C# Specific Security Recommendations

http://msdn.microsoft.com/en-us/library/ms173195.aspx

This list is not an exhaustive list of potential security problems. It highlights some common issues for C# developers.

  • Use the checked keyword to control the overflow-checking context for integral-type arithmetic operations and conversions.
  • Always use the most restrictive data type for parameters. For example, when you pass a value to a method that describes the size of a data structure, use unsigned integer rather than integer.
  • Do not make decisions based on file names. File names can be expressed in many different ways, and your test for a particular file may be bypassed.
  • Never, ever hardcode passwords or other sensitive information into your application.
  • Always validate input that is used to generate SQL queries.
  • Validate all inputs into your methods. The regular expression methods in the System.Text.RegularExpressions namespace are useful for confirming that input is of the correct form, such as an e-mail address.
  • Do not display exception information: it provides any would-be attacker with valuable clues.
  • Ensure that your application works while running with the least possible permissions. Few applications require that a user be logged in as an administrator.
  • Do not use your own encryption algorithms. Use the System.Security.Cryptography classes.
  • Give your assemblies strong names.
  • Do not store sensitive information in XML or other configuration files.
  • Check managed code that wraps native code carefully. Confirm that the native code is secure.
  • Use caution when you use delegates passed from outside your application.
  • Run the Visual Studio code analysis tool on your assemblies to ensure compliance with Microsoft .NET Framework Design Guidelines. This tool can also find and warn against over 200 code defects. For more information, see Detecting and Correcting Managed Code Defects.
  • Advertisements

    Creating a Table in Word c#

    http://msdn.microsoft.com/en-us/library/aa192483(office.11).aspx

     Word.Table tbl = ThisDocument.Tables[1];
    tbl.Range.Font.Size = 8;
    tbl.Range.Font.Name = “Verdana”;

    Object style = “Table Grid 8”;
    tbl.set_Style(ref style);
    tbl.ApplyStyleFirstColumn = false;
    tbl.ApplyStyleLastColumn = false;
    tbl.ApplyStyleLastRow = false;

    // Insert header text and format the columns.
    tbl.Cell(1, 1).Range.Text = “Name”;

    Word.Range rngCell;
    rngCell = tbl.Cell(1, 2).Range;
    rngCell.Text = “Size”;
    rngCell.ParagraphFormat.Alignment = 
        Word.WdParagraphAlignment.wdAlignParagraphRight;

    rngCell = tbl.Cell(1, 3).Range;
    rngCell.Text = “Modified”;
    rngCell.ParagraphFormat.Alignment =
        Word.WdParagraphAlignment.wdAlignParagraphRight;

    Word program with c#

    http://www.c-sharpcorner.com/UploadFile/amrish_deep/WordAutomation05102007223934PM/WordAutomation.aspx

    7. Embedding a Document:

    Embedding a document is done through the application by

    Insert-> Object-> Create from file-> Select the File-> Display as Icon. This embeds the file in the selected location as an icon and the user can double click on the icon to open the file. The same can be done through automation.

    The range supposed to set at the required place and the same has to be selected (range can be set by any of the means mentioned above). Now with the selection, the file can be embedded.

    //ICON LABEL CAN BE THE NAME OF THE FILE,

    //ITS THE NAME DISPLAYED BESIDES THE EMBEDDED DOCUMENT

    Object oIconLabel = “File Name”;

    //INCASE WE NEED THE EMBEDDED DOCUMENT TO BE DISPLAYED AS A SPECIFIC ICON,

    //WE NEED TO SPECIFY THE LOCATION OF THE ICON FILE

    //ELSE SET IT TO oMissing VALUE

    Object oIconFileName = “C:\\Document and Settings\\IconFile.ico”;

    //THE BOOKMARK WHERE THE FILE NEEDS TO BE EMBEDDED

    Object oBookMark = “My_Custom_BookMark”;

    //THE LOCATION OF THE FILE

    Object oFileDesignInfo = “C:\\Document and Settings\\somefile.doc”;

    //OTHER VARIABLES

    Object oClassType = “Word.Document.8”;

    Object oTrue = true;

    Object oFalse = false;

    Object oMissing = System.Reflection.Missing.Value;

    //METHOD TO EMBED THE DOCUMENT

    oWordDoc.Bookmarks.get_Item(ref oBookMark).Range.InlineShapes.AddOLEObject(

    ref oClassType,ref oFileDesignInfo,ref oFalse, ref oTrue, ref oIconFileName,

    ref oMissing,ref oIconLabel, ref oMissing);

    Three Layer Architecture in C# .NET

    http://www.codeproject.com/KB/cs/Three_Layer_Architecture.aspx

    Introduction

    Here in this article, I would like to cover the typical three layer architecture in C# .NET. It is a very useful approach for coding due to easy code maintenance.

