SQL Injection Attacks – DunDDD 2012

Examples

The examples were run against a copy of the Adventure Works database.

Required Tables

For the Second Order Demo you need the following table added to the Adventure Works database:

CREATE TABLE [dbo].[FavouriteSearch](
	[id] [int] IDENTITY(1,1) NOT NULL,
	[name] [nvarchar](128) NOT NULL,
	[searchTerm] [nvarchar](1024) NOT NULL
) ON [PRIMARY]

GO

Slide Deck

The slide deck is available for download in PDF format.

Further Reading

During the talk I mentioned a lesson from history on why firewalls are not enough.

I also showed XKCD’s famous “Bobby Tables” cartoon, and also a link to further information on dynamic SQL in Stored Procedures.

More information about the badly displayed error messages can be found amongst two blog posts: What not to develop, and a follow up some months later.

I wrote a fuller article on SQL Injection Attacks that you can read here although it is a few years old now, it is still relevant given that SQL Injection Attacks remain at the top of the OWASP list of vulnerabilities.

Feedback from my DDD Scotland Talk on Parallisation

DDD Scotland 2011 Talk Opening SlideI got my feedback from my DDD Scotland 2011 talk on Parallelisation. I was actually pleasantly surprised. I guess I was being a little too self critical and the talk went over a lot better than I thought it had.

Some of the highlights:

  • Good clear samples and demos.
  • Enthusiastic speaker who really knew his stuff. Great talk!
  • Nice easy to understand examples. Getting the concepts across without clutter.
  • Useful info. Genuinely learnt something new.

And of course my favourite comment (despite being somewhat irrelevant, or should that be irreverent): Colin’s funky hair.

There were a couple of points that I need to address in future versions of the talk.

I only gave an overview of locking and the only demo that went close was the ConcurrentDictionary example in which all the locking mechanisms are internal to the ConcurrentDictionary. One person wanted more detail on locking so I shall endeavour to add a little extra into the presentation for DDD South West on locking including, if time allows, a specific demo.

The aspect of locking I need to address, is that I talked about when I used a semaphore in a project to restrict access to a scarce resource, but again I didn’t elaborate on it and another person would have found an example of a semaphore being used useful. I have already written about semaphores in a previous blog post, so I shall try and work that in to the next version of the presentation.

The other part is that the intro appears to be a little long and I need to shorten than slightly. If I can do that, it will at least free up space in a one hour talk to add the additional information on locking in later on.

I really appreciate the additional few moments people took at the end of my talk to write specifically what they enjoyed and what they disliked about my presentation, especially as lunch was waiting for them. It really gives me something to work with in order to improve the talk.

DDD Scotland Parallelisation Talk Overview

DDD Scotland 2011 Talk Opening Slide

Follow Up

I was asked a question during the talk I wasn’t immediately able to answer which I’ve now found the definite answer. What happens to parallel tasks running in the background when the application exits?

Examples

Here are all the examples from Saturday’s introductory talk on Parallelisation at DDD Scotland 2011.

Slide Deck

The slide deck is also available as a PDF file (3.0 Mb)

DDD Scotland: The feedback

I’ll be standing down as chairman of Scottish Developers shortly. I’m not leaving, I’m just looking for a different role within the user group. But as I’m hanging up that particular hat I felt I would add my own personal feedback to the feedback we have received over the last three DDD Scotland events.

On the whole the DDD events in Scotland have been exceptionally well received, especially considering the amount of polish in the main DDD events that happen in Microsoft’s UK HQ in Reading. I suppose from my perspective, sitting on the inside, seeing exactly how it is hanging together I’m always amazed that the feedback is so positive. It is a testament to all the other organisers, speakers and helpers on the day that help keep the event running smoothly.

That said, I feel there are some people that are not fully aware of what goes into organising this event, and on what kind of a budget that we manage it. The speakers are not paid, they volunteer their time, travel, and accommodation expenses.

What makes a DDD event?

The goals for DDD events, as a whole are:

  • The event is free to delegates
  • There are no marketing talks.
  • No speakers from Microsoft.
  • The sessions are voted on to the agenda prior to the event.

You don’t have to aim for everything on this list, and at DDD Scotland we didn’t for various reasons.

We do our best to ensure that it is free to delegates. And we’ve managed that three years running and we will continue to do that for as long as we can.

