SQL Injection

•October 10, 2007 • Leave a Comment

Exploits of a Mom

Source: xkcd, via: Pietro.


Quiz #2

•April 11, 2007 • 2 Comments

Look at the following snippet:

public class Foo
    protected Foo() {}

public class Var : Foo
    Var(): base() {}

    void Main()
        Foo foo = new Foo();

Now tell me if it can be successfully compiled:

  1. both in 1.1 and 2.0
  2. only in 1.1
  3. only in 2.0
  4. neither in 1.1 nor in 2.0

Dynamics CRM as development platform: transparent substitution of CrmService with Filtered Views.

•April 6, 2007 • 3 Comments

In my last post I suggested not to directly use, in your code, the CrmService proxy class. I quickly mentioned some enhancements you can gain from this, let’s focus on substituting web service calls with database access on filtered views. Even if limited to read operations, this can increase a lot the performances of your system.

As we want the callers not to be aware of the way we retrieve data, we have to passing back data to them in the form they expect it: “BusinessEntity” derived classes or collection of them. This may seems hard, but it isn’t. You can build the statement in way that it will produce data in XML, in a format that can be directly deserialized in entity instances.

So, let’s view how we can:

  • Compose the SQL statements in such a way the will produce the xml we need
  • Deserialize the data from xml to entities

Take a look at this query:

  'http://www.w3.org/2001/XMLSchema' as xsd 
, 'http://www.w3.org/2001/XMLSchema-instance' as xsi 
, 'http://schemas.microsoft.com/crm/2006/WebServices' as crm 
SELECT name as 'crm:name' 
     , accountid as 'crm:accountid' 
     , donotphonename as 'crm:donotphone/@name' 
     , donotphone as 'crm:donotphone' 
     , address1_shippingmethodcodename as 'crm:address1_shippingmethodcode/@name' 
     , address1_shippingmethodcode as 'crm:address1_shippingmethodcode' 
     , modifiedbyname as 'crm:modifiedby/@name' 
     , modifiedbydsc as 'crm:modifiedby/@dsc' 
     , modifiedby as 'crm:modifiedby' 
     , createdbyname as 'crm:createdby/@name' 
     , createdbydsc as 'crm:createdby/@dsc' 
     , createdby as 'crm:createdby' 
     , statuscodename as 'crm:statuscode/@name' 
     , statuscode as 'crm:statuscode' 
     , statecodename as 'crm:statecode/@formattedValue' 
     , statecode as 'crm:statecode' 
  FROM Filteredaccount 
   FOR XML PATH ('account')

The WITH XMLNAMESPACES, the field aliases and the FOR XML PATH do the magic, and we get data in this format:

<account xmlns:crm="http://schemas.microsoft.com/crm/2006/WebServices" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
  <crm:name>Adventure Works Ltd.</crm:name> 
  <crm:modifiedby name="CRM Administrator" dsc="0">89A611D4-C7BD-DB11-A4E3-005056A80A71</crm:modifiedby> 
  <crm:createdby name="CRM Administrator" dsc="0">89A611D4-C7BD-DB11-A4E3-005056A80A71</crm:createdby> 
  <crm:statuscode name="Active">1</crm:statuscode> 
  <crm:statecode formattedValue="Active">Active</crm:statecode> 
<account xmlns:crm="http://schemas.microsoft.com/crm/2006/WebServices" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"> 
  <crm:name>Contoso Inc.</crm:name> 
  <crm:donotphone name="Allow">0</crm:donotphone> 
  <crm:modifiedby name="CRM Administrator" dsc="0">89A611D4-C7BD-DB11-A4E3-005056A80A71</crm:modifiedby> 
  <crm:createdby name="CRM Administrator" dsc="0">89A611D4-C7BD-DB11-A4E3-005056A80A71</crm:createdby> 
  <crm:statuscode name="Active">1</crm:statuscode> 
  <crm:statecode formattedValue="Active">Active</crm:statecode> 

That is exactly what you need to obtain, with the help of XmlSerializer, a collection of accounts:

XmlReader xmlReader = cmd.ExecuteXmlReader(); 

while (xmlReader.ReadState != ReadState.EndOfFile) 
    xml = xmlReader.ReadOuterXml(); 
    StringReader reader = new StringReader(xml); 

    account acc = serializer.Deserialize(reader) as account; 

// convert accounts in a BusinessEntitesCollection...

Note that:
– the standard SQL syntax for a property is:

, property ascrm:property

– properties expressed by CRM object model in form of “Lookup” are splitted, on the views, in three columns:

, propertyname ascrm:property/@name
, propertydsc ascrm:property/@dsc
, property ascrm:property

– properties expressed by CRM object model in form of “Picklist” and “CrmBoolean” are splitted, on the views, in two columns:

, propertyname ascrm:property/@name
, property ascrm:property

– StatusCode and StateCode are the only further singularity.

Given these rules isn’t hard to build a class able to generate statements for any entity type. For an hard-core solution, add something able to translate a QueryExpression in SQL statements…

Dynamics CRM as development platform: interacting with CrmService.

