Tuesday, May 31, 2005

Adding VSS shortcuts to SQL Query Analyzer

Like many cf programmers, I've gotten into the habit of doing almost all of my queries in SQL Stored Procedures. It helps protect from SQL Injection attacks because you are forced to parameterize all of your passed in values. Plus for some reason, I find cfsqlparam to be one of the ugliest parts of the cf language. I know it's a little irrational, but it just bugs me. Cfprocparam seems so much cleaner.

If you wind up working this way, you soon find out how important it is to manage your queries in .sql scripts. Once you get into the habit of storing your sql files, its natural to want to put them under source control.

I've been carrying this process around for a few years. Query Analyzer lets you add items to it's tools menu. It will also let you pass a few parameters along to the commands you can execute.

If you open up Query Analyzer and click tools|customize|tools, you can add items to the menu.

Here are the items I generally add.

Anything in bold, you will need to replace with your own information.

Menu ContentsCommandArgumentsInitial Directory
Set Project Pathss.execp $/myProject/-yusername,password
Set Working Folderss.exeworkfold $(FileDir) -yusername,password
Add Current Filess.exeadd $(FilePath) -yusername,password$(FileDir)
Check Outss.execheckout $(FileName)$(FileExt) -C -yusername,password$(FileDir)
Check Inss.execheckin $(FileName)$(FileExt) -yusername,password$(FileDir)
Undo Checkoutss.exeundocheckout $(FileName)$(FileExt) -yusername,password$(FileDir)
Diffdiff.bat$(FileName)$(FileExt)$(FileDir)
Getss.exeGet $(FileName)$(FileExt) -yusername,password$(FileDir)


You'll have to add a small batch file to use the diff utility. If you try to call it the same way the other commands are being called, your command window will close as soon as the program is done diffing. You won't get a chance to actually look at the files.

Here is the content of my diff.bat file:

ss diff %1 -yusername,password
pause

Make sure you add the path to your diff.bat file to your environment variables, otherwise you will need to specify the complete path to the file in the command line in Query Analyzer.

If you are used to the process that Dreamweaver or CFStudio uses to checkin/checkout files to VSS, this will take a little practice. Query Analyzer doesn't keep an open handle on the files you open. You will need to make sure you manually save a file before you check it in. Otherwise, the unedited file is checked back in, doing nothing. Don't worry, it starts to feel pretty natural after you do it a while.

You also need to change the project and working path entries when you decide to work on a different project. If you start seeing files checked into the wrong project, chances are you need to edit those entries.

Many people find it easier just to use the VSS GUI instead of this. I can certainly understand that. It's a little safer. I find that I tend to like this method a little better because it's one less program I have to keep running and switching between.

It looks like MS is adding some nice source control hooks into Sql 2005. You can add different source control providers through MMC plugins. Too bad they screwed up the remote access portion of VSS. Maybe they will change it before it's actually released, but I wouldn't hold my breath.

NOTE: you have to save your sql file before you can do a checkin. Normally this won't be a problem because that is probably your normal workflow. If you attempt to do a checkin and you don't get a command window asking for a comment, most likely your checkin didn't work. Make sure you have saved the file and run through the "Set project path" and "Set working folder" options again before you try to check in.

Thursday, May 26, 2005

Software Estimation (Part 1) - What method to use

"If a woman can have a baby in nine months, why can't nine women have a baby in one month?"

I think that is from The Mythical Man-Month, but it's been so long since I read it, I'm not sure. The thought is still valid, though, especially when applied to software estimation. Almost always, the concept of adding developers to a project late in the game is raised by non-technical managers in charge of a project when they see the schedule slipping. Many times, the manager's expected timeframe for building the software has nothing to do with the actual project and is driven by external business forces. I've seen CEO's put an idea for a new system and a request for a confirmation of their time guestimate into a single sentence. "Hey, Mike, it should only take you about three months to build a new system that automates our inventory system, right?" It can be quite a shock getting a question like this.