What follows is some information about how we run the events based on the feedback we have received. I hope this gives you a little insight in to the event. We have received other feedback too that we will be acting upon to improve the event, and if possible we will act on the feedback below to improve things too. I just really wanted to get over the constraints we were running under so you didn’t think that after three years we weren’t listening. We do value all feedback.

The event is “not very well advertised”

We have no advertising budget so we use social media such as blogs, twitter and the like to get the word out. However, even with no advertising we were still oversubscribed. The event “sold out” in 15 days, 3 hours and 35 minutes. After that it went to a waiting list. At its peak there were 88 people on the waiting list.

“Tons of people who signed up didn’t come, maybe the people on the waiting list should the get the spaces of the people who didn’t turn up.”

We do our best on this count. If people realise they cannot come they can unregister which means the website will invite someone on the waiting list along. However, if someone doesn’t want to go and they also don’t unregister then there is little we can do about it.

Over the three years we have run the event we have had a 30%-33% drop out rate and we take that into account when allowing people to sign up. For example, this year we allowed 280 people to sign up before the waiting list was activated, in the end we had 188 delegates turn up on the day. We were aiming for 200 delegates, the same as last year. Last year we had 176 turn up.

In the 24 hours prior to the event the waiting list dropped by 60% allowing nearly 50 people that otherwise would not have had the opportunity to go a chance to get to the event.

“As you go feedback [is] better than a few days later”

This is interesting. There is a debate between some of the various DDD organisers as to which is better: online feedback after the event or paper based during the event.

I can’t say which provides better quality feedback. However, my particular take is that I want to get feedback to the speakers as quickly as possible. The sooner a speaker gets feedback the quicker they can see issues they may have and resolve them, or the quicker they can see what is working or what people appreciate about their presentation.

I also feel that when I get asked for feedback immediately I have a better recollection of what I’m feeding back on. If I wait a couple of days the memories are fading and I won’t recall something that would have helped the speaker improve.

We did a little experiment, with one of the speaker’s permission. He happened to run the same session at DDD8 in Reading as well as at DDD Scotland this year. We compared the feedback he got on line for DDD8 versus the paper feedback he got from DDD Scotland. Roughly the same percentage of the audience filled in feedback, of those that did, roughly the same percentage filled out comments (which is more valuable to the speaker than the raw ratings do). However, where there was a significant difference was that the amount that was written in the freeform feedback was greater online… Perhaps, as developers, we are so used to typing that we can’t write so much these days. But then, was all that extra written material an increase in quality as well as quantity?

I guess the debate will continue on that front.

“Make it a 2 day event, do it twice a year (or more)”

I’d love to do that. It is just very hard work for doing it once a year. But the two day idea is certainly something I’d entertain.

Scottish Developers have noticed that if we run day events during the week we do get a slightly different audience so perhaps it would be an excellent way of reaching out to those that can’t make a Saturday.

Incidentally, the Saturday concept was so that the event didn’t impact on the working week so that contractors didn’t lose a days pay and so that the genuinely enthusiastic could continue geeking out at the weekend.

“The lunch break was too short”

The lunch break was 90 minutes. However, we do have activities on during the lunch break to keep people interested. Unlike previous years, this year we only had grok talks – these are short 10 minute talks that represent topics that would not suit a full presentation or a taster for a full length session.

“more in depth” – “not for beginners”

One of the key aspects of DDD events are their democratic nature. Some people may want more elementary sessions while others may prefer more in-depth sessions. But on the day, what is on the schedule was put there by votes. Every single session was voted in. Back up sessions are chosen by votes too. No session appears without having been voted in.

However, that said, when the ash cloud threatened to disrupt the travel plans of most of our speakers we would have been prepared to bend the rules on that one slightly just to be able to put on an event.

“put feedback forms in goodie bag”

Interestingly we did that last year and we didn’t get that many of them back. People either just didn’t realise they were there or forgot about them. Either way, it meant that the feedback was not as comprehensive as we’d have liked.

Putting the feedback forms on the seats works better for us we’ve found.

“The food was a bit disappointing” – “More coffee in breaks” – “Why not run a café?”

