Technical Musings

A Recipe for Setting Up Automated Test Projects

2012-02-16T03:04:28Z

Assuming that you are already sold on the notion of automated testing, it can be useful to put a little thought into how projects will be setup. There are many approaches to this; my approach is based on experience, the wisdom in xUnit Test Patterns, and standard coding best practices. I will try to keep this language agnostic, though my examples will be in C#.

]]> Separate Projects

First, to maximize the benefit of unit testing, let's make a clear (and industry standard) delineation between unit and integration testing:

Unit test are in isolation from external resources, e.g. files, databases, web services; in SQL, it might be isolation from foreign keys.
Integration tests utilize these resources.

One benefit of this distinction is that external resources may cause errors that have nothing to do with your code, which therefore would be false alarms. Another benefit is speed - the isolated unit tests will run much faster than the integration tests, giving you feedback that much more quickly. Slow tests will just frustrate you as you sit around waiting for them to complete, and you'll be less likely to run them frequently.

Thus it is best to put these into separate test projects. Run all of the unit tests very frequently, and run the integration test as often as is reasonable. The same principle applies to any automated UI or performance tests.

Project Setup

Each class should have its own test file, and each namespace its own folder - just as you would do for non-test code. If a class has many methods, or some methods require many different tests, it may be helpful to create multiple test files for a class. For example, you might have "MyClassTest_MethodA.cs" and "MyClassTest_MethodB.cs".

Helper Classes

It is often useful to put some code into a static class for re-use across multiple tests. For example, if you use Guids frequently, then create a static Guid variable that can be re-used everywhere:

public class Helper
{
    public static Guid GuidOne = new Guid("dd28ce17-218f-42cc-a023-caaf455cdfc5");
}

I've also used my Helper classes to build an object with other constant values, where that same object will be used in many different tests.

public const string TestPattern = "^[^ ]+";
public const string TestValue = "as df";

public static RegExTest BuildStandardTest()
{
    return new RegExTest()
    {
        Pattern = TestPattern,
        TestString = TestValue
    };
}

Test Template

The basic art of testing is to know your inputs and your expected outputs. At the code level this applies to methods / procedures; at the system level it applies to the application; and to the user, it typically applies to particular UI screens. Between these two sit the system under test. For a proper unit test, the system must be isolated before it is called. Finally, you must validate the output.

Prepare input
Isolate the system under test
Call the system
Evaluate output

Just as with regular code, test code should be well structured. As non-production code, it might be more forgivable to take a few shortcuts; still, comments should not be omitted. I like to put these four steps into the comments. The name of the test should clearly indicate its purpose. If there are multiple code paths to test for a single method, it might be challenging to come up with meaningful names for each. Method level comments should clearly describe, in plain English, the purpose of the test. To be a real stickler about traceability, the method-level comments might mention a user story to which the test applies.

Example from my Reggie project (more about Moles in a separate article):

/// 
/// A test for the TryIt method.
/// 
[TestMethod()]
[HostType("Moles")]
public void t_TryIt()
{
    // Prepare input and expected values
    string pattern = "pattern";
    string testString = "testString";
    string expected = "anything will do";

    // Mockup the RegExTest class
    bool tryPatternWasRun = false;
    Reggie.BLL.Entities.Moles.MRegExTest.AllInstances.TryPatternMatch = (RegExTest iTester) =>
        {
            tryPatternWasRun = true;
            Assert.AreEqual(testString, iTester.TestString, "wrong TestString");
            Assert.AreEqual(pattern, iTester.Pattern, "wrong Pattern");
            return expected;
        };

    // Run the system under test
    string actual = ExpressionTest.TryIt(pattern, testString);

    // Validate results
    Assert.AreEqual(expected, actual, "Wrong output");
    Assert.IsTrue(tryPatternWasRun, "TryPattern wasn't run");
}

In some cases isolation may not be required; in this particular case, I knew that TryIt would be calling method TryPattern, and I bypassed it. Since TryPattern doesn't call any external resources, I didn't have to code it this way. But by doing so, I completely isolated the TryIt method from everything else.

The validation portion could be skipped in some cases; for example, if you expect an exception to be thrown, many languages will let you specify an "expected exception" rather than having to catch the exception and test its type. For example:

/// 
/// A test for TryIt with null Pattern input.
/// 
[TestMethod]
[ExpectedException(typeof(ArgumentNullException))]
public void t_TryIt_NullPattern()
{
    // Prepare input and expected values
    string pattern = null;
    string testString = "testString";

    // Run the system under test
    ExpressionTest.TryIt(pattern, testString);
}

Mythical Man-Month: Code Reuse and Discoverability

2012-01-08T02:09:21Z

Fifth and final installment in a series. "The best way to attack the essence of building software," Dr. Brooks writes, "is not to build it at all." (p222). With this he introduces a brief discussion of the importance of code reuse, and of its challenges.

