# Friday, 13 March 2009

If you see the things that go around the internet that everyone's seen, then you've probably seen the list of things you should have seen by now, but maybe not? A neat way to see how many of the memes you've picked up. Me, I'm kind of an old fogey at this stuff, but there are a dozen or so here that I have indeed seen (thus saving me, I hope, from being a loser or old or something). Have you?

Kate

Friday, 13 March 2009 17:06:51 (Eastern Standard Time, UTC-05:00)  #    
# Wednesday, 11 March 2009

Most of the developers I know think of SQL Server Express as something you use while you're developing, if that's simpler than getting a full SQL onto your developer machine. They naturally assume that when you want to go into production, or if you want to use some of the higher-end features, you'll need to buy a license of SQL rather than deploying to SQL Express. Well, you may want to, but you may not have to. For example, you can use Reporting Services with SQL Express. That surprised me. The details on what sets Express apart are at http://www.microsoft.com/sqlserver/2008/en/us/editions-compare.aspx and http://www.microsoft.com/sqlserver/2008/en/us/editions.aspx. Worth a read for sure and SQL Express is a valid choice in many data situations where you need a free product, such as distributing with your own applications or for low volume, low budget projects.

Kate

Wednesday, 11 March 2009 17:03:13 (Eastern Standard Time, UTC-05:00)  #    
# Monday, 09 March 2009

Here is an interesting video featuring Kevlin Henney (a confident speaker I've seen at SD West before) discussing some philosphy around good and bad OO design. I don't agree with everything he's saying, but I sure am glad he's saying it. The examples are in Java but that will hardly kill you. Worth a watch.

Kate

Monday, 09 March 2009 16:50:05 (Eastern Standard Time, UTC-05:00)  #    
# Saturday, 07 March 2009

A lot of applications like to know what version of the operating system they are running on. Sometimes (especially older applications) it's so they can flat-out refuse to run if you're still on, say Windows 98. This is now frowned on, by the way, and if you want a Windows 7 logo you must not refuse to run based on a version check. Other times (and this is bad too) it's as part of some arcane roll-your-own strategy. For example someone I know planned to work out the default hard code paths for user documents (C:\Documents and Settings\ ... vs C:\users\... ) based on OS versions. This is insane! There's already a function you can call that will get you that path, and it works even if the user has changed it from the default.

But there are still legitimate reasons for version checking. If you're using Vista or Windows7 light-up features like the Task Dialog, Restart and Recovery, or Taskbar Jump Lists, you'd better make sure you're on an OS that supports those features. It's pretty easy from managed code: just call System.Environment.OSVersion.Version.Major and System.Environment.OSVersion.Version.Minor. From native code, GetVersionEx() does the same job. Then you have to do some comparing. That's where things can get weird.

For example, a huge incompatibility bucket for Vista was applications whose code checked that the version was exactly 5.1. If not, it would pop up a message box saying it only ran on XP SP2 or better. I've seen these apps in the wild and I just can't keep from laughing. The error message itself says "or better", and that was presumably the intent, but the code is checking for equality. The magic of >= fixes this "incompatibility" bug in the code, and often these applications don't need any other fixes to make them work on newer OS versions. (That's why the logo people frown on refusing to run. How can you know you won't work on a later OS that doesn't exist yet?)

Even if you grasp the magic of >=, comparing major and minor versions can bite you. Larry Osterman shows us this code:

// Example in C#.
 
internal bool SupportsTaskProgress() {
    if (System.Environment.OSVersion.Version.Major >= 6) {
        if (System.Environment.OSVersion.Version.Minor >= 1) {
            return true;
        }
    }
    return false;
}

He rightly points out it will return false if the version is 7.0, or 8.0, or any other .0 that's larger than 6. (Yes, Windows 7 returns 6.1 for the version #, that's a long story and well covered elsewhere.)

Version checking is hard. If you can, use a library that does it for you. Vista Bridge, for example, not only wraps up cool new OS features for easy access from managed code, it also does some checking to see if the feature is there for you or not. Don't reinvent wheels. Also, check for the feature rather than the OS if you can. Larry discusses this in his post for Taskbar features. Any feature you plan to use, you should know how to check for. I hope to post some more links and examples on this soon.

Kate

 

Saturday, 07 March 2009 10:45:31 (Eastern Standard Time, UTC-05:00)  #    
# Thursday, 05 March 2009

A quick glimpse of what you'll find if you search for C++ on the Tech Ed Sessions page:

I'm looking forward to it once again!