Yes, we know. Unfortunately our budget didn’t allow us to stretch any further than we did. The catering bill was by far the largest expense. Since GCU kindly donated the venue to us for the day the catering budget accounted for about 90% of the running costs.

The first year we ran we got feedback decrying the fact that we didn’t put on breakfast. Possibly this was due to some people who were used to the DDD events in Reading which have the backing of a big corporation that can afford, to us, such luxuries.

There is a café on the ground floor at the venue, however it is closed on a Saturday. We did, the first year, look in to opening it up but were told that was not possible.

Ultimately, what we can afford depends on how much sponsorship we can pull in. This year was particularly disappointing. We were lucky in that we still had a sizeable chunk of money left over from last year which, in fact paid for most of the conference this year. Next year we will be starting from a relatively clean slate financially. Simply put, the cupboard is bare.

“Too much Microsoft oriented presentations”

The conference is run as democratically as we can. If you want to see more non-Microsoft oriented technologies then we need more submissions from people offering non-Microsoft oriented sessions and then we need enough people to vote on them.

We also had people asking for more consistent tracks and we do our best to work in a route through the agenda so that a person who has a high level interest in a particular area, say web technologies, has a route from start to end. But ultimately we can only work with what we have, and what we have are sessions that were submitted and a set of votes telling us what people want to see.

For the future

There are a number of points above that we will try to fix, just as soon as we can. For example, we’d love to keep you all properly fed and watered during the day. We’d love to do this more often, have an event every 6 months or a two day event. We’d love to vary the city.

For these things we need more sponsorship. Not just the variety where a vendor gives us free licenses. I’m not saying we don’t want that. We love to get items from sponsors to use as prizes or swag, it keeps things interesting during the day, but ultimately we need things we can use and the bottom line is mostly money.

If you have any ideas that will help up put on a better event, especially if it helps us solve the issues we currently have then please get in touch at support@scottishdevelopers.com

Agenda for DDD Scotland 2010

We have finally got all the speakers confirmed and the agenda sorted out for DDD Scotland 2010. Subject to any last minute changes this is is:

Time

Room A (80)

Room B (40)

Room C (40)

Room D (40)

08:45-09:20

Registration

09:20-09:30

Housekeeping

09:30-10:30

HTML 5: The Language of the Cloud (Craig Nicol)

Contractual Obligations: Getting Up and Running with Code Contracts (Barry Carr)

WCF Data Services (Iain Angus)

Team Foundation Server 2010 for Successful Project Management (Martin Hinshelwood)

10:30-10:40

Break

10:40-11:40

Exception Driven Development (Phil Winstanley)

Real World Application Development with Castle Windsor and ASP.NET MVC 2 (Chris Canal)

Get Going with jQuery (George Adamson)

T4 and How it Can Be Used for Code Generation in Visual Studio 2008/2010 (Rob Blackmore)

11:40-12:00

Break

12:00-13:00

Web Standards are Broken, and it’s Getting Worse (Sebastien Lambla)

A Guided Tour of Silverlight 4 (Mike Taulty)

Commercial Software Development Is Easy, Not Going Bust Is the Hard Bit (Liam Westley)

Defensive Programming 101 (Niall Merrigan)

13:00-14:30

Lunch time: Grok Talks

Lunch time:
Local Open Source Incubator

Lunch time: Sponsor talk

Lunch time: Sponsor talk

14:30-15:30

Getting Started with Behaviour-Driven Development Using Cucumber (Steve Sanderson)

Silverlight – Real World Gotchas (Ray Booysen)

What ASP.NET (MVC) Developers Can Learn from Rails (Paul Cowan)

Developments in MultiCode and Concurrent Programming with .NET 4 (Barry Wimlett)

15:30-15:40

Break

15:40-16:40

Real World MVC Architectures (Ian Cooper)

Cloud Coffee – A Year Developing on Windows Azure (Dominic Green)

C# on the iPhone with Monotouch (Chris Hardy)

Domain Specific Languages – What Are They and Why Should You Care? (Mark Dalgarno)

16:40-17:00

Closing

Developer Day Scotland 2009

Developer Day Scotland - 2nd May 2009There is less than 2 weeks until Developer Day Scotland 2009. There are still a few places left so if you haven’t got one, now is your chance. If you’re still not sure then read on.

Developer Developer Developer events are founded on a number of principles which I think makes it unique and well worth a single day of your time once a year.