    Overview

    First let me give you a small overview about the topic I would like to cover in this article.

    1. Tier vs. Layer
    2. Three Tier/Layer Architecture Design Components
    3. Demo: Three Layer Windows Application in C#.NET

    1. Tier vs. Layer

    1.1 Tier: Tier indicates a physical separation of components, which may mean different assemblies such as DLL, EXE, etc. on the same server or multiple servers.

    As you can see in the above figure, Data Tier have no direction with Presentation Tier, but there is an intermediate Tier called Business Tier which is mainly responsible to pass the data from Data Tier to Presentation Tier and to add defined business logic to Data.

    So, if we separate each Tier by its functionality, then we come to know the below conclusion:

    1.2 Layer: Layer indicates logical separation of components, such as having distinct namespaces and classes for the Database Access Layer, Business Logic Layer and User Interface Layer.

    2. Three Tier/Layer Architecture Design Components

    As we have already seen, tier is the sum of all the physical components. We can separate the three tiers as Data Tier, Business Tier and Presentation Tier.

    • Data Tier is basically the server which stores all the application’s data. Data tier contents Database Tables, XML Files and other means of storing Application Data.
    • Business Tier is mainly working as the bridge between Data Tier and Presentation Tier. All the Data passes through the Business Tier before passing to the presentation Tier. Business Tier is the sum of Business Logic Layer, Data Access Layer and Value Object and other components used to add business logic.
    • Presentation Tier is the tier in which the users interact with an application. Presentation Tier contents Shared UI code, Code Behind and Designers used to represent information to user.

    The above figure is a mixture of Three Tier and Three Layer Architecture. Here, we can clearly see a different between Tier and Layer. Since each component is independent of each other, they are easily maintainable without changing the whole code.

    This approach is really very important when several developers are working on the same project and some module needs to be re-used in another project. In a way, we can distribute work among developers and also maintain it in the future without much problems.

    Testing is also a very important issue for Architecture when we are considering writing a test case for the project. Since it’s like a modular architecture, it’s very handy testing each module and to trace out bugs without going through the entire code.

    3. Demo: 3 Layer Windows Application in C#.NET

    Let’s go though from one module to other to have a better understanding of it.

    dbConnection

    This class is mainly used to do the database activity like Select, Update and Delete query to database. It also checks if the database connection is open or not. If database connection is not open, then it opens the connection and performs the database query. The database results are to be received and being passing in Data Table in this class.

    This class takes the database setting from the app.config file so it’s really flexible to manage the database settings.

    Collapse Copy Code
    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Data;
    using System.Data.SqlClient;
    using System.Configuration;
    
    namespace ThreeLayerDemo.Core
    {
        public class dbConnection
        {
            private SqlDataAdapter myAdapter;
            private SqlConnection conn;
    
            /// <constructor>
            /// Initialise Connection
            /// </constructor>
            public dbConnection()
            {
                myAdapter = new SqlDataAdapter();
                conn = new SqlConnection(ConfigurationManager.ConnectionStrings
    					["dbConnectionString"].ConnectionString);
            }
    
            /// <method>
            /// Open Database Connection if Closed or Broken
            /// </method>
            private SqlConnection openConnection()
            {
                if (conn.State == ConnectionState.Closed || conn.State == 
    						ConnectionState.Broken)
                {
                    conn.Open();
                }
                return conn;
            }
    
            /// <method>
            /// Select Query
            /// </method>
            public DataTable executeSelectQuery(String _query, SqlParameter[] sqlParameter)
            {
                SqlCommand myCommand = new SqlCommand();
                DataTable dataTable = new DataTable();
                dataTable = null;
                DataSet ds = new DataSet();
                try
                {
                    myCommand.Connection = openConnection();
                    myCommand.CommandText = _query;
                    myCommand.Parameters.AddRange(sqlParameter);
                    myCommand.ExecuteNonQuery();                
                    myAdapter.SelectCommand = myCommand;
                    myAdapter.Fill(ds);
                    dataTable = ds.Tables[0];
                }
                catch (SqlException e)
                {
                    Console.Write("Error - Connection.executeSelectQuery - Query: 
    			" + _query + " \nException: " + e.StackTrace.ToString());
                    return null;
                }
                finally
                {
    
