|
Dunno if it's best to post this here or in the Web Design thread, but here goes. I've just been given a lovely petard to hoist myself upon, or (god willing) do something kickass from scratch as a Jr level dude. I'm to make a little console app to consume a web service that I will also be creating. Doesn't sound too bad, does it? I mean, I get to use .NET throughout, and the boss even realizes that I'm gonna take hella longer than his experienced web person would, since he wants me to learn. He's also not a programmer at all. Console app part isn't hard. Hell it would be super easy if the guy who was supposed to do the web service did so and didn't dump "oh hey see you in two weeks!" on me. What I'm going "ohshit I don't have a sr guy around I'm doing this by myself oh god what if I blow it up" about is that I've never made a web service before, never worked on a production website, or for that matter handled bank account numbers and credit card numbers or other Very Important Things. There are of course tutorials out there, but best practice and common sense only comes with experience, of which I have none. My current idea is as follows:
I feel like an idiot. This is the first time in a while I've not known how to get going with a project.
|
#
¿
May 29, 2013 20:12
|
|
|
|
| # ¿ May 22, 2024 08:47 |
|
|
Ithaqua posted:You didn't give any information on what the components are actually supposed to do. Basically, there are two tables that my desktop app will look at when called by our main program. It will send them to a DB behind our website through a web service I will be creating, mostly doing inserts. Updates will only be required for a few transactions, IIRC only vcard stuff. AFAIK Checks/ACH/etc just, well, GO and don't have final authorizations or anything. A lot of the specifics about what goes on behind the web service up in the website is still a black box to me due to various circumstances and I mostly just want to get my data into two corresponding tables in the website's DB. Ithaqua posted:Start reading up on WCF web services with https binding, that should get you pointed in the right direction. Any good sources besides the MSDN? That's a good starting point at any rate. I think I just have some frazzle/freakout going on since I did not expect to get as much as I did. This must be a rite of passage or some poo poo. Ithaqua posted:[edit] For "getting started" purposes, just get a web service going minus encryption. I think a big "ARGHHH" I'm having now is I can't find where the drat web guy put the project file for the website, so I'll just be doing a by itself mockup, which means having to create.... a new frigging DB, and other things. A lot of my frustration is because I'm the only guy in-house. Everyone else is doing this all remotely with their own little fiefdoms and I'm the greenhorn/FNG trying to make everyone play nice and open up, and there's a lot of stalling involved while I wait on other people. That said, I'm still a 1099 myself! I'd much rather be at home with my goony huge monitor and ergonomic things right now but that's a totally separate issue and I'm venting.
|
|
#
¿
May 29, 2013 20:52
|
|
|
It could just be the wrong version of the framework if he hasn't updated it.
|
|
#
¿
May 29, 2013 20:55
|
|
|
Man we're on a roll with info-lacking "I have a problem  " today.
|
|
#
¿
May 29, 2013 21:01
|
|
|
Ithaqua posted:Silly question, potentially: What's the rationale behind hosting it as a web service? Right now the way we do "endUsersLocalMachine wants to upload data to our website's SQL" requires all sorts of bullshit with the firewall, hard-coding every IP involved to let them get access to our DB for a DB to DB connection. We want something secure as possible that is a lot easier to use, and just lets someone with our software and the right credentials do it, and only that. We also want to make sure that it's write only; they'll go through the website itself to see their remittance data, not through accessing the DB itself. So, I and the remote guys decided "Oh, hey, web services and stored procs and such seems like a good idea." Then the web guy's primary job went YOINK and here I am.
|
|
#
¿
May 29, 2013 21:14
|
|
|
 you goons. Help me get a job then help me do the job.I love programming.