DDD events are free. It doesn’t cost you anything to attend. Think of any large conference that you might like to go along to. They costs hundreds of pounds, if not more. Sure, we might not have all the bells and whistles of a big fancy conference, but at the end of the day what do you want out of an event like that? Do you want the glitz and schmaltz or do you want to learn something new?

Speakers from the community. We invite people that have something to say, a story to tell, or an experience to learn from. This year we had 84 session submissions from all sorts of folks and on all sorts of subjects. The majority of these people are real day-to-day software developers or DBAs that actually work for a living.

DDD events are democratic. All the sessions are voted in by the community, so we only put on what people have asked to see. This year the 84 sessions were whittled down to 20. We have 5 database sessions all lined up so if you are a DBA or database developer you won’t miss anything. We also have a route through the agenda for Web Developers. We also have sessions on languages (dynamic and functional languages as well as what’s coming soon in C#), processes and tools (such as scrum, virtualisation, TDD and refactoring) and architecture & patterns (such as MVC, MVVM and AOP)

No Marketing BS. The core philosophy for the sessions are that they contain useful information. Stuff that you can either take back and start using the next day or (if not yet available) to start planning how to move to that technology.

To paraphrase the Lincoln’s Gettysburg address, Developer Day Scotland is of the developer community, by the developer community and for the developer community.

Developer Day Scotland

Event Organisation – The Feedback

This is the first post in a series of random thoughts on community events that I’m writing based on my experience running a user group and the Developer Day Scotland conference.

In this post I’ll concentrate on receiving feedback.


Photo by Craig Murphy

 

First, I should like to concentrate on the management of feedback. If the event asks people to fill in feedback then it should be collated and returned to the speaker as soon as possible. For my user group meetings I try and ensure that when I get home afterwards I collate the feedback and email the speaker before I go to bed. The quicker the speaker can receive the feedback the quicker they can see how they did. The closer to the event the more they will remember and the better they will be able to evaluate the feedback effectively. For Developer Day Scotland I got the feedback out to all the speakers within 3 days.

If the speaker doesn’t receive their feedback after a number of weeks they they are most likely to have forgotten specific incidents during their presentation. The guy that writes “Loved the quip about…” or “It was most annoying when you…” has effectively wasted their time if you, as a speaker, can no longer remember making the quip or doing the annoying thing. The quip may have been an off the cuff remark made in the moment that you could have incorporated in to your future presentations – If you can’t remember it, then you’ve lost the opportunity to re-use it and entertain as well as educate. Similarly, if you can’t remember the annoying thing then the comment about it won’t help you so much. It isn’t easy to purge annoying habits if you don’t remember doing them or associate a particular habit as being annoying.

Bottom line on this point is to get the feedback to the speakers promptly. Devote time to collating it and delivering it to speakers. The sooner the better.

It’s all very well and good saying that but how do you turn around the feedback quickly?

If you have a paper based feedback system in place where you are collecting feedback after each session, you can have people help you input that into excel or a database. That will help you get the feedback processed quicker. In this case many hands make light work.

From personal experience, I don’t recommend the online feedback that happens after the event. This style of feedback takes longer because you are waiting on the attendees actually fill it in. Some might do it promptly, others might take their time, and some will just plain forget. From an organiser’s perspective, the online feedback may seem to be an easy win; it is much easier to collate as it is done online so the database is being populated by the actual attendees. Of course, as the feedback is filled in after the event the attendees recollection starts to fade.

If you want to get as many people to fill in the feedback as possible I’ve found that basing prize draws on the feedback forms submitted encourages more people to fill in feedback. For events such as Developer Day Scotland we had some prominent sponsors offer us developer tools as giveaway item. But smaller items such as books, T-shirts, mice can do just as well for user group meetings.

Having been responsible for collating feedback for a variety of speakers I’ve seen a fair amount of variety in the comments. However, I have to admit that I’ve never had a stunningly bad speaker at any of my events yet. For the most part feedback is positive. The audience generally really does want the speaker to succeed and will often give some leeway for things that go wrong that is out of the control of the speaker.