]]> Building software for reuse is expensive: it requires greater attention to architecture and more hardening. Perhaps more importantly, it is difficult to user and learn. Code intended for general use often must be more flexible, with a greater number of parameters, which makes it harder to understand. The biggest problem of all I call discoverability; that is, how does anyone know what code is available for reuse?

There are many tools and methods available to help software developers today. Brooks himself refers to the power of object orientation, inheritance and polymorphism for enabling reuse. Refactoring, combined with a complete set of automated unit tests, should significantly reduce the up-front cost of developing for reusability. Language features such as Generics and Anonymous Delegate allow for a great deal of flexibility in reusable code.

Static code analysis tools can help spot common flaws in security, design, naming, and more – thereby helping to improve not only the maintainability but also the discovery of functionality. For the .Net developer, Pex's automatic discovery of unhandled exceptions can do much to improve, quickly, the code hardening efforts.

XML code comments, which can be enforced in static analysis, are quite helpful in explaining the purpose of a class and its methods. Brooks mentions the importance of code samples, beyond general documentation, for explaining complex reusable code. These can be embedded in the Remarks section of an XML comment. For the .Net developer, these comments can be compiled into web pages using Sandcastle. Load these pages into IIS. Perhaps configure a search engine. Take a suggestion from Brooks by publishing a weekly summary of the new/updated documentation.

FFor all that, the human touch is probably the most potent approach; peer review and pair programming provide ample opportunity for sharing about available components and modules.

With all these advantages today, the only excuse for not building your code to be reusable is that you know it won't be reused. In that case, don't waste your time. Refactor later if you were wrong.

Notes on Configuring CruiseControl.Net

2011-12-18T04:50:23Z

Recently I began carving out some time for using CruiseControl.Net in earnest. The book Continuous Integration in .Net was, and I'm sure will continue to be, of great help. Nevertheless, I think it will behoove my own memory, and perhaps help a few others, to record some notes on a few practical details.

]]> AccuRev Integration

Integration with the source control tool AccuRev is very easy, as I'm sure is the case with other SCMs. The only problem is redundancy – and a plain text password. Each configured project needs to have a block within it, containing the path to the executable, login information, and workspace, and other settings.

Even if there are multiple projects in the same Stream, each project must repeat that information. And due to that plain text password, it is best to use Windows security to restrict editing of the configuration file to only those who absolutely must have it. Presumably all developers in a group will have an AccuRev account; however, one of the advantages of separate accounts is the ability to track who uploaded what. How will you know if someone maliciously slips some code in using the "shared" account?

Publishers

The element is crucial for viewing detailed build results. Never go without it.

The element will allow distribution of alerts to groups of e-mail recipients. This is a powerful feature. How do you decide who to include? Now that I have over a dozen projects configured, I will let it run for at least a week before introducing anyone else into the distributions. That way I can make sure I don't accidentally spam them. No need to receive notifications for every-day good builds. Just send out Failed and Fixed notifications. Be sure to get the nested right – I accidentally left out the top level at first and scratched my head for a minute when the file wouldn't validate, though the mistake wasn't that hard to find.

Again, you have to enter the same configuration over and over again for each project. Unless there's something I haven't learned yet, such as the introduction of a variable.

webURL

Initially I tried to configure MyProject with URL http://myserver/ccnet/MyProject. That didn't work so well. What does work is http://MyServer/ccnet/server/local/project/MyProject/ViewProjectReport.aspx.

Custom Project Files

Undoubtedly there is a better way to do this. But, in the tradition of red, green, refactor – in several cases I made custom csproj files that hard-coded reference links to other custom assemblies. Some of the projects were building just fine and some weren't. This definitely solved it. Now I'm at green. Later perhaps I'll try to figure out exactly why the original project file failed and try to refactor. For now, this is good enough.

Actually, here's one more advantage of a custom project file: you can add extra steps that you don't want to run every time you build locally. For example, generating XML documentation and then running SandCastle.