Kate

Thursday, 05 March 2009 14:52:05 (Eastern Standard Time, UTC-05:00)  #    
# Wednesday, 04 March 2009

Here's an interesting post from Rick Segal. Even if you don't want VC money, it's an intruiging exercise to see how you look from that point of view. Let's see how gregcons does:

  1. Our website, www.gregcons.com. "Does the web site's home page tell you what the company does?" Yes: "We program in Visual Basic.NET, C#, Visual C++ (Managed and Classic,) Java, ASP, ASP.NET, XML, XSLT, XSL-FO, HTML, Javascript, Perl, and CGI. We mentor, provide architectural vision and inspiration, write, edit, train, develop courses, design web sites and act as general internet consultants. "
  2. Google "Gregory Consulting" and "gregcons". Our site, some sites of other Gregory Consultings in the world (note to self - if I want VC funding, create a sub with a weirdo name with extra vowels or not enough vowels), and some folks linking to blog postings of mine. Not a soul who's actually discussing us as a company. Fine by me but probably an issue if I wanted investors.
  3. Google "Kate Gregory" and "Brian Gregory". You can see who the public face of this company is - not one of the Brian hits is the right Brian, and all the Kate hits are me speaking, writing, and general experting. Interestingly Google (which I never use for my own searches but am using in the spirit of Rick's blog) doesn't find the "other" Kate Gregorys that Live tends to return. I'm not actually the only one on the planet.
  4. The mission statement. Um. Well, we have a tag line on the website "Leading your developers forward" so I'll give that a try. Interesting way to discover who is mirroring your old content chrome and all, but you don't learn much about us from it.

I think we pass the test of being discoverable on the internet, but it's clear people don't talk about us as a company much (they do talk about me from time to time). Fun exercise. Try it yourself!

Kate

Wednesday, 04 March 2009 09:16:49 (Eastern Standard Time, UTC-05:00)  #    
# Tuesday, 03 March 2009

I've been accumulating some links that might be relevant to folks looking for work. I got a lot of traffic to a post last year about trick questions in a job interview, so I thought I'd share these as well.

These posts are very different, but they all have useful information for you.

Kate

Tuesday, 03 March 2009 09:06:48 (Eastern Standard Time, UTC-05:00)  #    
# Monday, 02 March 2009

Programmers make mistakes, we all know that. But some are worse than others. Say you hardcode a file name, and you make a typo in the name. When you do your own testing before passing it off to others, you'll discover the typo because it keeps the application from working. But if you fix the typo, there's a good chance no-one will notice the other mistake - hardcoding the file name - for a very long time. In fact, if the file never moves, under some circumstances you could claim it isn't even a mistake to hardcode the name. But if the file does move, hardcoding the name is a much worse mistake because it causes a bug that a customer discovers - and that is always bad. Writing your data access code so it brings back the wrong records (say, forgetting to filter by date) will show up the minute you hit F5, but writing your data access code so it's vulnerable to SQL injection is far worse - you'll think the application works, but when you put it into production you'll have opened a large hole into your database for bad guys.

The SANS Institute has created a list of what they consider to be the 25 most important programming errors of all time. There's a lot not to like in this list, to be honest. First, it's not so much a list of errors (John typed this line of code in that application) as it is kinds or categories of errors. Second, a lot of them look like the same error over and over (trusting stuff that people give you as input, for example). Third, the post spends pages and pages on credits, acknowledgements, explaining why they are important, predicting how the world will be made better by this list existing, and so on before finally getting to the errors. Fourth, the names are flat-out weird in a lot of cases. But with those disclaimers in mind, I still think the post is worth reading and the errors are worth thinking about. Here are the 25:

  • Improper Input Validation
  • Improper Encoding or Escaping of Output
  • Failure to Preserve SQL Query Structure (aka 'SQL Injection')
  • Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
  • Failure to Preserve OS Command Structure (aka 'OS Command Injection')
  • Cleartext Transmission of Sensitive Information
  • Cross-Site Request Forgery (CSRF)
  • Race Condition
  • Error Message Information Leak
  • Failure to Constrain Operations within the Bounds of a Memory Buffer
  • External Control of Critical State Data
  • External Control of File Name or Path
  • Untrusted Search Path
  • Failure to Control Generation of Code (aka 'Code Injection')
  • Download of Code Without Integrity Check
  • Improper Resource Shutdown or Release
  • Improper Initialization
  • Incorrect Calculation
  • Improper Access Control (Authorization)
  • Use of a Broken or Risky Cryptographic Algorithm
  • Hard-Coded Password
  • Insecure Permission Assignment for Critical Resource
  • Use of Insufficiently Random Values
  • Execution with Unnecessary Privileges
  • Client-Side Enforcement of Server-Side Security

The full details are in the linked post and it won't take more than a few minutes to read the description of each error. Pat yourself on the back, or go do a quick code review so you can say you don't do any of these.

Kate

Monday, 02 March 2009 08:48:48 (Eastern Standard Time, UTC-05:00)  #