|
|
#
¿
May 30, 2013 03:27
|
|
|
And now babby's first thing-that-must-be-secure-and-will-go-into-production. I've been playing with WebAPI and there's all kinds of stuff I've seen for POSTing data to it, or big bulk file uploads, or poo poo with Azure, and serialization with json or xml or whatever. That's all fine, but not exactly what I'm looking for. What I AM looking for is a way to securely (as much as is reasonable) send small (a meg at most, honestly, and even that is big) send files from a C# console app to the WebAPI that I'm developing, and XML/JSON serialization just makes the stubble on the back of my neck raise up. Can I REALLY send rows from two tables that contain checking account/CC numbers securely if it's done through some kind of encryption layer? How do I call that? What I want to know is what kind of connection I can pick to put into the WebAPI's controller that would be good for having sql rows or data tables or serialized lists of objects that would be easy to set up for the WebAPI, the console app that's sending the stuff, and not be a pain to test or debug and log. The senior guys here have said line by line is better than a datatable, so I'm going to do that unless a goon here gives me a good reason not to. I'm glad to be able to play around like this, but I'm still green as poo poo, and it's making me a little paranoid of security, honestly. I've done desktop stuff with C#/.NET and am very comfy with that, and I've done some VERY minimal WebForm stuff. This is all very new to me and I feel lost and like I'm easily going to gently caress something up, bad, if I don't cross my t's and dot my i's over and over.
|
|
#
¿
Jun 3, 2013 15:25
|
|
|
Ithaqua posted:You don't want to send files, and you don't want to serialize data tables or data rows, either. You want to have an object that represents your data that's passed from your application to your service. Passing a table/datarow with an uncertain structure means that your service is tightly coupled to the source of the data. You don't want that. What if a field name changes? What if the structure of the data changes? It means you have to change two things: The service AND the application that consumes the service. If you have a strongly-typed object that represents a contract between your application(s) and your service, you just make sure that the data fits in the contract object and you're golden. The service never needs to change unless you have to add more functionality to it. Well, that's just it. I've made a class for each table which is basically "tablenameRow" and set my properties to the relevant SqlDataTypes. I make an object for each row, basically. My little console app will be creating them from a local table and then sending them to the web service. I apologize for not being more clear. What I'm wondering is how to set up the webservice to expect such objects to be passed to it, and how to pass them securely. Back to google!
|
|
#
¿
Jun 3, 2013 16:14
|
|
|
uXs posted:If you're not a security expert you should stay as far away from credit card handling as you can. Let someone else do it. You literally told me to quit my job, just FYI. What I'm doing is keeping track of payments that were handled already for remittance/record keeping, not actually sending it to the payment processor. If that's still a danger, welp! If it makes you feel any better one of the other contractors is going to look it over before this goes anywhere near production. Then again, he's 450 miles away, and this feels like something way out of my league. Am I liable for this stuff? Is this a situation where I really should say "$BOSS, I have to recuse myself, sorry, get mad if you want but I'm not facing liability." ?
|
|
#
¿
Jun 3, 2013 16:32
|
|
|
zokie posted:If none at your job at least mentioned PCI-DSS quoting your job might not be such a bad idea. PCI-DSS? What's that?  My boss is a very hands-off, just do it kind of guy who does not know computers at all. He basically bought this business off of an associate of his who was just milking it, not getting new clients or updating anything. He's turning it around, getting new customers (great at sales!) and such, but basically all the dev work and IT work is done by contractors who are remote with the exception of myself being the jr dev in the same office, and one of the IT people being close enough to show up to work too. Everyone else is far, far away. The Web Guy has a lot of experience but is away for the next two weeks with his main job so I'm doing the web side of it. The Senior guy working on the old product itself has 20 something years experience but is doing this as a side gig, too. I doubt he has much web experience. Is "biz guy hires tons of contractors" a common 'thing?'
|
|
#
¿
Jun 3, 2013 16:42
|
|
|
uXs posted:If you're a junior dev, you definitely should not be handling credit card data. When I find full time, I think I might want to just run. I have no ethical problem with getting the general scaffolding of this set up, but I can't in good conscience let it get deployed until someone who knows what they're doing looks at it all. I need to find a classy way to do this as a professional, and not just leave a dear john and run for my life. I also might as well get paid to practice on web api poo poo, though. Anyway gently caress contract work.