                }
                return dataTable;
            }
    
            /// <method>
            /// Insert Query
            /// </method>
            public bool executeInsertQuery(String _query, SqlParameter[] sqlParameter)
            {
                SqlCommand myCommand = new SqlCommand();
                try
                {
                    myCommand.Connection = openConnection();
                    myCommand.CommandText = _query;
                    myCommand.Parameters.AddRange(sqlParameter);
                    myAdapter.InsertCommand = myCommand;
                    myCommand.ExecuteNonQuery();
                }
                catch (SqlException e)
                {
                    Console.Write("Error - Connection.executeInsertQuery - Query: 
    			" + _query + " \nException: \n" + e.StackTrace.ToString());
                    return false;
                }
                finally
                {
                }
                return true;
            }
    
            /// <method>
            /// Update Query
            /// </method>
            public bool executeUpdateQuery(String _query, SqlParameter[] sqlParameter)
            {
                SqlCommand myCommand = new SqlCommand();
                try
                {
                    myCommand.Connection = openConnection();
                    myCommand.CommandText = _query;
                    myCommand.Parameters.AddRange(sqlParameter);
                    myAdapter.UpdateCommand = myCommand;
                    myCommand.ExecuteNonQuery();
                }
                catch (SqlException e)
                {
                    Console.Write("Error - Connection.executeUpdateQuery - Query: 
    			" + _query + " \nException: " + e.StackTrace.ToString());
                    return false;
                }
                finally
                {
                }
                return true;
            }
        }
    }

    Database Access Layer

    Database Access Layer (DAO) builds the query based on received parameters from the Business Logic Layer and passes it the dbConnection class for execution. And simple return results from the dbConnection class to Business Logic Layer.

    Collapse Copy Code
    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Data;
    using System.Data.SqlClient;
    
    namespace ThreeLayerDemo.Core
    {
        public class UserDAO
        {
            private dbConnection conn;
    
            /// <constructor>
            /// Constructor UserDAO
            /// </constructor>
            public UserDAO()
            {
                conn = new dbConnection();
            }
    
            /// <method>
            /// Get User Email By Firstname or Lastname and return DataTable
            /// </method>
            public DataTable searchByName(string _username)
            {
                string query = string.Format("select * from [t01_user] 
    		where t01_firstname like @t01_firstname or t01_lastname 
    		like @t01_lastname ");
                SqlParameter[] sqlParameters = new SqlParameter[2];
                sqlParameters[0] = new SqlParameter("@t01_firstname", SqlDbType.VarChar);
                sqlParameters[0].Value = Convert.ToString(_username);
                sqlParameters[1] = new SqlParameter("@t01_lastname", SqlDbType.VarChar);
                sqlParameters[1].Value = Convert.ToString(_username);
                return conn.executeSelectQuery(query, sqlParameters);
            }
    
            /// <method>
            /// Get User Email By Id and return DataTable
            /// </method>
            public DataTable searchById(string _id)
            {
                string query = "select * from [t01_id] where t01_id = @t01_id";
                SqlParameter[] sqlParameters = new SqlParameter[1];
                sqlParameters[0] = new SqlParameter("@t01_id", SqlDbType.VarChar);
                sqlParameters[0].Value = Convert.ToString(_id);
                return conn.executeSelectQuery(query, sqlParameters);
            }
        }
    }

    Value Object

    Value Object is nothing more but a class with the contents GET and SET methods. It’s mainly used to pass Data from one class to another. It’s directly connected with Business Logic Layer and Presentation Layer. As you can see in the diagram object values are being SET in Business Logic Layer and GET from Presentation Layer.

