<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:trackback="http://madskills.com/public/xml/rss/module/trackback/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:copyright="http://blogs.law.harvard.edu/tech/rss" xmlns:image="http://purl.org/rss/1.0/modules/image/">
    <channel>
        <title>Dev Philosophy</title>
        <link>http://www.theruntime.com/blogs/jaykimble/category/109.aspx</link>
        <description>Dev Philosophy</description>
        <language>en-US</language>
        <copyright>Jay Kimble</copyright>
        <managingEditor>jkimble@gmail.com</managingEditor>
        <generator>Subtext Version 1.9.5.0</generator>
        <item>
            <title>Red Gate &amp; Reflector: My Concerns...</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/08/21/red-gate-amp-reflector-my-concerns.aspx</link>
            <description>&lt;p&gt;Ok, before I start off I want to note that Red Gate is one of our "Friends of TRT," so they show up on just about every page of the site (and would appear in every RSS if I had the time to figure out how to do it). I also want to note that I know that I am breaking a rule with this post and may alienate a vendor, but this needs to be said (and sometimes I can’t resist).&lt;/p&gt;  &lt;p&gt;I love Red Gate tools. Their commercial stuff is absolutely awesome, and I mean that. If you don’t own at least their SQL Data/Compare tools, then you should. Their software engineering is without much fault (as far as I have seen). I love how they help the community (hence they are in our "Friends" program).&lt;/p&gt;  &lt;p&gt;I was chatting with JP (&lt;a href="http://www.johnpapa.net"&gt;John Papa&lt;/a&gt;) when I caught the news in the latest bulletin from them (it might have been old), and went from casual talk about John’s skin on his blog (see &lt;a href="http://johnpapa.net/all/a-new-look-for-my-graffiti-cms-theme/"&gt;here&lt;/a&gt;) to "Crap! Red Gate just bought Reflector..." JP doesn’t necessarily agree with me, but I wanted to at least spit out what I’m bugged by.&lt;/p&gt;  &lt;p&gt;Red Gate also owns the &lt;a href="http://pinvoke.net"&gt;PInvoke.net&lt;/a&gt; addin for VS2005 (and maybe it now works with VS2008). When you click on the web site to get the addin you are prompted for an email address and are informed that you will be getting ANTS Profiler 3 and Exception Hunter 1 as well... so they bundled 2 trials with a free product... products that you may already have licenses to.&lt;/p&gt;  &lt;p&gt;Not only that but every couple days you start getting spammed by their marketing department (it’s one of those... 2 days, 5 days, 1.5 weeks, 3 weeks, and after about a month they finally leave you alone). 
The bigger problem is that they don’t check their DB to see if you are already a registered licensee of a product (beyond the fact that you went there for a FREE PRODUCT).&lt;/p&gt;  &lt;p&gt;So everyone is wondering if .NET Reflector will continue to be free. I know that it will... It will just be bundled with some stuff that you may or may not want... and then you’ll be marketed to for a couple weeks after... That would be my big complaint. I hope that they choose to do otherwise (right now you can still download just .NET Reflector... but the marketing guys haven’t had time yet to figure out what they want to do... so we’ll see what happens).&lt;/p&gt;  &lt;p&gt;BTW, I hope I’m wrong about all this ... I really do. Red Gate is a company I really do like (I just don’t always like the way they have handled "free" products in the past)... I hope they continue to have a single download to the free product.&lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/08/21/red-gate-amp-reflector-my-concerns.aspx</guid>
            <pubDate>Thu, 21 Aug 2008 13:22:20 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2665.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/08/21/red-gate-amp-reflector-my-concerns.aspx#feedback</comments>
            <slash:comments>3</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2665.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Writing Better JS Components</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/08/12/writing-better-js-components.aspx</link>
            <description>&lt;p&gt;Perry (my boss... a developer/manager... he codes and manages) and I have been having a recurring conversation lately. One that keeps bringing to my mind a product that I knew about when I worked for ZAC Catalogs (way back in the day). I would daresay that none of you had even heard of it (although we did pick it up as a result of Xtras carrying it, so maybe a few of you knew about it). I believe it was called "MFC DataGrid Wizard" or something like that. Anyway, what it did was build a custom DataGrid component for you based on selections in a wizard. You selected what features you needed and then it would take its full-featured Grid source code (which came with the component) and would dynamically generate a full-blown component for you with just the features you needed. &lt;/p&gt;  &lt;p&gt;There are two reasons this has become a topic for discussion for me. The first is that we are currently struggling with a set of third-party components that a prior developer/manager pushed all over our main site. The components are ones that you have probably heard great things about, and they are pretty cool. The problem is when you shove these components everywhere! We are having ViewState issues among other things... One of the components is a full-featured Grid control (client-side) that, while nice, we usually only use as a glorified listbox (we use it for selecting an item). 
