January 2005 Archives

Creepy one


I just noted a weird thing in the microsoft.public.dotnet.xml newsgroup. Somebody who identifies himself as Paja posts the same question (verbatim!) to the newsgroup once a month or so. He gets answers but never replies, and keeps posting it again. Take a look here - Oct 17 2004, Nov 7 2004, Nov 17 2004, Dec 23 2004 and now - Jan 23 2005. Creepy...

It's already 2005 and everybody's aware of SQL injection attacks nowadays. But it's silly to think that this kind of attack is only about SQL, right? SQL injection is just one particular case of a general code injection attack - when somebody too gullible allows user input to become part of executable code. So it always bothers me when I see how often people (even XML geeks) build XPath expressions by concatenating them with user input. Admit it - it's common practice to have something like

// Vulnerable: whatever the user typed becomes part of the XPath query text
customers.SelectNodes("//customer[@name='" + txtUser.Text + "' and @password='" + txtPassword.Text + "']");

which is just an open front door for any evil person who knows a little bit of XPath. And there are plenty of them around here, so having selections like the one above in your production code is most likely a hidden security vulnerability.
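To make the point concrete, here is an added example (not code from the original post or from the Mvp.Xml library) that puts the concatenated query next to a version that passes the user input as XPath variables, so the input can never change the shape of the expression. The XML document, the customer names and the VariableContext helper (a small XsltContext subclass written for this example) are all constructed here; only the concatenated SelectNodes call is taken from the text above.

```csharp
using System;
using System.Collections.Generic;
using System.Xml;
using System.Xml.XPath;
using System.Xml.Xsl;

// Hand-rolled XsltContext that resolves $name variables to values supplied from code.
// Assumption for this example: it is not a BCL or Mvp.Xml type.
sealed class VariableContext : XsltContext
{
    private readonly Dictionary<string, object> vars = new Dictionary<string, object>();

    public void AddVariable(string name, object value) => vars[name] = value;

    public override IXsltContextVariable ResolveVariable(string prefix, string name)
    {
        if (!vars.TryGetValue(name, out object value))
            throw new XPathException("Undefined variable $" + name);
        return new Variable(value);
    }

    // No custom functions in this example; XPath built-ins are handled by the engine itself.
    public override IXsltContextFunction ResolveFunction(string prefix, string name, XPathResultType[] argTypes) => null;

    public override int CompareDocument(string baseUri, string nextbaseUri) => 0;
    public override bool PreserveWhitespace(XPathNavigator node) => false;
    public override bool Whitespace => false;

    private sealed class Variable : IXsltContextVariable
    {
        private readonly object value;
        public Variable(object value) { this.value = value; }
        public object Evaluate(XsltContext context) => value;   // the value is returned as data, never parsed
        public bool IsLocal => false;
        public bool IsParam => false;
        public XPathResultType VariableType => XPathResultType.String;
    }
}

static class Program
{
    // Constructed sample data for the example.
    const string CustomersXml =
        "<customers>" +
        "  <customer name='alice' password='s3cret'/>" +
        "  <customer name='bob' password='hunter2'/>" +
        "</customers>";

    // The pattern from the post: user input is pasted into the query text.
    static int CountVulnerable(XmlDocument customers, string user, string password)
    {
        string xpath = "//customer[@name='" + user + "' and @password='" + password + "']";
        return customers.SelectNodes(xpath).Count;
    }

    // Hardened: the query text is a constant, user input travels as $user / $password variables.
    static int CountSafe(XmlDocument customers, string user, string password)
    {
        var ctx = new VariableContext();
        ctx.AddVariable("user", user);
        ctx.AddVariable("password", password);
        XPathExpression expr = XPathExpression.Compile("//customer[@name=$user and @password=$password]");
        expr.SetContext(ctx);
        return customers.CreateNavigator().Select(expr).Count;
    }

    static void Main()
    {
        var doc = new XmlDocument();
        doc.LoadXml(CustomersXml);

        // A legitimate login: both variants find exactly one customer.
        Console.WriteLine("vulnerable, good input: " + CountVulnerable(doc, "alice", "s3cret"));
        Console.WriteLine("safe, good input:       " + CountSafe(doc, "alice", "s3cret"));

        // A name containing a quote character (think O'Brien). With concatenation the quote
        // terminates the string literal and the rest of the input is parsed as XPath syntax;
        // here that surfaces as an XPathException, which is the sign that user data has become code.
        string quotedName = "O'Brien";
        try
        {
            Console.WriteLine("vulnerable, quoted input: " + CountVulnerable(doc, quotedName, "x"));
        }
        catch (XPathException ex)
        {
            Console.WriteLine("vulnerable, quoted input: XPathException - " + ex.Message);
        }

        // With variables the same input is just a string value to compare: no match, no parse error.
        Console.WriteLine("safe, quoted input:       " + CountSafe(doc, quotedName, "x"));
    }
}
```

The parse error on the quoted name is the tell-tale sign worth watching for in logs: an XPathException coming out of a SelectNodes call that embeds request data means the input reached the XPath parser as syntax. The variable-based version keeps the expression constant, so the same input is only ever compared as a string.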

Turning Comments Off (Temporary!)


Ok, I can't take it anymore, too much spam. I turned comments off temporarily until I upgrade my blog engine. Sorry.

Mvp.Xml library v1.0 released


On behalf of the Mvp.Xml Project's team I'm glad to announce release v1.0 of the Mvp.Xml library.

We've been planning to use NAnt in our product for running customizable scripts and had almost convinced our boss to go for it (IBM's WebSphere server, where all server automation is implemented via Ant, is a good argument here). But unfortunately we've found out that Ant and NAnt have different licenses. Ant is of course released under the very pointy-haired-boss-friendly Apache Software License Version 2.0, while NAnt (which I mistakenly thought was just a .NET clone of Ant) is under a scary GNU-compatible license, which may be a red light for some companies. So now we are waiting for the legal department's answer on using GNU-licensed software in our product :(

Certification fun


I was doing my annual paper cleaning back in the Hanukkah/X-mas days and found a voucher for one discounted Microsoft Certified Professional exam, which I had completely forgotten about and which was about to expire on December 31. So I decided to give it a try. I chose the 70-315 exam (Web apps with C#), spent a week preparing (using plain old good MSDN) and went to a Pearson Vue test center, which I conveniently found to be located on the same street where I work (Maskit street in Herzliya Pituach).