Hi there.

Some time ago someone hacked Github, and they did it through MVC functionality.  In that case the framework was Ruby on Rails, but "all" MVC frameworks follow the same rule: populate objects with whatever comes in from the web.

Like this: when your controller (the name may shift between MVC frameworks) receives a request, an object normally gets populated.  This is done by comparing the names of the HTML form parameters with the names of the properties on the object.  Where they match, data is transferred from the HTML request to your object.

Now say you have a property called IsAdmin or IsValid.  Now say someone with a little patience fakes calls and, through trial and error, populates your object including these properties.  Then you have a security breach.

This is something inherent in the MVC framework.  It is also not a hole but a feature.  Sloppy programming, on the other hand, is not a feature.

A remedy is to never use the model's objects all the way up to the GUI/HTML.  Instead create new classes/objects to use in the view.  These classes/objects are normally called ViewModels.  Hence the abbreviation MVVM, which stands for Model-View-ViewModel.

This letter can be found here and is sponsored by NextGenHacker101.

/OF

----8<----

Code and development

Polyglot persistence and the database thaw

Polyglot persistence is a fancy name for storing data in something other than a relational database.  In short, it means that some data can be stored in one database (format) and some data in another.

Say you design your extended family's bank accounts and transactions.  The bank accounts are a given table design with columns for accounts and rows for transactions.  The family, on the other hand, is hierarchical by nature.

You could squeeze the family tree into an RDB; it isn't hard, just backwards.  But you could also store it polyglot, with the accounts in tables and the family in XML (or Sqlserver and Neo4j, for safety).

This also makes sense when looking at the domain, where the families can be the main objects of one domain while the transactions belong to another; you are not interested in your cousins' transfers when you are investigating your own house loan, and vice versa.

To make this "enterprisy" each data store has to be a "real" database and there must be a transaction manager around it all.

But that is where we developers come in, isn't it?

http://martinfowler.com/bliki/PolyglotPersistence.html

Tipthanks FHultin

poshcode.org - repository for powershell scripts

Just like Perl's CPAN or Python's package index, the same exists for Powershell.

It is a collection of scripts ready for the taking.

If you are doing a wee bit of automation of machines, do look into Powershell.  It is like *nix bash but done with a target in mind.  What you get back from a program, and pipe to the next, isn't text but real dotnet objects.

It is also very easy to write your own powershell modules in dotnet.

http://poshcode.org/

http://www.cpan.org/

http://pypi.python.org/pypi

Aspnetmvc testing tips and tricks

Visual studio 11 is in beta and Aspnetmvc4 is in beta, so why write about Aspnetmvc3?

Because what is in Aspnetmvc3, test wise, will be in Aspnetmvc4 and I know we all cheat on testing the GUI.

To make a long story short: Aspnetmvc makes the GUI easier to test.  It is just the last parts, like the HTML rendering, the browser itself and the javascript, that aren't testable through Visualstudio.  But that is where Watir and Selenium come in.  They are solutions for running the *very browser* and testing the results.  I used Selenium some 8 years ago and it blew my hair away.  Then.  It should be even better now.

Deeper linking provided through the link below.

http://www.infoq.com/news/2012/03/aspnet-unit-test

Sqlserver 2012

This year's version of Sqlserver is out.  Go fetch!

I am running it as we speak and it works as it should so far.  Well… I am not pushing the limits, so I am not surprised.  The user interface still looks like the clock was wound back 8 years.

The Ctrl-E shortcut for running the query is gone in favour of F5, situated at the far side of the keyboard.  Ctrl-E followed by another key is occupied by various stuff, but I remapped Ctrl-E Ctrl-E to run and Ctrl-Shift-E to debug, almost like it works in the query window in Visualstudio 2010 and 11.

One can nowadays do paging in sqlserver without any tricks.  The implementation is just as you should have written it yourself but this gives the Sqlserver team more room for optimization in future versions.

There is something called LAG that lets you get the row returned earlier.  I don't know exactly what it does, and am happy about it, but mentally I compare it to a pointer to a stack of return values; in this case rows.