I’ve also found that there are a few really angry people out there who only ever give bad feedback. So, if you are a first time speaker and you’ve got one of those nutters at your session try not to take it too personally. I’m not going to go on at length about how to interpret feedback as Barry Dorrans, an experienced speaker at DDD and other events, has an excellent post on the subject on his blog: Is “bad” feedback the best feedback?

Finally, there is feedback form itself. What do you ask people? How do you want the results. There are two main types of answer, in my opinion. The first is the tick-the-box style where you just tick the box for the score out of 5 (or 10) on a particular aspect. The second is a question that requires a text based answer, a few words or a couple of sentences.

For the event organiser the questions that ask people to tick a box are often better because it means that when you collate all the feedback together you can rank the speakers. I did this for Developer Day Scotland (and published some of the results.) You can set a base line where you say, if anyone drops below this line they don’t get invited back, or if anyone goes above that line they are automatically accepted next time. Or, if you are like NxtGenUG you can use these scores to give out prizes to the best speakers.

From the speaker’s perspective the text based answers are often better because they give a greater variety of feedback and allow the evaluator to express themselves. This can be used to tell the speaker what they did well, to show appreciation, to point out a negative aspect, or to suggest a way to improve. The wide variations in what people can put would rule out giving them tick-boxes to mark off.

For the text based answers the questions have to be open. They have to encourage people to say what ever they want to say without constraining them into thinking that something isn’t important because it wasn’t asked for directly. I often reduce it to just two questions. “What did you like?” and “What didn’t you like?” And other times I’ll also include the catch all “Are there any other comments you’d like to make?”

Hopefully you’ve found this useful for your own events, or perhaps you have your own comments you’d like to add. Either way I’d welcome any feedback so feel free to leave a comment.

Feedback on Developer Day Scotland

I was recently one of the organisers for Developer Day Scotland (aka DDD Scotland) in Glasgow. It was on on the 10th of May and was the first of its kind in Scotland. I’ve also just finished putting together the event feedback for the various speakers and for the event itself. It is always interesting as a speaker when you receive your own feedback, and for me it has been interesting putting together the feedback for all the speakers to see what people liked and didn’t like.

If you weren’t at Developer Day Scotland and don’t know what it is I’ll explain it briefly. We had a conference in the centre of Glasgow based on the DDD events that are normally held at the Microsoft Campus at TVP in Reading. It was aimed at Developers mainly, but we also had a SQL track for DBAs. In total we had 132 delegates arrive on the day.

On the whole the comments were very positive. There is some room for improvement and we will be looking to improve in certain areas for next year. But there were some disappointing comments that suggested people either didn’t quite know what the event was actually trying to achieve or completely had the wrong end of the stick.

First, just to blow our own trumpet, some of the positive comments:

  • Good selection of sessions
  • Lot’s of T-shirts
  • It was free
  • It was on a Saturday (no time off work)
  • Well organised
  • Based in Glasgow

A small number of people commented on the location. Most comments were extremely positive because there have been very few (if any) events like this in Scotland, however, a couple were disappointed because it was so far from London. I have to say that from the point of view of people in Scotland the fact that the vast majority of conferences we see are located in the south east of England (in or within about an hour-ish of London) was actually one of the main drivers to bring the DDD format to Scotland. We had seen an increasing number of Scots make the trek south for each DDD and their only real complaint with it was the distance they had to travel. The DDD events will continue to be held in Reading for the foreseeable future and indeed DDD7 is going to be on November 22nd, but there are now regional DDD events (such as DDD Ireland and Developer Day Scotland) that will take place from time-to-time.

Some people were disappointed by the length of the sessions. They thought more time was needed as some speakers seemed to be compressing too much information into too short at time. I have to agree that in many cases the talk did need more time. There are a number of possible solutions to this. Speakers could indicate a length of time for their topic and we have variable length sessions. Obviously the logistics in this is more complicated, but it is doable. Another possible solution is to request all speakers prepare a longer talk. For some this will be good as their talk was a compressed version of a longer talk, but for others this may leave them with a large period of time at the end with nothing to do. We will work on this problem and try to produce something that allow speakers to run for the time they need to discuss their topic.

Another common bit of feedback was that it wasn’t so easy to tell what level each of the talks were at. Next year we will introduce a system where it will be easy to see what the prerequisites for a talk are.

