Archive for April, 2008

28 Apr 2008

Introducing Idea Pipe

I have been working on this new social networking website that is based around the collaboration and sharing of ideas. I have talked about this project in the past, in very vague details, but today I have decided to open the curtains and give everybody a look.

http://www.ideapipe.com

Currently there are a couple of websites out there that are doing the same thing, but in a more focused way for their specific business. One example of these focused idea-sharing websites is Dell Idea Storm. In Dell’s case, users go to the website and submit ideas on how Dell can improve its products. The platform has worked really well for Dell; they seem to be getting a positive response from their community of users. It has led them to introduce a couple of products that they probably wouldn’t have if there hadn’t been such overwhelming support, such as Ubuntu as an alternative install option to Microsoft Windows.

Idea Pipe was born about 7 months ago, when I realized that this type of platform would be useful to businesses, projects, and people of all shapes and sizes, especially the ones that wouldn’t be able to pay the Salesforce.com Tax. Idea Pipe has actually been released for about a month now; however, I was waiting to announce it officially until we had support for groups. Groups are a way for anybody with an Idea Pipe account to create their own personalized Idea Pipe that provides all the same features and functionality as Dell’s Idea Storm, but at no charge to the group owners.

To kick off this announcement, I created a group where my readers can share and collaborate on ideas for future posts on this blog that will interest you: http://www.ideapipe.com/groups/coder-journal

This site is still new and like any new site you will probably have suggestions on how to improve the site or the architecture, so please submit them to: http://www.ideapipe.com/groups/pipeline

If you happen to find any bugs, please send them to bugs@ideapipe.com.

25 Apr 2008

Why isn’t Journalistic integrity important to Slashdot anymore?

Slashdot has been around for over a decade now, and many tech nerds first cut their teeth on Slashdot as an information source for everything tech related, because it predated the blogging revolution by almost half a decade. I can say with near certainty that every person who visits my blog each day has at one point in their life read Slashdot. I know this because, for many of you as for me, Slashdot was for many years the first place you visited in the morning to check out the latest nerd-news, and it was such an honor if one of your stories actually made it to the front page. Everything was bliss because the editors of Slashdot really tried to get good content to the viewers of the site; the editors were a little slanted towards the LAMP stack, but at least the content that made it to the front page was accurate.

Now, like most journalism, no facts are checked, and stories are pushed through in order to drive an agenda. For example:

500 Thousand MS Web Servers Hacked

Posted by kdawson on Friday April 25, @11:48AM
from the scream-and-shout dept.

andrewd18 writes “According to F-Secure, over 500,000 webservers across the world, including some from the United Nations and UK government, have been victims of a SQL injection. The attack uses an SQL injection to reroute clients to a malicious javascript at nmidahena.com, aspder.com or nihaorr1.com, which use another set of exploits to install a Trojan on the client’s computer. As per usual, Firefox users with NoScript should be safe from the client exploit, but server admins should be alert for the server-side injection. Brian Krebs has a decent writeup on his Washington Post Security Blog, Dynamoo has a list of some of the high-profile sites that has been hacked, and for fun you can watch some of the IIS admins run around in circles at one of the many IIS forums on the ‘net.”

Every person that reads my blog should have a basic understanding of why this title is 180 degrees out of whack with the actual article that is quoted. If not, here is a short description of what is totally wrong in this Slashdot article, for which the editor who approved it, kdawson, should be fired for gross negligence. Luckily, most of the comments on the Slashdot article show more intelligence and a greater understanding of the actual problem than the Slashdot poster and editor. But you shouldn’t have to read between the lines to get the actual story from the Slashdot article.

First of all, SQL injections are a result of bad programming and are platform independent. They are usually the result of concatenating a SQL string together in code instead of using parameters in your SQL queries. So, as you can imagine, scripting languages like PHP and Old ASP have a ton of problems with SQL injection, which is unfortunate because these two languages are in the top 5 languages that run the web; luckily, Old ASP has been decreasing because of ASP.NET. However, just to reiterate, SQL injection can happen in any language on any platform, because there are bad developers that use every language and every platform.
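The difference between concatenating input into the SQL text and passing it as a parameter, shown as an added example that is not from the original post. It uses Python with an in-memory SQLite table (constructed sample data, hypothetical function names) rather than ASP and SQL Server, which also shows that the flaw does not depend on the platform.

```python
import sqlite3

def make_db():
    # Constructed sample data: a small product table, one row not meant to be listed.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products (name, hidden) VALUES (?, ?)",
        [("widget", 0), ("gadget", 0), ("unreleased", 1)],
    )
    return db

def find_concatenated(db, name):
    # The pattern described above: the input is pasted into the SQL text,
    # so any quote character in it becomes part of the statement itself.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]

def find_parameterized(db, name):
    # The input is sent as a bound parameter and is only ever compared as data.
    sql = "SELECT name FROM products WHERE hidden = 0 AND name = ?"
    return [row[0] for row in db.execute(sql, (name,))]

if __name__ == "__main__":
    db = make_db()
    # Constructed inputs: a normal value, a value containing quotes that
    # rewrites the WHERE clause, and a harmless value with an apostrophe.
    for value in ["widget", "x' OR '1'='1", "o'ring"]:
        try:
            unsafe = find_concatenated(db, value)
        except sqlite3.OperationalError as exc:
            unsafe = "query broke: %s" % exc
        print(repr(value), "| concatenated:", unsafe,
              "| parameterized:", find_parameterized(db, value))
```

With the concatenated query, the quoted input returns every row including the hidden one, and the harmless apostrophe breaks the statement; the parameterized query treats both as plain names that match nothing.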

So basically to say that 500,000 Microsoft web servers were hacked is a gross misrepresentation of the problem that was illustrated in the article.  The original F-Secure article had to clarify that this wasn’t Microsoft’s problem, probably because of the Slashdot article listed above.

We’ve been receiving some questions on the platform and operating systems affected by this attack. So far we’ve only seen websites using Microsoft IIS webserver and Microsoft SQL Server being hit. Do note that this attack doesn’t use any vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

If you are interested in seeing all the pages affected, and whether one of your pages is involved, you can use this Google Link; however, make sure to take precautions against getting infected. I will leave everybody with this last posting that was left in one of the IIS forums, as a sign of what good programmers are combating every day.

I also have been hit by this attack on Saturday 4/12/08. It compromised our database and overwritten that script into all of your products. Luckily a database restore fixed the problem. Two days later the same thing happened, I have changed all the database and login passwords and did another db restore. Now today 4/18/08 we got hit again by the same thing but this time as the pages are loaded ActivX is activated and wants to run but of course I did not allow it. Anybody has successfully solved this situation?

24 Apr 2008

Interesting Extension Hack To Get Around NullReferenceException’s

Today I came across an interesting extension pattern, and I didn’t know how the runtime would react to it. Normally when you do something like the following:

string s = null;
Console.WriteLine(s.Trim()); // throws NullReferenceException

You get a NullReferenceException meaning that you didn’t first check to see if the object was null before trying to call one of its methods. This is pretty common and results in patterns that usually look like this:

string s = null;
string result = null;

if (s != null)
    result = s.Trim();

Console.WriteLine(result);

This results in a ton of extra code just to verify your inputs. It’s a dirty task but somebody has to do it. So today it occurred to me that maybe extension methods were my answer to this code bloat. To better understand extension methods, Scott Hanselman has done a great job explaining how they function and what they look like to the CLR.

So I whipped up the following console application and tested my theory out.

using System;

public static class Extension
{
    public static string TryTrim(this string s)
    {
        if (s == null)
            return s;

        return s.Trim();
    }
}

class Program
{
    static void Main(string[] args)
    {
        string s = null;
        Console.WriteLine(s.TryTrim());  // notice that I don't have the code bloat like above
    }
}

This works without a NullReferenceException because the code actually looks like this to the compiler.

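using System;

public static class Extension
{
    // An ordinary static method: the "this" modifier is only syntax for the caller
    public static string TryTrim(string s)
    {
        if (s == null)
            return s;

        return s.Trim();
    }
}

class Program
{
    static void Main(string[] args)
    {
        string s = null;
        // A plain static call with s as an argument, so a null s is never dereferenced here
        Console.WriteLine(Extension.TryTrim(s));  // this is how the compiler sees the code
    }
}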

So with this new understanding of extension methods, you don’t have to worry about checking whether a variable is null before calling an extension method on it, as long as the extension method handles null itself the way TryTrim does. The more I use extension methods the more I love them.