Running queries without touching data is improved.  Instead the query path is returned and now with more information than earlier.

One can set what a stored procedure should return, schema wise.  Maybe the first step to create a good language out of tsql and not just a hacked-together-syntax-looking sql with if statements.

Throwing exceptions is possible.

Parsing culture sensitive text is possible.  The article suggests it calls the dotnet lib.

Which gets me into calling the CLR from stored procedures.  I have done it in a project where there was great need for logic close to the database and the logic was too complex to be written in tsql.  It took a little configuration and added some coding rules, but the result was Visual studio debuggable, unit tested code that ran inside Sqlserver, very close to the data.

Date and time functions are improved upon.  Maybe a little lib for calling dotnet would be in place here?

The case statement has got a brother in choose, with better syntax.

There is a concat method for… <drums/> concatenation!  It implicitly converts null to empty.  I have used coalesce earlier but the syntax is clumsy.

Inline if is now supported.  Something I have looked for.  Without investigating I take for granted it doesn't evaluate the "other" result.

IIF( true, i=i+1, y=y+1 ) -- Should not increase y. 

Get more links for further digging below.

http://www.infoq.com/news/2012/03/T-SQL-2012

Javascript - making good of bad

Douglas Crockford has written a quite famous book titled "Javascript, the good parts".  Neither DCrockford nor I think Javascript is a good language, but we both share the opinion that a lot is gained through learning why Javascript looks like it does.

Like this: inheritance isn't bad in Javascript, just different.  There are (at least) two ways to implement inheritance and Javascript chose the lesser used.  Once one stops using inheritance in Javascript as in other languages and instead uses it as it is meant, it suddenly becomes a very versatile inheritance.

On the other hand: implicit semi colons and default global variables are bad ideas.  So thinks DCrockford and so think I.

Here is another example:  Use ===, not ==.  Follow the links below through the dungeons to find out why.

DCrockford has created a utility called JSLint which inspects javascript code and reports on common pitfalls.  His subtext is super: "JSLint will hurt your feelings".

There is also a similar tool called Javascript lint.

Which brings me to Coffeescript.

I have mixed feelings about Coffeescript.  The base idea, to simplify the syntax of Javascript, is super.  But it has the indentation sensitive, white space aware syntax that Python has, and I don't like it.  The indentation sensitive syntax is there to make it harder to mess up a loop scope.  But I say it instead does.  I guess they say potato while I say potato.

On the Coffeescript site there is also an online sandbox for trying out Coffeescript without installing anything.

http://javascript.crockford.com/script.html     <- not from the book but short and insightful about the script tag

http://eleventyone.done.hu/OReilly.JavaScript.The.Good.Parts.May.2008.pdf     <- the book but in broken, albeit readable, pdf

http://www.jslint.com/lint.html

http://www.javascriptlint.com/

http://coffeescript.org/

An overview on how youtube works

Youtube runs on Apache, Mysql, Python and continuous tweaks.

The link below is not only interesting for the high-scalability geeks but also for devs with semi high data loads.  Randomised cache time (with corresponding patent suck), Python and fake data were some, to me, new clever stuff.

http://highscalability.com/blog/2012/3/26/7-years-of-youtube-scalability-lessons-in-30-minutes.html

Tipthanks MAnaya

Projects and leadership

Hang a picture and tools-and-competence comparison

Below is linked an essay about hanging a picture on the wall in an office as an allegory for choice of tools.

The protagonist asks for a nail gun since it is more automatic and easier than driving a nail through a wall by hand.  He also starts to construct a saw, disregarding the fact that they already exist.

The nail gun allegory can be compared to using Sharepoint for filing issues, while the saw example is ours (us developers'): the reluctance to googlewithbing, find already created tools and buy them.  In most companies buying a tool is so much of a hassle that it is easier to build it oneself.  Remember: you are probably not the first guy with your problem.

http://www.bluegraybox.com/blog/2004/12/02/picture-hanging/

Tipthanks AndersL

Products and releases

Thoughtworks technology radar - what is hot now and in the future

Every year Thoughtworks releases their thoughts on what is hot on techniques, platforms, technologies, solutions and products.  They then produce it in an easy to read format <geek level="uninteresting">a polar coordinate system with an unknown, possibly discrete angle value</geek>.

