Lost in .NET Code

Developing software in .NET, Security and other ramblings.

Scrawlr announcement - Microsoft / HP Collaborate on SQL Injection tool

Wednesday, June 25, 2008

https://download.spidynamics.com/Products/scrawlr/

Well worth downloading and running: it is free and certainly a great tool to start testing a website for SQL injection.


ADO.NET Entity Framework Vote of No Confidence??

Tuesday, June 24, 2008

**RANT**
http://efvote.wufoo.com/forms/ado-net-entity-framework-vote-of-no-confidence/

So I read Tim Mallalieu's blog; he is on my RSS feed, one of a few select people I track and trace. (Tim, if you read this, I am not a stalker, honest; I just think your posts are cool and informative.)

http://blogs.msdn.com/timmall/archive/2008/06/24/vote-of-no-confidence.aspx

So I read the following post and fell off my chair: somebody has gone to the effort of actually putting together an ADO.NET Entity Framework Vote of No Confidence. Now forget the techie part, let's just look at the practical side, because obviously I am missing something. Surely, and strike me down with a feather duster, if you don't like the Entity Framework... you just don't use it. Ooooorrr, even better and maybe more positive than moaning about a product, write your own, develop an open source alternative, or, dare I say it... use something else.

It is really easy to sit on the sideline and snipe about a framework that does not fit your needs or that you believe is wrong, but come on now, give the guys and girls who have slaved over the Entity Framework a break. Constructive criticism is fine, and in the post above they have made some (fair enough), but to finish it with "please make a vote of no confidence" is not exactly nice and is, in my view, just rude. Yes, I suppose you have got the attention of the team... but surely there is a better way to motivate a team towards your ideas.

I personally don't use the Entity Framework or LINQ to SQL (I have tried), but I am a big fan of LLBLGen Pro: it works, it's solid and it fits my clients' needs and mine. I made a choice rather than bashing a team that was trying to build a very complex product. Have some respect: please don't sign a petition, just give sensible feedback through the normal channels... or, dare I say, don't use it.
**END RANT**

Apologies for the rant. Good luck to the Entity Framework team; please look at some of the criticism levelled, as it is correct, but I am sure you will review it, just like Classic ASP is better than ASP.NET v1 and ASP.NET 2 is better than ASP.NET v1. It will be a process of learning; I would love to see how many developers get frameworks correct out of the box. I will admit I don't always; that is part of being human. My first Sage framework in C# sucked; my current revision does not.

Am I missing something? Do we need a vote of no confidence? No, just MS to be listening, which I hope they are, and sensible suggestions made in a reasonable manner.


Microsoft Anti Scripting Library + Base controls

Wednesday, June 18, 2008

I have been experimenting with quick fixes for XSS on an existing site, using the browser file in ASP.NET to get a site-wide Anti-XSS implementation without having to go through each bit of code.

By no means is this a perfect solution; you should still go through all of the code you are working on, but sometimes you need to get a defence up and running quickly.

The technique I am experimenting with would also potentially be useful when starting a new site, giving a set of basic controls with the Microsoft Anti Scripting Library applied as standard.

Links to the Microsoft Anti Scripting Library:

http://www.microsoft.com/downloads/details.aspx?familyid=EFB9C819-53FF-4F82-BFAF-E11625130C25&displaylang=en

Example:
http://msdn.microsoft.com/en-us/library/aa973813.aspx

This is the code I am tinkering with:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web;
using Microsoft.Security.Application;
using System.Web.UI.WebControls;

namespace UnwindSoftwareLtd.Web.StandardAxss
{
    // Control adapter for asp:Label. Registered through a .browser file, it
    // applies to every Label on the site without touching individual pages.
    public class LabelControl : System.Web.UI.WebControls.Adapters.WebControlAdapter
    {
        protected override void Render(System.Web.UI.HtmlTextWriter writer)
        {
            // HTML-encode the Label's text with the Anti-XSS library just before it
            // is written to the response, then let the normal rendering run.
            ((Label)base.Control).Text = AntiXss.HtmlEncode(((Label)base.Control).Text);
            base.Render(writer);
        }
    }
}


Ideally, though, I would like the Anti Scripting Library to be applied to all MS controls, switched on by default. I accept there are applications that need to use, for example, a Label control to output JavaScript, but it would be great if you could use a switch to say "don't use the Anti Scripting Library here" or "I want JavaScript encoding for this one".
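As an added example (not the post's own code), here is a variant of the adapter that gives the per-control switch the paragraph asks for: a marker attribute on the Label selects HTML encoding (the default), JavaScript encoding, or no encoding, and the .browser registration that wires the adapter up site-wide is shown in the comment. The attribute name `axss`, the class name, the browser file name, and the availability of `AntiXss.JavaScriptEncode` in the library version in use are assumptions.

```csharp
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.Adapters;
using Microsoft.Security.Application;

namespace UnwindSoftwareLtd.Web.StandardAxss
{
    // Hypothetical adapter (example, not the post's code). Wired up site-wide
    // through an App_Browsers/Default.browser file (assumed file name):
    //   <browsers><browser refID="Default"><controlAdapters>
    //     <adapter controlType="System.Web.UI.WebControls.Label"
    //              adapterType="UnwindSoftwareLtd.Web.StandardAxss.LabelControlAdapter" />
    //   </controlAdapters></browser></browsers>
    //
    // Per-control switch via an assumed marker attribute in the markup:
    //   <asp:Label runat="server" ID="lblName" />             -> HtmlEncode (default)
    //   <asp:Label runat="server" ID="lblJs"  axss="js" />    -> JavaScriptEncode
    //   <asp:Label runat="server" ID="lblRaw" axss="off" />   -> left as-is (explicit opt-out)
    // Attributes the page parser does not recognise end up in WebControl.Attributes.
    public class LabelControlAdapter : WebControlAdapter
    {
        private const string ModeAttribute = "axss";

        protected override void Render(HtmlTextWriter writer)
        {
            Label label = (Label)Control;
            string mode = label.Attributes[ModeAttribute] ?? "html";
            // Drop the marker so it is never emitted to the browser as an HTML attribute.
            label.Attributes.Remove(ModeAttribute);

            label.Text = Encode(label.Text, mode);
            base.Render(writer);
        }

        // Chooses the encoder by output context; the HTML body encoder is the safe default.
        internal static string Encode(string value, string mode)
        {
            switch ((mode ?? "html").ToLowerInvariant())
            {
                case "off":
                    return value;                       // opt-out has to be deliberate, per control
                case "js":
                    // JavaScript string context. Whether the result carries its own
                    // surrounding quotes depends on the Anti-XSS library version.
                    return AntiXss.JavaScriptEncode(value);
                default:
                    return AntiXss.HtmlEncode(value);
            }
        }
    }
}
```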



James


Classic ASP Functions for preventing SQL Injections

Tuesday, June 10, 2008

The big rule of doing any CRUD data jobs in any ASP/ASP.NET app with SQL Server is that you MUST use parameterized queries.

http://msdn.microsoft.com/en-us/library/cc676512.aspx

The article above also outlines using regular expressions to protect your web app by validating data before passing it through.

Below are some example functions for testing whether a string is an int and for removing anything other than digits from a string. Both provide a first, basic layer against SQL injection attacks in classic ASP, as a lot of web apps use an int as a key field in the database, so it gets passed through in the querystring. Hopefully these will prove useful to someone else.

Function IsInt(strOriginalString)
    ' True only when the whole string is one or more digits.
    Dim objRegExp : Set objRegExp = New RegExp
    With objRegExp
        .Pattern = "^\d+$"
        .IgnoreCase = True
        .Global = True
    End With

    IsInt = objRegExp.Test(strOriginalString)
    Set objRegExp = Nothing
End Function

Function OnlyInt(strOriginalString)
    ' Keeps only the digit characters of the input, in their original order.
    Dim regEx, Match, Matches, returnString          ' Create variables.
    returnString = ""
    Set regEx = New RegExp                           ' Create a regular expression.
    regEx.Pattern = "\d+"                            ' Set pattern.
    regEx.IgnoreCase = True                          ' Set case insensitivity.
    regEx.Global = True                              ' Set global applicability.
    Set Matches = regEx.Execute(strOriginalString)   ' Execute search.
    For Each Match In Matches                        ' Iterate Matches collection.
        returnString = returnString & Match.Value
    Next
    OnlyInt = returnString
End Function


AVG 8 on SBS 2003 .. Maybe not.

Monday, June 9, 2008

"Dear Sir/Madam,

Thank you for your email.

We are sorry to inform you that this issue was already reported by
another customer and we found that it is a bug in AVG. This problem is
fixed in our major program update which will be released at the end of
the second quarter of the year.

As soon as we release the update we will inform you.

Thank you for your understanding and cooperation. If you have any
further questions or issues feel free to contact us.

Answers to the most common questions can be found here as well:
http://www.avg.com/faq/"

Looks like my new shiny AVG 8 is not suitable for SBS Server 2003 .. Excellent.

Not sure why nobody thought to test it on this platform before release; can't imagine they have that many customers running SBS 2003 .... errr.

My advice is: don't upgrade to AVG 8 if you are running AVG 7.5. Stick with it, or find an antivirus provider who actually supports SBS 2003, which is exactly what I am going to have to do! AVG 7.5 still seems to be supported.


Test for Int in a Web Application

Thursday, June 5, 2008

Useful function No. 1:


using System.Text.RegularExpressions;

// Returns true only when testStr consists of one or more digits and nothing else.
public static bool IsInt(string testStr)
{
    string pattern = @"^\d+$";
    if (testStr == null)
    {
        return false;
    }
    if (testStr.Length == 0)
    {
        return false;
    }
    Match matchResult = Regex.Match(testStr, pattern);
    return matchResult.Success;
}
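As an added example (not from either post), here is how the int gate above and the "MUST use parameterized queries" rule from the Classic ASP post fit together in C#: the pattern is narrowed to ASCII digits (in .NET, `\d` also matches other Unicode digits), `int.TryParse` rejects values that pass the regex but overflow a 32-bit int, and the id reaches SQL Server only as a typed parameter. The `Orders` table, its columns and the class name are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Text.RegularExpressions;

// Example code, not from the blog. Table and column names are assumed.
public static class OrderLookup
{
    // ASCII digits only: in .NET, \d also matches e.g. Arabic-Indic digits,
    // which int.TryParse then rejects, so be explicit about what is accepted.
    private static readonly Regex DigitsOnly = new Regex("^[0-9]+$", RegexOptions.Compiled);

    // True only for a non-negative integer that fits in 32 bits.
    // "42" -> true; "" / null / "4a2" / "-1" / "2147483648" -> false.
    public static bool TryParseId(string raw, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(raw) || !DigitsOnly.IsMatch(raw))
        {
            return false;
        }
        // NumberStyles.None: no sign, whitespace or separators. The range check
        // is the part a digits-only regex cannot give you.
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id);
    }

    // The query text is a constant; the id is bound as SqlDbType.Int, so no
    // user-controlled characters ever become part of the SQL statement.
    public static SqlCommand BuildLookup(SqlConnection connection, int id)
    {
        var command = new SqlCommand("SELECT Total FROM Orders WHERE OrderId = @id", connection);
        command.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return command;
    }

    // Typical use from a page: reject bad input before any database work.
    // The caller owns the open connection; Total is assumed to be a decimal column.
    public static decimal? LoadTotal(SqlConnection connection, string rawId)
    {
        int id;
        if (!TryParseId(rawId, out id))
        {
            return null;                             // invalid id: no query is ever run
        }
        using (SqlCommand command = BuildLookup(connection, id))
        {
            object result = command.ExecuteScalar();
            return result == null || result == DBNull.Value ? (decimal?)null : (decimal)result;
        }
    }
}
```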