Unit Tests

So far I have ignored unit tests in my configuration, because my unit tests tend to include a lot of database-related code. There is extensive use of mocking (via Moles) so that non-database code does not call the database, but the database code of course still does. It runs on a UnitTest database on each developer's local machine. Unless I build an automatic deployment/install system for database code changes, it would be impractical to create a UnitTest database that can be accessed by the build server.

Therefore I plan to separate those tests into a different test project. The original project will now be more purely "unit tests" (as opposed to integration tests) and can be run with the project build. I could probably do more to separate the tests: for instance, try to inject a fake stored procedure response in order to test mapping code. But is that ultimately worth the extra effort? Not sure yet. It is already a bit of a shock for customers to get higher-than-expected estimates due to the extra time unit testing (though most do understand that this typically will result in higher-quality code from day 1).

Next Steps

I need to integrate FxCop and StyleCop for code analysis. We have written standards for code quality. Might as well automate the process of checking on adherence. SandCastle integration would also be nice – particularly if I can set it up to automatically deploy the generated documentation to a web directory on the build server.

Reggie - Regular Expression Generation/Testing Tool

2011-12-15T22:27:40Z

I've started a new project on CodePlex, called Reggie, and posted the initial working source code. Reggie's goal is to be a simple developer tool for writing and testing Regular Expressions. It is inspired by the venerable Regulator tool and will be created in WPF using the MVVM pattern.

Mythical Man-Month: Planning for Change

2011-12-11T17:17:59Z

Part four in a series. In the chapter titled "Plan the System for Change," Dr. Brooks again lays out the foundations for Agile software development. His was an era of dumb-terminals and highly scheduled availability. And yet, here he is saying, "plan to throw one away; you will, anyhow." When RAM wasn't cheap, and good programmers even more rare than today, how does a project manager or architect justify throwing out the first design on purpose? By recognizing that "[t]he only question is whether to plan in advance to build a throwaway, or to promise to deliver the throwaway to customers."

]]> This followed an analogy to the creation of a physical pilot plant for testing out a proposed manufacturing design. That sounds to me like a prototype. Spend an early iteration on a quick-and-dirty prototype of your design, run it by the users, and incorporate the feedback into a fresh implementation. But it does seem to miss the beauty of refactoring: get it working, then clean it up. Perhaps the refactoring concept did not work as well in those green-screen, procedural days, before you could re-compile every few minutes.

It is not sufficient, Brooks posits, to expect changing requirements and hope for the best. Thus he goes on to advocate that the software development group be organized for success in a changing environment. But he also makes the assertion that software needs more control, not less, which on the surface seems to be a call for a strict waterfall. He doesn't want tentative plans.

One of the signs of true genius is recognizing new data, accepting that a former conclusion might be wrong, and moving forward with the new premise. In new chapter "The Mythical Man-Month after 20 Years," Brooks accepts that "[t]he biggest mistake in the "Build one to throw away" concept is that it implicitly assumes the classical sequential or waterfall model of software construction." Thus in 1995 his vision of software development was updated to include the reality of incremental and iterative design. His 1986 paper, "No Silver Bullet" (ch 16) actually spelled out the need to "[utilize] rapid prototyping" and "[grow] software organically." A common misconception about Agile development is that it is uncontrolled. In the context of the whole, Brooks is calling for careful governance without the stultifying commitment to tollgates and a single-pass design that are called for by waterfall.

The Mythical Man-Month: Wiki and Customer Service

2011-11-26T15:57:19Z

Part three in a series. Many of the recommendations Dr. Brooks makes in this work can seem outdated at first glance; however, it does not take much to bring them into today's software development environments. Take the telephone log for example:

"One useful mechanism is a telephone log kept by the architect. In it he records every question and every answer. Each week the logs of the several architects are concatenated, reproduced, and distributed to the users and implementers. While this mechanism is quite informal, it is both quick and comprehensive." (p69)

]]> Read the book for more context. Updated in modern terms: as an architect, or any kind of subject matter expert (SME), questions and answers over the phone, e-mail, or in-person should spawn an update to the enterprise Wiki (addition or clarification). Consider pro-actively sending a list of updated Wiki pages at least once a week, or even in a brief daily status update. If the answer to an active question is already there, find a polite way to direct the questioner to the Wiki. Here's where good customer service is important. In many cases this might be a missed opportunity to be of service:

One-line e-mail: "Did you look in the Wiki?"

One can imagine a much snarkier-sounding e-mail coming from a frustrated developer who does not want to be interrupted with "trivialities." But that's an unfortunate attitude, one that fails to recognize the importance of respect and service to other group/team members, without whom the developer's job might be meaningless. Perhaps a better response would be:

"Yes, I had a difficult time understanding that as well. We've documented that in the Wiki; please click under XXXXXX and then find the link with YYYYY in it."