I use the contents for two purposes: 1) checking myself if there is anything I have missed and 2) as a discussion subject for what to bet one's future on.

http://www.thoughtworks.com/radar

Running Windows without installation phase (win)

There is an oh-so-cool way to run Windows without installation or license hassle.  Just fire up IE (activex required) and surf.  You get 40 minutes with an already installed Win2008r2.  You also get a lesson to follow and even a test at the end.

According to some docs I found one can get more time anytime, but I haven't found that button.

I used it for doing a fast check if Win2008r2 came with a DLL that I couldn't find on a Win7 machine.

If you need more time you can download an image that is valid for 180 days.  It's about 2 gigs, which takes a while to download; but faster than setting up the OS yourself.

I have seen such images with Biztalk or Visualstudio/Sqlserver or Exchange already installed.

There are pre installed Win7 evaluation downloads too but they are limited to 90 days.

http://technet.microsoft.com/en-us/bb512925.aspx     <- no installation required

http://www.microsoft.com/download/en/details.aspx?id=16572     <- full image

Google wave and alternatives

The Google wave project was killed last year, but we have until the last of April this year to fetch our data and put it into alternatives like Apache wave and Walkaround.

Why do I write about a dead project?  Because it was awesome!  It was futuristic like the Ipad but without the design and the black turtleneck.  IMHO it was the clunky GUI that killed it, not the functionality.  That and some bugs that made the GUI even more clunky.

I predict we will see Google wave in the future but in another dress and with another name.

http://incubator.apache.org/wave/ <- alternative

http://code.google.com/p/walkaround/ <- alternative

Formatting Json

There are several XML formatters.  You know, the ones one uses when receiving XML as a long string.  I have only found one for Json formatting.  And I linked it below.  Hooray for me!

http://jsonformatter.curiousconcept.com/

Browserquest massive multiplayer in html5

It looks as boring as any RPG game (yes - I have looked at Wow and it looks boring) but it runs in the browser and talks web sockets over the internet; which is not boring.

I did some web sockets programming through a lib called xsockets and it was a blast.  I created a game in 6 hours, web sockets, canvas and all.  It had worse graphics than the game mentioned here so maybe I should just shuddup and instead give credits where credits are due.

http://browserquest.mozilla.org/     <- the game

https://hacks.mozilla.org/2012/03/browserquest/     <- about the game

http://www.littleworkshop.fr/     <- creators

http://www.youtube.com/watch?v=kYcNJQ3Y6Sg     <- boring demo of boring looking game play of ega graphics.  but it talks web sockets

https://github.com/mozilla/BrowserQuest     <- source code.  not boring.

Tipthanks JNordlinder

Aspnetmvc, Webapi and Razor is open source (win)

It was no secret that Aspnetmvc was open source.  Now Webapi and Razor are free too.

Well known PHaack, who used to work at Microsoft with Nuget, aired his doubts about the spirit of open source for AspnetMvc since it didn't take contributions.

Not too long ago Microsoft pushed the source for the above mentioned frameworks to Codeplex (a site formerly owned by Microsoft, used for publishing open source projects).  Codeplex uses TFS and, since some time back, Git.

Here's the cool thing: it is incredibly simple to fork and contribute through Git. Incredibly simple.

http://weblogs.asp.net/scottgu/archive/2012/03/27/asp-net-mvc-web-api-razor-and-open-source.aspx

http://haacked.com/archive/2012/02/22/spirit-of-open-source.aspx     <- phaack's opinion

http://blog.filipekberg.se/2012/03/28/asp-net-mvc-web-api-web-pages-on-codeplex/

http://blogs.msdn.com/b/bharry/archive/2012/03/22/the-future-of-codeplex-is-bright.aspx

http://weblogs.asp.net/jgalloway/archive/2012/03/30/thoughts-on-asp-net-mvc-asp-net-web-api-and-asp-net-web-pages-razor-open-source-announcements.aspx     <- long and insightful

Tipthanks MAnaya

Security, privacy and rights

Twitter wants to patent "pull-to-refresh"

The simple solution where you drag a row to make the page refresh itself is something Twitter wants to patent.

