Archive for November, 2009

Author:
Monday, November 02nd, 2009

An important aspect of any project is the quality of the code written by its developers. Usually code quality is reviewed manually, but that is time consuming, and with tight project schedules the review process can become stressful.

To address this, a good number of automated code review and analysis tools are available.

We explored some of the popular open source tools used by a large community of developers, and found the tools listed below for measuring: 1. Code Review, 2. Static Code Analysis, 3. Code Coverage.

1. Code Review Tool:

Checkstyle

Checkstyle looks for these things:

  • Javadoc comments
  • Naming conventions
  • Headers
  • Imports
  • Size violations
  • White space
  • Modifiers
  • Blocks
  • Miscellaneous checks (including some useful checks like unnecessary System.out and printstackTrace)

2. Static Code Analysis Tools:

PMD

CPD

FindBugs

These tools check for the following things in code:

  • Unused local variables
  • Empty catch blocks
  • Unused parameters
  • Empty if statements
  • Duplicate import statements
  • Unused private methods
  • Classes that could be Singletons
  • Short/long variable and method names
  • Cyclomatic complexity

3. Code Coverage Tools:

Clover

Cobertura

These tools check for the following issues:

  • The percentage of code exercised by tests, which identifies the parts of a Java program that lack test coverage
  • Poorly tested, highly complex code
  • Coverage lost due to recent changes
  • Precise per test coverage to ensure relevance of your tests

Most of these code review and analysis tools integrate with the popular IDEs (Eclipse, NetBeans, etc.), which simplifies checking the quality of a developer's own code.

But we were looking for a platform that consolidates all the reports generated by these tools and displays them in a graphical interface. We found a nice tool called Sonar.

Sonar is a continuous quality control tool for Java applications. Its basic purpose is to enhance the existing continuous integration tools to place all the development projects under quality control.

Some of the important features of this platform are:

1. We can review the reports (generated by PMD, FindBugs, Checkstyle, Clover, etc.) of all projects at a glance.

2. We can drill down step by step from module to package to class to source lines, to find out why a project has, for instance, so many coding rule violations.

3. There are 600 coding rules offered inside the platform.

4. It measures all the classical metrics: lines of code, cyclomatic complexity, duplicated code, comments, etc.

5. It displays unit test results and associated metrics such as code coverage.

An important point is that Sonar uses Maven as its internal build tool, so projects need to be built with Maven. Maven is a new and advanced open source build tool, available as a plug-in for the IDEs (Eclipse, NetBeans, etc.). There is also an option for non-Maven projects, available in the Sonar Light version. Sonar can be integrated with a continuous integration build server such as CruiseControl or Hudson (available as a plugin).

To sum up, these tools and platforms provide great utility across the entire development and release phase of a project, from coding to releasing the build, and can be used to enhance the existing development process.

Useful links:

http://sonar.codehaus.org/features/

http://docs.codehaus.org/display/SONAR/Sonar+in+a+nutshell#Sonarinanutshell-TheDashboard

http://docs.codehaus.org/display/SONAR/Collect+data

http://maven.apache.org/index.html

Category: Java
Author:
Monday, November 02nd, 2009

Overview

Basically, when you would like a PL/SQL (or Java or C) routine to be the source of data, instead of a table, you would use a pipelined function.

Simple Example – Generating Some Random Data

How could you create six unique random numbers between 1 and 49 with one SQL statement?

We would generate the set of numbers to pick from (see the innermost query that follows); any table with 49 or more records would do it. First the quick-and-dirty solution without a pipelined function.

select r
from (select r
from (select rownum r
from all_objects
where rownum < 50)
order by dbms_random.value)
where rownum <= 6;

R
----------
10
2
19
34
12
21

That query works by generating the numbers 1 .. 49, using the inline view. We wrap that innermost query as an inline view and sort it by a random value, using DBMS_RANDOM.VALUE. We wrap that result set in yet another inline view and just take the first six rows. If we run that query over and over, we’ll get a different set of six rows each time.

This sort of question comes up frequently: maybe not about how to generate a set of six random numbers, but rather, "how can we get N rows?" For example, we'd like the inclusive set of all dates between 25-FEB-2004 and 10-MAR-2004. The question becomes how to do this without a "real" table, and the answer lies in Oracle9i/10g with its PIPELINED function capability. We can write a PL/SQL function that will operate like a table. We need to start with a SQL collection type; this describes what the PIPELINED function will return. In this case, we are choosing a table of numbers; the virtual table we are creating will simply return the numbers 1, 2, 3, … N:

create type array
as table of number
/

Type created.

Next, we create the actual PIPELINED function. This function will accept an input to limit the number of rows returned. If no input is provided, this function will just keep generating rows for a very long time (so be careful and make sure to use ROWNUM or some other limit in the query itself!). The PIPELINED keyword on line 4 allows this function to work as if it were a table:

create function
gen_numbers(n in number default null)
return array
PIPELINED
as
begin
for i in 1 .. nvl(n,999999999)
loop
pipe row(i);
end loop;
return;
end;
/

Function created.

Suppose we needed three rows for something. We can now do that in one of two ways:

select * from TABLE(gen_numbers(3));

COLUMN_VALUE
------------
1
2
3

or

select * from TABLE(gen_numbers)
where rownum <= 3;

COLUMN_VALUE
------------
1
2
3

Now we are ready to re-answer the original question, using the following functionality:

select *
from (
select *
from (select * from table(gen_numbers(49)))
order by dbms_random.random
)
where rownum <= 6
/

COLUMN_VALUE
------------
47
42
40
15
48
23

We can use this virtual table functionality for many things, such as generating that range of dates:

select to_date('25-feb-2004')+
column_value-1
from TABLE(gen_numbers(15))
/

TO_DATE('
---------
25-FEB-04
26-FEB-04
27-FEB-04
28-FEB-04
29-FEB-04
01-MAR-04
02-MAR-04
03-MAR-04
04-MAR-04
05-MAR-04
06-MAR-04
07-MAR-04
08-MAR-04
09-MAR-04
10-MAR-04

Note the name of the column we used: COLUMN_VALUE. That is the default name for the column coming back from the PIPELINED function.

Typical Pipelined Example

These are the typical steps to perform when using PL/SQL table functions:

  • The producer function must use the PIPELINED keyword in its declaration.
  • The producer function must use an OUT parameter that is a record, corresponding to a row in the result set.
  • Once each output record is completed, it is sent to the consumer function through the use of the PIPE ROW keyword.
  • The producer function must end with a RETURN statement that does not specify any return value.
  • The consumer function or SQL statement must then use the TABLE keyword to treat the rows coming from the PIPELINED function like a regular table.

The first step is to define the format of the rows that are going to be returned. In this case, we're going to return an INT and a DATE, followed by a VARCHAR2(25).

CREATE OR REPLACE TYPE myObjectFormat
AS OBJECT
(
A INT,
B DATE,
C VARCHAR2(25)
)
/

Next a collection type for the type previously defined must be created.

CREATE OR REPLACE TYPE myTableType
AS TABLE OF myObjectFormat
/

Finally, the producer function is packaged in a package. It is a pipelined function, as indicated by the keyword PIPELINED.

CREATE OR REPLACE PACKAGE myDemoPack
AS
FUNCTION prodFunc RETURN myTableType PIPELINED;
END;
/

CREATE OR REPLACE PACKAGE BODY myDemoPack AS
FUNCTION prodFunc RETURN myTableType PIPELINED IS
BEGIN
FOR i in 1 .. 5
LOOP
PIPE ROW (myObjectFormat(i, SYSDATE+i, 'Row '||i));
END LOOP;
RETURN;
END;
END;
/

Test It:

ALTER SESSION SET NLS_DATE_FORMAT='dd.mm.yyyy';
SELECT * FROM TABLE(myDemoPack.prodFunc());

A B C
---------- ---------- ---------
1 31.05.2004 Row 1
2 01.06.2004 Row 2
3 02.06.2004 Row 3
4 03.06.2004 Row 4
5 04.06.2004 Row 5

Conclusion

Pipelined functions are useful if there is a need for a data source other than a table in a select statement.

Category: Databases
Author:
Monday, November 02nd, 2009

C# 4.0 is the next release of C#. The major theme in C# 4.0 is dynamic programming. Dynamic here means that an object's structure and behavior are not captured by a static type, or at least not one that the compiler knows about when compiling your program.

The secondary theme is co-evolution with Visual Basic. Going forward, new features will be introduced in both languages at the same time.

Features of C# 4.0

  1. Dynamically Typed Objects
  2. Optional and Named Parameters
  3. Improved COM Interoperability
  4. Co and Contra Variance

Optional and Named Parameters

Many times we come across situations where we need to call methods that accept many arguments, and most of the time not all of the arguments the method accepts will be passed; we usually pass null. Sometimes we create overloads for convenience, but we still have to pass the default values from within those overloads.

For example, consider the following method, which creates a table cell:

public TableCellInfo CreateTableCellInfo(string text, System.Drawing.Color textColor, int textSize, double width, double height, Nullable<System.Drawing.Color> backColor, BorderInfo leftBorder, BorderInfo rightBorder, BorderInfo topBorder, BorderInfo bottomBorder, SymbolInfo symbol, bool isTextCenterAligned, TextVerticalValues textVerticalValue)

Not all the arguments are required each time we call the method; the text, width and height of the cell are the ones mostly used. So we create a secondary overload of this method, supply the default values inside that overload, and call the overloaded method.

In C# 4.0 we can instead declare a parameter as optional. To do so, all we have to do is assign a default value to that parameter.

So the above method would be modified as shown below:

public TableCellInfo CreateTableCellInfo(
    string text, double width, double height,              // required parameters must precede the optional ones
    Nullable<System.Drawing.Color> textColor = null,      // Color.Black is not a compile-time constant, so null stands in for it
    int textSize = 8,
    Nullable<System.Drawing.Color> backColor = null,      // null stands in for Color.White, substituted inside the method
    BorderInfo leftBorder = null, BorderInfo rightBorder = null,
    BorderInfo topBorder = null, BorderInfo bottomBorder = null,
    SymbolInfo symbol = null,
    bool isTextCenterAligned = true,
    TextVerticalValues textVerticalValue = null)

Where we need to call the method, we can call it by specifying only the required parameters, i.e. text, width and height:

TableCellInfo cell = CreateTableCellInfo("Defaulttext", 5, 4);

In case we want to specify a value other than the default for an optional parameter, we can make use of named parameters and pass the required arguments by name, as shown below:

TableCellInfo cell = CreateTableCellInfo("Defaulttext", 5, 4, backColor: System.Drawing.Color.White);

Optional parameters allow you to omit arguments in member invocations, whereas named arguments provide an argument using the name of the corresponding parameter instead of relying on its position in the parameter list.

Simple example:

Consider this method:

public void M(int x, int y = 5, int z = 7);

y and z are optional parameters.

M(1, 2, 3); // ordinary call of M
M(1, 2);    // omitting z, equivalent to M(1, 2, 7)
M(1);       // omitting both y and z, equivalent to M(1, 5, 7)

To omit y but still supply z, pass z as a named argument, as shown below:

M(1, z: 3); // passing z by name

Overload resolution

If a method has overloads and more than one signature is equally good for a given call, the overload without optional parameters is preferred.

Consider following example to understand this better:

public static void M1(string s, int i = 1)       { Console.WriteLine("string s, int i"); }
public static void M1(object o)                  { Console.WriteLine("object o"); }
public static void M1(int i, string s = "Hello") { Console.WriteLine("int i, string s"); }
public static void M1(int i)                     { Console.WriteLine("int i"); }

If we make a call like

M1(5);

then, evaluating the signatures above, the 2nd (public static void M1(object o)), 3rd (public static void M1(int i, string s = "Hello")) and 4th (public static void M1(int i)) are applicable for this call.

Calling M1(object o) involves a boxing operation, and converting 5 to int is better than converting 5 to object, so that overload is not the best candidate.

Of the remaining two, the method without an optional parameter is preferred, so the method called is M1(int i) and the output is "int i".

References:

http://code.msdn.microsoft.com/csharpfuture/Release/ProjectReleases.aspx?ReleaseId=1686

Category: .Net
Author:
Monday, November 02nd, 2009

The usual security tasks PHP developers handle are
1. Encryption / decryption
2. Validating the User with session Login

Since PHP is used to develop web applications, the major security issues with web applications are
1. Cross Site Scripting
2. SQL Injection
3. Trusting User Input
4. Check the referrer

These are the 4 major security issues we need to handle in our PHP scripts.

1. Cross Site Scripting Prevention

Most developers don't validate incoming data such as query string and POST data. As a result this can lead to cookie theft, redirection to a different site, etc. For example, a user posts a comment on a blog containing the code: Nice Post <img src="http://site.com/images/myimage.gif" onload="window.location='http://mysite.com/'" />

This redirects the page to http://mysite.com/ whenever a user visits the blog.

To prevent XSS attacks in PHP:

Check and validate all user-supplied data that you plan on using, and don't allow HTML or JavaScript code to be inserted from forms.

You can use htmlspecialchars() to convert HTML characters into HTML entities.

You can use strip_tags() to allow only some tags.
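The following is an added example, not code from the original post. It runs the post's own sample comment (embedded here as a constructed string) through the two functions just named and shows one caveat a reviewer would raise: strip_tags() keeps every attribute on the tags it allows, so allowing <img> also lets the onload handler through, whereas htmlspecialchars() with ENT_QUOTES neutralises the markup regardless of which tag carries it. The function names encodeForHtml, stripToAllowlist and containsEventHandler are mine.

```php
<?php
// Added example (not part of the original post): output encoding for the
// blog-comment scenario above. The comment text is a constructed sample.
declare(strict_types=1);

// Constructed sample: the comment from the post, carrying an event-handler attribute.
$comment = 'Nice Post <img src="http://site.com/images/myimage.gif" onload="window.location=\'http://mysite.com/\'" />';

/**
 * Encode untrusted text for insertion into HTML body or attribute content.
 * ENT_QUOTES encodes both quote styles so the value is also inert inside a
 * single-quoted attribute; the explicit charset avoids mis-encoding.
 */
function encodeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * strip_tags() removes disallowed tags but leaves every attribute on the
 * tags it keeps. Allowing <img> therefore also allows onload= handlers, so
 * an allowlist that contains attribute-bearing tags must still be followed
 * by encoding, or be replaced by a real HTML sanitizer.
 */
function stripToAllowlist(string $untrusted, string $allowedTags): string
{
    return strip_tags($untrusted, $allowedTags);
}

/** True if the string still contains an on*= event-handler attribute. */
function containsEventHandler(string $html): bool
{
    return preg_match('/\son[a-z]+\s*=/i', $html) === 1;
}

// Demonstration.
$encoded = encodeForHtml($comment);
// The <img> becomes literal text: the browser displays it, it does not execute it.
echo "Encoded: $encoded\n";
echo 'Handler survived encoding: ' . (containsEventHandler($encoded) ? 'yes' : 'no') . "\n"; // no, the "<" is now "&lt;"

$stripped = stripToAllowlist($comment, '<b><i>');
echo "Stripped (only <b><i> allowed): $stripped\n"; // the whole <img> tag is gone

$keptImg = stripToAllowlist($comment, '<img>');
echo "Stripped (<img> allowed): $keptImg\n";
echo 'Handler survived strip_tags: ' . (containsEventHandler($keptImg) ? 'yes' : 'no') . "\n"; // yes
```

The takeaway is the order of operations: strip_tags() can shorten the allowed vocabulary, but the value still has to be encoded for the context it lands in before it is echoed into the page.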

2. SQL Injection Prevention
For example:

<?php

// Attacker-controlled input (as in the original example); the quotes are the problem.
$firstname = "Julien'); DELETE FROM mytable; INSERT INTO mytable (firstname) VALUES ('hacked";

// Interpolating it straight into the SQL text lets it close the original statement.
$sql = "INSERT INTO mytable (firstname) VALUES ('$firstname')";

// ...running the $sql query

?>

To prevent this in PHP:

i. Use the addslashes() function, which escapes both single and double quotes by adding backslashes before them, to prevent multiple queries from being executed.

ii. Validate the data against the length of the input field. For example:

<?php

// Escape trouble characters (the variable needs its $ sigil).
$firstname = addslashes($firstname);

// Make sure it is not longer than the expected length.
$firstname = substr($firstname, 0, 32);

$sql = "INSERT INTO mytable (firstname) VALUES ('$firstname')";

// ...run the $sql query

?>

3. Check the referer: Check to make sure that the information being sent to your script is from your website and not from an outside source. While this information can be faked, it’s still a good idea to check.

For example, if you have a login form on your website with username and password fields, an attacker could create a similar form elsewhere whose action posts to your website. To prevent this type of attack, we can read the referer from $_SERVER['HTTP_REFERER'] and validate it before processing.

4. Don’t trust user input anytime. Don’t include, require, or otherwise open/delete a file with a filename based on user input, without thoroughly checking it first.
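The following is an added example, not code from the original post, covering points 2, 3 and 4 above with the post's own injection string as constructed input. It binds the value through a PDO prepared statement instead of escaping it with addslashes() (escaping keeps the value inside the SQL text, a parameterised query keeps it out of the SQL text entirely), applies the length check from the post as a rejection rather than a truncation, checks the referer host while treating it as spoofable, and maps a user-supplied page name onto a fixed allowlist before anything is included. The table name mytable comes from the post; the functions insertFirstname, refererMatches and resolveIncludable, the in-memory SQLite database (the pdo_sqlite extension is assumed to be present) and the page allowlist are mine.

```php
<?php
// Added example (not part of the original post). Names such as the
// functions below, the allowlist and the SQLite database are constructed.
declare(strict_types=1);

// Constructed sample: the malicious first name from the post.
$firstname = "Julien'); DELETE FROM mytable; INSERT INTO mytable (firstname) VALUES ('hacked";

// 2. SQL injection: bind the value instead of interpolating it. The value
//    never becomes part of the SQL text, so its quotes cannot end the statement.
function insertFirstname(PDO $db, string $firstname): int
{
    // Length check as the post recommends, but reject instead of silently truncating.
    if (strlen($firstname) > 32) {
        throw new InvalidArgumentException('firstname longer than 32 bytes');
    }
    $stmt = $db->prepare('INSERT INTO mytable (firstname) VALUES (:firstname)');
    $stmt->execute([':firstname' => $firstname]);
    return $stmt->rowCount();
}

// 3. Referer check: defence in depth only. The header is client-supplied and
//    can be faked, exactly as the post says, so a mismatch is a reason to
//    reject while a match is not proof of origin.
function refererMatches(array $server, string $expectedHost): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// 4. File names from user input: never build a path from the raw value.
//    Look the request parameter up in a fixed allowlist of known files.
function resolveIncludable(string $requested, array $allowlist): ?string
{
    return $allowlist[$requested] ?? null;   // unknown key: nothing is opened
}

// Demonstration with an in-memory SQLite database (constructed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (firstname TEXT)');

try {
    insertFirstname($db, $firstname);              // too long: rejected before it reaches SQL
} catch (InvalidArgumentException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}
insertFirstname($db, substr($firstname, 0, 32));   // stored verbatim as data, never executed
echo 'Rows in mytable: ' . $db->query('SELECT COUNT(*) FROM mytable')->fetchColumn() . "\n"; // 1
echo 'Stored value: ' . $db->query('SELECT firstname FROM mytable')->fetchColumn() . "\n";

// Referer check against a constructed $_SERVER array.
var_dump(refererMatches(['HTTP_REFERER' => 'http://www.example.com/login.php'], 'www.example.com'));  // true
var_dump(refererMatches(['HTTP_REFERER' => 'http://other.example/login.php'], 'www.example.com'));    // false
var_dump(refererMatches([], 'www.example.com'));                                                     // false: header absent

// File allowlist (paths are constructed placeholders).
$pages = ['home' => __DIR__ . '/pages/home.php', 'about' => __DIR__ . '/pages/about.php'];
var_dump(resolveIncludable('about', $pages) !== null);          // true
var_dump(resolveIncludable('../config.php', $pages) === null);  // true: not a known key, nothing opened
```

Rejecting over-long input rather than truncating it is a deliberate choice: truncation can cut an escaped sequence in half, while rejection keeps the stored data exactly what the caller validated.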

"The better way to reduce programming effort with better security is using a good framework to develop the project.

For eg: Symfony, CakePHP, Zend Framework, etc. All these frameworks provide good solutions for all the major security issues which we face, and also you can maintain the standard in your code and deliverables."