    Collapse Copy Code
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Text;
    
    namespace ThreeLayerDemo.Core
    {
        public class UserVO
        {
            private int _idUser;
            private string _firstname;
            private string _lastname;
            private string _email;
    
            /// <constructor>
            /// Constructor UserVO
            /// </constructor>
            public UserVO()
            {
                //
                // TODO: Add constructor logic here
                //
            }
    
            public int idUser
            {
                get
                { 
                    return _idUser;
                }
    
                set
                {
                    _idUser = value;
                }
            }
    
            public string firstname
            {
                get
                {
                    return _firstname;
                }
    
                set
                {
                    _firstname = value;
                }
            }
    
            public string lastname
            {
                get
                {
                    return _lastname;
                }
                set
                {
                    _lastname = value;
                }
            }
    
            public string email
            {
                get
                {
                    return _email;
                }
    
                set
                {
                    _email = value;
                }
            }
        }
    }

    Business Logic Layer

    Business Logic Layer (BUS) works as a bridge between Presentation Layer and DAO. All the user values received from the presentation layer are being passed to BUS. The results received from the DAO are in row data in Data Table format but in BUS it’s converting into Value Objects (VO). Business Logic Layer (BUS) is the most important class in the whole architecture because it mainly contains all the business logic of the program. Whenever a user wants to update the business logic of the program only need to update this class.

    Collapse Copy Code
    using System;
    using System.Collections.Generic;
    using System.Text;
    using System.Data;
    
    namespace ThreeLayerDemo.Core
    {
        /// <summary>
        /// Summary description for UserBUS
        /// </summary>
        public class UserBUS
        {
            private UserDAO _userDAO;
    
            /// <constructor>
            /// Constructor UserBUS
            /// </constructor>
            public UserBUS()
            {
                _userDAO  = new UserDAO();
            }
    
            /// <method>
            /// Get User Email By Firstname or Lastname and return VO
            /// </method>
            public UserVO getUserEmailByName(string name)
            {
                UserVO userVO = new UserVO();
                DataTable dataTable = new DataTable();
    
                dataTable = _userDAO.searchByName(name);
    
                foreach (DataRow dr in dataTable.Rows)
                {
                    userVO.idUser = Int32.Parse(dr["t01_id"].ToString());
                    userVO.firstname = dr["t01_firstname"].ToString();
                    userVO.lastname = dr["t01_lastname"].ToString();
                    userVO.email = dr["t01_email"].ToString();
                }
                return userVO;
            }
    
            /// <method>
            /// Get User Email By Id and return DataTable
            /// </method>
            public UserVO getUserById(string _id)
            {
                UserVO userVO = new UserVO();
                DataTable dataTable = new DataTable();
                dataTable = _userDAO.searchById(_id);
    
                foreach (DataRow dr in dataTable.Rows)
                {
                    userVO.idUser = Int32.Parse(dr["t01_id"].ToString());
                    userVO.firstname = dr["t01_firstname"].ToString();
                    userVO.lastname = dr["t01_lastname"].ToString();
                    userVO.email = dr["t01_email"].ToString();
                }
                return userVO;
            }
        }
    }

    Presentation Layer

    Presentation Layer is the only layer which is directly connected with the user. So in this matter, it’s also a really important layer for marketing purposes. Presentation Layer is mainly used for getting user data and then passing it to Business Logic Layer for further procedure, and when data is received in Value Object then it’s responsible to represent value object in the appropriate form which user can understand.

    Collapse Copy Code
    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Windows.Forms;
    using ThreeLayerDemo.Core;
    
    namespace ThreeLayerDemo
    {
        public partial class frmLogin : Form
        {
            private UserBUS _userBUS;
    
            public frmLogin()
            {
                InitializeComponent();
                 _userBUS = new UserBUS();
            }
    
            private void btnSearch_Click(object sender, EventArgs e)
            {
                UserVO _userVO = new UserVO();
                _userVO = _userBUS.getUserEmailByName(txtUsername.Text);
                if (_userVO.email == null)
                    MessageBox.Show("No Match Found!", "Not Found", 
    			MessageBoxButtons.OK, MessageBoxIcon.Exclamation);
                else
                    MessageBox.Show(_userVO.email ,"Result",
    			MessageBoxButtons.OK,MessageBoxIcon.Information);       
            }
    
            private void btnCancel_Click(object sender, EventArgs e)
            {
                Close();
            }
        }
    }

    Summary

    Hope this explanation helps the beginner specially looking for a generic approach. There are also some methods which are far better than the architecture described above, mostly with skipping Database Access Layer and Value Object Class, and making it dynamically which is really handy for maintenance in case of frequent database change. I will try to post some in the near future.