Atlas, Microsoft's AJAX framework for ASP.NET, has been renamed to ASP.NET AJAX. Not that there's a huge surprise, since Atlas was just a code name. There's no new CTP, although there's a new version (rel 9/14/06) of the Atlas Control Tool Kit with a few new controls.

Scott Mitchell put up a post about a CheckBoxList validator he built for ASP.NET 2.0. Worth checking out. I wrote a custom validator for CheckBoxLists a few weeks ago & while it wasn't too bad, I wish I had waited & just used Scott's. :) Also, he has some good tips about browser compatibility & RegisterExpandoAttribute.

FYI an expando attribute is an arbitrary attribute added to a HTML/DOM object at runtime. Weird name, I know.

...will run slower, because SQL Server will first check the master database for them. Weird but true, according to SQLMag. So, don't start your procs with sp_.

So that my blog shows up on Technorati. Funny, it seems like I did this before. Hmm. Technorati Profile

It's been a while since I posted anything in the management category, so it's time to get caught up. In a past life I was a Software Development Director, so I wanted to write about some things I figured out so that other programmers-turned-sudden-managers have some tips. The below is about goals, and is written for the employee (i.e. the person writing and achieving the goals), but it's equally useful for managers -- just adapt the perspective so that everytime you see the word "You" mentally replace it with "My Employee".

Goals as Performance Review Items

I was thinking the other day about employee goals. Some companies have managers sit down with their employees each year and come up with goals to achieve for the upcoming year. An employee's performance review is then often tied to whether they complete their goals or not. So there's an incentive to be shouting "Gooooaaaaaallllll" at the end of the year.

However, it's hard for many people to come up with their own goals in the workplace. We all know it has to be work-related, and in some professions it's easier than others (e.g. sell 10% more widgets than last year). In fact when I researched this in the past, a lot of the example "good goals" were in terms of manufacturing or sales.

But as a programmer (or other IT worker), in a workplace where priorities can change and projects come and go and get completed in months or weeks, what do you do? What are some goals you can choose and have a chance at pulling them off?

Be Smart About Your Goals

First of all, let's review some basics on goal picking. There's an acronym for good goals: S.M.A.R.T. (or as a friend liked to say, "TARMS"). I've seen many versions of what the different letters mean, but in genenral SMART goals are

• Specific
  • What specifically will you do? Answer the Who, What, Where, When, Why behind it.
  • Bad: "Do a better job of estimating effort" 
  • Good: "Have my actual effort come within 30% of my effort estimates, on average, for my web development projects in the next six months."
  • Other meanings for "S":
    • Stretching: it should be a challenge for you
    • Significant: it should be important
    • Systematic: it should be something you can work on or chip away at
    • Synergistic: working towards the goal should not be at cross-purposes to getting your job done -- you don't want feel like you're stealing time away from your "real" projects to work on your goals. It would be ideal if working towards your goal is incorporated into or part of doing your job. This is particularly important for employees who are already overloaded at work and don't have a lot of free time outside of work.
• Measurable
  • How will you and your manager know if the goal has been achieved? There should be some criteria for knowing that it's been completed. Anyone who deals with project management should be familiar with this theme.
  • Bad: "Learn C#"
  • Good: "Complete a C# class this fall and get a Brainbench C# certification by the end of the year."
  • Other meanings for "M":
    • Meaningful
    • Motivating
    • Memorable
• Acceptable
  • The goal should ideally be set by you, or at least acceptable to you. You should have a desire and willingness to complete it. It should be something you're interested in and that will have real value for you when it's completed (other than just a performance bonus based on goal achievement). For example, will you learn a new skill or technology? Will you feel a sense of pride and accomplishment?
  • Bad: "Devote an extra day a week to code maintenance on our legacy systems" (unless you like legacy maintenance, in which case I have some jobs for you....)
  • Good: "Research new technology and development techniques and deliver a proposal on upgrading some of our legacy systems."
  • Other meanings for "A":
    • Attainable: this is a common meaning for "A". It closely overlaps with Realistic, below. 
    • Action plan: you should put together a plan on how you will accomplish your goal
    • Agreed-upon: similar to Acceptable, it should be something that the manager and employee both agree is a good goal.
    • Accountability: you should be accountable to completing your goal, and failing at it should require an explanation from you as to why. Not achieving your goal should be seen in a similar light as not completing any other project.
• Realistic
  • You should be able to actually attain this goal. It should be a bit of a challenge to accomplish, but not so much that it's a hardship. It should require a level of commitment from you.
  • Bad: "Run 1 mile a month" (too easy) or "Work out twice a day" (too much)
  • Good: "Register, train for, and participate in the marathon this year, including finding a training regimen and/or running club appropriate for beginners"
  • Other meanings for "R":
    • Relevant: it should be relevant to work or your career. It probably shouldn't be "Take a wine-tasting class this fall." FYI, I feel a fitness- or health-oriented goal is OK as long as you have other goals that are more IT-focused. IMO a healthy, fit employee is beneficial to the company because they're less sick, have more energy and less stress, can save the company money on health insurance and/or workers compensation, and can inspire fitness in others. Plus they're better able to help lug those 21" CRTs to the new office. ;)
• Time frame
  • There should be a timeframe or deadline for completion of the goal. This is part of being Specific, but having an end point helps encourage employees to get it done.
  • Time frame also means you should know when you're going to be able to work on your goal. Do you have available time to complete it? When will you work on it? How much time will it require to complete? There are a lot of people who are overloaded at work, working 50+ hours a week, and have full and equally-demanding family lives outside of work. Those people will need to sacrifice something to gain the time they need, or choose goals that don't require as much time, or get their boss to free up their work schedule a bit so they can work on their goals.
  • Bad: "Take a C# class sometime" or "Write a 1000-page book on project management next month"
  • Good: "Take a C# class in the evening next quarter" or "Write an article on project management next month and submit it to at least 3 web sites and magazines."
  • Other meanings for "T":
    • Tangible: a goal that can be measured on paper or in an otherwise physical manner is tangible. But IMO that's too closely tied to Measurable