As a result I built a specialized DataGrid for our company (one whose codebase I’ll be walking through at the first &lt;a href="http://theruntime.com/blogs/jaykimble/archive/2008/07/17/tampa-user-experience-tux-user-group-is-coming-september-10th.aspx"&gt;TUX user group meeting next month&lt;/a&gt;).&lt;/p&gt;  &lt;p&gt;The other reason is this &lt;a href="http://weblogs.asp.net/bleroy/archive/2008/08/05/need-a-simple-grid-for-asp-net-ajax.aspx"&gt;post from Bertrand LeRoy&lt;/a&gt; where he talks about a &lt;a href="http://weblogs.asp.net/bleroy/archive/2008/08/05/need-a-simple-grid-for-asp-net-ajax.aspx"&gt;simple grid for ASP.NET&lt;/a&gt;. Here’s my problem with Bertrand’s post. The grid he talks about as being simple really doesn’t sound all that simple to my ears. Let me list a couple features:&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;Column drag/drop&lt;/li&gt;    &lt;li&gt;Different column types&lt;/li&gt;    &lt;li&gt;Data Sorting/Paging&lt;/li&gt;    &lt;li&gt;Inline editing&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Now mind you, these are awesome features; if you need them all, then you would want to use something like this, but a lot of times what we need is something simpler. You could use the aforementioned grid for this, but the grid will probably still use ViewState (because it needs to maintain state for the paging, sorting, and editing features). It might need several more scripts or &amp;lt;shudder /&amp;gt; its script might be 500-1000 lines longer because of the added features.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;A Better Way&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;I have been thinking about a better way to "do" script components. We really need to have a wizard that asks us what we will be needing in the components and then the main script file can be customized (as can the server side code) to remove certain things. It could be done really easily with templates for the script. You need a template for the main file, and additional includes based on features. 
The server side would work pretty much the same way. I know that no company really wants to give away their source, but even if they were able to do this for script code that would make our lives a lot easier.&lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/08/12/writing-better-js-components.aspx</guid>
            <pubDate>Tue, 12 Aug 2008 12:04:33 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2658.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/08/12/writing-better-js-components.aspx#feedback</comments>
            <slash:comments>2</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2658.aspx</wfw:commentRss>
        </item>
        <item>
            <title>MS MVC Thoughts</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/07/24/ms-mvc-thoughts.aspx</link>
            <description>&lt;p&gt;[NOTE: I haven’t quite had much of a chance to look at the new Preview 4, so take this as someone nearly informed. I haven’t read about anything in the Preview 4 that changes what I’m going to say. Also, remember that I am the admin/editor of the blog site which is Alt Alt.NET... so testability/mockability doesn’t really resonate with me.]&lt;/p&gt;  &lt;p&gt;I know it’s shocking that I would have something to weigh in on MS MVC, but I do. For those who don’t know, I took some issue with Ayende’s "leaky abstraction" back in my CodeBetter days (they had to love having me around). BTW, I understood and agreed in some respects, but in others I was less than agreeable. I still think Web Forms are viable and usable, but in some cases the paradigm breaks down, so the need for another paradigm is both welcome and interesting (and before anyone brings up Castle, PixelDragon, or CodeStory MVC frameworks, I have looked at them as well and found them, in general, way too complex to get started with, which is not to say that a couple templates could help you guys out...).&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;Why I’m interested?&lt;/strong&gt;    &lt;br /&gt;Ok, the reason I’m interested is summed up in one word: RIAs. I could have summed that up in 2 words: Ajax, and Silverlight2. The other thing is that I have used the MVCContrib’s Restful feature to build REST services (way cool).&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The Good&lt;/strong&gt;    &lt;br /&gt;I really like the simplicity. I mean MVC isn’t simple, but the MVC framework makes it easy to keep your layers separate... you still have to think about what you are doing, but on the whole it’s pretty easy to use. The MVC paradigm allows for a truer coding experience (the engine doesn’t pretend to be a Windows application in any way, although you can still use things like session and the forms authentication engine in ASP.NET).&lt;/p&gt;  &lt;p&gt;The MVCContrib library is indispensable. 
