Galin Iliev's blog

Software Architecture & Development

My Sessions at Microsoft Days 2008 in Sofia, Bulgaria

MS Days 2008 in Bulgaria is history now and I can say I had a nice two days. There were many lecturers (about 50) and 72 sessions in 6 tracks.

For those who missed my talks or are interested in the slides, here is a summary of the sessions:

LINQ to XML - Data Access Technologies

This session focused on the new API from the XML team for .NET languages. I gave a side-by-side comparison of traditional DOM and LINQ to XML for the most common actions:

  • Create XML
  • Traverse XML
  • Transform XML

I also covered VB9 literals. When I started talking about VB, I thought people would throw rocks at me (and some really considered that option :) ). But when I repeated some of the demos with VB9 code, the audience was very impressed and forgot about the rocks in their pockets. There was even some initial brainstorming about whether the same things could be implemented in C# with custom code. (Unfortunately, this is a compiler feature and we cannot do it very easily.)

Another thing I mentioned was LINQ to XSD.

I've decided that people will understand my points better if I write code in front of them instead of just explaining it. This is also more challenging :). I think it went well...

Here are the downloads:

IIS7 for IT Pros

IIS7 is the most interesting feature in Windows Server 2008 and I have already given some talks about it. In this talk I covered (from an administration perspective) the following key topics:

  • What is missing in IIS 6.0
  • IIS7 module architecture and its benefits
  • New .NET-like configuration files and metadata
  • Delegated Administration
  • Shared Configuration
  • Tracing and Diagnostics

The things I've demonstrated are:

  1. New tools - the new management console as well as the APPCMD command-line tool
  2. Richness of the new error pages and the generated trace file - it is a whole HTML+JS application built with XML & XSLT, with an incredible amount of information.
  3. WCAT stress test with a view of live requests on the server.
  4. Analyzing server and site load using IIS7 Admin Pack features.

And here is the presentation: MS PowerPoint 2007 format (0.98 MB)

Any feedback is very welcome.

How bad is SQL Injection

I have been presenting IIS (Internet Information Services) for a while and there is one slide in my deck which says that there has been no critical security patch for IIS6 since RTM.

Recently there was some news about 500k web pages being exploited with an SQL Injection hack (more info here and here).

Although this could cast some shadow on IIS security, it has to be clear that this is not an IIS exploit. This is an application exploit. Any application could suffer from SQL Injection (video: Length: 6:01 - Size: 6.37 MB).

It is not like uploading a harmful file to the server and executing it, is it?

So it has to be clear: Do not use such code:

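public bool Login(string userName, string password)
{
    // VULNERABLE: user input is formatted directly into the SQL text.
    // Requires: using System.Data.SqlClient; conn is an SqlConnection field.
    string command = string.Format("SELECT COUNT(*) FROM [User] WHERE UserName='{0}' AND Password='{1}'",
        userName, password);

    using (conn)
    {
        SqlCommand cmdLogin = new SqlCommand(command, conn);
        // ExecuteScalar returns object, so the count has to be cast.
        int res = (int)cmdLogin.ExecuteScalar();
        return res == 1;
    }
}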

Do you know why?!

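Because string.Format pastes the input straight into the SQL text, so a quote in the input ends the string literal and the rest is read as SQL. If you get the following string as the password: ' OR 1=1 '; drop table Users; you will drop the table from the DB and the application will stop working.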

Do it this way:

public bool Login(string userName, string password)
{
    // Parameter placeholders keep user input out of the SQL text.
    string command = "SELECT COUNT(*) FROM [User] WHERE UserName=@UserName AND Password=@Password";

    using (conn)
    {
        SqlCommand cmdLogin = new SqlCommand(command, conn);
        // Values are sent separately from the statement and are never parsed as SQL.
        cmdLogin.Parameters.AddWithValue("@UserName", userName);
        cmdLogin.Parameters.AddWithValue("@Password", password);

        // ExecuteScalar returns object, so the count has to be cast.
        int res = (int)cmdLogin.ExecuteScalar();
        return res == 1;
    }
}

It is much safer...

Hope this helps!
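The two Login variants above can be compared side by side without a SQL Server instance. The following is an added example, not code from the original post: it uses Python's standard-library sqlite3 module with an in-memory database, and the Users table, the sample account and both test inputs are constructed for the illustration.

```python
import sqlite3


def make_db():
    """Build an in-memory database with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT PRIMARY KEY, Password TEXT)")
    # Plain-text password only to mirror the query in the post.
    conn.execute("INSERT INTO Users VALUES (?, ?)",
                 ("alice", "it's-a-long-passphrase"))
    return conn


def login_formatted(conn, user_name, password):
    """Same pattern as the string.Format version: input becomes SQL text."""
    sql = ("SELECT COUNT(*) FROM Users WHERE UserName='%s' AND Password='%s'"
           % (user_name, password))
    try:
        return conn.execute(sql).fetchone()[0] == 1
    except sqlite3.Error:
        # A stray quote in the input produced a statement that does not parse.
        return False


def login_parameterized(conn, user_name, password):
    """Same pattern as the AddWithValue version: input is bound as data."""
    sql = "SELECT COUNT(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(sql, (user_name, password)).fetchone()[0] == 1


def compare():
    """Run both variants against a real password and a quote-bearing input."""
    conn = make_db()
    real = "it's-a-long-passphrase"   # legitimate password containing a quote
    crafted = "' OR '1'='1"           # constructed input, same idea as the string above
    return {
        "formatted, real password": login_formatted(conn, "alice", real),
        "formatted, crafted input": login_formatted(conn, "alice", crafted),
        "parameterized, real password": login_parameterized(conn, "alice", real),
        "parameterized, crafted input": login_parameterized(conn, "alice", crafted),
    }


if __name__ == "__main__":
    for case, accepted in compare().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The formatted query fails in both directions: it rejects the real password because of its apostrophe and accepts the crafted input, while the parameterized query gets both cases right.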

Get list result from Stored Procedure

Stored procedures are very powerful and they have many benefits over using UDFs (user-defined functions).

There is one con, though - the result set cannot be manipulated further from T-SQL.

There is one trick that will allow it: using OPENROWSET:

-- Needs the 'Ad Hoc Distributed Queries' server option to be enabled.
SELECT  *
FROM    OPENROWSET ('SQLOLEDB','Server=(local);TRUSTED_CONNECTION=YES;','set fmtonly off exec master.dbo.sp_who')
AS tbl

Read full blog post here

How much of success is the technical side?

All of us have heard of software companies that achieved great success - Microsoft, Apple, Yahoo... and more recently Google and Skype. As technical people, we tend to think it is entirely due to some super-duper algorithm, smart software, or you name it... built even in a garage. In most cases this is the initial power that gets them moving. But after the initial start, other factors count.

Have you wondered how it is possible to build a world-class product with a team of 5 and within a year have a team of 100 (or 1000) doing the same thing? This is a very dangerous situation because there is a moment in a young company when nobody knows exactly what their responsibilities are. It is dangerous because clients start to suffer from low quality of service. Having many teams requires a lot of communication, and without knowing how to structure it, a lot of precious time is wasted. Such situations require good leadership.

The companies that succeeded had leaders to help them. And leadership has little to do with technical problems. Dale Carnegie puts this very accurately:

Even in such technical lines as engineering, about 15% of one's financial success is due to one's technical knowledge and about 85% is due to skill in human engineering, to personality and the ability to lead people.

Dale Carnegie

The software industry is very different from other well-known industries and at the same time very similar. Leadership is very much the same.

Employees are not told what to do anymore. Now, you influence their choices and assist them in reaching their goals. You do not direct; you win the team over to your point of view. You do not dictate; you inspire! You can learn how to convey this inspiration by focusing on your leadership skills development. Leadership development is needed to successfully take charge of your team in today's business world.

.NET 3.5 Enhancements Training Kit

After the Visual Studio 2008 training kit was released, now it is the turn of .NET 3.5 Enhancements :)

This kit, kindly put together by the Developer and Platform Evangelism Group at Microsoft, contains:

  • ASP.NET Dynamic Data
  • ASP.NET AJAX History
  • ASP.NET Silverlight controls
  • ADO.NET Data Services
  • ADO.NET Entity Framework

Download it from Microsoft Downloads (34.9 MB)

(via Guy Burstein)

Note: For this release of Visual Studio there are more materials and training kits than ever before! All one has to do is download and read, play and practice. And this is because of the strong community and internal support by Microsoft teams.

Release package is settled: Entity Framework & ADO.NET Data Services in VS 2008 SP1 and .NET 3.5 SP1

It's settled! The Entity Framework (and the Entity Designer) along with ADO.NET Data Services will RTM as part of the Visual Studio 2008 and .NET 3.5 SP1 releases!

Unfortunately, we don't have official release dates at this point, but stay tuned. You'll also want to keep an eye out for the upcoming SP1 Beta 1, which will be your next chance to check out updated bits for both of these products.

Elisa Flasko
Program Manager, Data Programmability

(via this ADO.NET team blog post)

Access Remote SQL Server with SQL Management Studio and Windows Authentication

I've been working with SQL Management Studio since its release (and even before) and I think it is a very good tool, especially as the next version will have IntelliSense.

In my daily work I need to access several remote SQL Servers (over VPN) and some of them require Windows authentication. With SQL Server Authentication it is easy - just create a VPN connection and use SQL Server Management Studio from the local machine, entering SQL credentials in the well-known box below:


This is not the case with Windows authentication. Especially in a domain environment, it is better to give access to domain groups and users instead of creating SQL ones.

As a workaround (the one I've used until today) you can make a Remote Desktop connection to the server and do the job via the RDC console. I have struggled with this approach for a long time, and although it is not that bad, there are some issues with working via RDC all the time.

I've tried the runas command but somehow my credentials weren't accepted... but the /NetOnly switch did the job,

so now I use

C:\>runas /netonly /user:domainName\userName "C:\Program Files\Microsoft SQL Server\90\Tools\Binn\VSShell\Common7\IDE\ssmsee.exe"

and it works...

Hope this helps