•March 28, 2007 • 1 Comment

This is the first of a series of posts about extending Dynamics CRM 3.0. These posts were originally planned for some months ago, but I have had stuffs to do. Anyway, I recently restarted my activities on the product and I will share my considerations and some implementation details. Let’s start with CrmService. CrmService is a web service and contains the methods you need to write code against all of the entities in the system. A proxy can be obtained (with Visual Studio) adding a web reference to this url:


I’m not going to spend words on the web service methods, they are basically CRUD operation. The most important think is, I think, the way your code interacts with the web service. Your code shouldn’t directly use the proxy class generated by Visual Studio, is better to wrap it in a class that, just to begin, exposes the same functionalities the proxy do. Than you can start to write your code against your wrapper and, at later time, introduce enhancement in your wrapper distributing the benefits of these enhancements to all the callers of your wrapper and without modifying them. These enhancements can include:

  • Increase the performance of the HTTP/SOAP calls by implementing this simple but power solution. I already wrote about this, but it’s so powerful!
  • Increase the data retrieving performance by substituting web service calls with database access (on filtered views). A will dedicate an entire post to this.
  • Data caching, for data that isn’t critical and doesn’t change frequently.
  • Data integrity constraints enforcement. Constraints you apply to your entity attributes are enforced only by the UI, not by the web service. But you can read those constraints from the MetadataService and apply them before passing data to CrmService. May be I will write a post even on this.

Here an example of how the wrapper can expose the functionalities the proxy do, with some little features…

public class CrmServiceClient
	public virtual BusinessEntity RetrieveEntity(string entityName, Guid entityId)
		return RetrieveEntity(entityName, entityId, new AllColumns());

	public virtual BusinessEntity RetrieveEntity(string entityName, Guid entityId, ColumnSetBase cols)
		BusinessEntity entity = null;

			entity = m_CrmService.Retrieve(entityName, entityId, cols);
		catch (SoapException ex)

			string msg = ExtractSoapExceptionMessage(ex);
			throw new Exception(msg);
		catch (Exception ex)


		return entity;

	// other mehods...

And here the way I implemented the HTTP/SOAP calls enhancement explained in the article I linked above (note the use I make of the ConnectionGroupName property to limit the security treats that may occur by setting UnsafeAuthenticatedConnectionSharing to true):

public class CrmServiceClient
	// other mehods...	

	private CrmService ActivateCrmService(NetworkCredential credentials, bool unsafeAuthentication)
		CrmService service = new CrmService();
		service.Credentials = credentials;

		if (unsafeAuthentication)
			service.UnsafeAuthenticatedConnectionSharing = true;
			service.ConnectionGroupName = CreateSecureGroupName(credentials);

		return service;

	private string CreateSecureGroupName(NetworkCredential credentials)
		string toEncode = credentials.UserName + credentials.Password + credentials.Domain;
		Byte[] bytes = Encoding.UTF8.GetBytes(toEncode);

		SHA1Managed Sha1 = new SHA1Managed();
		Byte[] updHash = Sha1.ComputeHash(bytes);

		return Encoding.Default.GetString(updHash);

I know there’s nothing special in these snippets, but consider this post as an intro. Something more interesting is coming soon.

Tools for writing and the way I write

•March 15, 2007 • 1 Comment

DarkRoom screen shotI recently discovered a writing tool, and I literally fallen in love with the first time I opened it. Is DarkRoom, a minimal text-only editor that help you concentrate by making the entire screen black leaving only the essentials: words and scrolling arrows (see image).

Then I realized that I really prefer this kind of editors as I write my emails in text-only, I take my notes in Notepad (recently in Notepad2, recommended), I always write “readme documents” in .txt files rather than in Word or other processors.

And this surely influence the way I write, the way I compose sentences, the way I explain concepts, and so on. In a positive way, I think. Because, without colors, without text formatting (bold, italic, font size…), I have only words to express my self clearly, to make readers get the points and catch the concepts I’m writing about.
Further more, I’m not used to have grammar tools helping me. So I often check what I’m writing, and this sometimes drive me to better rewrite a sentence or a period.

I think this good exercise I’ve always done without the intention to getting better in the way I express what I want to say, in the end, really helped me. Specially in English, which is not my first language.

On the other hand, text formatting may be important too for the reader, and sometimes I use it in my posts. Perhaps, the solution may be to apply it only when you finished to compose the text.

Quiz #1

•March 15, 2007 • Leave a Comment

Modify this apparently thread-safe event raiser in such a way it becomes truly thread-safe without changing signature nor implementation.

protected void OnMyEvent(MyEventArg e)
   MyEventHandler handler = MyEvent;

   if (handler != null)
      handler (this, e);

Inspired by this post by Pierre Greborio.

Script Sharp 1 – Scripting Internet Explorer proxy configuration

•March 12, 2007 • 4 Comments

This is for those who continuously have to configure Internet Explorer proxy settings to match different network locations.

I have two different configurations I’m switching at least twice a day: one for when I’m in the office and another for my home WI-FI network. Not to talk about the number of configurations I have for the customers I sometimes have to visit.

Script must be included in a .vbs file that you can call directly from the shell or with a shortcut.

Here the code you can run to enable/disable proxy:

On Error Resume Next

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
strKeyPath = "SoftwareMicrosoftWindowsCurrentVersionInternet Settings\"

Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}" & strComputer & "rootdefault:StdRegProv")
objReg.SetDWORDValue HKEY_CURRENT_USER, strKeyPath, "ProxyEnable", 1 'Use 0 to disable proxy
objReg.SetStringValue HKEY_CURRENT_USER, strKeyPath, "ProxyServer", "proxyName:8080"

If err.Number <> 0 Then
    MsgBox err.Description
End If

MsgBox "Done!"

Note that you can work on a different machines (strComputer) and impersonate a desired user (the WMI string passed to GetObejct() function), but I haven’t investigated this yet.