DommincPettifer.co.uk
Abstract - I wanted to learn .NET and also find a way to promote my work to potential employees
and start my own blog. This website was the result. A fully dynamic web application built with ASP.NET in
Visual Studio 2005, with many sophisticated features such as blog search, user Poll, random image, RSS
Feeds, user commenting system and more.
Overview
This website represents my first foray into building a fully fledged web application using ASP.NET 2.0,
and written in C#. It includes many features including a blogging engine, blog search system, user comments,
user Poll, random images, support for BB (Bulletin Board) code and RSS feeds.
This website was built all by myself completely from the ground up. I could have used one of the many ASP.NET based blogging web application templates around (Dot Net Nuke et al.), but my goal was to learn ASP.NET.
Technical Details
From the outset I strived to use good coding and development practices for this site, as I have recently taken
an interest in Agile Development Methodologies and Design Patterns and good software architecture design.
I wanted to make this site as easy to maintain as possible, while reducing bugs, keeping the performance acceptable, and making sure the application is secure. So I decided to use an n-Tier (or is it n-Layered?) architecture for this site. It uses a dedicated data access logic tier that handles all database operations; you’ll never see database access code in the ASPX pages or code behind. The ASPX code behind kind of acts as the business logic tier at the moment, but as I learn more about best practices and software design, I hope to break this out into a dedicated Business Logic tier. The ASPX pages themselves handle all presentation duties. I have succeeded in keeping all C# code out of the ASPX pages and HTML mark-up (one of my favourite things about ASP.NET). This helps maintainability as presentation and code are kept separate.
The backend database used is SQL Server 2005. The database consists of 14 tables and is fully normalised. You can
see the full database ERM diagram on the left.
I know you must be thinking this is a hacker’s dream as I’ve given away the names of all my tables and columns, and that the destruction of my website is only a DROP statement away. However, I believe that a website should still be totally secure and safe even if a potential hacker has all the original source code, database scripts, Stored Procedures etc. and I feel I have achieved this by...
Favourite Features
A feature I am proud of is the user commenting system, as I have tried my best to keep out spam and make sure the
commenting system is secure.
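The email-activation step of this commenting system, issuing a 160-bit token for a comment and checking it when the emailed link is followed, sketched as an added example (not the site's own code). It assumes .NET 6 or later; the class and method names are hypothetical, an in-memory dictionary stands in for the comments table, and storing only a hash of the token is this example's choice.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: hypothetical names; the dictionary stands in for the comments table.
public sealed class CommentActivation
{
    private const int TokenBytes = 20; // 160 bits

    // commentId -> SHA-256 of the token; the raw token only ever exists in the emailed link.
    private readonly Dictionary<int, byte[]> _pending = new Dictionary<int, byte[]>();

    public string Issue(int commentId)
    {
        byte[] token = RandomNumberGenerator.GetBytes(TokenBytes); // CSPRNG, not System.Random
        _pending[commentId] = SHA256.HashData(token);
        return Convert.ToHexString(token); // 40 hex characters for the activation URL
    }

    public bool Activate(int commentId, string tokenHex)
    {
        if (tokenHex == null || tokenHex.Length != TokenBytes * 2) return false;
        if (!_pending.TryGetValue(commentId, out byte[] expected)) return false;

        byte[] presented;
        try { presented = Convert.FromHexString(tokenHex); }
        catch (FormatException) { return false; } // non-hex input from the query string

        // Compare hashes in constant time so response timing does not leak a partial match.
        if (!CryptographicOperations.FixedTimeEquals(SHA256.HashData(presented), expected))
            return false;

        _pending.Remove(commentId); // single use: a replayed link no longer activates anything
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        var activation = new CommentActivation();
        string token = activation.Issue(42); // 42 is a constructed comment id
        Console.WriteLine(activation.Activate(42, new string('0', 40))); // guessed token
        Console.WriteLine(activation.Activate(42, token));               // link from the email
        Console.WriteLine(activation.Activate(42, token));               // replay of the same link
    }
}
```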
For one, posting a comment requires the user to type a security code embedded in an image. The idea is to stop automated submissions from bots, as computers have trouble reading text contained in images (this uses dynamic image generation with GDI+). Also, once the user posts their comment, it requires activation via email: an email is sent to the user with an activation link that they click. This link contains a 160-bit activation token that corresponds to a key stored in the database for the comment, so the user can’t simply activate the comment themselves by jumping straight to the commentActivation.aspx page. They need a valid email address, and if they spam the comment section I can simply ban them by their email address. It’s by no means 100% foolproof but provides a decent level of protection to the user commenting system, without requiring the user to register with the site.
When paging through records (records 1 – 10, 11 – 20 etc.) the logic to implement this takes place at the database level, known as database tier paging, or custom pagination. This means that the database doesn't simply send all records (which could potentially be thousands) to the web application tier, leaving the web app to sort through them and just display records 1 – 10 on the page. Instead the database only sends the records the current request is interested in, 1 – 10 or 11 – 20 and so on. This cuts down on network bandwidth (if the database and web server are on different machines in different locations) and also improves the performance and scalability of the application.
Future Improvements
The web application is by no means complete. I still don’t have a content management system yet and all updates
are being made via SQL Server Management Studio IDE. The hooks to add a CMS are already there though and I
hope to implement this soon.
I would also like to implement keyword searching/tagging for the blogs similar to what Flickr does. I already have the tables in the database for this.
Finally, I have been studying Ajax for my Masters dissertation at university and so would like to implement some Ajax and DHTML capabilities into the website. One idea I have is a type ahead search that searches as you type, implemented for the main blog search system, similar to Google Suggest. I have many other ideas too, so you should gradually see many improvements to the site over time. If you have any suggestions or comments about the site please email me. Thank you!
Tools Used