There are really only two ways you can respond to a statement like this:
  1. Capitulate and agree just to get the ball rolling. This does a disservice to the executive who now thinks he/she knows how to estimate software. Plan on getting more requests like this. You'll look like a software guru for a short period of time until you have to have your first meeting where you have to tell everybody that it's probably going to take 9 months. That's when the executive says that he meant the "office supplies" inventory, not our product inventory. It seemed like you were spending a lot of time in the shop.
  2. Hedge. Let the executive know that you will need to do some work to get the details of the new system down on paper before you can commit to a schedule.
As an industry, I think we shoulder a lot of the blame for encouraging this type of thinking. I can't tell you how many times I've seen a developer group start writing test code as soon as they refill their coffee cup after their 2 minute discussion with the executive in the hallway on their way to the kitchen.

Our businesses need us to provide a regimented way of analyzing projects and producing consistent estimates of project size. There have been many attempts at doing this over the years. Systems like Cocomo, sloc and various statistical methods have been developed to try to solve this problem. Most have proven to be unreliable or difficult to implement. Some, like counting lines of code, have been proven to be flat out wrong.

Probably the best method for estimating software size and effort is Function Point Counting. Function Point Counting has many laudable features including:
  1. Standardization of approach - there is a set of comprehensive rules that can be followed to produce consistent estimates of project size.
  2. It's verifiable - you can have two analysts working under a common set of assumptions come up with the same estimate.
  3. It's objective - you can take your finger and point to a line and say "This part of the estimate is incorrect"
  4. It is aware of the differences between the initial estimate of a new piece of software and estimates for changes or modifications to an existing piece of software.
  5. It includes a post mortem estimate so you can track how you did.
  6. Precision - estimation errors are handled to some degree by abstracting actual feature counts to generalizations of complexity.
  7. The estimate is built from the users point of view.
  8. It's platform independent and tunable.
Sounds great, so why doesn't everybody use it? Well, there are a few problems.
  1. It's very time consuming - you can use a significant amount of your project budget just putting together your estimate.
  2. It has a pretty steep learning curve. Getting good at function point counting takes time, effort and review by others good at fp counting.
Here's the deal breaker: You can't do a decent fp count until you have a relatively complete software design. Most people won't have something like that until after the first two phases of their project (inception and elaboration). By the time you are able to pull an estimate together using function points, you may be as much as 1/3 of the way through your project. Not acceptable.

After looking at the function point method for a while, it becomes obvious that if you could increase some of the levels of abstraction that you might be able to base your estimate on use cases instead of attributes of the project. Gustav Karner proposed this concept as part of his university thesis, but I haven't been able to find his work online anywhere. A synopsis of his work can be found at http://www.bfpug.com.br/Artigos/UCP/Damodaran-Estimation_Using_Use_Case_Points.pdf.

There are some additional guidelines that we have to put into practice to consider using Use Case Point, but I'll get to that later.

I think this approach currently provides our best opportunity to produce workable estimates quickly and early in the project life-cycle.

Next: Nuts and Bolts.

Part 1: What Method to Use
Part 2: Nuts and Bolts
Part 3: Working with the Factors

Enterprise Architect 5.0 released today.

The corporate edition is still a bargain @ $225, about 10% of comparable products out of Rational.

It looks like there is still no round-tripping for CF components possible with this release. I haven't had a chance to really dig into it yet. There were rumors going around that the scripting language was going to be extended to allow reading of unsupported languages, but that may have been pushed to a future release.

UML tools for software development and Modelling - Enterprise Architect Full Lifecycle UML modeling tool

Monday, May 23, 2005

Successful attack on AES encryption

Dan Bernstein has a provocative paper on how he succesfully executed a complete AES key recovery in a lab setting. AES (Rijndael) is the current algorithm being promoted by NIST as the preferred method of encrypting data.

