.NET Developer’s Association

I’m heading over to the .NET Developer’s Association meeting tonight to hear Jim Blizzard tell us all about IIS 6.0.

In related news, since the 3rd Monday this month is so close to Christmas, there won’t be a Seattle VFP Users Group meeting this month. In January, David Anderson will be continuing his data series with a talk about Remote Data improvements in VFP 9.0. See you then!

Posted by Garrett on December 6th, 2004 in Programming, Seattle VFP SIG, VFP | No Comments

Seattle VFP SIG May meeting

Last night, we had a doubleheader: Carole Shaw of the Fred Hutchinson Cancer Research Center, and Robert Scoble, Microsoft Geek.

Carole spoke about how she had created a data dictionary service to help her work with temporal data - data with a time component, so that you track not only how things are, but how they used to be, with either a time or a state attached to the data. In her field, data is frequently refined as you go along. Her main example was a questionnaire that she had put together. In one version of the survey, the answer to the menopause question was yes or no. In another version, it asked age ranges, so that “yes” in one version was the same as “30 or younger” in another. Another example of date-based changes is when a test is changed during the course of a survey, so that the results that are returned are slightly different for each population. The data dictionary she wrote is a collection of collections. It stores context, entities, rules, attributes, and properties for various pieces of data. Whenever the meaning of the data changes, she can rebuild the dictionary to reflect the new states. Each record in the data has a version stamp, so it can be associated with a particular context in the dictionary.

She also talked about the challenges of sharing data among various groups, all of whom want it in a different format. Visual FoxPro is a good tool for converting data between the various formats.

After a break (well, during, actually), Robert started his talk. After riffing on TabletPCs for a while, he started explaining what the big deal with blogs is. His 5 points are:

  • Easy to do
  • Discoverable
  • Live feedback (referrer, etc.)
  • Permalinking
  • Syndication

First, blogging is easy. You can go to a site like Blogger.com, sign up, choose a template, and then just type, without knowing anything more about the web.

You aren’t just blogging in a vacuum: there are established ways for people to find what you’re talking about. Weblogs.com is a site that you can ping whenever you make a new post, so that people know you’ve got something to say. Sites like Feedster and Technorati index blogs so you can see what other people are saying on the topics you’re interested in.

Many blogging tools have feedback mechanisms like Trackback and referrer logs built in, so you can see that people are linking to you, and what they say. Referrer logs are a traditional part of the web: they show what on your site was looked at, and how the viewer got to you. Trackback is more specific to blogs: it’s a method to tell a blog, “Hey, I just linked to you!”

Part of the above is permalinks. Instead of linking to the top of a long page, each blog entry has a link associated with it, so you can go right there. With permalinks and the above tracking tools, you can carry on a conversation across two or more blogs.

Arguably, what’s really made blogging take off is syndication. This allows you to create a summary of your blog that can be imported by specialized tools and read in a single place, instead of needing to hit multiple web pages. Tools like NewsGator or RSSBandit on your desktop, or Bloglines on the web, allow you to see when people have updated their blogs without needing to go to the sites and evaluate for yourself if there’s anything new to read. Robert tracks 1400 blogs in NewsGator: I track a significantly smaller number in Bloglines.

Afterwards, he talked a bit about the coming features in Longhorn, and how they’ll affect us as developers and users.

Next month’s speaker will be Richard Stanton again, and he’ll be showing us more about Reporting in VFP 9.0. Hopefully, the public beta will be out by then so everyone can go home and play with the stuff he shows us. :-)

See you on June 21st! :-)

Posted by Garrett on May 18th, 2004 in Blogging, Scoble, Seattle VFP SIG, VFP | No Comments

Scoble speaking to Foxers tonight

At tonight’s meeting of the Seattle Visual FoxPro SIG, Robert Scoble will be speaking about blogging and RSS. Everyone’s invited!

Posted by Garrett on May 17th, 2004 in Blogging, Scoble, Seattle VFP SIG | No Comments

Seattle VFP SIG April meeting

Last night, the Seattle VFP Users Group learned a lot about SVG, or Scalable Vector Graphics, from Lauren Clarke of Cornerstone Systems Northwest.

SVG is an emerging technology for Data Visualization and Navigation, as well as Process Navigation. It’s an application of XML, which means that all the SVG markup is valid XML as well. It’s used for drawing vector-based shapes and text, along with images. To view it, you can download a plug-in from any of several sources. The one that Lauren uses comes from Adobe. SVG is similar to Microsoft’s VML: one of the primary differences is that VML renders natively in IE, without requiring a plug-in. However, the momentum seems to be behind SVG at the moment.

He started off by demoing a form with an SVG map of Africa, and a grid showing the countries and population. He was able to drive the app from either side — either clicking on the map to select the countries in the grid, or clicking on the grid or doing queries to highlight the countries on the map.

He also showed a Fox report that used SVG to build monthly sales reports (using a bit of sleight-of-hand behind the scenes, since Fox doesn’t speak SVG natively).

All you need to get started with SVG is a text editor and an SVG viewer. No other software is necessary, although it’s useful to have third-party tools like Corel Draw which can save as SVG — that way, you can edit the file and see how to do what you’re trying to figure out.

Another thing about SVG is that its output is vector-based, instead of bitmap-based: you don’t lose resolution as you zoom in.

You can link in CSS files to set the style of your drawing, which can cut down dramatically on the size of your files. Other ways to cut down the size are the <g> (group), <use>, and <defs> tags, which have close conceptual matches in VFP. Also, after you define a drawing with the <defs> tag, you can link to it as a separate file using the HREF clause, just like in your HTML files. It also supports SMIL2 to animate your drawing - want to zoom the pieces of your pie chart onto the screen? No problem!

Another similarity to your web pages is the <A> tag (which was implied above with the map). A major difference from HTML, though, is that if you create an imagemap, you need to define the boundaries within which a click is recognized. With SVG, only what you drew is recognized. In other words, if you draw a circle, there isn’t a box around it to click on, or a polygon that approximates the edge of the circle: the circle itself is the link.

In the second half of the meeting, he walked us through all the stages of building a graph in Fox — from the initial data to the final pie chart. It was amazing how intuitive the whole thing was (even if Lauren had to throw up the “Warning, Math Ahead” sign a few times).

He has a white paper on his site with more information about using SVG and VFP: check it out!

Posted by Garrett on April 20th, 2004 in Seattle VFP SIG, VFP, Web | No Comments

Seattle VFP SIG January meeting

Well, this time, it didn’t rain. :-) However, due to major communication breakdowns (caused by someone *cough, cough* not following up when he should have), attendance was minimal. Mike Stewart, from the FoxPro test team, was kind enough to give his presentation anyway for the benefit of those who weren’t scared away by the late notice.

His presentation was entitled “Security for Visual FoxPro Applications”, and he originally gave it at DevCon a couple of years ago. Rather than being a way to secure your applications as such, though, it was an overview of what developers needed to know about securing Windows in general.

The first thing he touched on was Physical Security. If an attacker can walk out with your computer, or even just your hard drive, he can break your security at his leisure. If he has time to reboot your computer with a Linux boot disk, he can mount your NTFS drive and read the data without logging in. One way to slow an attacker down is simply to lock your workstation. It’s as simple as hitting Windows+L in later versions of Windows: that will bring you back to a login screen.

Strong passwords are important. Don’t choose passwords that can be trivially cracked by a dictionary attack (literally going through the dictionary trying words): add mixed case letters, numbers, and special characters. Don’t just choose something like FoxRocks!1, and then change it to FoxRocks!2 - that’s trivial to crack. Windows 9x systems have compatibility with LANMAN: unfortunately, this puts huge gaping holes in password security when it upper-cases the password and breaks it into 7-character chunks. In the above example, that leaves “FOXROCK” vulnerable to a dictionary attack, and “S!3” is much easier to crack. The passwords are stored in the SAM file. This touches again on physical security, because if an attacker can take that file away on a floppy, it’s game over. The important thing here is to Educate Your Users.
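To put numbers on the LANMAN point above, here is an added example (not from the talk or the original post) that applies the upper-casing and 7-character split to a password and compares the search space of the two independent chunks with that of the full mixed-case password. It assumes a 95-character printable ASCII alphabet; the function names are made up for the illustration.

```python
PRINTABLE = 95                 # assumed alphabet: printable ASCII characters
LM_ALPHABET = PRINTABLE - 26   # lowercase folds into uppercase, leaving 69


def lm_halves(password):
    """Return the two 7-character chunks LANMAN works on (upper-cased)."""
    padded = password.upper()[:14].ljust(14, "\x00")   # at most 14 characters
    return padded[:7].rstrip("\x00"), padded[7:].rstrip("\x00")


def candidates(alphabet, length):
    """Number of strings of length 1..length over the given alphabet."""
    return sum(alphabet ** n for n in range(1, length + 1))


def lm_search_space(password):
    """Each chunk is hashed on its own, so the costs add instead of multiply."""
    first, second = lm_halves(password)
    return candidates(LM_ALPHABET, len(first)) + candidates(LM_ALPHABET, len(second))


def full_search_space(password):
    """Search space when the whole case-sensitive password is one unit."""
    return candidates(PRINTABLE, len(password))


def rotation_keeps_first_half(old, new):
    """True when a password change leaves the first LANMAN chunk untouched."""
    return lm_halves(old)[0] == lm_halves(new)[0]


if __name__ == "__main__":
    for pw in ("FoxRocks!1", "FoxRocks!2", "FoxRocks!3"):
        print(pw, lm_halves(pw), lm_search_space(pw), full_search_space(pw))
    print(rotation_keeps_first_half("FoxRocks!1", "FoxRocks!2"))
```
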

The next important thing is to use the least privileges you can get away with. In other words, don’t run as Local Admin! Unfortunately, this is difficult, since some programs are not well-behaved when you aren’t an administrator. One way to get around this is to use the RunAs command. You can either right-click on the EXE and choose Run As… and select an administrator account, or you can use “runas /user:Admin program.exe” from a command prompt.

The Microsoft Baseline Security Analyzer will analyze your system and tell you what you have and haven’t done to secure your system.

Social engineering: what do you do if someone says “hey, this is the helpdesk, can you verify your password for us?” The important thing to remember here is that you _never_ need to give your password away: if they have a need to know, they already have the rights that will enable them to do their job without asking.

Cryptography: don’t try to roll your own. Unless you’re a crypto expert, you’ll probably get it wrong. VFP ships with a Foundation Class to help you encrypt your data: _crypt.vcx. Remember, though, that encryption will slow your access down a lot, so try to avoid it.

Buffer overflows are not an issue for Fox apps, since you work within the VFP runtime, rather than doing direct memory access.

Mike recommended SecurityFocus.com as a good resource: one of the things they’ve talked about has been that COM+ can handle security for your DLLs without needing to roll it all yourself. Mike recommends handling setup programmatically, since you can get a bit better control that way.

Cross-site scripting is EEEEEVIL! Some web sites are vulnerable to being sent script commands instead of the expected data. One unnamed site (which I could supply the name for myself, having seen the cookie bounced back to my screen on occasion) used to store the logon password in plaintext on a cookie on the machine. A cross-site scripting attack could have caused this information to be submitted to a hacker’s site.

SQL Injection: this involves sending commands to a SQL engine, instead of just data. For example, say that you have the command “SELECT * FROM table WHERE name = '&lcSubmittedName'” - what happens if lcSubmittedName = “Fred' AND EXECSCRIPT('RUN FORMAT C:\')”? (Syntax not quite correct, but you get the idea.)
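The difference between splicing the submitted text into the command and passing it as data can be seen in this added example, which is not code from the talk or the original post. SQLite stands in for the SQL engine, the table name people is made up, and a registered function named EXECSCRIPT that only records its argument stands in for a call with side effects.

```python
import sqlite3


def make_db():
    """In-memory table plus a harmless stand-in for a function callable from SQL."""
    conn = sqlite3.connect(":memory:")
    calls = []

    def execscript(arg):
        calls.append(arg)      # record the call instead of running anything
        return 1

    conn.create_function("EXECSCRIPT", 1, execscript)
    conn.execute("CREATE TABLE people (name TEXT)")
    conn.executemany("INSERT INTO people VALUES (?)", [("Fred",), ("Wilma",)])
    return conn, calls


def lookup_spliced(conn, submitted_name):
    """Vulnerable: the text becomes part of the statement, as with &lcSubmittedName."""
    sql = "SELECT name FROM people WHERE name = '" + submitted_name + "'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn, submitted_name):
    """Hardened: the engine receives the text as a value and never parses it as SQL."""
    return conn.execute(
        "SELECT name FROM people WHERE name = ?", (submitted_name,)
    ).fetchall()


# Constructed input in the shape the paragraph describes, completed so it parses.
CONSTRUCTED_INPUT = "Fred' AND EXECSCRIPT('marker') AND 'x' = 'x"

if __name__ == "__main__":
    conn, calls = make_db()
    print("spliced:", lookup_spliced(conn, CONSTRUCTED_INPUT), "calls:", calls)
    conn, calls = make_db()
    print("bound:  ", lookup_bound(conn, CONSTRUCTED_INPUT), "calls:", calls)
```
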

DBCs should always be set to Read-Only. There is no reason to write to a DBC at run-time, but if you do, you could be hacking the DBC_BeforeOpenTable() event to do something nasty. It’s also possible to hack the backlink in the tables to point to a different DBC, with that same evil code in the DBC events. It’s a bit harder to make a DBF read-only: most apps would object to this. It’s possible to write code to verify the backlink when opening the tables, though.
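One way to do the backlink check from outside VFP, as an added example that is not code from the talk or the original post: it reads the backlink straight out of the table header before the table is opened. It assumes the documented Visual FoxPro table layout (header length at offset 8, a 0x0D terminator after the field records, then a 263-byte backlink area); the file name sales.dbc and the sample header are constructed.

```python
import struct

VFP_SIGNATURES = {0x30, 0x31, 0x32}  # first header byte of a Visual FoxPro table
BACKLINK_LEN = 263                   # fixed-size backlink area that ends the header


def read_backlink(dbf):
    """Return the .dbc path stored in the table header ('' for a free table)."""
    if len(dbf) < 32 or dbf[0] not in VFP_SIGNATURES:
        raise ValueError("not a Visual FoxPro table header")
    (header_len,) = struct.unpack_from("<H", dbf, 8)    # offset of the first record
    if header_len < 32 + 1 + BACKLINK_LEN or header_len > len(dbf):
        raise ValueError("header length is inconsistent with the data")
    start = header_len - BACKLINK_LEN
    if dbf[start - 1] != 0x0D:                          # end of the field records
        raise ValueError("field list terminator not where expected")
    raw = dbf[start:header_len]
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def backlink_ok(dbf, expected_dbc):
    """True only when the header parses and names exactly the expected DBC."""
    try:
        found = read_backlink(dbf)
    except ValueError:
        return False
    return found.lower() == expected_dbc.lower()


def build_sample_table(backlink):
    """Constructed one-field table header (no records) for the demonstration."""
    header_len = 32 + 32 + 1 + BACKLINK_LEN
    head = struct.pack("<B3BIHH", 0x30, 4, 1, 19, 0, header_len, 21) + bytes(20)
    field = (b"NAME".ljust(11, b"\x00") + b"C" + struct.pack("<I", 1)
             + bytes([20, 0]) + bytes(14))
    tail = backlink.encode("ascii").ljust(BACKLINK_LEN, b"\x00")
    return head + field + b"\x0d" + tail


if __name__ == "__main__":
    for link in ("sales.dbc", "..\\temp\\other.dbc", ""):
        print(repr(link), backlink_ok(build_sample_table(link), "sales.dbc"))
```

For a real table, pass the bytes read from the start of the .dbf file; the header can exceed 8 KB on tables with many fields, so read at least the length stored at offset 8.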

Mike will be sending his slide deck to be posted on the group’s web site in a couple of days: it includes a bunch of links to useful security sites.

Posted by Garrett on January 19th, 2004 in Seattle VFP SIG, Security, VFP, Web | No Comments

Seattle VFP SIG November meeting

It’s getting traditional — or at least seasonal. Tonight’s meeting of the Seattle VFP Special Interest Group was almost as wet as last month’s, but the attendance was a bit better - including one first-time attendee who claimed he had been drawn in by the pizza. :-)

Richard Stanton led us through a demo of the latest features in Europa reporting — in fact, this was the first time the reporting features had been presented in the US. He explained that there was a huge emphasis on extending the reporting features, rather than replacing them, so that our existing investment in FRXs would be protected.

The first thing he demonstrated was multi-detail bands. The example he used was an employee - orders and employee - territories pair of relations. He set up the employee table in the group, and then created two detail bands: one with orders for the controlling alias, and one with territories for a controlling alias. The report he generated looked like this:

Employee1
   Territories
      Territory1
      Territory2
   Orders
      Order1
      Order2
Employee2
   etc.

This is… umm… non-trivial to do in earlier versions of VFP, but is almost trivial in Europa. Another thing he showed us was the possibilities of including the same detail band twice. He added another orders band, but instead of outputting the records in the detail band, he used report variables that reset after each detail band, and put the order count, total, and average order in the detail footer, which then displayed directly below the Employee header.

Another new feature is the PROTECTED keyword. Since the Report Writer is included in the runtime, it’s not uncommon to allow the end-users to modify the reports. This allows you to lock down given items so they can’t be modified, edited, or deleted.

Europa will also include a report builder. One example Richard gave was that now, if you double-click on a label, you don’t get a positioning dialog: you get a five-tab dialog that gives you access to all sorts of info, including the ability to edit the label text and to set absolute positioning (watermarks, anyone?). The architecture for this will be fairly open, so if you don’t like the supplied ReportBuilder.app, you can build your own.

If you open a Europa report in VFP8, it will open correctly if you’re only using a single band. If you have multiple bands, VFP8 won’t mess it up for you: it will just refuse to open it.

After that, we had some extra time, so YAG, Ken, and Richard collaborated on some free-flowing demonstrations of other Europa features. We saw auto-anchoring controls that remained in the correct place as the form was resized. We saw rotating text and polygons (not just rectangles anymore!). We saw the different ways you can now put a picture on a CommandButton. In fact, we saw so many things I forgot to take notes, so those are just the highlights. :-)

We had two special guests tonight: Susan Graham, former Fox Software employee and VFP manager, elaborated a bit on a story from Fox Tales involving Dave Fulton, a new 4-wheel-drive truck, an Ohio snowstorm, and an enforced workday; and Robert Scoble popped in to see the new Europa stuff that I invited him to check out.

The next meeting will be Monday, December 15th. We have a tentative speaker: I’ll post in the usual places as things finalize. See you there!

Posted by Garrett on November 17th, 2003 in Seattle VFP SIG, VFP | No Comments

Seattle VFP SIG meeting next Monday, 11/17

Just wanted to remind the locals that Richard Stanton, of the VFP development team, will be demonstrating some of the new reporting features in Europa, the next version of Visual FoxPro, at the next meeting of the Seattle Visual FoxPro SIG.

Several years ago, a former PM for VFP said something to the effect of “if you’ve been asking for something for the past three releases, and it isn’t there yet, take the hint!” Well, the community kept asking, and I guess they finally wore them down. :-) Features that have been announced publicly include access to report objects at runtime, new output types such as HTML, text rotation, multiple detail bands, and a hook so that you can replace the Report Writer with your own designer.

Hold on to your hats, folks — we’re going for a ride next version! :-)

Posted by Garrett on November 12th, 2003 in Seattle VFP SIG, VFP | No Comments

Seattle VFP SIG October meeting

Tonight’s meeting of the Seattle VFP Special Interest Group was disappointing. Not because of the content, but because so few people braved the elements to come out and see it. When I’m the one presenting, that’s fully justified. :-)

Tonight, though, Aleksey Tsingauz, of the Fox development team, walked us through the use of CursorAdapters. CursorAdapters are object wrappers for data connections. Where views can only do local and ODBC data sources, CAs can connect to native, ODBC, ADO, or XML data sources with equal fluency. Aleksey showed us the main properties, grouped by topic. There are (can be, actually) custom commands for Inserting, Updating, or Deleting data, and you can hook in Before or After the command fires. You can also do automatic transforms on the data using the ConversionFunc property: Aleksey’s example was ALLTRIMming Fox character fields to go into SQL Server varchar fields.

Cursors can be attached to and detached from CA objects at will. If the cursor is not compatible with the object and you’re using the automatic functions, rather than custom-coding them, it will be rejected. However, if you’ve written the custom functions, your Customer CA object will be perfectly happy attaching to your Employee cursor.

The AfterCursorFill event can be used to create indexes for your cursor, among other things.

BeforeUpdate lets you see the actual command which is being sent to the back end. This is useful for troubleshooting. AfterUpdate lets you overrule failures. It has an lResult parameter that is passed by reference, so that if you can repair the failure, you can flip the flag so that the TABLEUPDATE() function reports that the update succeeded. The various events fire once per row updated, unless you set the CA into batch mode — I didn’t quite get the syntax for this.

Aleksey then proceeded to demonstrate the various PEMs he had been explaining.

One thing that came out during the demos was that the various DataSourceTypes (Select, Insert, Update, and Delete) do _not_ need to match. You could have the select going through ADO, and an update going through ODBC. You could even write a native function that would process the update and then pass it back to the server.

He also demonstrated accessing the data through Stored Procedures on the back end. This is something you can _not_ do with remote views, though you can write lots of code to do it with SQL pass-through.

All in all, an informative and satisfying meeting. Next month on the 17th, Richard Stanton will be previewing some of the new reporting features in Europa, the upcoming version of Visual FoxPro. This will be a don’t-miss meeting, so mark your calendars!

For more information about CursorAdapters, see the online documentation at MSDN. Aleksey will be sending his slides and demos in the near future to be posted on the SeattleVFP.org site.

Posted by Garrett on October 20th, 2003 in Seattle VFP SIG | No Comments

Tonight’s user group meeting

I just came from an interesting meeting of the Seattle VFP Special Interest Group.

John Ratliff of Parity Corporation gave us a rundown on using Linked Servers in SQL Server. When he proposed this topic, he had been very excited about the possibilities, but by the time the meeting rolled around, he had found that they weren’t all he had hoped for. Linked Servers allow you to define an OLE DB data source (or an ODBC one, through the MSDASQL provider) as if it were a native SQL table. This allows you to do heterogeneous joins, which isn’t easy (if even possible) if you’re trying to do two different ADO connections from a client app. The main obstacle that he found is performance. Queries performed against the linked servers ran an order of magnitude slower than the equivalents through SQLEXEC() in a Fox app. I don’t know if this is an issue with his configuration or if it’s endemic to VFP linked servers.

Barry Pollack then demonstrated his EMCEE application. It manages Boxoffice, Fundraising, Marketing, etc. for smaller theatres. He took great pride in showing it off, and it was, IMHO, deserved. :-) Most of his demonstration was taken up by the Boxoffice module. He showed us how he had developed Marquee selection in VFP (dragging across a set of items to select them, as you can do at design time), and then how that fit into the ticket ordering system. He sold himself a few tickets, and both the steps he went through and the code he showed us were quite elegant. :-)

At the next meeting on October 20th, Richard Stanton of the VFP development team will be previewing some of the new Europa reporting features. There are also rumors of a used book auction, and thoughts about having pizza for a pre-meeting social. I’ll be updating the meeting notice on the Universal Thread’s User Group Tracker as things finalize, and the meeting reminder will go out about a week ahead of the meeting.

Posted by Garrett on September 15th, 2003 in Seattle VFP SIG, VFP | No Comments

Speaking

It’s not how well you speak, it’s how well you recover from the goofs.

Last night, I was giving a talk on SQL Server security to my VFP user’s group, and consistently mispredicted the outcome of particular settings I was doing (I thought that GRANT permission on a user would overrule DENY permission on the user’s group. Unless I was doing something really stupid, that isn’t the case). So, the group got to learn from my mistakes, instead of doing it in front of a client, and we moved on.

Posted by Garrett on June 17th, 2003 in Seattle VFP SIG, Security, VFP | No Comments
