"The sample code uses limited error handling"


I'm looking at adding SSPI security to the socket server code for a client; first stop is MDSN and the samples section. Although I can understand why the MSDN samples are generally just 'here's the API, this is the order you call things in, run along now', I think it would be nice if they were better; especially since I often find pieces of pretty much untouched MSDN sample code deep within client's applications... I guess it's not really something for Microsoft and the MSDN team to provide though... Pity.


Whilst perhaps not directly equivalent, Howard and LeBlanc in their MSPress book "Writing Secure Code" book say something very closely related. They say:
* Samples Are Templates
If you produce sample applications, some of your users will cut 'n' paste the code and use it to build their own applications. If the code is insecure, the client just created an insecure application. I once had one of those "life-changing moments" while spending some time with the Microsoft Visual Studio .NET team One of their developers told me that samples are not samples--they are templates. The comment is true.

BTW the book should be read by all developers, particularly those developing server apps on Windows but also by those writing any app on any platform.


I agree. It's actually quite scarey when you see some production code that is just a cut'n'paste of a sample with no error handling included...

I'd love to see the MSDN samples moving away from things that are put together to just show a minimum use of the technology to things that show how you should actually use the APIs properly (with error handling and with details of how to do the complicated things properly). I realise that this would cost more to produce but I think it would be worth it as people would be able to produce good apps for the platform faster (and the apps would be better)...

For something like Longhorn where all manner of things will change massively (for the better (we hope)) I think this is even more important...

I've just spent the day understanding SSPI by building C++ classes to wrap the concepts. A day of much enlightenment, but I wish there had been a sample that had done much of it for me... I guess the main problem is that there are a lot of different target audiences...


Leave a comment