Archive for September, 2005

Dell 2405FPW monitor review

September 2005 – March 2008 • Hardware • 879 views • no response

Having now spent the best part of a month beneath the shadow of Dell’s 24″ wide-screen LCD behemoth, the 2405FPW, I thought a mini-review might be in order.

Twenty-four inches might not sound big for a monitor when compared to a TV, but bear in mind you’ll be sitting only a couple of feet away. It will take up most of your vision without moving your head. In fact, RSI of the neck could become an issue if you are not sitting far enough away to take it all in at one go.

The 1920×1200 panel is sharp with no blurring or edge-enhancement artifacting over DVI (unlike my Iiyama E511). Getting the colour temperature right was a little fiddly, and the menus themselves are OK once you get used to a horizontal row of buttons providing vertical movement. The 16ms response time is superb, with no ghosting or other problems even in games such as Half-Life 2 Deathmatch.

The beast is equipped with DVI, VGA, component, composite and S-Video inputs, with the last three available as picture-in-picture on top of the DVI or D-Sub. This means that if you’ve got a video recorder, DVD player, satellite system or games console, the Dell will be happy to display those too.

It features a four-port USB 2 hub and a 9-in-1 media reader for pulling data off the numerous flash cards around. This turns out to be significantly faster than using a camera and its USB cable. Dell thoughtfully include both VGA and DVI cables in the box, and the stand allows the monitor to be positioned vertically to your preference. It can also rotate the display 90° from landscape to portrait; however, this feature seems ill thought out and the cables are easily caught up despite the stand’s attempts at cable management.

Overclockers are doing them for £599 ex-VAT this week and Dell have offers on all the time. Just check out the small business and home sections separately, as there are often offers only for one market. HotUKDeals sometimes have additional discount coupons too (and not just for Dell).

A real winner of a display packing a great quality panel and a whole host of features at a price below the competition even when at full retail price. For comparison (all are 1920×1200, 3 year warranty):

  • Dell 2405FPW 24″ DVI/VGA/s-video/composite/component, 4xUSB2, 16ms response, 1000:1 contrast, £580-£799
  • Apple Cinema Display 23″ DVI, 2xUSB2 2xFW400, 16ms response, 400:1 contrast, £894
  • Samsung SM-243T 24″ DVI, 25ms response, 500:1 contrast, £874
  • Viewsonic VP231wb 23″ DVI/VGA, 16ms response, 500:1 contrast, £1034

[)amien

Conditional operator bug in .NET 1.x & 2.0

September 2005 – August 2007 • .NET • 1,159 views • no response

I encountered a strange problem this week when a conditional operator appeared to be evaluating the false expression contrary to the C# documentation. The line looked like:

return (testObject == null) ? null : testObject.InstanceVariable;

The point of this line is to prevent accessing .InstanceVariable if the object is null, and yet every time this line executed a NullReferenceException was thrown (and no, I wasn’t overloading the == operator).

With a little experimentation I was able to narrow it down and produce a simple test case that exercised the bug on .NET 1.1 and .NET 2.0.

The problem is this: if the return parts are not of the same type and one of them supports implicit conversion to the expected type, then that conversion is called regardless of whether it is the true part or not.

I filed the bug with Microsoft and it was confirmed last night by one of their C# engineers; there is a small chance it will be fixed in .NET 2.0 before release, but we’ll have to see. I checked out some of the .NET classes and they too always access the object during an implicit conversion; however, they are all value types, which cannot be null.

In the meantime there is an easy way to avoid this: modify your implicit conversion methods to check for null before converting.

public static implicit operator string(ClassWithImplicitConversion objToConvert) {
    return (objToConvert == null) ? string.Empty : objToConvert.ToString();
}

A full test case appears below:

using System;

namespace ProveConditionalBug {
    class Program {
        static void Main(string[] args) {
            Console.Out.WriteLine("Testing... " + ProveConditional());
        }

        // testObject is null, so only the true part should be used; the
        // implicit conversion below is nevertheless invoked and throws.
        static string ProveConditional() {
            ClassHoldingImplicitConversionMember testObject = null;
            return (testObject == null) ? null : testObject.InstanceVariable;
        }
    }

    class ClassHoldingImplicitConversionMember {
        public ClassWithImplicitConversion InstanceVariable = null;
    }

    class ClassWithImplicitConversion {
        public string Value = "Test";

        // Deliberately not null-safe: this is what triggers the exception.
        public static implicit operator string(ClassWithImplicitConversion objToConvert) {
            return objToConvert.Value;
        }
    }
}
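The following is an added example, not code from the original post. It puts the post’s two observations side by side: the null-safe implicit operator it recommends, and the consequence of its own description that the conversion is only invoked when the two parts of the conditional have different types, so giving both parts the same type (here by an explicit cast to string) also avoids the call. The class names Token and Holder are hypothetical.

```csharp
using System;

namespace ConditionalBugWorkarounds
{
    // Hypothetical class whose implicit conversion checks for null first,
    // as the post recommends.
    class Token
    {
        public string Value = "Test";

        public static implicit operator string(Token t)
        {
            return (t == null) ? null : t.Value;   // null-safe conversion
        }
    }

    // Hypothetical holder, mirroring ClassHoldingImplicitConversionMember.
    class Holder
    {
        public Token Member = new Token();
    }

    class Program
    {
        // The shape from the post: the parts are of different types (null and
        // Token), so the Token-to-string conversion is invoked on the result.
        // It no longer throws only because the operator above tolerates null.
        static string Original(Holder h)
        {
            return (h == null) ? null : h.Member;
        }

        // Both parts are strings, so the conditional itself is a string and no
        // conversion is applied to its result; the cast runs only when h is non-null.
        static string SameTypeBranches(Holder h)
        {
            return (h == null) ? null : (string)h.Member;
        }

        // Plain if/return sidesteps the conditional operator altogether.
        static string ExplicitIf(Holder h)
        {
            if (h == null) return null;
            return h.Member;
        }

        static void Main()
        {
            Holder none = null;
            Holder some = new Holder();

            Console.WriteLine(Original(none) ?? "(null)");          // (null)
            Console.WriteLine(SameTypeBranches(none) ?? "(null)");  // (null)
            Console.WriteLine(ExplicitIf(none) ?? "(null)");        // (null)
            Console.WriteLine(Original(some));                      // Test
        }
    }
}
```

If you cannot change the implicit operator (for example, it lives in a library), the cast form is the one-line change that keeps the existing conditional.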

[)amien

Avoiding SQL injection

September 2005 – April 2008 • .NET • 1,024 views • no response

Back in ’98 I was developing an extranet site for a local company when I realised that it would be open for exploit if somebody put single quotes in text fields. It was early in the development cycle so I fixed it and moved on, unable to find out how other people were avoiding the problem.

It turned out many were not and it became a well-known exploit called SQL injection. Unfortunately there are many developers who don’t know or appreciate the problem, and it is this:

If you build SQL by appending strings and data without correct encoding your application can be exploited. These exploits can range from exposing sensitive information, through to modification and deletion of data.

This problem is very real and applies to:

  • All SQL statements, not just SELECT
  • All database systems, not just MS SQL or MySQL
  • All programming environments, not just C#, PHP or ASP
  • All data, most essentially that obtained from end-users, regardless of client-side checking

Let’s walk through an example and see how it works and what can be done to avoid it.

Example: User login

We have a user-name and password from a web form and want to get the user’s ID from the database, or nothing if it wasn’t valid. We want to send something like this SQL statement to our database:

SELECT UserID FROM Users WHERE UserName='Bob' AND Password='test'

And so a developer might do something like this (in C# using .NET):

SqlCommand cmd = new SqlCommand("SELECT UserID FROM Users WHERE UserName='" + Request["UserName"] + "' AND Password='" + Request["Password"] + "'", connection);
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read()) userId = dr.GetInt32(dr.GetOrdinal("UserID"));

The problem here is that if there is a ' (single quote) in the form fields, it effectively breaks out of the selection criteria and allows the end user to add extra criteria, or even commands, to what we are sending to the database server. Should they enter the following into the password form field…

' OR ''='

Then our code above will send the following SQL to the database:

SELECT UserID FROM Users WHERE UserName='aaa' AND Password='' OR ''=''

This will return every record in the Users table, and our code will let them log in as the first user it finds – normally a developer or administrator account. Ouch!

Bad solution: Encode it yourself

One solution often adopted is to always ensure all string input has a single-quote replaced by two single-quotes, which is what SQL server expects if you really want to send it a single quote.

This solution fails in that it doesn’t handle numbers or dates and falls apart in that both numbers and dates are often regionally formatted.

Good solution: Let the DB client encode it

A much better solution is to use your environment to perform all the proper encoding for you. As well as protecting you from such exploits you’ll also avoid localisation problems where the string representation of something on your client is interpreted differently in your database. This can be a real problem in the UK where dates formatted by a UK webserver are sent to a misconfigured SQL server expecting US formatting and the days and months become transposed without error.

SqlCommand cmd = new SqlCommand("SELECT UserID FROM Users WHERE UserName=@UserName AND Password=@Password", connection);
cmd.Parameters.Add("@UserName", System.Data.SqlDbType.NVarChar, 255).Value = Request["UserName"];
cmd.Parameters.Add("@Password", System.Data.SqlDbType.NVarChar, 255).Value = Request["Password"];
SqlDataReader dr = cmd.ExecuteReader();
if (dr.Read()) userId = dr.GetInt32(dr.GetOrdinal("UserID"));

Okay, there is no doubt this is a little longer, but it takes care of all our encoding and localisation worries. And if, for example, you want to insert a lot of data into the database, creating the command and parameters once and then just setting the parameters for each insert (and executing it) will run faster than lots of string-built inserts.

Moral of the story

Always encode data properly. If you can, use the provided methods and functions to do so. If none are provided, grab the specification and find out all the special characters used. Learn what encoding and escape sequences are used and apply them properly.

A few places where data should be encoded properly:

HTML – Obviously < and > have special meanings and need to be escaped. ASP.Net’s controls will take care of this if you set the .Text or .InnerText properties, but set .InnerHTML at your own peril. Old ASP has the Server.HTMLEncode() function.

URL – A whole host of rules, but the query string is often modified in code. Use URLEncode() or something similar, especially if you want XHTML compliance too.

XML – Again a whole host of rules for what is valid data. Either use an XML object to write out your data (MSXML, Xerces etc.) or maybe even store it in CDATA sections.

CSV – Even comma-separated value files have encoding rules. What do you need to do if text is going to have a " in a field? What happens if a number contains a comma? Find out, or use a well-regarded library to do it for you.
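As an added example (not from the original post), here is one small .NET encoder per output context listed above, using the framework’s own routines where they exist (HttpUtility for HTML and URLs, an XmlWriter for XML) and a hand-written field encoder for CSV, where the framework provides none. The class and method names are my own.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web;   // HttpUtility lives in System.Web.dll
using System.Xml;

// Added example: one encoder per output context. Names are hypothetical.
static class OutputEncoding
{
    // HTML: '<', '>', '&' and '"' become entities, so data is never read as markup.
    public static string ForHtml(string text)
    {
        return HttpUtility.HtmlEncode(text);
    }

    // URL query-string value: reserved and non-ASCII characters become %XX escapes.
    public static string ForUrlQueryValue(string text)
    {
        return HttpUtility.UrlEncode(text);
    }

    // XML: let an XmlWriter escape the value instead of building text by hand.
    public static string ForXmlElement(string elementName, string text)
    {
        StringWriter sw = new StringWriter();
        using (XmlTextWriter xw = new XmlTextWriter(sw))
        {
            xw.WriteElementString(elementName, text);
        }
        return sw.ToString();
    }

    // CSV: a field containing a comma, a double quote or a line break is wrapped
    // in double quotes, and any embedded double quote is doubled. A number with
    // a comma in it ("1,000") is therefore quoted and survives as one field.
    public static string ForCsvField(string text)
    {
        if (text == null) return string.Empty;
        bool needsQuoting = text.IndexOfAny(new char[] { ',', '"', '\r', '\n' }) >= 0;
        if (!needsQuoting) return text;
        return "\"" + text.Replace("\"", "\"\"") + "\"";
    }

    public static string ForCsvRow(params string[] fields)
    {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < fields.Length; i++)
        {
            if (i > 0) sb.Append(',');
            sb.Append(ForCsvField(fields[i]));
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed sample input containing every special character at once.
        string nasty = "Bob \"The Builder\", Jr. <b>&</b>";

        Console.WriteLine(ForHtml(nasty));
        Console.WriteLine(ForUrlQueryValue(nasty));
        Console.WriteLine(ForXmlElement("name", nasty));
        Console.WriteLine(ForCsvRow("1,000", nasty, "plain"));
        // CSV output: "1,000","Bob ""The Builder"", Jr. <b>&</b>",plain
    }
}
```

The common thread is that each routine is applied at the point where the data leaves your code for a particular consumer (browser, URL, XML parser, spreadsheet), never once up front, because the right escaping depends entirely on who reads the bytes next.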

Notes about the example

A better login system would not allow the web server direct access to sensitive data such as the user table. All access to sensitive information should be through stored procedures (SPs) that enforce those restrictions.

Such a login system would therefore call a stored procedure that logged the attempt, decided whether it was valid, and locked out the user after too many incorrect attempts. I’ll blog that if anyone is interested.

Even if you don’t want to do that, returning a single field is better achieved by using ExecuteScalar() and forgetting a data reader.
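Bringing the parameterised query and these two notes together, the following is an added example and not the post’s own code. It assumes the post’s Users table (UserID int, UserName and Password nvarchar(255)), a connection string supplied by the caller, and, for the second method, a hypothetical stored procedure named usp_Login that takes the same two parameters and returns the UserID as a single value.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not the post's code). Assumes the Users table described in
// the post and a caller-supplied connection string.
static class LoginLookup
{
    // Returns the UserID of the matching row, or null when nothing matches.
    // User input only ever travels as parameter values, never as SQL text, so
    // a value such as   ' OR ''='   is compared literally and matches no row.
    public static int? LookupUserId(string connectionString, string userName, string password)
    {
        const string sql =
            "SELECT UserID FROM Users WHERE UserName=@UserName AND Password=@Password";

        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, connection))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 255).Value = userName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 255).Value = password;

            connection.Open();
            // ExecuteScalar returns the first column of the first row, or null
            // when the query produced no rows, so no data reader is needed.
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }

    // Same lookup through a stored procedure (hypothetical name usp_Login), the
    // shape the post's notes recommend: the web server's login then needs
    // EXECUTE on the procedure rather than SELECT on the Users table.
    public static int? LookupUserIdViaProcedure(string connectionString, string userName, string password)
    {
        using (SqlConnection connection = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("usp_Login", connection))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 255).Value = userName;
            cmd.Parameters.Add("@Password", SqlDbType.NVarChar, 255).Value = password;

            connection.Open();
            object result = cmd.ExecuteScalar();
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }
}
```

Usage from a page would be `int? userId = LoginLookup.LookupUserId(connectionString, Request["UserName"], Request["Password"]);` followed by a null check; the `using` blocks ensure the connection and command are disposed whether or not the query throws.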

Microsoft have a developer how-to on injection.

[)amien

Battle of Britain, ADSL upgrades, Skype and EU VAT

September 2005 – April 2008 • Guernsey • 990 views • no response

Battle of Britain

This week is the annual Battle of Britain week here in Guernsey, and today sees the highlight of the week’s events, the air display. Alas, I missed a chunk of it but managed to catch the star attraction, The Red Arrows. As always it was most impressive: dives, banks and turns at low altitude while retaining perfect form in a number of geometric shapes. The weather was less impressed, and the low cloud ceiling cancelled out the various cross-overs we are normally treated to.

ADSL upgrades

Today sees the completion of Cable & Wireless Guernsey’s free ADSL upgrade from 512KB to 1MB. My parents and friends got theirs earlier but even mine was enhanced this morning. If yours is still running at 512KB give them a shout.

So how does it stack up against other uncapped residential plans?

  • C&W Guernsey 1150/280 £26.99
  • Jersey Telecom 512/256 £24.99, 1024/384 £44.95, 2048/384 £84.99
  • Manx Telecom 512 £29.23, 1024 £49.99, 2048 £89.99 (all include VAT)
  • C&W UK 8192 £29.50 (including VAT)
  • UK Online 512 £9.99, 1024 £14.99, 2048 £19.99, 8192 £29.99
  • Germany (various) 1024/128 €16.99, 2048/192 €19.99, 6016/576 €24.99 (all include VAT)
  • BellSouth USA 256/128 $24.95, 1500/256 $32.95, 3000/384 $42.95

So Guernsey is doing rather well in island broadband pricing, but still rather abysmal compared to the UK, Europe and USA. I can’t quite figure out why the German providers give you so little upstream bandwidth. Maybe P2P is a big problem there. The US pricing looks poor because most of the providers hide their plans behind registration screens and don’t make it clear what you are getting.

Skype

I tried Skype last night to talk to Clarissa and it worked very well. Only once in an hour did it scramble Clarissa’s voice, although mine apparently scrambled a few times. Sound quality was very acceptable, and it let me call her land line at €0.02 a minute using the SkypeOut feature.

EU VAT

A problem with Skype at the moment is that they insist on charging Guernsey EU VAT, mistakenly thinking we are part of the EU, when we are not.

Apple’s iTunes Music Store took a different approach to handling us CI’ers and just barred all GY? and JE? postcodes so we couldn’t buy tunes at all. You can bypass this check by putting your postcode in lower-case and accept the dreaded EU VAT for now – better than no tunes at all.

[)amien