As it’s getting progressively harder to keep up with .NET’s continutally expanding scope, this poster is a handy reminder of what’s included.  It shows which classes were added in .NET 3.0, and which in .NET 3.5.

There’s a broad cross-section across all areas of the .NET Framework:

• ASP.NET
• WinForms and WPF
• Communications and Workflow
• Data, XML and LINQ
• Fundamentals

Printing

The hi-res version is Microsoft XPS format, so if you’re not using Vista or Office 2007 then you might want the Microsoft XPS Viewer. Also, for ‘easy printing’, there’s a 16 page 4×4 version, but remember: ’some assembly is required if you choose this print method’, so remember to ask an adult for help with the scissors.

My local print shop printed and laminated the PDF version onto A1, which is easily hi-res enough and looks great.

Other .NET Reference Posters

There are a few other reference posters on MSDN, in particular I like the Silverlight Developer Reference, and keyboard shortcuts for Visual Studio 2008, available for both C# and Visual Basic.

(Thanks to Chris Bowen for the tip off.)

The last upgrade, SQL Server 2000 to 2005, was a huge leap forward for developers and added significant advances like CLR integration, SQL Server Management Objects (SMO), Integration Services (SSIS) and a native XML data type; as well as T-SQL enhancements like Common Table Expressions (CTEs), structured error handling with try/catch, pivot, apply, top(n) and row_number.

I was surprised to see how much new stuff is packed into the latest SQL Server 2008 CTP release, even, finally, IntelliSense for Management Studio, which was much anticipated but conspicuously absent from SQL 2005:

Also notice the new collapsible code regions, just like you get in Visual Studio. Editing T-SQL has never been such fun! Although, you have to feel a bit sorry for RedGate, whose SQL Prompt plug-in has been filling the auto-completion gap for the last few years.

Over time, new features have been introduced to the site, and old ones removed. Consequently the SQL Server database now contains many redundant tables that aren’t used. So, before cascading out the current schema to the other countries, it’s time for a clean up.

I managed to identify about 60 tables that aren’t used by the application and can safely can be dropped or archived. However, I’m now left with hundreds of stored procedures (SPs) and user-defined functions (UDFs) that were associated with these tables, which can also be removed.

The problem was how to find these orphaned objects. My first approach was a small .NET console application which uses SQL Server Management Objects (SMO). It loops through all SPs and UDFs and finds any that have no dependencies.

public List<string> FindOrphans()
{
   Server server = new Server(".");
   Database db = server.Databases["MyDatabase"];
   List<string> orphans = new List<string>();

   // get list of SPs
   UrnCollection urns = new UrnCollection();
   foreach (StoredProcedure sp in db.StoredProcedures)
   {
      // exclude these objects
      if (sp.IsSystemObject) continue;
      if (sp.Name.StartsWith("aspnet_")) continue;
      urns.Add(sp.Urn);
   }

   // get dependencies
   DependencyWalker dw = new DependencyWalker(server);
   DependencyTree tree = dw.DiscoverDependencies(urns, true);

   // find all objects without any dependencies
   DependencyTreeNode node = tree.FirstChild;
   do {
      if (!node.HasChildNodes)
      {
         string name = new Urn(node.Urn).GetAttribute("Name");
         orphans.Add(name);
      }
      node = node.NextSibling;
   } while (node != null);

   return orphans;
}

This works fine, and helped satisfy my current obsession with SMO. But it’s a bit awkward, and not easily portable or modifiable, to have this pure database operation wrapped up in an executable. So I looked into doing the same thing with just a TSQL query.

-- Find all SPs and UDFs have no dependencies
select
    object_name(obj.[object_id]) as [orphaned_object_name],
    obj.type_desc as [object_type],
    'DROP ' +
    case obj.type_desc
        when 'SQL_STORED_PROCEDURE' then 'PROCEDURE'
        else 'FUNCTION'
    end
    + ' [' + object_name(obj.[object_id]) + ']'
from
    sys.objects obj
    left join (select distinct [object_id] from sys.sql_dependencies) dep
        on obj.object_id = dep.object_id
where
    type_desc in
        ('SQL_STORED_PROCEDURE','SQL_SCALAR_FUNCTION','SQL_TABLE_VALUED_FUNCTION')
    and object_name(obj.[object_id]) not like 'aspnet_%'
    and dep.object_id is null
order by
    obj.type_desc, object_name(obj.[object_id])

The query works by checking for dependencies in the catalog view sys.sql_dependencies. This, I think, is a neater solution. I also included an auto-generated column that writes the SQL drop the SP or UDF, which I copied and executed.

Now, if only I could find a quick way to check for dependencies between my application’s data access layer and the database…

Scott Hanselman’s article Reading to Be a Better Developer got me wondering why we don’t do this more with .NET code, and the problem for me seems to be finding good code examples. Scott recommends looking at the Coding4Fun Developer Kit, but I wanted something more specific to web development.

So here are a few places I found ASP.NET source code that’s worth studying and learning from.

Microsoft Enterprise Library

A great place to start is the application blocks in Microsoft’s Enterprise Library. These are application service components designed to follow Microsoft best practices and include modules for caching, cryptography, data access, exception handling, logging, policy injection, security and validation.

