DevDays 2009 day 1 C# 4.0 / The Future of C#

A small introduction for these posts you can find here.Today the first day of the day started great with a broken Tom-tom and me taking a wrong turn in The Hague. So I missed the keynote.

First session "C# 4.0 / The Future of C#" by Krishnan Subramanian. Krishnan likes to type code while presenting, so it promised to be a fun session. Krishnan starts with a history lesson:

  • C# 1.0 first managed Code
  • C# 2.0 Generics
  • C# 3.0 LINQ
  • C# 4.0 Dynamic programming

trends now in C# declarative, dynamic, concurrency

We are programming very declarative, this creates a lot of noise. Finding out what the code does can be hard. A lot of details go into the how instead of the what. Krishnan uses linq to show that linq already has less noise. His non-technical girlfriend can understand a linq query.

Krishnan says that there is room for static and dynamics languages.

When you look at hardware trends,more and more multi processors machines are getting mainstream. C# 4.0 will give more possibilities for parallel programming. Krishnan demo’s this by using a LINQ ray tracer program this program is part of the parallel extensions. To make it parallel he only uses the .asParralel keyword on a LINQ query.

The themes for C# 4.0 are

  • Dynamically typed objects
  • Optional and Named Parameters
  • improved COM interoperability
  • Co- and Contra-variance

For some parts of the programs we write statically typed objects can get in your way. For these parts you can use dynamic typed features of the DLR. The DLR provides for expression trees, dynamic dispatch and call site caching. As an example Krishnan shows ugly C# reflection to determine a type and invoking a method and compares it to JavaScript and  to c# use the dynamic keyword. The dynamic keyword is a much cleaner piece of code. In the demo he calls an iron python coded calculator form c# using the dynamic keyword. The add function can take any argument that exposes the + operator to function correctly, any argument compiles. The next demo shows writing a dynamicbag that is a child implementation of DynamicObject. In this demo he uses a dictionary that is holding the properties you can call on the object, these methods than can be added at build time from the calling code. So DynamicBag.MyCustomProp = 1 will create an entry in the dictionary the holds MyCustomProp and value 1, so this code works with some minor overriding of methods even if DynamicBag doesn’t have a property MyCustomProp.

The current way to use methods with less or more parameters is to use overloads. In C# 4.0 you have named and optional parameters. The optional parameter feature you can use by setting a default value to the parameter in the method declaration. When calling the method you can use named parameters this makes the code more readable.

For COM interop there are improvements:

  • Dynamic mapping
  • Optional and named parameters
  • Indexed properties
  • Optional ref modifier
  • interop type embedding

To explain Co- variance you can look at an array of strings and putting a button in it. This is co-variant but not safe. When looking at List<String> and Ienumarble<object> these cannot be cast to each other. In C#4.0 you can now use IEnumarable<in T> and IEnumarable<out T>.

In the future it might be possible to use the compiler as a service. Your program should be able to change compile behaviour.Krishnan shows a demo of code that will compile in the C# version that will come out after C# 4.0. In this he uses a CSharpEvaluator class with which he writes a program from strings. Using this he writes a command line c# interpreter. Kewl.

Attack and defence: Securing ASP.NET applications

A small introduction for these posts you can find here. Lunch at was well taken care of. Salmon sandwiches and plenty of them.

The next session for day 1 for me was “Attack and defence: Securing ASP.NET applications” By Keith Brown. ( )

As a preface Keith showed us is jojo skills, pretty impressive.

According to Keith in security you need to find a balance. You need to start by thread modelling. You can find info from P&P


  1. principle of minimum privileges. Don’t use the network  service account, create your own account
  2. do security in depth,  assume all input is evil. Do security validation on the server.
  3. put user input quickly in strongly typed variables don’t keep them in strings to long
  4. don’t use regex without ^ and $, otherwise people still can insert stuff .
  5. use sql parameters , don’t concatenate input in your query.
  6. don’t show complete error messages, put the in the log and give the user the possibility to correlate there error with the log.
  7. using a maximum length in textboxes doesn’t help. Use server side validation

If you use validation controls you need to program them correctly. You need the check on the server side the IsValid property.