It’s an open source community project that adds additional features to the MS MVC architecture. For instance, there are a number of alternative view engines; I haven’t investigated all of them yet (and for the most part I am sticking with the ASPX engine... although my later comments may lead you otherwise).&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The Not So Good&lt;/strong&gt;    &lt;br /&gt;Before I say this I want you to realize I have written a grand total of 2 apps with this. App1 used the Restful plugin and really shouldn’t count, so I have written exactly 1 app (so definitely take this with a grain of salt).&lt;/p&gt;  &lt;p&gt;Complaint number 1 is that I felt like I was writing old ASP code. I used the inline code method for writing output into my HTML. I probably could have written in the codebehind and had a clean web template with code separation (something I’m a believer in, but it was my first app)... probably more my fault than the engine’s, but there is a lot of sample code out there already that leads you down this path.&lt;/p&gt;  &lt;p&gt;Complaint number 2 really is valid. The whole idea of MVC is that I should be able to swap out the view engine. Or better yet, be able to respond to a request and supply a view that is more suited for the client. Someone pointed out to me that one of the big features of ASP.NET 1.0 was that it would supposedly do this... I would really love for MVC to make it easy to determine that "this is a mobile browser" and supply the mobile template (if one exists). Or better yet, this client is requesting that I send XML... evidently it’s some kind of Rich Client. 
Specific methods can be triggered to deliver a specific type; it would just be nice if the framework would detect that the client "accepts" (that’s a ServerVariable pushed in the header) only "Application/Json" so the MVC app should use a JSON result or convert the result I got to JSON and push it directly down to the client.&lt;/p&gt;  &lt;p&gt;This would make the MVC part of this more useful to me (remember all the stuff I said up front... and yes, I know I can do this myself and have... it just would be nice if I could get the controller framework to make it easy for me to configure and then do this for me).&lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/07/24/ms-mvc-thoughts.aspx</guid>
            <pubDate>Thu, 24 Jul 2008 13:45:05 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2650.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/07/24/ms-mvc-thoughts.aspx#feedback</comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2650.aspx</wfw:commentRss>
        </item>
        <item>
            <title>An Answer to my post for young programmers</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/06/24/an-answer-to-my-post-for-young-programmers.aspx</link>
            <description>&lt;p&gt;My good buddy (actually my best friend from High School), "The Witt" complained that I wasn’t being helpful to programmers who are trying to learn the craft when I posted two weekends ago on "&lt;a href="http://theruntime.com/blogs/jaykimble/archive/2008/06/14/a-question-you-should-ask-when-hiring-a-non-entry-level.aspx"&gt;A Question you should ask when hiring a non-entry level developer&lt;/a&gt;." (OK, he wasn’t the only one... but, hey, we have a history, so he can get me to post a response, and you can’t... deal...) &lt;/p&gt;  &lt;p&gt;I decided that our subsequent conversation in email would make a good followup post for those who want to know what they should be doing, and with his blessing I am posting an edited version.&lt;/p&gt;  &lt;p&gt;[It started with this comment]&lt;/p&gt;  &lt;p&gt;&lt;font color="#008000"&gt;The Witt - &lt;em&gt;OK I know that I am new to the ASP coding info.       &lt;br /&gt;I understand the security issues (or at least, what might happen with leaving everything wide open). BUT, having just completed two semesters of nothing but ASP I just don’t see what’s wrong... I AM NOT a seasoned programmer...and my classes taught us to connect in this very manner you describe...        &lt;br /&gt;Can you elaborate for those of us that are trying to learn? Show us what you would do instead?        &lt;br /&gt;Thanks in advance&lt;/em&gt;&lt;/font&gt;&lt;/p&gt;  &lt;p&gt;Jay (in Email now)- I know I probably made some harsh statements there (in my blog post). I meant it to be hard, but it was as much about seeing some consultant coming in and writing crappy code against my APIs and leaving HUGE security holes in my website.&lt;/p&gt;  &lt;p&gt;The major point is for ASP.NET that you should always use Command objects with parameters... something like this (code may not compile ’cause it’s off the top of my head... 
there’s probably an error in there somewhere...)&lt;/p&gt;  &lt;div style="border-right: gray 1px solid; padding-right: 4px; border-top: gray 1px solid; padding-left: 4px; font-size: 8pt; padding-bottom: 4px; margin: 20px 0px 10px; overflow: auto; border-left: gray 1px solid; width: 97.5%; cursor: text; max-height: 200px; line-height: 12pt; padding-top: 4px; border-bottom: gray 1px solid; font-family: consolas, 'Courier New', courier, monospace; background-color: #f4f4f4"&gt;   &lt;div style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;     &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   1:&lt;/span&gt; &lt;span style="color: #0000ff"&gt;Dim&lt;/span&gt; query &lt;span style="color: #0000ff"&gt;as&lt;/span&gt; &lt;span style="color: #0000ff"&gt;string&lt;/span&gt; = &lt;span style="color: #006080"&gt;"select field1, field2, field3 from someTable where ID = @TableID"&lt;/span&gt;&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   2:&lt;/span&gt; Cmd.CommandText = query&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   3:&lt;/span&gt; Cmd.Parameters.Add(&lt;span style="color: #0000ff"&gt;new&lt;/span&gt; SqlParameter(&lt;span style="color: #006080"&gt;"@TableID"&lt;/span&gt;, cbo.Value))&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   4:&lt;/span&gt; &lt;span style="color: #008000"&gt;' Code continues....&lt;/span&gt;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;The trick is in using the "@" variable in the query, and using the Parameters collection. When this gets shoveled down to the database it gets sent differently and if someone tries to change that "cbo.Value" within the http post by trying to add their own SQL it will fail.&lt;/p&gt;