That's all for today, but next time I'll follow up with more suggestions, guidelines, and ideas for goal-setting in an IT world. I'll write more for the manager's perspective.

 

 

I saw an article today by Stephen Walther about custom validators with ASP.NET. Or I guess it's not so much an article as an excerpt from a book. Anyhow, the article discusses making your own validator controls, and he shows some code (in VB, though, not C#) about how to make a reusable AJAX validator control. It's similar to the CustomValidator, except that it does its validate via an AJAX call. Thay way, if you need to do some expense or fancy server-side validation (e.g. do a database lookup), your user doesn't have to deal with a postback.

I won't make use of it today, but possibly in the future.

I recently needed to strip out non-alphanumeric characters in SQL Server. I initially thought I might be able to use a managed stored procedure and C# regular expressions to do so, but I thought the performance would be bad (e.g. you'd have to cursor through a table, extract a field value, use RegEx on it, go to the next row, etc.). So I came up with the below function using T-SQL's quasi-regular expressions in PATINDEX:

/*******************************************************************
dbo.fnStripNonAlphaNumeric

Removes all non-alphanumeric characters (including spaces) from
@input, e.g.

select dbo.fnStripNonAlphaNumeric('Help, I "think" I''m falling!')

returns

HelpIthinkImfalling

*******************************************************************/
CREATE FUNCTION dbo.fnStripNonAlphaNumeric
(
    @input varchar(500)
)
RETURNS varchar(500)
AS
BEGIN
    
    DECLARE @i int
    DECLARE @result varchar(500)
    SET @result = @input
    SET @i = patindex('%[^a-zA-Z0-9]%', @result)
    WHILE @i > 0
    BEGIN
        SET @result = STUFF(@result, @i, 1, '')
        SET @i = patindex('%[^a-zA-Z0-9]%', @result)
    END

    RETURN @result

END

Then in use it's something like

SELECT dbo.fnStripNonAlphaNumeric(FieldWithAlphaNumerics) as AlphaCleanValue
FROM MyTable

FWIW, to strip non-alphanumeric in C# you can use the one-liner (assuming you have a initial string called "input")

System.Text.RegularExpressions.Regex.Replace(input, @"[\s\W]*", "")

:)

 

 

 

I went into this in my post about SQL Server remote connections, but basically, for each SQL Server instance running on your database server, you can enable remote access, control which IPs and ports SQL Server listens on, and which IPs are allows to access which port.

