Serialization
I got a little sidetracked with a problem due to an assumption. What I am doing is returning a proxy to an object to my client. I started to think what would happen across my serialization boundary. I assumed that the serializer would access all the properties and send their values across the wire to be reconstituted on the other side. Well, I was wrong. What serialization will do is serialize all the private fields and move those across the wire and then repopulate all the fields on the other side (via reflection). This is clearly obvious now as...
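As an added illustration of the point above (not code from the original post), the following C# round-trips a [Serializable] proxy through BinaryFormatter, the formatter of the .NET 1.1/2.0 era. The class AccountProxy and its members are hypothetical names chosen for the demo.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

// Added example, not from the original post. Shows that the formatter copies
// private fields (never property values) across the boundary, and that
// [NonSerialized] is the way to keep a sensitive field out of the stream.
[Serializable]
public class AccountProxy
{
    private string _accountId;
    [NonSerialized] private string _sessionToken;   // must not cross the wire
    private int _getterCalls;                        // counts reads of AccountId

    public AccountProxy(string accountId, string sessionToken)
    {
        _accountId = accountId;
        _sessionToken = sessionToken;
    }

    // The kind of property one might assume gets "sent": its getter is never
    // invoked by the serializer, only the backing field _accountId is copied.
    public string AccountId
    {
        get { _getterCalls++; return _accountId; }
    }

    public string SessionToken { get { return _sessionToken; } }
    public int GetterCalls { get { return _getterCalls; } }
}

public static class SerializationDemo
{
    // Serialize to a MemoryStream and deserialize again, as a remoting
    // boundary would do with the bytes on the wire.
    public static AccountProxy RoundTrip(AccountProxy original)
    {
        BinaryFormatter formatter = new BinaryFormatter();
        using (MemoryStream stream = new MemoryStream())
        {
            formatter.Serialize(stream, original);
            stream.Position = 0;
            return (AccountProxy)formatter.Deserialize(stream);
        }
    }

    public static void Main()
    {
        AccountProxy original = new AccountProxy("acct-42", "secret-token");
        AccountProxy copy = RoundTrip(original);

        // The constructor does not run on the receiving side; fields are set
        // by reflection, so the [NonSerialized] token comes back as null.
        Console.WriteLine("getter calls on original: " + original.GetterCalls);
        Console.WriteLine("copy.AccountId   = " + copy.AccountId);
        Console.WriteLine("copy.SessionToken = " +
            (copy.SessionToken == null ? "null" : copy.SessionToken));
    }
}
```

Running it, the getter counter on the original stays at zero (the serializer reads the field, not the property), the account id arrives intact, and the token is null on the copy. The practical caveat for a proxy object is therefore twofold: any state the proxy fetches lazily through a property will not be present on the other side, and any private field you did not mark [NonSerialized] will be.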
Thanks!
I recently had the pleasure of speaking to the e-commerce class at DevStudios about input validation and hashing. It was a fun talk and I love the interactivity you get when talking to a smaller audience. Thanks guys!
.NET 1.1 & 2.0 Security Hole
An interesting bug has been found in the .NET Framework. Basically, if a null is inserted into a string and you manipulate that string through several different methods, then the data after the null will be dropped. For example:

    MailMessage message = new MailMessage();
    message.To = Request["to"] + "@legitserver.com";

If Request["to"] were something like i@spamvictim.com%00, the message.To property would become i@spamvictim.com instead of the expected i@spamvictim.com@legitserver.com.
The reason behind this is that .NET treats nulls as data, whereas the native calls that .NET uses behind the scenes treat nulls as string terminators (many languages internally terminate strings with nulls).
More info on this can...
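The defensive side of the bug above is to validate untrusted input before it is concatenated into anything that may be handed to a native, null-terminated API. The following C# is an added example, not code from the original post; RecipientBuilder and its methods are hypothetical names, and the domain is the one used in the post.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example (not from the original post). RecipientBuilder is a
// hypothetical helper: it allow-lists the untrusted local-part before the
// "@legitserver.com" suffix is appended, so an embedded NUL never reaches
// the native mail code where it would act as a string terminator.
public static class RecipientBuilder
{
    // Allow-list for the local-part. '@' and every control character
    // (including '\0') are outside the class; \z anchors at the true end of
    // the string so a trailing newline cannot slip past the way '$' allows.
    private static readonly Regex LocalPart =
        new Regex(@"^[A-Za-z0-9._%+-]{1,64}\z", RegexOptions.Compiled);

    public static bool IsSafeLocalPart(string untrusted)
    {
        if (untrusted == null) return false;
        // Explicit NUL check first: managed string methods keep '\0' as data,
        // which is exactly why it survives until a null-terminated buffer.
        if (untrusted.IndexOf('\0') >= 0) return false;
        return LocalPart.IsMatch(untrusted);
    }

    public static string BuildRecipient(string untrusted)
    {
        if (!IsSafeLocalPart(untrusted))
            throw new ArgumentException("recipient local-part rejected by allow-list");
        return untrusted + "@legitserver.com";
    }

    public static void Main()
    {
        // Constructed inputs. The second is what Request["to"] decodes to when
        // a client sends i@spamvictim.com%00; the third carries a newline.
        string[] samples = { "alice", "i@spamvictim.com\0", "bob\n", "carol.smith" };
        foreach (string s in samples)
        {
            string shown = s.Replace("\0", "\\0").Replace("\n", "\\n");
            Console.WriteLine("{0,-22} safe={1}", shown, IsSafeLocalPart(s));
        }
        Console.WriteLine(BuildRecipient("alice"));
    }
}
```

Two design points: the NUL check is kept separate from the regex so the reason for rejection is explicit in code review, and the allow-list excludes '@' entirely, which removes the whole class of "supply a complete address" inputs rather than just the null-truncation variant.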
Vancouver Follow Up
I wanted to thank the Vancouver user group for having me out to speak. It was a great experience and a surprising turnout considering that the weather was just great outside! As I said in the demo, you can download the code, database and slides here. The demo web site also implements some other features that I did not get to talk about due to time constraints. The biggest one is a custom security level (the web.config has a policy named demo and a demo.config file with the policy in it). I wanted to talk about this...