&lt;p&gt;I know that changing the variable in the http post statement sounds advanced... go here --&amp;gt; &lt;a href="http://www.bayden.com/TamperIE/"&gt;http://www.bayden.com/TamperIE/&lt;/a&gt;, download the TamperIE tool (for IE)  and try it out... You’ll see that you can in fact force whatever values you want into the post.&lt;/p&gt;

&lt;p&gt;As far as other dev environments go (I know you deal with a couple others), you want to figure out how to send a prepared statement to whatever SQL Server you are dealing with (ms access has these as well, so does Oracle and everything else I can think of... even the free PostgreSQL has them). &lt;/p&gt;

&lt;p&gt;Anyway, I see you as someone who’s growing as a developer... you’d not go into an interview and present yourself as more than you are... that too is the problem...&lt;/p&gt;

&lt;p&gt;Do you mind if I post this (more or less?) as a new blog post?&lt;/p&gt;

&lt;p&gt;&lt;font color="#008000"&gt;The Witt- I don’t mind in the least…&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font color="#008000"&gt;          Like I said I am trying to learn. The “@” tucked in front… I always thought that was just to get the info from the current page. It’s nice to know what that really does. I do use that for most of my sites. I just never knew all the reasons.&lt;/font&gt;&lt;/p&gt;

&lt;p&gt;&lt;font color="#008000"&gt;I think that is the problem with a lot of the schools today. They are just pushing the students out and they really don’t know what they are doing. (Not that I always know what I’m doing). &lt;/font&gt;&lt;/p&gt;

&lt;p&gt;---------------&lt;/p&gt;

&lt;p&gt;Ok, it’s not all that edited. One more thing I forgot to mention. If you use an ORM or something that builds classes for you, then you probably are getting this type of functionality (just about every ORM I know of uses prepared SQL statements to push data). My favorite ORM is SubSonic (and I know others rave about NHibernate)... In the Java world I use Apache Cayenne (and people rave about Hibernate over there).&lt;/p&gt;

&lt;p&gt;---------------&lt;/p&gt;