Viewstate by default gets hashed and checked on tampering. Cookies don’t get this, form login cookies do.

printf(a,b,c,d) has a big security issue (not console,writeline()) a is a control channel, the rest is a data channel. Don’t give up control of the control channel. Equal so Proces.Start(a,b) and sql.commandtext = a.

demo on sql- injection (people have automated this)

  • in a search box start with a ‘ and see if you get an error (if it is a string, for a number you don’t need it.
  • use ‘ or 1=1 – to get all the rows
  • do ‘union select null,null,null (keep adding rows)
  • replace a null with intersting stuf @@version, username, tables from table_schema
  • if there is a user table, select emails and passwords and put them in an excell sheet.
  • change price
  • exec xp_cmdshell ‘net user hacker password /add’

Keith his anti virus software wanted to let the entire audience know that it was out of date during the presentation.

To test for XSS protection turn of validateRequest and see if your application can handle it. Web.config Demo:

  • put in a textbox <h2>test<h2> see if the formatting is kept.
  • put forms, JavaScript and what you want in the textbox (example change logo to Google)
  • when an error page is show that get’s its message from the query string, you can use this to enhance a phishing attack.

To fix the problem sandbox the output. When getting the data out of the database use HttpUtility.HtmlEncode(data). On the input side filter the input.

get free modules and examples form pluralsight.

DevDays 2009 day 1 TDD and S.O.L.I.D

A small introduction for these posts you can find here. My third session was a wildcard session by Dennis Doomen on TDD and S.O.L.I.D. Even though the room wasn’t on the map and the session wasn’t on the session overview the room was packed.

People who didn’t know what inheritance is, were asked to leave.

Dennis uses a definition by Michael Feathers to define quality. You must be able to write a unit test of your code within five minutes. There are multiple principles you can use, Dennis is going to focus on some of them:

  • TDD
  • S.O.L.I.D

TDD is a design process, tests are your first users, tests can be documentation. If TDD hurts you are doing it wrong.

For S.O.L.I.D I say read the book by Uncle Bob Martin. Dennis gives an introduction.

In the demo Dennis an aaa template for creating unit tests.( Arrange, Act, Assert) For naming he follows a Should_When naming convention. During the demo, Resharper and RhinoMocks prove their usefulness. Make unit tests intention revealing.

An extra tip from Dennis, it is possible to decorate your unit tests with the workitem attribute, this will couple the unit test with a workitem in TFS.

The samples are posted on Dennis’s blog.

It was a nice session with enough interaction. I would like to see this talk held in a room full of none believers though but then with enough time to discuss. For a nice simple introduction to S.O.L.I.D watch the dimecast screencasts.

DevDays 2009 day 1 Tasks threading and parallel programming.

A small introduction for these posts you can find here. The last session of the day was by  Ingo Rammer about parallel programming in .Net 4.0.

The slides and code of this session will be under conferences on

Multithreading vs Parallelism. Multithreading is easy, just call Thread.start(). It is primarily used to keep the ui responsive.Parallel programming is used to maximally use the cores that are available.

The ray traces sample comes form the parallel extensions.

Ingo shows a demo walking a large tree structure and visualizing this. The first version uses no threading and takes about 1500 ms to complete. In the second version he tries to make a thread for every node. This version blows up, every thread takes up one mb of memory. The third version uses Threadpool.QueueUeserWorkitem, timing is off now because the threads are fire and forget. The fourth version works with the new tasks from the parallel extensions. This version does the work in about 800ms.

More functionality of the Task is making the creation possible using a factory (shorter, cleaner code). Also the results of a task can be simply used, all synchronization is done for you. In the demo he sums up all values in the tree without having to worry about synchronisation.

After that my netbook just closed down. Basically Ingo covered three ways to do parallel programming in C# 4.0.

  • Fine-Grained Parallelism: Task-API and coordination structures (the foundation of it all)
  • Structured Parallelism: Parallel
  • Declarative Parallelism: PLINQ

Ingo is a great speaker and made this last session while everybody was tired still fun.