October 2006 - Posts

For your listening enjoyment, I have compiled a list of essential audio for .NET developers and SQL DBAs. This list is far from comprehensive, but it represents my must-hear list each week.

Hanselminutes (http://www.hanselminutes.com) - This is a (mostly) weekly show that focuses on the expertise of Scott Hanselman. The tagline of the show calls Scott a 'technologist', which is a very humble term, in my opinion; he strikes me as the guy who knows almost everything about almost everything. This show is generally focused around .NET programming, but delves into other areas of technology. If you only listen to one podcast per week, make sure it's this one.

DotNetRocks (http://www.dotnetrocks.com) - This weekly show, hosted by programming veterans Carl Franklin and Richard Campbell, encompasses a wide variety of .NET programming topics. Their guest list reads like a who's who of programming excellence, and the material covered is both broad and deep.

ASP.NET Podcast (http://www.aspnetpodcast.com) - This is a good program geared toward ASP.NET developers, and is hosted by Wally McClure. Although the show has had some audio problems in the past, the content is solid.

SQL Down Under (http://www.sqldownunder.com) - As the name suggests, this is a SQL Server broadcast based in Australia. This is the best SQL Server-specific podcast that I have found, and it does not disappoint. Their guests have included the likes of Kimberly Tripp, Adam Machanic, and Kalen Delaney.

SQL Server WorldWide Users Group Podcasts (http://www.sswug.org/sswugradio) - This repository hosts audio content from the SSWUG staff and others. The What's Happening broadcasts by Stephen Wynkoop are weekly publications of news and events in the SQL world; this is a useful download, but you must listen closely as Stephen talks very fast. Some of the audio here requires a paid membership in SSWUG.

If you have not checked out the above audio programs, do yourself a favor and listen in sometime.

For some reason, today I came across at least a half-dozen blog posts and articles about how to avoid SQL injection attacks. It had been a while since I had read about SQL injection, and an odd thought came to mind:

Why is SQL injection still an issue?

This is such an easy problem to get around. Parameterized queries eliminate this threat, because the SQL text is fixed and user input travels to the server as data that is never parsed as SQL; they are just as easy as (in many cases, easier than) building dynamic SQL by string concatenation. Stored procedures give you the same protection, with one caveat: a procedure that itself concatenates its arguments into a string and runs it with EXEC is just dynamic SQL moved server-side and is every bit as injectable, so use parameters (sp_executesql with a parameter list, for example) inside procedures as well. I have a no-exceptions rule that I never allow concatenated dynamic SQL in production code. I have built a few prototypes for demonstration purposes that use dynamic SQL, but in those cases I usually want to actually demonstrate the SQL query as much as the app itself. For live systems, using stored procedures prevents these attacks and can yield some performance gains as well through execution plan reuse (parameterized ad-hoc queries get plan reuse too; concatenated strings with different literals generally do not). If you require more flexibility, you can use parameterized SQL from .NET applications.
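To make the point concrete, here is an added example that is not part of the original post. It uses Python's sqlite3 module as a stand-in for ADO.NET (an assumption; the same parameter-versus-concatenation distinction applies to SqlCommand with SqlParameter objects), a constructed three-row users table, and two textbook payloads: a tautology that makes the WHERE clause always true and a comment sequence that drops the password check entirely. The concatenated version returns rows for both payloads; the parameterized version, given the identical input, returns none.

```python
import sqlite3

# Constructed sample data standing in for a real users table (assumption).
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
    ("carol", "letmein"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_dynamic(conn, username, password):
    """VULNERABLE: builds the statement by string concatenation.

    Whatever the caller supplies becomes part of the SQL text, so a quote in
    the input changes the structure of the query instead of being compared
    as data. Returns the usernames the query matched.
    """
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, username, password):
    """SAFE: the SQL text is fixed; values are bound separately as parameters.

    The database never parses the input as SQL, so a quote, an OR clause or a
    comment marker in the input is just a string that matches no row.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run legitimate and hostile input through both versions and collect results."""
    conn = make_db()
    # Tautology: closes the password string and appends a condition that is always true.
    # Concatenated text becomes: ... AND password = '' OR '1'='1'
    tautology = "' OR '1'='1"
    # Comment: closes the username string and comments out the rest of the statement.
    # Concatenated text becomes: ... WHERE username = 'alice' -- ' AND password = 'wrong'
    comment_bypass = "alice' --"
    return {
        "legit_dynamic": login_dynamic(conn, "alice", "s3cret"),
        "legit_param": login_parameterized(conn, "alice", "s3cret"),
        "tautology_dynamic": login_dynamic(conn, "alice", tautology),
        "tautology_param": login_parameterized(conn, "alice", tautology),
        "comment_dynamic": login_dynamic(conn, comment_bypass, "wrong"),
        "comment_param": login_parameterized(conn, comment_bypass, "wrong"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that the parameterized function is not filtering or escaping anything; it simply never lets the input reach the SQL parser. That is why parameterization, unlike quote-escaping or blacklists, does not need to anticipate which characters an attacker will use.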

Please forgive this soapbox rant about this issue, but it seems pretty clear to me. Smoking causes cancer, drinking and driving causes death, and dynamic SQL built from user input causes injection attacks. All three are bad and completely avoidable.