Development center in Cambridge, MA.

I’m attending, and I’d urge you to do so.

A GiveCamp is basically a gathering of developers, DBAs, project managers, designers and other IT folks in a given place, to donate their time and skills to charitable projects.

In the case of the New England GiveCamp, typical projects include upgrading Access databases, or converting Excel spreadsheets to Access; integrating open-source tools, such as Joomla, Drupal and Django, into existing Web sites; adding various gizmos to and tuning up existing Web sites; and several requests to spruce up the look of various types of collateral.

I believe the biggest mistake you could make in deciding whether to participate is thinking that you don’t have the kind of skills needed. From what’s been said at the GiveCamp’s Web site, there’s going to be plenty to do, whether you’re Linus Torvalds or Linus Van Pelt.

I think this goes doubly for graphic designers. Trust me, if you are an artistic person, no matter how little you think of your work, your worst effort is 10 times better than the best design ever produced by a programmer. I am speaking from extensive personal experience here. We’re the people who gave the Internet Comic Sans, animated GIFs and the <marquee> tag, remember. Please, save us from ourselves.

As the Northeast GiveCamp put it, “If you have the passion, we’ll find a place for you.”

In addition to the technical work on site, there are a myriad other volunteer opportunities both before and during the event, including registration, sponsor solicitation, organizing the development teams and matching them to non-profit organizations, handling logistics for food and snacks, and others we’ll discover along this journey!