Website Starter Kits

Another good place to look is the ASP.NET Starter Kit Websites, a collection of working ASP.NET demos that can be examined or built on. They cover DotNetNuke, e-commerce with PayPal, blogging, project time management, media library and plenty more.

Codeplex

Lastly Codeplex, Microsoft’s open source project hosting site. There’s so much goodness here it’s hard know where to start, so try browsing the most popular or active projects to start. Here are the top ten that caught my eye:

• BlogEngine.NET
  Full featured blog engine targeted at .NET developers. It is light weight and very simple to modify and extend.
• Umbraco
  Simple, flexible and friendly ASP.NET CMS
• DinnerNow
  Sample marketplace application designed to demonstrate how you can develop a connected application using IIS7, ASP.NET Ajax Extensions, Linq, WCF, WF, WPF, Powershell, and the .NET Compact Framework.
• Community Kit for SharePoint
  Set of best practices, templates, Web Parts, tools, and source code for creating a community website based on SharePoint.
  
• Facebook Developer Toolkit and Facebook.NET
  .NET wrappers and libraries for the Facebook API.
• DbEntry.Net
  Lightweight, high performance Object Relational Mapping (ORM) database access compnent for .NET 2.0.
• PublicDomain
  .NET packages for time zone support, logging, dynamic code evaluation, GAC API, unzipping, RSS, Atom, OPML, screen scraping, and utilities for strings, arrays and cryptography.
• ASP.NET RSS Toolkit
  Gives ASP.NET applications the ability to consume and publish to RSS feeds.
• NGenerics
  Class library providing generic data structures and algorithms not implemented in the standard .NET framework
• Html Agility Pack
  Agile HTML parser that builds a read/write DOM and supports plain XPath or XSLT. The parser is very tolerant with “real world” malformed HTML. The object model is very similar to System.Xml, but for HTML documents.

If you know any other places to find good quality .NET source code then please leave a comment.

Part 2 – Protect against SQL injection in .NET

This code will look familiar because it’s the sort of sloppy mistake you make all the time.

string productId = Request.QueryString["ProductId"];
string sql = "delete Products where Id=" + productId;
SqlCommand cmd = new SqlCommand(sql);
cmd.ExecuteNonQuery();

Your feeble imagination doesn’t stretch far enough to consider what happens when a mischievous user sets productId to, say, “1 OR 1=1″. You merrily build the query, complete with unverified user input, and execute it against the database.

delete Products where Id=1 OR 1=1

Oh dear, where did all your products go?

A vigilant SQL Server DBA can thwart your stupidity at the database by restricting your access. By assigning your login to the db_denydatareader and db_denydatawriter roles, you can thankfully be prevented from running any SELECT, DELETE, INSERT or UPDATE queries whatsoever.

Since you can’t be trusted, the DBA should give you permissions to execute only the stored-procedures and UDFs you need. This is the principle of least privilege.

Parameterised stored-procedures are usually safe from SQL injection because they validate the type and size of the inputs. These inputs are evaluated as values only, and not executed as part of the SQL statement. But there is one exception. When you build SQL dynamically inside the stored-procedure.

sp_executesql ’select * from Products where Id in ‘ + @List

This line is from a real stored-procedure I saw last week, @List is a varchar parameter containing something like “(1,2,3)”. And, of course, the values for @List came from unverified user input. If you absolutely have to use dynamic SQL then at least clean the inputs and remove or escape anything that could be potentially dangerous.

Read more about SQL injection:

• How To: Protect From SQL Injection in ASP.NET
• SQL Server BOL: SQL Injection

Part 1 — Comment your .NET code

You might very well think that. I couldn’t possibly comment.
— Francis Urquhart

By glancing at your uncommented code I can tell instantly that you’re either an amateur or, more likely, a lazy and selfish sociopath. It’s not like I’m asking you to write a novel. Would it really impede your productivity so much that you can’t find time to furnish your garbled, obfuscated nonsense with some sort of mitigating explanation? Oh, and when I tell you to start adding comments, I don’t expect you to start littering code with superfluous crap like:

populateControls();       // populate the controls

string name = getName();  // set the name

Comment as you go along, or you’ll forget. If you’re so inclined, use comments to structure your functional design before you write code, this is the Pseudocode Programming Process. As a general rule, comment what your code is doing, and why it’s doing it. I should already be able to see how your code works, because you’ve used meaningful and precise names for your classes, functions and variables.

// create a SqlConnection object using connectionString

SqlConnection cnn = new SqlConnection(connectionString);

I can see you’re using a SqlConnection because the programming syntax conveniently forces you to include the class type in its variable declaration. It is also very clear from the code that you’re passing connectionString as a parameter. The bigger picture is a mystery. What is your intent? Why are you connecting to the database? What data are you expecting back? If these things aren’t clear then explain.

Don’t comment every single line, instead give a brief summary for each block of related code. If you’re working on an API then use a documentation generator like Javadoc or SandCastle and format comments accordingly.

Other people will probably have to extend or maintain or your unintelligible mess. You might think it’s good for job security if you’re the only one who can understand your code. It really isn’t.

Read more about commenting code:

• Successful Strategies for Commenting Code
• Literate Programming – Source Code Comments

Follow up post:

• If the code and the comments disagree, then both are probably wrong