Andrew Taylor's Blog

ASP.NET Programming

How to save changes to your web.config appSettings section

by Andrew Taylor on Feb.06, 2010, under ASP.NET Programming

From time to time you may need to be able to save settings to your web.config file. Yesterday I had a need to do this, and I thought I would check the internet and see if I could find any good examples of how to save settings back to the web.config file.

After viewing the first couple dozen entries, I found one thing in common: most of the ideas were either “don’t do it” or needlessly complex.

The fact is that there are many times when you may want to save changes to your web.config or other config files. Most open source applications, for example, save settings to a config file rather than a database. This makes it easier for people to make changes to the settings without direct access to the database. A perfect case in point is this WordPress blog, which has a config file.

So today I want to show you in just 5 lines of code, how you can save a setting back to your appSettings section of your web.config file.

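//Save to Existing Key
//Requires: using System.Configuration; at the top of the code-behind file

//Open the web.config that belongs to this application
System.Configuration.Configuration config = System.Web.Configuration.WebConfigurationManager.OpenWebConfiguration(Request.ApplicationPath);

//Get the appSettings section
AppSettingsSection appSettings = config.AppSettings;

//Change the value of a key that already exists in web.config
appSettings.Settings["UserName"].Value = txtUsername.Text;

//Write only the modified properties back to the file
config.Save(ConfigurationSaveMode.Modified);

//Reload the section so the next read picks up the new value
ConfigurationManager.RefreshSection("appSettings");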

And there you have it, 5 lines of very uncomplex code, and we’ve saved a value back to the appSettings section of our web.config file.

In this case the appSettings collection that we have defined works like any standard collection: I can call appSettings.Settings.Add(Key, Value) to add a new key, I can remove a key, I can clear the collection, etc.

Of course you will need to make sure that your IIS User has write permissions to the folder for this to work properly.
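The same save wrapped in a reusable helper, as an added example that is not code from the original post. The class name `AppSettingsWriter`, the allow-list of writable keys and the 256-character limit are assumptions made for illustration; the helper restricts which keys a page may change and adds the key when it does not exist yet instead of dereferencing a null entry.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper, not from the original post.
public static class AppSettingsWriter
{
    // Assumed allow-list: only these keys may be changed from the UI.
    private static readonly HashSet<string> WritableKeys =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "UserName" };

    // applicationPath is the value the post passes in: Request.ApplicationPath.
    public static void Save(string applicationPath, string key, string value)
    {
        if (key == null || !WritableKeys.Contains(key))
            throw new ArgumentException("Setting is not writable: " + key, "key");
        if (value == null || value.Length > 256)   // assumed length limit
            throw new ArgumentException("Value is missing or too long.", "value");

        Configuration config =
            WebConfigurationManager.OpenWebConfiguration(applicationPath);
        KeyValueConfigurationCollection settings = config.AppSettings.Settings;

        // The indexer returns null for a key that is not in web.config yet,
        // so add the key in that case instead of setting Value on null.
        KeyValueConfigurationElement existing = settings[key];
        if (existing == null)
            settings.Add(key, value);
        else
            existing.Value = value;

        // Write only the modified properties, then reload the section.
        config.Save(ConfigurationSaveMode.Modified);
        ConfigurationManager.RefreshSection("appSettings");
    }
}
```

From a page, the call would be `AppSettingsWriter.Save(Request.ApplicationPath, "UserName", txtUsername.Text);`.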


Creating ASP.NET Master Pages from a purchased template – Part 1 (for Sitefinity)

by Andrew Taylor on Feb.04, 2010, under ASP.NET Programming, Sitefinity

This is the first video in a series of videos that are geared to teaching you how to use a purchased website template in combination with Adobe Photoshop, Microsoft Visual Studio, Telerik Sitefinity, CSS, and HTML to create a real usable ASP.NET Masterpage and Theme.

During this tutorial series we will examine each part of the creation process from the beginning PSD file in Photoshop to the last line of CSS, and combining it all together in Sitefinity to make a real live website.

You can view this video here through Silverlight HD, or you can download the full size video by choosing a version: AVI (250MB) or WMV (60MB).



To Web Site or Web App, that is the Question

by Andrew Taylor on Jan.12, 2010, under ASP.NET Programming

No doubt since Visual Studio 2005 came out, you’ve probably wondered whether you should choose to use a Web Site Project or Web App Project when creating your next website. You might have even been so brave as to do a Google search and read some of the many articles on the subject.

So what did you decide to do? And more importantly why?

Personally I always use the Web App rather than the Web Site, and I have many reasons for doing this. Most of them are personal preference, but some are performance and security.

Personal

I personally like the more structured design of the app. I like being able to put my classes where I want them, not just in the App_Code folder, and I guess I just find it cleaner and probably a bit more of the style I’m used to. (This from someone that used to be a diehard VB 6 programmer).

Technically

On a more technical note, I have a few reasons for preferring the Web App to Web Site.

DLLs: I like my site in a DLL vs individual code files. There is a small performance boost, I’m told, and it gives me the ability to access that DLL through other tools if I need to.

Security: DLLs can be obfuscated, and it’s easier to secure 1 folder than dozens or hundreds. If your site is hacked, it’s going to be a lot easier to change your .cs file than it will be to figure out an obfuscated DLL, modify it, rebuild it, and post it back to your server.

Keeping Busy Bodies Out: Even without obfuscation, it helps keep busy bodies out of my code. Last thing I need is some junior HTML guy deciding he can modify my code-behind. (No offense, Junior HTML guys)

So now you know my thoughts on it, share with me your thoughts and why you do what you do?


The Proper Way to Run a Query (Preventing SQL Injection Attacks)

by Andrew Taylor on Jan.08, 2010, under ASP.NET Programming

It amazes me to this day how many programmers I come across that have absolutely no understanding of what an SQL Injection attack is, or how to prevent it and protect their clients.

Primer:


An SQL Injection attack takes place when someone inserts SQL code into a field on a web page that is then passed on to the database. For example, if I had a grudge against some company and their site wasn’t secure, I could insert an SQL Injection attack on their unsecured website and delete all the data in their database, or possibly steal all their credit card numbers.

Preventing an SQL Injection attack is as simple as using proper coding standards when accessing your backend database. Using these methods doesn’t add significantly to your development time and in many cases actually reduces it, because it reduces many opportunities for errors, and allows for better error handling.

Sample Bad Query:

strSQL = "SELECT * FROM CUSTOMERS WHERE EMAILADDRESS = '" + txtEmailAddress.Text + "'";

In the above C# code, we are taking input directly from the web field containing the user-entered email address and passing it straight into our query without any checks. If, for example, I had typed in " 1'; DELETE FROM CUSTOMERS; ", it would have selected the customers where the email address equals "1" and then deleted all records from CUSTOMERS.

This vulnerability is amazingly common even on today’s modern websites, and most of their owners don’t even realize it.

The Solution:

Solving this little problem is as simple as changing the way you make your query. Instead of concatenating your strings to build a query, simply use an SqlCommand object and parameters. Not only are you gaining the added security and protecting your business, you will actually make your site more efficient, because queries using parameters are compiled for future use by SQL Server and therefore have better repeat performance.


Sample Proper Code:

cmdTemp.CommandText = "SELECT * FROM CUSTOMERS WHERE EMAILADDRESS = @EMAILADDRESS";
cmdTemp.Parameters.Add("@EMAILADDRESS", SqlDbType.VarChar, 50).Value = txtEmailAddress.Text;

Yes, you have one extra line of code, but that line of code actually helps you out. For example, if this was an INSERT instead of a SELECT, then it would automatically prevent me from sending a string that was too long for the field to the SQL Server, allowing me to catch the error on the business logic side. The same would hold true if, for example, I was trying to pass a string into an int field.
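The two sample lines above placed in a complete data-access method, as an added example that is not code from the original post. The class and method names and the `connectionString` argument are assumptions; the table, column and parameter definition are the ones used in the post.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper, not from the original post.
public static class CustomerQueries
{
    private const int EmailMaxLength = 50;   // matches the VarChar(50) parameter

    // connectionString is supplied by the caller (for example from web.config).
    public static List<string> FindEmails(string connectionString, string email)
    {
        // Check the length in business logic before touching the database.
        // SqlParameter.Size limits how much of the value is transmitted, so an
        // over-long value is rejected here explicitly.
        if (email == null || email.Length > EmailMaxLength)
            throw new ArgumentException("Email is missing or too long.", "email");

        var results = new List<string>();

        // The command text is a constant: user input never becomes part of it.
        const string sql =
            "SELECT EMAILADDRESS FROM CUSTOMERS WHERE EMAILADDRESS = @EMAILADDRESS";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // The value travels as typed data, so quotes and semicolons in it
            // are compared as characters and are never executed as SQL.
            cmd.Parameters.Add("@EMAILADDRESS", SqlDbType.VarChar, EmailMaxLength)
               .Value = email;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetString(0));
            }
        }
        return results;
    }
}
```

With this method, the input from the bad-query example is simply looked up as an email address and matches no rows.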

Take this simple step, it’s not only a better way to code, it could potentially save your company millions in lawsuits and hundreds or thousands of people the pain and suffering of having their credit card numbers stolen.