|
|
#
¿
Jun 3, 2013 16:49
|
|
|
Uziel posted:Oh boy: So just how far does liability go? To the business? To anyone working on that part of it? Like, do I have a good reason to say "Hey, sorry, I'm done, here's why" or can I keep plugging away at this and then say "don't deploy this until XYZ happens" and stay busy?
|
|
#
¿
Jun 3, 2013 16:50
|
|
|
uXs posted:Do you actually need those credit card numbers? No other way of identifying customers? We kind of are that processor. Or at least we're a middleman giving it to them. Not sure of the proper terminology. We're getting the information from their own accounting software; we read it into our own software to just automate the billing and tracking and record keeping. What I'm doing is taking copies of that data, sending it to a DB that's on our website, and setting it up so we can offer them a web portal that lets them look at their remittance data, as well as their payees. Yeah I feel exceptionally in over my head right now.
|
|
#
¿
Jun 3, 2013 16:54
|
|
|
Essential posted:When you dig into PCI-DSS you realize how tight they are, for instance you can have NO unencrypted at rest credit card numbers. Meaning, if you are doing record keeping you need to make sure the credit card numbers are encrypted. This includes having credit card information written down, you cannot do that either. Nor can you have credit card information recorded on voice. There are a few time-limited exceptions, such as if you must write down a credit card number to process a sale, you have something like 24 hours to process the sale, then the paper must be shredded. What does at-rest mean? We're getting it plain text from their billing software locally, then the little console app will send it to the web service, then send that to the db on our website. Do you mean that our customers need to store their stuff encrypted on disk? Or do you mean the actual strings in memory have to be encrypted?
|
|
#
¿
Jun 3, 2013 16:56
|
|
|
Dietrich posted:Oh god. The senior guy is very much into "KISS" and shoots those ideas down a lot. They don't even like when I suggest more thorough testing or validation of data. Did I mention I'm junior as poo poo? Is learning to not be a lovely programmer always something that starts with realizing you're a complete idiot about more than trivialities and school didn't prepare you for poo poo? I feel that the only good thing I'm doing right now is realizing I need help and that I can't get it at this workplace. We don't even have source control.
|
|
#
¿
Jun 3, 2013 16:59
|
|
|
Ithaqua posted:This is totally unacceptable, especially for a team where most of the members are working remotely. I feel like I'm getting a crash course in how NOT to develop. Holy poo poo. Also to everyone w/r/t PCI stuff: we only get the last four digits of data. Clients can store however they want but what my stuff will be seeing is only masked data. Phew. The fact that I had to go bug my boss instead of having this info given to me is also making me kick myself for taking this job.
|
|
#
¿
Jun 3, 2013 17:03
|
|
|
The way things were was SrGuy is doing his poo poo with the legacy code, and WebGuy is doing his poo poo with the website, and all things were essentially separate. Looks like getting people on source control and getting some better testing/design implemented might be good experience and resume padding, at the very least. Blaaaaaaah I can't wait for a better ran shop.
|
|
#
¿
Jun 3, 2013 17:35
|
|
|
Conf call revealed they had a SVN all along when I brought up TFS. Thanks for the suggestion, though! Too bad I can't get set up for it until 5 pm tonight when the sr guy is done with his main job. Right now I'm figuring out the best way to do what dietrich suggested, and separate the code for "move the data from that desktop to the web service" from "this is what the data is and where it goes." Would having the class define "this goes here and that goes there" while having the client just send the object to the web service, and the web service call a method defined for the object's class to do the "poo poo goes here and there" for the sql insert/update work, or am I not looking at it the right way? Not being able to even get into the projects for the existing stuff is frustrating. The fact that I am VERY new to web stuff is also frustrating. Sink or swim is not very fun!
