Archive for August, 2007
Investigating MonoRail
Fighting WebForms
I hate fighting with a technology to get it to do what I want because it means I either have the wrong expectation or the wrong technology.
With web development I expect strict web standard support and clean code that is easy to maintain.
I am, therefore, tired of fighting with WebForms and, seeing as I’m not prepared to change my expectation, the technology must change.
Looking at MonoRail
Ruby on Rails is very fast, elegant and powerful but comes with a bunch of unknowns. The IDEs I’ve tried have been so-so, there is no support for IntelliSense so I’m forced to remember exact property and method names, there are concerns about performance and scalability, and I find the Ruby language itself cryptic.
My current .NET environment has all these things, so what I’m really looking for is an alternative to the WebForms element itself. It also has a powerful framework, tons of samples, and C# is not only enjoyable but very in-demand :)
MonoRail seems to be just what I am looking for but there are a number of things keeping me away. I decided to spend an hour watching a screencast on WebForms and MonoRail from Ayende @ Rahien’s blog. It calmed some concerns but raised a few others…
NHibernate mapping files
NHibernate provides the core ORM system within MonoRail and normally requires XML mapping files to do so.
I really don’t want or need another abstraction layer here – my tables are freshly modeled and represent my domain classes very well. Rails, Subsonic and LINQ to SQL are all happy to just do it.
Thankfully a project called ActiveWriter gives you a very LINQ to SQL-like experience: drag tables on, change names and properties if you want, and it does the magic for you.
ActiveRecord template
I still don’t like this mix of static and instance methods providing some sort of split between what should really be two classes, but I can live with it.
There is also a Repository<T> option mentioned which perhaps solves this, I shall have to investigate it further.
View engines
There are a number of view engines available for MonoRail but the primary ones are NVelocity and Brail.
I already have C# and JavaScript in my project and have no desire to add another language unless there is a good reason to do so. If they want to stop people writing too much view code then what is wrong with a subset of C#?
The template engines also mean giving up strong typing (everything is passed to the view in a type-less property bag accessed with a string key!) and a complete lack of IntelliSense (the demo stalls as fields are mistyped on occasion, proving just how useful this is).
HTML injection
Yes, in this day and age HTML injection should be a long-dead concern, and yet even the built-in SmartGridComponent will happily squirt out data without encoding it. Any value that reaches the grid, whether from a database row or a form post, can therefore carry markup that is emitted as live HTML into an unsuspecting page.
Ayende has investigated the issue now and is working on getting a fix into the tree.
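To make the problem concrete, here is an added example (not MonoRail’s or the SmartGridComponent’s code, and written for this page rather than taken from the screencast) of a minimal grid renderer that takes rows as a type-less property bag, first emitting cells raw and then HTML-encoding each cell on output. The sample rows, including the row that carries a script tag, are constructed for the demonstration; the column names and method names are the example’s own.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Web; // HttpUtility lives in System.Web.dll; reference it from a console project

// Added illustration, not MonoRail code: a stand-alone grid renderer that
// mimics a view receiving rows as a type-less property bag and shows the
// difference between writing values raw and HTML-encoding them on output.
class GridEncodingDemo
{
    // Constructed sample data. The second row's Name is the sort of value an
    // attacker could store through any form that later feeds this grid.
    static readonly List<Dictionary<string, object>> Rows = new List<Dictionary<string, object>>
    {
        new Dictionary<string, object> { { "Id", 1 }, { "Name", "Alice" } },
        new Dictionary<string, object> { { "Id", 2 }, { "Name", "<script>alert(document.cookie)</script>" } },
    };

    // Vulnerable: the raw value is concatenated into the page, so any stored
    // markup becomes live HTML (and script) when the browser renders it.
    static string RenderUnencoded(IEnumerable<Dictionary<string, object>> rows, params string[] columns)
    {
        var sb = new StringBuilder("<table>\n");
        foreach (var row in rows)
        {
            sb.Append("<tr>");
            foreach (var col in columns)
                sb.Append("<td>").Append(row[col]).Append("</td>");
            sb.Append("</tr>\n");
        }
        return sb.Append("</table>").ToString();
    }

    // Hardened: every cell is encoded at the point it is written into the page.
    // HttpUtility.HtmlEncode turns <, >, & and " into entities, so the browser
    // displays the stored text instead of interpreting it as markup.
    static string RenderEncoded(IEnumerable<Dictionary<string, object>> rows, params string[] columns)
    {
        var sb = new StringBuilder("<table>\n");
        foreach (var row in rows)
        {
            sb.Append("<tr>");
            foreach (var col in columns)
                sb.Append("<td>").Append(HttpUtility.HtmlEncode(Convert.ToString(row[col]))).Append("</td>");
            sb.Append("</tr>\n");
        }
        return sb.Append("</table>").ToString();
    }

    static void Main()
    {
        Console.WriteLine("--- unencoded: the script tag reaches the browser intact ---");
        Console.WriteLine(RenderUnencoded(Rows, "Id", "Name"));
        Console.WriteLine();
        Console.WriteLine("--- encoded: the same row is rendered as harmless text ---");
        Console.WriteLine(RenderEncoded(Rows, "Id", "Name"));
    }
}
```

Two points worth keeping in mind when applying this to a real grid or view engine. Encode on output, not on the way into the database: the same value may later be written into a CSV export, an email or a JSON response, each of which needs its own encoding, and a value encoded once for HTML will appear mangled everywhere else. And HtmlEncode is only correct for element content and double-quoted attribute values; a value dropped into a JavaScript block, a URL or an unquoted attribute needs the encoder for that context, so a grid that also emits links or client-side handlers has more than one place to check.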
[)amien
Web Application Security for Developers presentation
Last night’s Guernsey Software Developers Forum meeting was sparsely attended, with a number of the regular attendees absent. There were however two new faces, including Kezzer, who I’d been chatting to on-line for years.
Hopefully the low numbers were down to the seasonal summer holidays and the knock-on effect that we couldn’t get an email out to the BCS Guernsey division to raise sufficient awareness.
I did a short presentation on Web Application Security for Developers that covered HTML injection, SQL injection and cross-site scripting, including some live demonstrations on sample code. Slides and sample code are available, although without audio or a screencast of the demonstrations until I work out how to do that with Keynote.
Download Web Application Security for Developers (Flash) (1 MB)
Download Web Application Security for Developers (PDF) (120 KB)
Download Sample of vulnerable and secure code (ASP.NET) (196 KB)
I’ve come to the conclusion that putting presentations together takes me around 1 hour of preparation to 1 minute of presentation…
[)amien
Envy Code R preview #6 forthcoming
Envy Code R has been updated since this post.
I have been experimenting with Envy Code R over the last few months – everything from creating a bold version to delta hinting with Visual TrueType with mixed results.
Part of the problem is that the odd shapes and over-emphasized curves I drew to make the font look great at 10 point with ClearType on make it look awkward at larger sizes.
Last weekend, I went back to the drawing board, literally, to try and improve on the shapes without impacting too much on the 10-point ClearType version. The result is as follows:

And for comparison, the old version:

Let me know your thoughts in the comments, even if it’s just to say you prefer PR6, Consolas or something else. Be sure to mention what size and whether you have ClearType on (or if you are using a Mac).
[)amien
Web Application Security presentation in Guernsey
This presentation is now available on-line.
I will be giving a talk about web application security tonight at the Guernsey Software Developers Forum.
Web application security is a very large subject, so I will only be covering SQL injection, HTML injection/cross-site scripting and input manipulation. If there is enough interest I’ll consider covering other subjects such as session hijacking, defensive programming, hashing etc. in a future talk.
As always the doors are open to everyone, opening at 6pm tonight (Wednesday 15 August 2007) at the Guernsey Training Agency above the Post Office in Smith Street.
The talk will last around 30 minutes but the meetings tend to go on to around 7:30pm for those that want to discuss it or other developer topics.
[)amien