&lt;p&gt;BTW, I take great pleasure in mentioning that The Witt turns $28 (that’s hex) in a little less than 2 months... unfortunately I turn $28 about 2 weeks before him.&lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/06/24/an-answer-to-my-post-for-young-programmers.aspx</guid>
            <pubDate>Wed, 25 Jun 2008 01:15:35 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2429.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/06/24/an-answer-to-my-post-for-young-programmers.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2429.aspx</wfw:commentRss>
        </item>
        <item>
            <title>A Question you should ask when hiring a non-entry level developer</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/06/14/a-question-you-should-ask-when-hiring-a-non-entry-level.aspx</link>
            <description>&lt;p&gt;And I mean every developer. If you are an entrepreneur and you are hiring a consultant to work on your hot idea you need to do this. It could cost you everything if you don’t.&lt;/p&gt;  &lt;p&gt;I recently took on a side project. It’s a return to a project I did 2 years ago. Since I worked on it there have been at least 2 other people on the project. I’m writing this for the Business Development guy (the guy I assume hired the other folks). I am not writing this to "cut" on the other developer (I am not perfect), but I did detect a flaw that for me is critical. So one of the other guys is not only not up to snuff IMNHO, but s/he shouldn’t be working anywhere as anything but entry level (I’m sorry to be so harsh, but when you understand what I’m talking about you’ll see why I’m being so harsh).&lt;/p&gt;  &lt;p&gt;One more thing, because I’m writing this more for a non-technical person. You don’t need to pretend to be technical. Pretend like you’ve hired someone to help you assess a programmer, and this is your one and only question.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;The Question&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;When should/would you ever write code like the following (pick the version that applies to you):&lt;/p&gt;  &lt;div style="border-right: gray 1px solid; padding-right: 4px; border-top: gray 1px solid; padding-left: 4px; font-size: 8pt; padding-bottom: 4px; margin: 20px 0px 10px; overflow: auto; border-left: gray 1px solid; width: 97.5%; cursor: text; max-height: 200px; line-height: 12pt; padding-top: 4px; border-bottom: gray 1px solid; font-family: consolas, 'Courier New', courier, monospace; background-color: #f4f4f4"&gt;   &lt;div style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: 
none; background-color: #f4f4f4; border-bottom-style: none"&gt;     &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   1:&lt;/span&gt; &lt;span style="color: #008000"&gt;// C# Code&lt;/span&gt;&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   2:&lt;/span&gt; &lt;span style="color: #0000ff"&gt;string&lt;/span&gt; query = &lt;span style="color: #006080"&gt;"select * from SomeTable where SomeID = "&lt;/span&gt; + cboField.SelectedValue;&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   3:&lt;/span&gt; SqlCommand cmd = &lt;span style="color: #0000ff"&gt;new&lt;/span&gt; SqlCommand(query, connection);&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   4:&lt;/span&gt; SqlDataAdapter da = &lt;span style="color: #0000ff"&gt;new&lt;/span&gt; SqlDataAdapter(cmd);&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   5:&lt;/span&gt; da.Fill(ds);&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;div style="border-right: gray 1px solid; padding-right: 4px; border-top: gray 1px solid; padding-left: 4px; font-size: 8pt; padding-bottom: 4px; margin: 20px 0px 10px; overflow: auto; border-left: gray 1px solid; width: 97.5%; cursor: text; max-height: 200px; line-height: 12pt; padding-top: 4px; border-bottom: gray 1px solid; font-family: consolas, 'Courier New', courier, monospace; background-color: #f4f4f4"&gt;
  &lt;div style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;
    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   1:&lt;/span&gt; &lt;span style="color: #008000"&gt;' VB.NET (actually most versions of VB look something like this)&lt;/span&gt;&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   2:&lt;/span&gt; &lt;span style="color: #0000ff"&gt;Dim&lt;/span&gt; query &lt;span style="color: #0000ff"&gt;As&lt;/span&gt; &lt;span style="color: #0000ff"&gt;String&lt;/span&gt; = &lt;span style="color: #006080"&gt;" select * from SomeTable where SomeID = "&lt;/span&gt; + cboField.SelectedValue&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   3:&lt;/span&gt; &lt;span style="color: #0000ff"&gt;Dim&lt;/span&gt; cmd &lt;span style="color: #0000ff"&gt;As&lt;/span&gt; &lt;span style="color: #0000ff"&gt;New&lt;/span&gt; SqlCommand(query, connection)&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   4:&lt;/span&gt; &lt;span style="color: #0000ff"&gt;Dim&lt;/span&gt; da &lt;span style="color: #0000ff"&gt;As&lt;/span&gt; &lt;span style="color: #0000ff"&gt;New&lt;/span&gt; SqlDataAdapter(cmd)&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   5:&lt;/span&gt; da.Fill(ds)&lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   6:&lt;/span&gt;  &lt;/pre&gt;