Instead of trying to crack the encrypted string, this approach attempts to learn about the encryption process as it executes by examining outside effects. In this case, the specific time certain parts of the encryption/decryption software takes to run leaks information to a potential attacker.

The autor notes that while this type of attack can be thwarted by not relying on array lookups, the performance hit is substantial enough to make use of the algorithm impractical.

I don't know if an attack like this has actually been pulled off in the wild yet. It sounds like your system would have to be pretty heavily compromised before this type of attack could take place.

cachetiming-20050414.pdf (application/pdf Object)

Another Dreamweaver feature requrest

One thing I'd like to see changed in DW is the order in which stored procedures are displayed in the databases panel. It looks like they are sorted on the object's ID in the sysobjects table. They may actually not be sorted because that is the column on the sysobjects table that has its clustered index. It might just be a straight query.

The ID that gets assiged to the object seems pretty arbitrary to me. I'm sure there is some underlying logic that determines how an id gets chosen, but it escapes me.

It would be nice if the stored procedures were sorted alphabetically by name like the tables are. It would also be nice if the system stored procedures could be hidden as well.

Strangely enough, if you delete the stored procedure and recreate it, SQL will put the new copy in the correct position. I have trouble getting this to work consistantly, though.

If you know of a Dreamweaver or SQL hack that would put these in order for me, I'd be eternally greatful (well, until it causes some other problem).

Sunday, May 22, 2005

Man Steals Bush's Identity

Humor Warning: The following post and it's referenced story contain no factual information. The story is intended solely for amusement purposes. If you are offended by humor or have trouble distinguishing parody from fact, do not read the following post or the associated story. Click Here to avoid anything even remotely amusing.

The notorious identity thief H4xX0r1337 strikes again. This guy seems to be everywhere online. Now he has finally victimized the President of the United States.

It's really amazing how this guy was able to infiltrate the White House and hold a press conference while the President was on vaction.

Note: H4xX0r1337 is hacker speak for HAXXOR LEET or Hacker Elite. You can get a little practice reading the hacker language by going to Google, selecting preferences and changing the interface language to 'Hacker'. After you do this, you may want to switch back to English. Just remember that English in Hacker starts with the letter 3.

Arizona Man Steals Bush's Identity

Tuesday, May 17, 2005

Google on a hot streak

I thought Goog @ 170.00 was a risky purchase, but now at $232.32 it seems like a bargain. That was only 2 months ago.

After looking at their annual report and seeing that they are getting set up to authorize double the number of shares they have outstanding now, I smell a split coming. I always love the post split bump on a stock. Just think of the demand that gets released when the price per share goes from $232 to $116 (2:1). It's only a psychological effect. There's no dilutive or concentration effect on existing shareholders. But, for some reason, it seems more palatable for many investors to buy twice as many shares at half the price.

Of course, I could just be full of crap. I know several people that will attest to that (bugger).

What happened to the classifieds?

Has anybody noticed that the Classifieds section of the ColdFusion forums is now missing? I think it was dropped when cfmx7 was released.

Too bad. I've used it for years when looking for work, partners or employees. True, the traffic had seemed to die off recently, but I took that as just part of the ebb and flow of forums in general. I've referred many companies to the forum when they are looking to hire some cf talent.

The Adobe forums don't have anything like the Classifieds either. Oh, and while I'm at it, Adobe: dress up that forum package a bit. Man, for a design oriented company, you sure have some ugly crap on your site. Why not roll a new Flex based app? Showcase your new product and provide a richer community experience at the same time.

Back on topic: Now that the Macromedia Classifieds are off-line, where do you go to find good cf people?

Macromedia Forums
Adobe Forums

Monday, May 16, 2005

Drunk on the job

While you lucky people in CA have been able to have your favorite boutique wine shipped directly to your home, we poor drunks in states like Maryland and Minnesota have had to trudge down to the local wine shop to get our spirits. In many cases, we couldn't get a vintage from a small winery that didn't have a huge marketing deal with a national distributor.

