As it’s getting progressively harder to keep up with .NET’s continutally expanding scope, this poster is a handy reminder of what’s included.  It shows which classes were added in .NET 3.0, and which in .NET 3.5.

There’s a broad cross-section across all areas of the .NET Framework:

• ASP.NET
• WinForms and WPF
• Communications and Workflow
• Data, XML and LINQ
• Fundamentals

Printing

The hi-res version is Microsoft XPS format, so if you’re not using Vista or Office 2007 then you might want the Microsoft XPS Viewer. Also, for ‘easy printing’, there’s a 16 page 4×4 version, but remember: ’some assembly is required if you choose this print method’, so remember to ask an adult for help with the scissors.

My local print shop printed and laminated the PDF version onto A1, which is easily hi-res enough and looks great.

Other .NET Reference Posters

There are a few other reference posters on MSDN, in particular I like the Silverlight Developer Reference, and keyboard shortcuts for Visual Studio 2008, available for both C# and Visual Basic.

(Thanks to Chris Bowen for the tip off.)

Scott Hanselman’s article Reading to Be a Better Developer got me wondering why we don’t do this more with .NET code, and the problem for me seems to be finding good code examples. Scott recommends looking at the Coding4Fun Developer Kit, but I wanted something more specific to web development.

So here are a few places I found ASP.NET source code that’s worth studying and learning from.

Microsoft Enterprise Library

A great place to start is the application blocks in Microsoft’s Enterprise Library. These are application service components designed to follow Microsoft best practices and include modules for caching, cryptography, data access, exception handling, logging, policy injection, security and validation.

Website Starter Kits

Another good place to look is the ASP.NET Starter Kit Websites, a collection of working ASP.NET demos that can be examined or built on. They cover DotNetNuke, e-commerce with PayPal, blogging, project time management, media library and plenty more.

Codeplex

Lastly Codeplex, Microsoft’s open source project hosting site. There’s so much goodness here it’s hard know where to start, so try browsing the most popular or active projects to start. Here are the top ten that caught my eye:

• BlogEngine.NET
  Full featured blog engine targeted at .NET developers. It is light weight and very simple to modify and extend.
• Umbraco
  Simple, flexible and friendly ASP.NET CMS
• DinnerNow
  Sample marketplace application designed to demonstrate how you can develop a connected application using IIS7, ASP.NET Ajax Extensions, Linq, WCF, WF, WPF, Powershell, and the .NET Compact Framework.
• Community Kit for SharePoint
  Set of best practices, templates, Web Parts, tools, and source code for creating a community website based on SharePoint.
  
• Facebook Developer Toolkit and Facebook.NET
  .NET wrappers and libraries for the Facebook API.
• DbEntry.Net
  Lightweight, high performance Object Relational Mapping (ORM) database access compnent for .NET 2.0.
• PublicDomain
  .NET packages for time zone support, logging, dynamic code evaluation, GAC API, unzipping, RSS, Atom, OPML, screen scraping, and utilities for strings, arrays and cryptography.
• ASP.NET RSS Toolkit
  Gives ASP.NET applications the ability to consume and publish to RSS feeds.
• NGenerics
  Class library providing generic data structures and algorithms not implemented in the standard .NET framework
• Html Agility Pack
  Agile HTML parser that builds a read/write DOM and supports plain XPath or XSLT. The parser is very tolerant with “real world” malformed HTML. The object model is very similar to System.Xml, but for HTML documents.

If you know any other places to find good quality .NET source code then please leave a comment.

// TODO: fix catastrophic memory leak

These notes will automatically appear in the Visual Studio Task List, which you can open with the shortcut Ctrl+W, T or by selecting View – Task List from the main menu bar.

Visual Studio also supports two other comment tokens, HACK and UNDONE. You can even add your own custom comment tokens in:

Options – Environment – Task List.

Part 2 – Protect against SQL injection in .NET

This code will look familiar because it’s the sort of sloppy mistake you make all the time.

string productId = Request.QueryString["ProductId"];
string sql = "delete Products where Id=" + productId;
SqlCommand cmd = new SqlCommand(sql);
cmd.ExecuteNonQuery();

Your feeble imagination doesn’t stretch far enough to consider what happens when a mischievous user sets productId to, say, “1 OR 1=1″. You merrily build the query, complete with unverified user input, and execute it against the database.

delete Products where Id=1 OR 1=1

Oh dear, where did all your products go?

A vigilant SQL Server DBA can thwart your stupidity at the database by restricting your access. By assigning your login to the db_denydatareader and db_denydatawriter roles, you can thankfully be prevented from running any SELECT, DELETE, INSERT or UPDATE queries whatsoever.

Since you can’t be trusted, the DBA should give you permissions to execute only the stored-procedures and UDFs you need. This is the principle of least privilege.

Parameterised stored-procedures are usually safe from SQL injection because they validate the type and size of the inputs. These inputs are evaluated as values only, and not executed as part of the SQL statement. But there is one exception. When you build SQL dynamically inside the stored-procedure.

sp_executesql ’select * from Products where Id in ‘ + @List

This line is from a real stored-procedure I saw last week, @List is a varchar parameter containing something like “(1,2,3)”. And, of course, the values for @List came from unverified user input. If you absolutely have to use dynamic SQL then at least clean the inputs and remove or escape anything that could be potentially dangerous.

Read more about SQL injection:

• How To: Protect From SQL Injection in ASP.NET
• SQL Server BOL: SQL Injection

Part 1 — Comment your .NET code

You might very well think that. I couldn’t possibly comment.
— Francis Urquhart

By glancing at your uncommented code I can tell instantly that you’re either an amateur or, more likely, a lazy and selfish sociopath. It’s not like I’m asking you to write a novel. Would it really impede your productivity so much that you can’t find time to furnish your garbled, obfuscated nonsense with some sort of mitigating explanation? Oh, and when I tell you to start adding comments, I don’t expect you to start littering code with superfluous crap like:

populateControls();       // populate the controls

string name = getName();  // set the name

Comment as you go along, or you’ll forget. If you’re so inclined, use comments to structure your functional design before you write code, this is the Pseudocode Programming Process. As a general rule, comment what your code is doing, and why it’s doing it. I should already be able to see how your code works, because you’ve used meaningful and precise names for your classes, functions and variables.

// create a SqlConnection object using connectionString

SqlConnection cnn = new SqlConnection(connectionString);

I can see you’re using a SqlConnection because the programming syntax conveniently forces you to include the class type in its variable declaration. It is also very clear from the code that you’re passing connectionString as a parameter. The bigger picture is a mystery. What is your intent? Why are you connecting to the database? What data are you expecting back? If these things aren’t clear then explain.

Don’t comment every single line, instead give a brief summary for each block of related code. If you’re working on an API then use a documentation generator like Javadoc or SandCastle and format comments accordingly.

Other people will probably have to extend or maintain or your unintelligible mess. You might think it’s good for job security if you’re the only one who can understand your code. It really isn’t.

Read more about commenting code:

• Successful Strategies for Commenting Code
• Literate Programming – Source Code Comments

Follow up post:

• If the code and the comments disagree, then both are probably wrong