    &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #606060"&gt;   7:&lt;/span&gt; ' Thank you Telerik &lt;span style="color: #0000ff"&gt;for&lt;/span&gt; the quick translation&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;


&lt;p&gt;&lt;strong&gt;The Answer&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The simple answer is nowhere. &lt;/p&gt;

&lt;p&gt;The biggest reason is security. That code enables something called SQL Injection. There are utilities that will let a hacker (actually, you as a non-technical person could use them) steal your entire database via a single hole in your app like this. All kinds of bad things can happen as a result of this. I recently switched grocery stores because my old grocery store had an IT problem where my debit card number got stolen. That kills it for me. I won’t be going back. The same will be true of your customers (if you don’t get sued). So the proper answer to this question means a lot.&lt;/p&gt;

&lt;p&gt;A second option is that the programmer might mention the DataSet. This is really less critical (and there are times to do this). The first line of the code is what should be singled out in your mind, because this will tell you if the programmer "gets" security. If s/he doesn’t understand it here... s/he probably won’t understand it elsewhere (you probably have a non-professional programmer pretending to be a professional programmer... take this from a guy who started as a non-professional and doesn’t have a programming degree). &lt;/p&gt;

&lt;p&gt;If they suggest making any changes to the first line, then they know what the problem is. They pass. If they leave that first line alone, they fail. By the way, it doesn’t matter whether the programmer is building a web app, a Windows app, or some kind of service; this is a universal mistake.&lt;/p&gt;

