HTML, SQL and XSS injection vulnerabilities aren’t new but they are still largely ignored by developers.

My first encounter with these issues was in 1999 whilst writing an extranet e-commerce web site. Back then the ASP fix consisted of Server.HtmlEncode for all output and a Replace("'", """")Replace("'", """") for strings heading to SQL (other types headed there via CInt/CLong/CDate and I wasn’t aware of parametrized queries).

It has been one week since I picked up my new MacBook Pro 17″ to replace my aging first-generation 15″ model.

My initial concern was that the size and weight would be unwieldy after 4 years of lugging around a 15″ MacBook Pro and a prior to that a Titanium PowerBook G4. The actual problem was that my trusty Samsonite Trunk & Co. backpack could not accommodate it and that I’d have to hope Santa would deliver something a little bigger. Being properly kitted up might reveal if the dimensions and weight are uncomfortable so expect an update once I’ve travelled with the beast.

If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting though to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are incredibly dangerous.

Using MonoRail or Microsoft’s MVC does not make you automatically immune – use {! }{! } in MonoRail’s Brail engine and the HtmlHelpers in Microsoft’s MVC to ensure correct encoding.

Part of my job involves revising our SQL Server architecture. My plan includes the addition of a read-only reporting SQL pair for non-critical inquiries and reports. This allows the heavy and unpredictable load from reporting away from from the primary SQL pair responsible for critical operations (shipping orders).

We utilized SQL Server’s publisher-subscriber replication on the required databases which, given their legacy nature, had some cross-database dependencies that were added without due consideration.

Hello Damien

You have received this email as a customer of our sister company, Friends Reunited.

The first public preview of Microsoft’s ASP.NET MVC (model view controller) framework is now available.

Download ASP.NET 3.5 Extensions (EXE) (3.7 MB)

A few years ago I believed that HTML and SQL injection vulnerabilities were headed for extinction. Thanks to object-relational mapping tools SQL injection continues to die but HTML and script injection vulnerabilities are as popular as ever.

Part of the problem stems from the “back-to-basics” approach to rendering web pages, throwing out classes and controls for string-based libraries (primitive obsession) and helpers which do not encode HTML or even offer a concise simple syntax to do so.

Wake up every morning to your iTunes playlist without the danger of an app launching it and having a problem/update pending that prevents you getting to work on time.

Alarm Clock 2 also includes Timers (great for a quick 20 minute power nap) and Stopwatches alongside the normal one-off or regular scheduled alarm that will bring both you and your machine out of sleep ready for that early-morning email check.

I just got the opportunity to try out the latest version of VMware and thought I’d do a quick Windows Experience Index on Boot Camp, Parallels and VMware to see what the performance is like before my new MacBook Pro 17″ arrives (hopefully on Friday!)

When I installed Leopard on my machine I took the opportunity to carve out a dedicated 20GB partition again to put a fresh install of Vista on. As well as being able to boot natively this also now means I can run my single Windows partition switching between native, Parallels or VMware at will which admittedly drives Windows Activation crazy.

I know, I said there would be a good chance that the next version of Envy Code R would be out this weekend but the annoying sizing, thickness and cropping issues that came up at some sizes above and below the optimum 10 point were really annoying me.

Many articles later, some playing around with Microsoft Visual TrueType and much frustration and experimentation later I think I’m on the right path.