Use Windows Security when possible

Connecting via a Windows account is more secure than connecting with a SQL Server login and password. In the past those values were sent in plaintext (eek), although now SQL Server 2005 offers lockouts, password complexity enforcements, and password expiration for SQL Server logins, so they're not as unsecure as they used to be. Also if you're using the SQL Native Client to connect, your login packet is encrypted, so the password isn't in plaintext anymore.

If you need to use SQL Server logins, don't use the sa account -- log in with a different account with limited permissions. And use strong passwords. If it's available over the internet, you should use an SSL certificate to encrypt connections, too (see Encrypting Connections to SQL Server in Books Online).

Allowing Remote Access

SQL Server doesn't allow remote access by default. So if you want other machines to access SQL Server, open up SQL Server Surface Area Configuration (in Programs->Microsoft SQL Server 2005->Configuration Tools) and click Surface Area Configuration for Services and Connections. On the left side, navigate to the Remote Connections node under your SQL Server instance's Database Engine node, and ensure Local and Remote connections is selected with Using TCP/IP only. Then click OK.

 

Configuring IPs

You do so via opening up SQL Server Configuration Manager, opening the Network Configuration node and clicking the Protocols section. You'll see TCP/IP on the right.

 

Double click TCP/IP. You'll see a dialog like below with some settings on the Protocol tab:

By default, Listen All is set to Yes, which means SQL Server is listening on every IP the server has. If the server has a public IP, or if you don't want it listening on certain IPs, set Listen All to No. Now switch to the IP Addresses tab.

You'll see entries for all the machine's bound IPs -- in the above example 192.168.0.10 is the internal IP, 77.89.121.42 is a public IP, and 127.0.0.1 is the local loopback IP (note those aren't my real IPs, they're just for show).  Active means the IP address is a working IP network-wise -- changing the value via the dropdown doesn't do anything. If Listen All is set to No, you can set specific ports for various IPs, or tell SQL Server to not listen on them by setting Enabled to No. Notice how I've used the port 2000 and disabled access on the public IP.

FYI, Dynamic Ports is a setting where SQL Server finds an available port at runtime. I don't recommend Dynamic Ports because a) you have to run the SQL Server Browser service (a security risk) in order to inform clients which port is being used, and b) it's hard to protect SQL Server with a firewall because you never know which port is going to be used. So you're stuck opening up a bunch of ports, which is bad.

Anyhow, if Listen All was set to Yes on the Protocol tab, then you can't apply settings for individual IPs -- you instead apply settings for all IPs in the IPAll section at the bottom.

 

Configuring the Firewall

Now you can create a firewall rule allowing certain IPs access to your machine over certain ports. If you're using Windows Firewall, you can do so by first opening Windows Firewall from the Control Panel and clicking the Exceptions tab. You'll see a list of current exceptions.

Click Add Port. Give your rule a name (e.g. "SQL Server Rule") and specify the port you set in SQL Configuration Manager.

Now we want to specify who can access our server over this port. By default, everyone can (even folks over the internet), which IMO isn't super secure. So click Change Scope. You can choose My Network to allow all computers on your network to access your server, but if you want a more narrow range (good if you have a large network but only a few machine should be able to access your machine), you can enter the specific IPs and/or masks in the Custom List section.

Now click OK, and click OK again, and your new firewall rule is applied.

Finishing Up

Now restart your SQL Server service, and you're ready to connect. You can also feel better that you've protected your SQL Server instance.

 

 

By default, remote connections are disabled for all versions of SQL Server 2005, including SQL Server 2005 Express. If you try to connect from a different machine, you'll get an error message like this:

An error has occurred while establishing a connection to the server when connecting to SQL server 2005, this failure may be caused by the fact that under default settings SQL server does not allow remote connection.

To resolve it, you need to enable remote connections in the SQL Server Surface Area Configuration Tool (under Start->Programs->Microsoft SQL Server 2005->Configuration Tools) and then restart the SQL Server Express service. See this full walkthrough is on MSDN on how to do so.

If you then get errors like "Error Locating Service/Instance Specified" you have two options: using the SQL Server Browser, or using TCP/IP & specifying the port when you connect.