&lt;p&gt;No matter how cheap they are, they are creating problems that you don’t need. You can get a good programmer for a lower rate. For instance, I lowered my rate considerably to get a small piece of the pie on the app I’m working on. &lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/06/14/a-question-you-should-ask-when-hiring-a-non-entry-level.aspx</guid>
            <pubDate>Sat, 14 Jun 2008 13:18:23 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2424.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/06/14/a-question-you-should-ask-when-hiring-a-non-entry-level.aspx#feedback</comments>
            <slash:comments>14</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2424.aspx</wfw:commentRss>
        </item>
        <item>
            <title>To Cache, To Static, or To Session &amp;quot;When?&amp;quot; is the question</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/06/10/to-cache-to-static-or-to-session-quotwhenquot-is-the.aspx</link>
            <description>&lt;p&gt;DonXML has an interesting article over &lt;a href="http://donxml.com/allthingstechie/archive/2008/06/06/Cache-Or-Session-State-_2D00_-Similar-But-Different.aspx"&gt;here&lt;/a&gt; that got me thinking about a technique I have been using for years now, and I’m not sure I’ve seen much written about it.&lt;/p&gt;  &lt;p&gt;The basic tenet begins like this: I avoid session like the plague (not sure why except I have visions of some abuses I have seen... like full DataTables stored in session). The only time, and I mean the ONLY TIME, I use Session is if I have a value that needs to be associated with a user across the WHOLE site. As a result I really try to design my model where there are minimal values that need to be associated with a user site-wide.&lt;/p&gt;  &lt;p&gt;What I have seen is that values come in 3 basic variations as far as Web site variables go: values associated with a user everywhere, values associated with a user necessary for a few pages, and values that really are application level values.&lt;/p&gt;  &lt;p&gt;My suspicion about "&lt;strong&gt;Values associated with a user everywhere&lt;/strong&gt;" is that they are not as prevalent and are often the result of programmers either not fully understanding web apps, not thinking things through, or pushing a value into session site-wide when they only need it in a couple of places. Treat Session like you do ViewState: it is a snake (maybe a poisonous one) that while necessary to kill the rats in your back yard due to the citrus trees, you don’t want a dozen snakes in the backyard either... Only use the number of snakes that you need (if you have no rats then 0 is the perfect number of snakes). 
So the lesson here is to really look at your user-related values: determine if they really are used everywhere, and determine if they need to be available in memory the whole time the user is on the site.&lt;/p&gt;  &lt;p&gt;For &lt;strong&gt;values associated with a user necessary for a few pages&lt;/strong&gt;, I tend to use cache, or I do use Session (but I clean up immediately after I’m done). When I use Cache I factor in the user’s Session ID. The thing I like about Cache is that I have a much richer set of expiration options. Session sticks while a user is clicking around the site... Cache lets me absolutely set an expiration time. I also am aware of the fact that Cache can be unloaded early (so I use Cache as a temporary place for a value knowing that I may need to retrieve it again). If it’s something that isn’t stored elsewhere then into Session it goes (even if I have to delete that Session var later). It’s really about managing the data in memory.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;For the application type values&lt;/strong&gt;, I usually forget about the whole Application mechanisms (you might use them, but I do something else); I like to use static/shared values on individual classes. This has the effect of better organizing your code (and if you do anything else with the class it simplifies things... I suspect some automated test guys would agree with me on this point). Why mention these here? Well I have seen my share of things that were really application related or indexed application related (such as storing this customer’s company info in session... that really should be either a cache or a static, and it should be retrievable by some company id).&lt;/p&gt;  &lt;p&gt;Don’s post was originally spawned by the new Velocity cache from MS. Honestly the only comment I have on it is that I wish they had chosen a different name. I hear Velocity and I think about the text template engine (the one for Java... 
but the one for .NET is nvelocity)&lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/06/10/to-cache-to-static-or-to-session-quotwhenquot-is-the.aspx</guid>
            <pubDate>Tue, 10 Jun 2008 15:15:35 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2420.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/06/10/to-cache-to-static-or-to-session-quotwhenquot-is-the.aspx#feedback</comments>
            <slash:comments>2</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2420.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Silverlight2 Programming: The Designer Rule</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/05/13/silverlight2-programming-the-designer-rule.aspx</link>
            <description>&lt;p&gt;I’m starting a new series on Silverlight2. I am currently building a little SL2 prototype, and as I am learning things I thought I would write them down here.&lt;/p&gt;  &lt;p&gt;The first rule deals with working with Designers. It is stated as such.&lt;/p&gt;  &lt;p&gt;&lt;strong&gt;"Prefer XAML code to CLR/DLR code when it comes to building interfaces"&lt;/strong&gt;&lt;/p&gt;  &lt;p&gt;Note the word "prefer" here. That word means "usually", "normally", or "unless there is an exception."&lt;/p&gt;  &lt;p&gt;This is best explained by some C# code I saw the other day. It looked something like this:&lt;/p&gt;  &lt;div style="border-right: gray 1px solid; padding-right: 4px; border-top: gray 1px solid; padding-left: 4px; font-size: 8pt; padding-bottom: 4px; margin: 20px 0px 10px; overflow: auto; border-left: gray 1px solid; width: 97.5%; cursor: text; max-height: 200px; line-height: 12pt; padding-top: 4px; border-bottom: gray 1px solid; font-family: consolas, 'Courier New', courier, monospace; background-color: #f4f4f4"&gt;   &lt;div style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: #f4f4f4; border-bottom-style: none"&gt;     &lt;pre style="padding-right: 0px; padding-left: 0px; font-size: 8pt; padding-bottom: 0px; margin: 0em; overflow: visible; width: 100%; color: black; border-top-style: none; line-height: 12pt; padding-top: 0px; font-family: consolas, 'Courier New', courier, monospace; border-right-style: none; border-left-style: none; background-color: white; border-bottom-style: none"&gt;&lt;span style="color: #0000ff"&gt;string&lt;/span&gt; ElementX = &lt;span style="color: #006080"&gt;@"&amp;lt;div 
class='twocolumndiv'&amp;gt;&amp;lt;span class='singlecolumn'&amp;gt;{0}&amp;lt;/span&amp;gt;&amp;lt;span class='singlecolumn'&amp;gt;{1}&amp;lt;/span&amp;gt;"&lt;/span&gt;;&lt;/pre&gt;
  &lt;/div&gt;
&lt;/div&gt;

&lt;p&gt;The problem with the above code is that you’ve embedded it into your code. It’s effectively buried. If someone else needs to change this template to say add a field or to make changes in any manner, they are scanning the code looking for this (provided they know where to look); this will be the cause of much swearing and maligning of your name.&lt;/p&gt;

&lt;p&gt;To make matters worse, if you have a web designer you have effectively removed their visibility to this code (maybe this point is made a little sharply; I know some web designers who would be scanning the code as well, but they wouldn’t be happy).&lt;/p&gt;

