I'm looking at adding SSPI security to the socket server code for a client; first stop is MSDN and the samples section. Although I can understand why the MSDN samples are generally just 'here's the API, this is the order you call things in, run along now', I think it would be nice if they were better; especially since I often find pieces of pretty much untouched MSDN sample code deep within clients' applications... I guess it's not really something for Microsoft and the MSDN team to provide though... Pity.
"The sample code uses limited error handling"
2 Comments
Whilst perhaps not directly equivalent, Howard and LeBlanc in their MSPress book "Writing Secure Code" say something very closely related. They say:
* Samples Are Templates
If you produce sample applications, some of your users will cut 'n' paste the code and use it to build their own applications. If the code is insecure, the client just created an insecure application. I once had one of those "life-changing moments" while spending some time with the Microsoft Visual Studio .NET team. One of their developers told me that samples are not samples--they are templates. The comment is true.
BTW the book should be read by all developers, particularly those developing server apps on Windows but also by those writing any app on any platform.
Alan
I agree. It's actually quite scary when you see some production code that is just a cut'n'paste of a sample with no error handling included...
I'd love to see the MSDN samples moving away from things that are put together to just show a minimum use of the technology to things that show how you should actually use the APIs properly (with error handling and with details of how to do the complicated things properly). I realise that this would cost more to produce but I think it would be worth it as people would be able to produce good apps for the platform faster (and the apps would be better)...
For something like Longhorn where all manner of things will change massively (for the better (we hope)) I think this is even more important...
I've just spent the day understanding SSPI by building C++ classes to wrap the concepts. A day of much enlightenment, but I wish there had been a sample that had done much of it for me... I guess the main problem is that there are a lot of different target audiences...
Len