Read Build Your Own ASP.NET 3.5 Website Using C# & VB Online
Authors: Cristian Darie, Zak Ruvalcaba, Wyatt Barnett
Tags: #C♯ (Computer program language), #Active server pages, #Programming Languages, #C#, #Web Page Design, #Computers, #Web site development, #internet programming, #General, #Internet, #Visual BASIC, #Microsoft Visual BASIC, #Application Development, #Microsoft .NET Framework
Visual Basic
Private Sub BindGrid()
  Dim conn As SqlConnection
  Dim dataSet As New DataSet
  Dim adapter As SqlDataAdapter
  Dim commandBuilder As SqlCommandBuilder
  Dim connectionString As String = _
    ConfigurationManager.ConnectionStrings( _
    "Dorknozzle").ConnectionString
  conn = New SqlConnection(connectionString)
  adapter = New SqlDataAdapter( _
    "SELECT DepartmentID, Department FROM Departments", _
    conn)
  ' Load the Departments table into the disconnected DataSet
  adapter.Fill(dataSet, "Departments")
  ' Mark every row named "New Department" as deleted
  For Each dataRow As DataRow In _
      dataSet.Tables("Departments").Rows
    If dataRow("Department") = "New Department" Then
      dataRow.Delete()
    End If
  Next
  ' The command builder generates the DELETE command; Update sends it
  commandBuilder = New SqlCommandBuilder(adapter)
  adapter.Update(dataSet.Tables("Departments"))
  departmentsGrid.DataSource = _
    dataSet.Tables("Departments").DefaultView
  departmentsGrid.DataBind()
End Sub
Note that in the C# version the conversion to string needs to be performed explicitly:
C#
private void BindGrid()
{
  SqlConnection conn;
  DataSet dataSet = new DataSet();
  SqlDataAdapter adapter;
  SqlCommandBuilder commandBuilder;
  string connectionString =
    ConfigurationManager.ConnectionStrings[
    "Dorknozzle"].ConnectionString;
  conn = new SqlConnection(connectionString);
  adapter = new SqlDataAdapter(
    "SELECT DepartmentID, Department FROM Departments", conn);
  // Load the Departments table into the disconnected DataSet
  adapter.Fill(dataSet, "Departments");
  // Mark every row named "New Department" as deleted;
  // the column value is an object, so convert it before comparing
  foreach (DataRow dataRow in
    dataSet.Tables["Departments"].Rows)
  {
    if (dataRow["Department"].ToString() == "New Department")
    {
      dataRow.Delete();
    }
  }
  // The command builder generates the DELETE command; Update sends it
  commandBuilder = new SqlCommandBuilder(adapter);
  adapter.Update(dataSet.Tables["Departments"]);
  departmentsGrid.DataSource =
    dataSet.Tables["Departments"].DefaultView;
  departmentsGrid.DataBind();
}
Execute this command, and all departments called New Department will be removed.
Summary
This chapter has given us the chance to explore some more important concepts of
ADO.NET. First, you learned about the data source controls, and how they can be
used to build code-free data binding. With just a few mouse clicks, you were able
to build editable grids of data!
We also investigated the DataSet class, and learned how to use it in our intranet
application. We then moved on to learn about the constructs of DataSets, including
DataTables and DataViews. We also learned how to populate DataSets using
SqlDataAdapters. Finally, we looked at sorting, paging, and filtering data using
DataViews, and updated a data source from a modified DataSet using the
SqlCommandBuilder.
In the next chapter, we’ll be looking at ASP.NET’s security features. Using ASP.NET’s
form-based security capabilities, we’ll learn how to restrict each user’s access to
the specific web forms we want them to be able to use, while still allowing public
access to other parts of the site. We’ll also take a look at some controls that make
building login and logout mechanisms a snap.
Security and User Authentication
The issue of security is important in many facets of information technology, but it’s
especially relevant in web development. While you’ll want to make sure that your
web site users are able to go where they need to go and see what they’re allowed to
see, you’ll also want to prevent unauthorized and malicious users from getting into
your system.
One common approach is to require your site’s visitors to log in before they can
view certain pages and to ensure that restricted pages cannot be accessed by simply
typing in the correct URLs, unless the user has been specifically allowed to view
those pages. Although different solutions exist for the various applications you may
create—for instance, IIS could provide certain pages to users who have been authenticated by Windows within an intranet environment—this chapter focuses on the more straightforward tasks of form- and script-based authentication.
In this chapter, we’ll learn some simple coding techniques and discover just how
easy it is to secure your web applications using ASP.NET. Security is a huge topic,
and several books have been written on the subject. If you’re serious about developing
secure complex applications, we recommend that you check out some additional
resources, such as Professional ASP.NET 2.0 Security, Membership, and Role
Management with C# and VB (Wrox Press, 2006),1 and Writing Secure Code, Second
Edition (Microsoft Press, 2003).2
In this chapter, you will:
■ Learn how to authenticate your visitors using ASP.NET Forms Authentication.
■ Use ASP.NET Memberships and Roles.
■ Create users and roles.
■ Use the ASP.NET login controls.
Let’s get moving!
Basic Security Guidelines
The primary and most important element of building secure applications is to
consider and plan an application’s security from the early stages of its development.
Of course, we must know the potential internal and external threats to which an
application will be exposed before we can plan the security aspects of that system.
Generally speaking, ASP.NET web application security involves—but is not limited
to—the following considerations:
validating user input
Back in Chapter 6, you learned how to use validation controls to enable the
client-side validation of user input, and how to double-check that validation
on the server side.
Since the input your application receives from web browsers is ultimately under
users’ control, there’s always a possibility that the submitted data will not be
what you expect. The submission of invalid data can generate errors in your
web application, potentially compromising its security.
protecting your database
The database is quite often the most important asset you need to protect—after
all, it’s there that most of the information your application relies upon is stored.
1 Stefan Schackow, Professional ASP.NET 2.0 Security, Membership, and Role Management with C# and VB (New Jersey: Wrox Press, 2006). A new version updated for ASP.NET 3.5 is due out in November 2008.
2 Michael Howard and David LeBlanc, Writing Secure Code, Second Edition (Washington: Microsoft Press, 2003)
SQL injection attacks, which target the database, are a common threat to web
application security. If the app builds SQL commands by naively assembling
text strings that include data received from user input, an attacker can alter the
meaning of the commands the application produces simply by including malicious code in the user input.3
You’ve already learned how to use ADO.NET command parameters and parameterized
stored procedures to include user input in SQL queries. If you use the practices
you’ve learned in this book, ADO.NET will protect you against injection attacks.
displaying data correctly
If your web application produces HTML output, you should always bear in
mind that any text you include in that output will also be interpreted as HTML
by your visitors’ browsers. As such, you need to escape special characters (such
as < and &) correctly, using the HttpUtility.HtmlEncode method.
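The two guidelines above, parameterizing the query and encoding the output, applied to the Departments table used by BindGrid. This is an added example, not code from the book: the @Department parameter, the NVarChar(50) column size, and the DepartmentSearch class are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Text;
using System.Web;

// Added example (not from the book): look up departments by a name the
// user typed, then render the result for the browser.
public static class DepartmentSearch
{
    // Vulnerable form, shown only for contrast: the user's text becomes
    // part of the SQL statement, so a quote character changes its meaning.
    // string sql = "SELECT DepartmentID, Department FROM Departments " +
    //              "WHERE Department = '" + userInput + "'";

    // Safe form: the user's text is sent as a typed parameter value and
    // is never parsed as SQL, whatever characters it contains.
    public static DataTable FindByName(string userInput)
    {
        string connectionString = ConfigurationManager
            .ConnectionStrings["Dorknozzle"].ConnectionString;
        DataTable result = new DataTable("Departments");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT DepartmentID, Department FROM Departments " +
            "WHERE Department = @Department", conn))
        {
            // Assumed column size; declaring type and length binds the
            // value strictly as data of that type.
            cmd.Parameters.Add("@Department", SqlDbType.NVarChar, 50)
               .Value = userInput;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(result);
            }
        }
        return result;
    }

    // Output side: encode before the text reaches the browser, so that a
    // stored name such as <b>Sales</b> is displayed literally, not rendered.
    public static string RenderRows(DataTable departments)
    {
        StringBuilder html = new StringBuilder("<ul>");
        foreach (DataRow row in departments.Rows)
        {
            html.Append("<li>")
                .Append(HttpUtility.HtmlEncode(row["Department"].ToString()))
                .Append("</li>");
        }
        return html.Append("</ul>").ToString();
    }
}
```

The value passes through the parameter on the way in and through HtmlEncode on the way out, so neither the SQL parser nor the browser ever treats user-supplied text as code.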
This consideration is especially important when you’re outputting a string that
was originally received as user input. If that user input were to contain HTML
code, that code might disrupt the appearance or functionality of your application
when it was displayed. For example, if you want to display the text “