|
|
#
¿
Jun 3, 2013 19:32
|
|
|
That's what I was doing  I either need to learn better lingo or work on my grammar. Or both. I didn't understand Dietrich, or, I explained it badly.
|
|
#
¿
Jun 3, 2013 20:41
|
|
|
Just got home and I have to take a call in a few, so I just whipped up something cheeky to see if I get the point or if I'm missing it. http://pastebin.com/kMCNff5B When I'm back at work I could get some code, but you asked me after I left for the day. Hey at least an interview is tomorrow where they have actual senior people and they're actually in the same state (and room!) as me, hooray.
|
|
#
¿
Jun 3, 2013 21:41
|
|
|
Ithaqua posted:See, you're doing the thing I said not to do. Your model class should be acted upon, not take actions. The only purpose your model has is to structure your data appropriately. Okay, the model should just be properties/getters/setters, period - are constructors acceptable or should there be a factory method? Dietrich's advice to make there be less places I'd have to make changes to behavior if the table changed made me think I should tie that in with the objects themselves. If the Controller handles "looks at model and then does the SQL insert/update" and the desktop app does "turns the local data from the DB into the model" then I'd have two places to change it. There's not a great deal of logic there to worry about, so I'm not concerned. Hell, everyone at work insists it won't change at all and if it does it would be once in a blue moon at most, so I'm not worried about that so much as learning how to do it how good programmers expect things to be written. I feel like I either completely misread something or the fact that my work does not use orms and tends to lean on stored procs is why I'm being guided into this style. Or there's something else I'm not getting, or I wasn't ever supposed to centralize "making objects of the model" and "doing a thing with that model object" in the first place.
|
|
#
¿
Jun 3, 2013 22:22
|
|
|
Is there any way to use postAsJsonAsync with a List<> of some object to a web API? I'm not going to be sending enough that it would be a bother to just loop over a list and send each object one at a time, but it feels better to do that instead. Is looping over the list posting each object an especially bad idea? I'm also wondering if I could just make OneBigPayloadObject to do the same, and how much of a good idea/bad idea/horror/hilarious example of my naivete down the road it would be. I also really don't "GET" HTTP POST/PUT/GET yet, since I've never done web before. Is there a good primer to read that explains in plain english what I'd need to know if all I want to do is "send some lines of a SQL db via JSON to a controller which will ins/update to a db on the server" ? It's really simple stuff and doesn't have to be up to par with gang-of-four, at least not for now. I'd rather get it working first and then get it to something I could show off with any time left at this job. Nothing like being completely out of your element to get a big dose of imposter-effect mixed with realizing you don't give up easily, but hey, that's the name of the game isn't it?
|
|
#
¿
Jun 10, 2013 17:29
|
|
|
Transactional integrity IS important, so I'll be doing all at once. Apparently it would send any plain old object as is, but if I want to put it in a list I have to actually give the objects I put into the list a serializable attribute. I think. Time to find out!
|
|
#
¿
Jun 10, 2013 18:02
|
|
|
Now apparently Sql Datatypes don't work? quote:{"Error getting value from 'x_iIntMin' on 'System.Data.SqlTypes.SqlInt32'."} All google supplied was the source code for the type and I get this snippet: code:
|
|
#
¿
Jun 10, 2013 18:22
|
|
|
The general strategy I was using was to simply make instances of an object representing a row from the table that I want to upload, serialize a list of those rows (the lines from the table I'm sending), send it up to the server, then run the insert/update script/proc/what on that those lines. I take it I'd be better off making an object for transmission that was just plain old integers strings dates and such, then? Dumb, dumb question: since I want to serialize and send sql data, what's so bad about doing exactly that? Is it just bad practice? What's the reason that I should never do that?