SQL Server Browser

The SQL Server Browser service tells interested parties the SQL Server instances available on the machine. It's a mild security risk (especially if you expose it over the internet), but it lets you easily connect to SQL Server instances, especially if your database server has multiple instances running. You'll need to ensure that the SQL Server Browser Service is running on the database server, and that the database server's firewall isn't blocking the SQL Server Express service or the SQL Server Browser service. See this MSDN article on how to do so.

TCP/IP Ports

This method is more secure but a little more work. You don't have to run the SQL Server Browser service, and you get to pick (and manage traffic on) the IP and port that each SQL Server instance listens on. Worth it for a public server, IMO. If you're using TCP/IP and don't want to run SQL Server Browser for security reasons, or if you have multiple SQL Server instances on your server, you'll need to check the TCP/IP ports that your SQL Server Database Engines are listening on, and ensure each running instance has its own port.

Open up SQL Server Configuration Manager (under Start->Programs->Microsoft SQL Server 2005->Configuration Tools), expand SQL Server Network Configuration, click Protocols for SQLEXPRESS, double-click TCP/IP. Note whether "Listen All" is Yes or No. Click the IP Addresses tab. If "Listen All" was Yes, then you can set the ports in the "IPAll" section below. If "Listen All" was set to No, then ensure that there's a port specified for the listed IP addresses, or disable (set Enabled to "No") any public IPs you don't want to expose SQL Server on.

Then open up Windows Firewall on the database server (or whatever your firewall program is) and allow TCP traffic in for the port you specified. Be sure to indicate who you want to access this port, too (e.g. the internet, your local network, a specific subnet, or just the local machine).

Then you should be able to connect to the server using "<ip address>,<port>" (e.g. "192.168.0.10,8000") from SQL Server Management Studio.

 

I wanted to share a quick & easy way to validate uploaded images in ASP.NET. One of my projects has a feature allowing users to upload a logo. But I wanted to restrict them to JPG & GIF images, and ensure that the image was within a certain height. So....asp:CustomValidator to the rescue!

Here's the code for the web page with the INPUT file tag and the CustomValidator:

---

<INPUT type="file" id="txtCorporateLogo" name="txtCorporateLogo" runat="server">

<asp:CustomValidator ID="valLogo" Runat=server CssClass="validator"
ErrorMessage="Logos can only be GIF or JPG images under 100 pixels high"
OnServerValidate="ValidateLogo" ClientValidationFunction="checkLogo" ControlToValidate="txtCorporateLogo"
><br>Logos can only be GIF or JPG images under 100 pixels high</asp:CustomValidator>

---

Here's the client-side javascript function that the CustomValidator calls to ensure that we don't post to the server if the image isn't a JPG or GIF. The function sets IsValid to true if there's no file specified, or if it ends with jpg, jpeg, or gif:

---

<script language="javascript">

		function checkLogo(sender, args)
		{
			var filename = document.getElementById('txtCorporateLogo').value.toLowerCase();
			
			if (filename.length < 1)
			{
				args.IsValid = true;
			}
			else if (filename.indexOf('.jpg') == -1 && 
					filename.indexOf('.jpeg') == -1 && 
					filename.indexOf('.gif') == -1)
			{
				args.IsValid = false;
			}
			else
			{
				args.IsValid = true;
			}
		}

</script>

And here's the server-side method that confirms the image is 100 pixels high or shorter:

---

        protected void ValidateLogo(object sender, ServerValidateEventArgs args)
        {
            HttpPostedFile imageFile = this.txtCorporateLogo.PostedFile;

            if (imageFile.FileName == String.Empty)
            {
                args.IsValid = true;
            }
            else if (!imageFile.FileName.ToLower().EndsWith("jpg") && !imageFile.FileName.ToLower().EndsWith("gif"))
            {
                args.IsValid = false;
            }
            else
            {
                System.Drawing.Bitmap bitmap = new Bitmap(imageFile.InputStream);

                if (bitmap.Height > 100)
                    args.IsValid = false;
                else
                    args.IsValid = true;

                bitmap.Dispose();

                imageFile.InputStream.Position = 0;    // reset the position in the stream
            }
        }

---

That's it. Just remember to check Page.IsValid in your submit method before doing anything with the image.

And I'm starting to get annoyed with FTB's code import. Look at that mess above! :)