I guess all that has changed now. Which is great! I've done some of my best creative CF work a little tipsy. Well, at least I think I have until it wears off and I look at the code again. (Doh!)

Generally good news for the small vineyards and adventurous consumers with discriminating palettes

ABC News: Court Strikes Down Ban on Wine Shipments

Tuesday, May 10, 2005

Jumpstart CFCs with Enterprise Architect

Unfortunately, EA does have a somewhat steep learning curve. The part that handles the ColdFusion stuff is in what they call MDG technology if you are hunting around through the help files. Here's how you can get started.

  1. Create a new project
  2. On the right side of the screen you should see a "Project View" panel.
  3. At the bottom, there are generally two tabs, "Resource View" and "Project View". You'll do most of you work in the project view, but for this, switch to the resource view.
  4. At the top of the tree, you should see a folder called "MDG Technologies". Right click on it and select "Import Technology".
  5. Click the ellipsis next to filename and browse to the xml file you downloaded from my blog. You should see the options light up for the types of things that are going to be imported.
  6. Click the "Import" button
At this point, you're ready to create some cfcs. Switch back to project view and add a class diagram.
I generally do mine under "Logical view | Logical Model". Drag a class onto the stage and add a few properties and methods. Once you are done, you can right click on the class, pick a location for the file and have ea generate a cfc shell for you.

Let me know if you need a little more, but that should get you off the ground.

Updated CFC generator code

Monday, May 09, 2005

SQL Server Service Pack 4 released

In case you missed it, Microsoft released a service pack to SQL Server 2000 on May 6th.

It's probably a good thing to pick this up if you're running SQL server considering what happened with Slammer.

There are 4 parts to the release:
  1. Database components
  2. Analysis Services components
  3. SQL Server Desktop Engine components (MSDE)
  4. SQL Server 2000 64-bit components.
There is also a readme file for each one.

It looks like an update to Books online has not been made available yet. The current version is for sp3a.

Wednesday, May 04, 2005

How do accounting firms get away with this?

The Wall Street Journal has an article this morning that I find just amazing. (You won't be able to get it online unless you have a subscription, which I don't because I can't stand their pricing strategy) Anyway, the article is called "Take This Job and ... File It" by Diya Gullapalli. I talks about the high turnover in the big accounting firms of their mid-level professionals because of the excessive workload imposed by the Sarbanes-Oxly law.

One of the interviewees claims to have worked about 700 hours in overtime in a year and was rewarded for her efforts with a $2000.00 bonus. Why do these young people let their employers get away with this? The accounting firms are charging their clients between $100 and $200 an hour for the efforts and paying $2.86!?

These people should demand that they make half their billing rate as compensation. So at $100/hr if the person bills 1750 hours in a year, they make $87,500.00. Some allowance should be made for excessive amounts of work done for the firm directly (non-billable time) so they can't make sales work or service performed for the firm adversely affect the compensation package.

This way, if somebody works a ton of overtime, it's compensated. If the employee is aggressive with their billing rate and can sell it, they get rewarded as well as the firm.

On the other hand, if you don't make your hours, you don't make the dough.

This is pretty much the way we handle our Software services. It doesn't make any sense to me to abuse your labor force. All the time and effort you've invested in bringing them around to your way of thinking goes down the drain when they leave. It seems strange that accounting firms don't see this.

Monday, May 02, 2005

New road rocket!


270hp worth of road ripping fun. Probably my last all gasonline powered vehicle. This thing makes the thought of driving to work almost something to look forward to.

My new 2005 Acura TL. In many ways made possible by the good folks at Macromedia by making products I can use to make a living. Many thanks.

New look for the blog

For some reason, I find messing around with the blogger code to be somewhat cathartic. If you hadn't noticed, I dig bright colors in odd combinations. They just seem so groovy.

I think the green titles lack a little contrast. Maybe I'll try a dhtml drop shadow next weekend.

I also lost the little weather pod. I just didn't fit with the design well. I think a new skin is in order.