|
|
#
¿
Jun 10, 2013 18:52
|
|
|
Literally just getters and setters, a constructor, and the properties themselves, period. Though I used stuff like SqlInt32 vs just int, or SqlString vs String, etc. Not sure if it's NDA-kosher to paste a representation of a schema of a table.
|
|
#
¿
Jun 10, 2013 19:14
|
|
|
So I should store things as "plain old" ints/strings/whatever, and then cast to SqlTypes when it gets to the controller? And yeah I don't think I'm quite dumb enough to post stuff that is sensitive on SA.
|
|
#
¿
Jun 10, 2013 19:28
|
|
|
My job literally just called me posted:
I don't even know what to say. Edit: I literally don't know if I'm on a candid camera thing or if everyone thinks I'm trolling but I'm serious, that's what I'm being paid to do right now. Fuck them fucked around with this message at 23:14 on Jun 10, 2013 |
|
#
¿
Jun 10, 2013 22:44
|
|
Nothing, why?
|
So is there any way to format a string of the format "1900-01-01 00:00:00.000" as DateTime? Is it actually NULL and I'm just not in the loop? Ugh.
|
|
#
¿
Jun 14, 2013 17:11
|
|
|
JawnV6 posted:Haven't actually used it, but does DateTime.TryParse() handle it? I was thinking I could just take a SQL datetime to a .NET Datetime and used .Parse, not .TryParse. I guess I can just have an IF statement to catch bad dates and put something else in there, but I do wonder why that particular time is wrong - is it the value or the format? ARGH. Edit: Okay it seems to be NULL. Why then can't it read a string that is something and not NULL and just pass that along or whatever? Fuck them fucked around with this message at 17:19 on Jun 14, 2013 |
|
#
¿
Jun 14, 2013 17:17
|
|
|
The actual line of code to parse the string is basically: CultureInfo enUS = new CultureInfo("en-US", true); DateTime.ParseExact(row[2].ToString(), "dd/MM/yyyy hh:mm:ss tt", enUS), (It's a parameter being passed to a constructor, no I don't have a missing semicolon ) When I print the string that comes out of a .ToString() call for row[2], I get "1/1/1900 12:01:00 AM" Why 1/1/1900 12:01:00 AM is not dd/MM/yyyy hh:mm:ss tt is lost to me 
|
|
#
¿
Jun 14, 2013 17:33
|
|
|
ninjeff posted:Are you reading out of a SqlDataReader? If so, why do you need to parse anything? If the column's type is nullable datetime then you can do something like this: reader.IsDBNull(0) ? new DateTime?() : reader.GetDateTime(0). I've basically been cargo-culting and googling how to do my job as a sole jr dev with nobody around within 500 miles at my present and over at the end of today job, so I've just gone from memory and whatever tutorial I've stumbled on. I used SqlDataAdapter to fill a DataTable, and now I'm reading off each element of each row from the DataTable and casting as strings. I should be able to parse a drat string as a DateTime and I've never had this much trouble doing so before.
|
|
#
¿
Jun 14, 2013 17:35
|
|
|
Dietrich posted:Let me echo the importance of using DateTime? instead of DateTime for nullable date columns in SQL. If you don't, you'll end up with a bunch of 1/1/1900 dates in your database and stupid logic to control them. It is a date time. I've had trouble with the typing being correct so I thought "screw it, just make it a string!" because I just want to get done and move the hell on. I guess I need to pull everything from SQL in a way that preserves types, but then I have to cast those SQLTypes to a serializable type before I serialize it because serializing SQL data types is apparently bad.