&lt;p&gt;So how does this relate to Silverlight 2? Simple: you should try to avoid instantiating controls on your Silverlight views (pages??) that a designer has no visibility to (in other words, using a UserControl that has an associated XAML is fine, but instantiating a new UserControl and throwing a new layout and a bunch of text boxes should be done with great care... you should know why you did it that way). &lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/05/13/silverlight2-programming-the-designer-rule.aspx</guid>
            <pubDate>Tue, 13 May 2008 16:04:43 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2407.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/05/13/silverlight2-programming-the-designer-rule.aspx#feedback</comments>
            <slash:comments>1</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2407.aspx</wfw:commentRss>
        </item>
        <item>
            <title>Composition vs. Inheritance...</title>
            <link>http://theruntime.com/blogs/jaykimble/archive/2008/05/02/composition-vs.-inheritance.aspx</link>
            <description>&lt;p&gt;[I really should stay out of these discussions... I really should, but I can’t resist.]&lt;/p&gt;  &lt;p&gt;The other day I saw an article on Composition over Inheritance (I forget where I saw it). The article did a good job of explaining what "composition" is. This is my simplistic understanding (which means that someone will probably come in and tell me I have it ALL wrong... what else is new?): "composition" means essentially wrapping objects instead of direct inheritance (so instead of inheriting from X you instead have a private instance of X in your class that you use, but you create your own interface possibly something that looks totally different from the "wrapped" class).&lt;/p&gt;  &lt;p&gt;I only really have one concern in all this; at least with what I have read (and not necessarily the last article I read on this subject). The advice almost comes across as "thou shalt avoid inheritance (if you can)." The implication is that inheritance is something bad. Now I understand that inheritance can complicate things in a unit testing scenario (be it TDD or POUT).&lt;/p&gt;  &lt;p&gt;The problem is that implication that inheritance is bad. I think it might be better to discuss some things I recently did in the DLRScript source code. I recently used composition to build a compatible XMLHttpRequest object in my DLRScript environment (no, it’s in the unreleased bits which will be released as soon as I can test it properly... I was hoping for a jQuery compatibility, but it looks like that ain’t happening this iteration). I wrapped the Silverlight HttpWebRequest object. This let me create a Mozilla/Safari-compatible XmlHttpRequest object that has no extra features other than what those objects contain.&lt;/p&gt;  &lt;p&gt;That said I also have some code I have had in place for some time that also works well. 
This code inherits from the Silverlight HtmlDocument, and creates a document object that is more in line with what we are used to seeing in client script in the browser. I also have a class that wraps HtmlElement to create an object that is also more familiar to JavaScript junkies. I recently added a style property to each of these elements, for instance. My style property simply utilizes the setStyle/getStyle methods (I forget the actual method names) which are already available in the HtmlElement (for instance) to get/set values of individual style properties. In this case having a few dangling methods doesn’t really hurt because I already need 90% of what is already there. I do have to override a few methods since I need to emit DomElements (my inherited form of the HtmlElement) from getElementById instead of an HtmlElement.&lt;/p&gt;  &lt;p&gt;My point is this. Think. Think! THINK!!! &lt;strong&gt;THINK!!&lt;/strong&gt; Don’t just blindly follow a rule. Look at your code. Take control of it. Make it do what you want it to do. Make sure that it makes sense, and if someone else is going to be using it, ask someone else if they think what you are doing makes sense. And then DOCUMENT IT!! At least provide an example of how to use it.&lt;/p&gt;</description>
            <dc:creator>Jay Kimble</dc:creator>
            <guid>http://theruntime.com/blogs/jaykimble/archive/2008/05/02/composition-vs.-inheritance.aspx</guid>
            <pubDate>Fri, 02 May 2008 16:41:52 GMT</pubDate>
            <wfw:comment>http://theruntime.com/blogs/jaykimble/comments/2402.aspx</wfw:comment>
            <comments>http://theruntime.com/blogs/jaykimble/archive/2008/05/02/composition-vs.-inheritance.aspx#feedback</comments>
            <slash:comments>5</slash:comments>
            <wfw:commentRss>http://theruntime.com/blogs/jaykimble/comments/commentRss/2402.aspx</wfw:commentRss>
        </item>
    </channel>
</rss>