
Advice for a beginner


spizotfl

MIS
Aug 17, 2005
345
US
Hi. I work for a small non-profit. We are looking to create a data entry system for stuff we need to submit to the state. We were thinking that using an ASP.Net based system would be a good way to go. We have multiple sites. Some of the users of the system, the data entry people themselves, are located within the main building on the domain. There will be other people who will be external and will, eventually, need to be able to access the system.
What I am wondering is what sort of things should we be looking at in terms of how to put this together? Most of the beginning books show how to show this control and how to validate that control, but the larger implementation details (or options, for that matter) aren't as easily found.
I would appreciate any advice or recommended resources to help get this project off the ground.
Thanks

"Maturity is a bitter disappointment for which no remedy exists, unless laughter can be said to remedy anything."
-Vonnegut
 
Well, typically beginning books focus on "Here's the web page that we are working on". The examples are geared to a single page. I figure navigation probably isn't all that big of a deal, but should the web pages directly interact with the database, or is it better to build some intermediate layers to handle that?
I guess what I am wondering is should this just be a single layer - web page to server - or is it better to make more layers? I am primarily concerned with the security aspect as the data will be sensitive. I think I could probably do the pages for the data entry that will occur locally without much concern, but the external access is what worries me.
Hopefully this clarifies somewhat, if not, I'll try and explain more.
Thanks.

"Maturity is a bitter disappointment for which no remedy exists, unless laughter can be said to remedy anything."
-Vonnegut
 
Generally, you should be looking at separating database access in a Data Access Layer (DAL). You would then have both a business layer (where you perform any logic) and a presentation layer (which includes the interface). This method makes it much easier to maintain and debug.

As for security, ASP.NET (version 2.0) comes with its own security controls which can be based on both users and roles, so you should read up on that.

Does that help?


____________________________________________________________
Mark,
http://aspnetlibrary.com

Need help finding an answer? Try the Search Facility or read FAQ222-2244.
 
A webpage is a webpage. Whether it's accessed from the intranet or the internet, the same threats exist.

You will definitely want an SSL cert for the IIS server so the data transmission is encrypted.

Having everything (controls, logic, data access) all within 1 form isn't a security risk because ultimately the user only sees HTML. Instead this can become a maintenance nightmare. I would recommend separate layers for DAL, BLL and PAL.

This could be as simple as separate files/folders within the App_Code directory (ASP.NET 2.0), or completely separate assemblies, all relating to the web app.

When creating a DAL remember to use parameterized queries to avoid SQL injection attacks. Example:
GOOD:
Code:
DataTable toReturn = new DataTable();
using (SqlConnection cnn = new SqlConnection(...))
{
   // the id is sent as a typed parameter, not spliced into the SQL text
   string sql = "select * from table where id=@id";
   SqlCommand cmd = new SqlCommand(sql, cnn);
   cmd.Parameters.Add("@id", SqlDbType.Int).Value = 1;
   cnn.Open();
   SqlDataReader reader = cmd.ExecuteReader();
   while (reader.Read())
   {
      toReturn.Rows.Add(...);
   }
}
return toReturn;
BAD:
Code:
DataTable toReturn = new DataTable();
using (SqlConnection cnn = new SqlConnection(...))
{
   // the value is concatenated into the SQL text; with user input in place of
   // the literal 1 this is the pattern that allows SQL injection
   string sql = "select * from table where id=" + 1;
   SqlCommand cmd = new SqlCommand(sql, cnn);
   cnn.Open();
   SqlDataReader reader = cmd.ExecuteReader();
   while (reader.Read())
   {
      toReturn.Rows.Add(...);
   }
}
return toReturn;

Jason Meckley
Programmer
Specialty Bakers, Inc.
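A fuller DAL method in the same spirit, as an added example that is not from the post above: it parameterizes the user-supplied value as the GOOD block does, and also handles the one case a parameter cannot cover, a column name chosen by the user for ORDER BY, by checking it against a fixed list. The class, table and column names (SubmissionRepository, Submissions, Id, ClientName, SubmittedOn) are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical DAL class for the state-submission records discussed in the thread;
// the table and column names (Submissions, Id, ClientName, SubmittedOn) are assumed.
public class SubmissionRepository
{
    // Identifiers such as column names cannot be parameterized, so a sort column
    // coming from the page is matched against this fixed list, never pasted in as-is.
    private static readonly string[] SortColumns = { "Id", "ClientName", "SubmittedOn" };

    private readonly string _connectionString;

    public SubmissionRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // Both arguments arrive from the presentation layer untrusted. The name prefix
    // becomes a typed parameter; the sort column is validated before it is used.
    public DataTable Search(string clientNamePrefix, string sortColumn)
    {
        if (Array.IndexOf(SortColumns, sortColumn) < 0)
            throw new ArgumentException("Unknown sort column", "sortColumn");

        DataTable result = new DataTable();
        using (SqlConnection cnn = new SqlConnection(_connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Id, ClientName, SubmittedOn FROM Submissions " +
            "WHERE ClientName LIKE @prefix ORDER BY " + sortColumn, cnn))
        {
            // The LIKE wildcard goes into the parameter value, not the SQL text, so a
            // quote or semicolon in the input reaches SQL Server as plain data.
            cmd.Parameters.Add("@prefix", SqlDbType.NVarChar, 100).Value = clientNamePrefix + "%";
            cnn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                result.Load(reader);
            }
        }
        return result;
    }
}
```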
 
Hi spizotfl,

Welcome to the world of application design. LOL!

If you are a small non-profit, then let's face it... you probably have very little capital to invest in hardware and licensing and such.

With that said, I'm just curious firstly about just how sensitive your data is that you are collecting. If the data were to find its way into the public, would that be terrible (such as names and SS numbers), or would it be no big deal because it is more like environmental research that is public anyway?

My second question is budget size. Can you afford at least one Windows server, one CPU license of MSSQL Server software, an SSL certificate (if needed), and a method of data backup such as Veritas with an SQL module? I'm thinking all of the above is probably going to run you about $4000 or so. If you need a copy of Visual Studio .NET then that is another $700 or more.

Application design is really about joining "need" with "available resources". If you can't afford the above, and the data is nothing too sensitive, then one option might be to use a hosted service model for your application such as is described in this link:

It sounds like an interesting and fun project for sure! :)


Senior Software Developer
 
Losing data or having compromised data would be a very bad thing.
Because of our setup, we are able to qualify for relatively inexpensive prices on the ms products we need, so that isn't a big issue. We can't afford to pay for someone to do this for us, but as long as nothing else breaks, we can take the time to learn how to do this right.
I figure that is the most important thing at this stage, learning how to do it right.
I appreciate the advice thus far, now I have some terms to search in google for (data access layer is a particularly rich search expression).
Thanks for everything thus far

"Maturity is a bitter disappointment for which no remedy exists, unless laughter can be said to remedy anything."
-Vonnegut
 
If your budget allows, I would purchase 3rd party tools for GUI/BLL/DAL, so you can focus on the business process rather than designing building blocks for the business process.

*FYI I do plug some of the 3rd party tools I use below. They are only for reference, not a sales pitch.*

GUI.
MS AJAX offers easy AJAX programming (though not efficient) and pretty control extenders which end users love.

Most applications require dates, so a quality calendar control is usually a good thing to have. ASP.NET has one, but it's clunky in terms of styling and postbacks. MS AJAX Control Toolkit contains a calendar control. Most 3rd party ASP.NET suites have their own calendar control too. Personally I use BasicDatePicker [www.basicdatepicker.com].

Many companies design enhanced GUI controls for .NET. Some of the bigger names I see advertised are:
telerik [www.telerik.com]
infragistics [www.infragistics.com]
component one [www.componentone.com]
dev components [www.devcomponents.com]
I haven't used any of these suites. They are more advanced than I need at this time.

BLL.
Business logic layers are either lacking, or $$$. This is usually the most customized section of the app as this is where the real work is done. 9/10 times this is home built because the requirements are so specific to the process. Some common BLL functions (audits, logging, error handling, security) can be found in 3rd party tools.

MS Enterprise Library comes with some Business Logic tools:
Exception Handling
Logging
Caching
Data Encryption (different from SSL encryption)
and a few others I believe.

I use the Exception Handling and Logging blocks in my apps. nHibernate is another logging application. I haven't used it, but it seems most developers I read about prefer this over MS Ent Lib.

DAL.
MS has an open source DAL with Enterprise Library 2.0 & 3.0. Castle also has one called ActiveRecord [www.castleproject.org]. Google "OR Mapper" or "Entity Relation Model" for more information (a lot more). I use a product called LLBL Gen Pro O.R. Mapper [www.llblgen.com].

Jason Meckley
Programmer
Specialty Bakers, Inc.
 
nHibernate is an ORM based on the very popular Java ORM Hibernate.

An alternate logging tool is log4net, based on log4J, also from Java.

And then there is unit testing.
For which I would recommend NUnit, but there is also MbUnit, csUnit, ... and Rhino Mocks.


Christiaan Baes
Belgium

"My old site" - Me
 
A most interesting thread.

Thank you, spizotfl for asking and to the rest for answering.
I'm in the same boat, but my company already has a lot of hardware in place.

I've always used 3rd party controls for everything. This is my first time using M$ controls.
 
Thanks for all the suggestions. Going through the tutorial on the asp.net site, so an extra thanks for that.

"Maturity is a bitter disappointment for which no remedy exists, unless laughter can be said to remedy anything."
-Vonnegut
 
Just my 2 cents. It may be worth the money to get a good ASP.NET book geared to get you off the ground. One of my first reads was ASP.NET 2.0 in 24hrs authored by Scott Mitchell.

Not too overwhelming, yet touches on all the aspects of this thread.
 