|
|
#
¿
Jun 14, 2013 17:43
|
|
|
Dietrich posted:You want to use a SqlDataReader to read data from tables, and that thing has extension methods that will spit out the standard datatypes. You should not have do to any of this manually or even think about it. I'm working with ancient code and lazy, remote devs for all of 4 more hours, and then I'm gone, soooooooooo...  I'm never going to take this kind of a job again. Fuuuuuuuuuck. Time to gently caress with SqlDataReader then. Edit: So I try reader.GetDateTime(2), and VS says I should put it to a string and parse it first The row is date time. That parameter for the constructor for my model is date time. GetDateTime is supposed to be date time. Why does it want me to make it a string? Fuck them fucked around with this message at 18:05 on Jun 14, 2013 |
|
#
¿
Jun 14, 2013 17:49
|
|
|
Oh dear god I was mistaken as poo poo the entire time. I broke down every row into it's own variable to step through, and the problem was trying to take a string to an int, and not knowing how to handle a NULL from the DB Ugh. The DateTime went through just fine! Why the error was something to do with that is beyond me, I might have hosed up the argument order for that constructor I was putting things into. poo poo. So, uh, how do you handle NULL coming from the db. That (Type?) trick? Edit: At least my poo poo works when there's data in the row and it isn't NULL. I can't believe I wasted so much time on this
Fuck them fucked around with this message at 18:17 on Jun 14, 2013 |
|
#
¿
Jun 14, 2013 18:13
|
|
|
I'm done here in a few minutes wooo When I get my final paycheck I need to go get some books already. I can't thank everyone here enough, seriously.
|
|
#
¿
Jun 14, 2013 18:36
|
|
|
So the project I'm in now WAS using Entity, now it's not, and I'm basically navigating my first ever big project with abstraction layers and hundreds of files, etc. It was 555 the first time I checked VS's count. Hah. Since I don't have the VS edition where I can just go "make me a call graph" I'm doing it myself, and I can't find very cleanly where the bubbling up from the controller for "make a drat record and put it in the goddamn db dammit" actually reaches the methods that actually touch the database oh so intimately.If it matters, the project is VB.net (The state that gave us the contract said so, not us!). Are there any free tools out there or do I just get to play "memorize key combos for definitions and references" and click methods all day and let it just coalesce? I know how each part works, but I can't find where the hell the business object is passed to the function that takes the properties of it and sticks them into command.Paramaters to send to the stored proc. It's like there's the business object generation track, and then just sitting elsewhere there's something waiting for it, but I can't find where it's actually passed 
|
|
#
¿
Jul 3, 2013 16:36
|
|
|
Dietrich posted:You sure there isn't some sort of dependency injection going on? I'm pretty sure there is a good object model behind there, since my team lead was big on making sure I knew that before making big changes, and would be mentoring if he didn't get sick-as-a-dog. I also say this because there's some pretty clear this->that->the_next_thing going on, it's just that I see two chains which don't 'talk'. No Safe Word posted:Yeah frankly if F12 (Go to definition) and Shift+F12 (Find all references) don't cut it, the easiest way to actually dig through the execution path is to attach the debugger and step through it all, which will cover you in the cases of dependency injection and any other sort of indirection. Gonna do that! Thanks! Ithaqua posted:NDepend. There's a 14 day trial. Gonna do that after I try it the step-thru way, thanks for the find!
|
|
#
¿
Jul 3, 2013 17:51
|
|
|
Dirk Pitt posted:I have some terrible dependency graphs in an application I wrote last year before I wizened up to DI and the factory pattern. It has a feel for my newbie self to be more than decent. The only thing that makes me go "WTF?" is two files named (A_Thing_I_dunno_if_I_can_talk_about)Repository.vb, though one is a business object, and the other is a service, and in totally different parts of a BIG project.
|
|
#
¿
Jul 3, 2013 18:28
|
|
|
|
| # ¿ May 22, 2024 08:47 |
|
|
Even with NDepend I can't manage to get a graph from the controller going "HEY, MAKE THIS AND PUT IT IN THE DB " and a chain of calls to where a method goes "OKAY! LOADING PARAMETERS AND CALLING THAT STORED PROC!  "Now, on the other hand, I CAN do this with step-in debugging. Maybe I'll just do it by hand? Ugh.
|
|
#
¿
Jul 3, 2013 19:32
|
|