
Fort Worth .NET Users Group

Dot Net Tricks

March 2008 - Posts

  • FWDNUG Meeting Notes and Slides

    Thanks to Stephen and the other members at the Fort Worth .NET User Group for having me speak.  I enjoyed it and hopefully my audience did too.

    I'm sorry this has taken a while to post, but as promised I have all the slides and a list of resources like Fowler's POEA book in a big zip file.  Also there is a VS 2008 solution with a code snippet using ADO.NET Entity Framework Beta 3.  You can download the whole thing here:

    http://www.dotnettricks.com/downloads/orm_presentation.zip

    Finally, Kevin here at Enilon was kind enough to record the whole session for posterity.  So if you missed it, you can listen to it on your mp3 player:

    http://www.dotnettricks.com/downloads/FWDNUG-03-08-MP3.zip

    Thanks,

    Craig

  • I'm speaking at the Fort Worth .NET user group

    On March 18th I'll be speaking at the Fort Worth .NET user group at Justin Brands.  The topic will be a favorite of mine: O/R Mapping Patterns and Tools. 

    Come by, say hello, or throw tomatoes.  Info is below:

    http://fwdnug.com/blogs/meetings/archive/2008/03/11/march-2008-meeting.aspx


  • Warn3d By CrueLSaw

    Today I got a very interesting request from my boss.  There was one of our sites that had suddenly been defaced with the following text:

    "Warn3d By CrueLSaw"

    After some research by one of our Senior Developers (Thanks Pete) he found that this CrueLSaw guy was very busy hacking into and defacing Classic ASP and even a few PHP websites.

    It was our old friend SQL injection--the guy had found the admin part of our site, and plopped in some SQL into the password text box like this:

    ' OR 0=0 --

    Of course the long gone developer of this code didn't parameterize their SQL or use a stored procedure.  This effectively let him into our site to deface it.  We're lucky that CrueLSaw only warns people and didn't truncate our tables.

    To be fair, this site was a Classic ASP website done around 6 years ago and the developer back then probably didn't know a thing about SQL injection, because few people did at the time. But some lessons are painfully learned.  The solution was simple--just use a stored proc or an ADO provider that allows parameterized SQL.
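    The flaw and the fix side by side, as an added example that is not the site's code (the original was Classic ASP; this is a Python/SQLite recreation with a constructed users table, so it runs offline):

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's admin table.

    Plaintext passwords are a simplification for the demo; a real table
    would hold password hashes, which is a separate fix from the one shown.
    """
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return con


def login_concatenated(con, username, password):
    """The pattern the post describes: form input pasted straight into the SQL text.

    With password = "' OR 0=0 --" the statement becomes
      ... WHERE username = 'x' AND password = '' OR 0=0 --'
    The -- comments out the dangling quote and OR 0=0 makes the WHERE clause
    true for every row, so the count is non-zero and the login succeeds
    without a valid username or password.
    """
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()[0] > 0


def login_parameterized(con, username, password):
    """The fix: the SQL text is fixed and the input travels as bound values.

    The database never parses the password as SQL, so "' OR 0=0 --" is just
    a (wrong) password string and the login fails. A stored procedure called
    with parameters gives the same separation of code from data.
    """
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 0=0 --"  # the exact string from the defacement
    print("concatenated :", login_concatenated(db, "anybody", payload))   # True
    print("parameterized:", login_parameterized(db, "anybody", payload))  # False
```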

    If your company's website is having this problem, then fire me an email here and I can fix it for a small fee:

    http://www.craigbowes.com/Contact.aspx

    Thanks for the warning CrueLSaw.

Copyright FWDNUG 2008
Powered by Community Server (Commercial Edition), by Telligent Systems