One person wrote simply “not enough user interactions”. I’m not entirely sure what they mean by that, however, the experimental open spaces session we did at lunch time was very successful and we packed the room out, so we will aim to do more of these next year. Perhaps that will solve that particular problem as they tend to allow a lot of interaction between all the participants.

We had some comments about the fact that “all the sessions were based on Microsoft technology”. We did have some non-Microsoft based talks submitted, however the talks that appear on the day are voted in by the community. However, two of the talks we had on the day were in fact technology independent. We try and keep the process as democratic as possible. Hopefully next year we will get more non-MS topics submitted and more non-MS delegates voting on these sessions so we can have a more diverse programme of sessions available on the day.

We did receive some excellent feedback, but there is always room for improvement and I hope next year’s event will be even better. In the mean time, Scottish Developers will still be running events in the evenings.

Finally, I really must thank all those that helped out in the preparation and on the day. We had 15 excellent speakers without whom we would not have had an event at all. We had a number of people that helped put the day together including John Thomson, Martin Bell, Frank Kerrigan, Craig Murphy and Brian Hainey. And a number of people who helped out on the day including Duncan Lundie, Ged Mead, Beverley Hatchard and Catriona Mackay. Hopefully I’ve not missed anyone out.

Developer Day Scotland – The scores on the doors

Developer Day Scotland was last weekend and went very well. I’ve just finished collating all the speaker feedback and I’ve sent each speaker their feedback information (all anonymised). We had excellent speakers and I want to recognise the best speakers that we had on the day.

Was the session as expected?

  • Third place: Ben Hall
  • Second place: Barry Carr
  • First Place: Daniel Moth

Rate the presenter: Overall

  • Third place: Allan Mitchell
  • Second place: Guy Smith-Ferrier
  • First place: Daniel Moth

Rate the presenter: Slides

  • Third place: Richard Fennell
  • Second place: Oliver Sturm
  • First place: Daniel Moth

Rate the presenter: Demos

  • Third place: Guy Smith-Ferrier
  • Second place: Barry Carr
  • First place: Daniel Moth

Rate the presenter: Information

  • Third place: Oliver Sturm
  • Second Place: Guy Smith-Ferrier
  • First Place: Daniel Moth

How does the voting work for Developer Day Scotland

Developer Day Scotland is a BY the community FOR the community conference based on the Developer Developer Developer! community conference. We accept sessions from the community on any aspect of software development. When the call for speakers closes we go in to a voting phase. At the end of the voting phase we tally the votes and work out which speakers we need to contact to ask to speak, and which we need to contact to say sorry.

I’ve been asked by a few questions how we will be going about our voting process.

When the voting closes all the sessions will be ranked from most popular to least popular. The simplest thing to do at this point would be just to pick the top sessions. However, we want to ensure that a broad range of subjects are covered and that we get a diverse set of speakers.

If an individual speaker gets more than one session into the top set of sessions we will ask the speaker to hold the second session in reserve in order to give another speaker a shot at speaking. This may sounds like a strange thing to do, but we want to avoid “The Joe Bloggs Show” from emerging because a particular speaker has submitted a large number of sessions that are all quite popular. Also, if we have one speaker taking too many session slots we run the risk of having a big hole in our schedule if they were to be ill or have some other emergency on the day which prevented them from speaking. By the time the process is complete we would be looking at getting as close to as many separate speakers as there are session slots – one for each available session slot.

However, if two sessions that are broadly similar make it into the top list then the duplicates will be removed. We will try to be as fair as possible with this. If one of the speakers has another session that made it into the top list then their duplicate will be removed to give a chance to a speaker that may not have the opportunity to otherwise present.

Naturally, some speakers will have just missed the cut and others will have sessions dropped because of some kind of duplication. These speakers will be asked to come along anyway with their session up their sleeve just in case one of the other speakers has to drop out at the last moment.

At the end of the day we are aiming to get as much community involvement as possible. The process is part science in that the voting shows what people want to see and part jiggery-pokery in that we have to schedule all this into a day that works.

We have almost 30 speakers who have submitted sessions with over 50 session proposals in total. Inevitably there will be some disappointment for the speakers who didn’t get picked and we are very sorry that we have to reject any of the speakers as we have so many excellent sessions.

In the meantime the session voting is open, so vote for what you want to see.

 

 

Follow

Get every new post delivered to your Inbox.