That means they own the right to decide, for 20 years ahead, who gets to use a little roller blind to refresh their page.  In the USA today, with ACTA, it will become easier to get software patents approved all over the world.

I am thinking about leaving Twitter.

http://feber.se/webb/art/239492/twitter_vill_patentera_pulltor/

Tipthanks JBergström

Miscellaneous

Uzay

There are Star wars action figures made in Turkey and they are called Uzay.  GLucas doesn't get a penny from them so they are also called Stormtroper and See-Threep.  They have also become collectors' items.

I won't ruin your linking pleasure by pasting a picture right in the letter but you can trust me on my word.  Starswar.

Alternate action figures aren't limited to Starswar.  A good alternative is Robert Cop, the protagonist from a movie better than its reputation.

Why limit the creations to just altering names?  Hey, Marvel are throwing all their super heroes into one bag and making a new adventure, so why not mix Superman and GI Joe?  Or Superman and He-man?  With enough fantasy one isn't limited by whoever owns a brand or not.

If I ever was Superman there are so many things I would do.  Flying is most of them.  And when you can fly I guess parachuting is as boring as boring can be.  Laser eyes; flying; super strong; bullet proof, x-ray vision; you name it.  As Superman I would do more cooking than parachuting.

On the other hand, if I was Superman I wouldn't hesitate in riding a dinosaur.  It wouldn't be very challenging but it would draw chicks.

Now I have got the steam up for Star wars and Turkey.  They are also combined in what is commonly known as Turkish Star wars.  It is a full length movie with Turks and clips from Star wars, the 1977 version.  It is not a good movie.  The original title is Dünyayı Kurtaran.

Then there is Star wars holiday special.  GLucas was involved so I suppose it is a real star wars movie.  It is also the first movie with Boba Fett.

I say Dünyayı Kurtaran is better than Star wars holiday special.  I base it on the fact that I have seen Dünyayı Kurtaran from start to finish (I fast-forwarded a lot) but haven't even bothered to do that with Star wars holiday special; I just stopped.

There is more Star wars you haven't seen.  Ewoks: Battle for Endor is a TV series from '86.  I hate Ewoks.

http://m.geektyrant.com/news/2012/3/26/awesomely-awful-turkish-star-wars-action-figures.html <- stars war/uzay, especially check out the calculator thingy

http://i.crackedcdn.com/phpimages/article/2/2/1/46221.jpg     <- robert cop

http://i.crackedcdn.com/phpimages/article/2/2/3/46223.jpg     <- parachuting superman

http://i.crackedcdn.com/phpimages/article/2/3/1/46231.jpg     <- superman riding a dinosaur.  looks a bit like a mechasaur

http://video.google.com/videoplay?docid=-7069307816427160377     <- dünyayı kurtaran

http://video.google.com/videoplay?docid=323909610753051544     <- star wars holiday special

http://www.youtube.com/watch?v=pnx_nEvWQsY     <- ewoks warning

8bit google maps

All we need now are some trolls.

http://maps.google.com/?t=8

100 most misspelled words in English

As the title says.

Can be fun for a sofa shoot out about who's the meanest speller.

http://grammar.yourdictionary.com/spelling-and-word-lists/misspelled.html

Tipthanks LarsFj

Puzzle game

Below is linked some stuff for the casual gamer.

Note the domain name for one, "games for work".  I like the idea, 5 minutes of brain relaxation, or at least change of environment.

http://www.gamesforwork.com/games/play-9820-Blockoban_88-Flash_Game <- simple puzzle

http://www.kongregate.com/games/wmarsh/bridge-thing <- build a bridge with trusses

*EOF*