Better yet, if time permits: copy and paste from the Wiki into an e-mail, and include the Wiki link for future reference. This is, of course, a double-edged sword. Somehow, someway, "users and implementers" must be encouraged to read the documentation for themselves, and discouraged from asking a thousand questions that have already been answered.

I do not recall that Brooks's sagacity encompassed this area. The best that I've come up with is this: offer to schedule an hour with the individual later in the day/week, and ask the individual to hold all but the most critical questions until that time. This gives the person an opportunity to find their own answers, allows you to continue focusing on your current efforts, and the face-to-face time may even be more appreciated than the individual responses would have been.

The Mythical Man-Month: Conceptual Integrity

2011-11-20T16:30:21Z

Aside from being a fascinating inside-look at some of the challenges faced by the mainframe programmers of the sixties, The Mythical Man-Month presents many lessons-learned that are no less applicable today. This is the second article in a series exploring some of these lessons, in particular: conceptual integrity.

]]> "Conceptual integrity" is one of the most important concepts in the book. Many of Dr. Brooks's recommendations throughout the book are predicated on the importance of ensuring a system's coherence, from the project management to user interface, from documentation to memory management optimizations. Brooks

"contend[s] that conceptual integrity is the most important consideration in system design. It is better to have a system omit certain anomalous features and improvements, but to reflect one set of design ideas, than to have one that contains many good but independent and uncoordinated ideas." (p42)

Brooks talks about simplicity being more valuable than diversity of function – because it is easier to construct and utilize a coherent, slightly simpler system than to create and use a complex one. How often have any of us opted for the simpler device rather than the gadget with all the bells and whistles, simply because we were concerned that the extras would break, or would be hard to learn? The same goes with software systems: keep the design simple. Only add as much diversity and complexity as are needed to get the job done. I suspect that this approach was influential in the formation of Agile principle number 10: "Simplicity – the art of maximizing the amount of work not done – is essential."

I think the author would agree that this principle is to be applied to the system generally, and must be applied very carefully when looking at individual components. As I read this section, I reflected back on mistakes made a few years before, when I first came onto a project in a file-processing environment. I couldn't articulate a significant problem until reading this: none of the .Net developers involved understood the system architecture, and therefore our solutions were incoherent. We had diverse ways of reporting errors (if any), of accepting input parameters, of creating output data.

Even as some of the individual lessons were learned, the bigger picture was not realized. Only after reading this book did I realize why some people have been less-than-thrilled about our use of Reporting Services for some new reports, instead of plain text, and I just installed a new application that does the same. We did so in order to have an easier time designing the report, and to have better looking output (simpler for the programmers). That's nice, but not at all what our users are used to, expected, or wanted.

What they want is something that prints the same way as all of the existing file-based reports. They want to be able to find the file on the system and reprint it when the existing paper copy gets chewed up. They don't want to learn how to go to Reporting Services to print the report; plus, we made the mistake of using the .Net version (RDLC). If reprints are needed, we'll have to either output a permanent PDF, or support two versions – the other loaded into SQL Server's Report Manager. Further, I've realized that testing is simplified when the report is in text: then it is easy to regression test the application, using a file diff tool to compare the output before and after an update.

We were the new kids on the architecture block, and we didn't get it. Sometimes we still don't. Brooks makes an analogy about ancient cathedrals. That RDLC report – it's like repairing a section of a Gothic cathedral by building a cantilevered steel-and glass structure. It might technically fit the need, but it probably won't be what anybody wanted.

Rediscovering C++ / Performing SQL Bulk Copy Operations

2011-11-13T19:53:58Z

When last I worked with C++, it was while working on my master's thesis ten years ago, using a basic text editor in a Red Hat Linux 5.0 installation. A new task in front of me: replace a Reporting Services report, which was exporting to CSV, with a new solution that will allow me to create multiple files, with max 150,000 records each. The first challenge is speed: with that many records, only bulk copy will be reasonable. The second is splitting the file. I thought about calling BCP from a C# process, because unfortunately managed code only offers bulk loading into a SQL Server database, not from database to file. But C++ is another story, thanks to the Bulk Copy Driver Extensions made available by Microsoft. So, time for a C# developer to brush up on C++, and learn it the Visual Studio way!

]]> To get started, I found the Microsoft SQL Server Community Projects & Samples site, and the Bulk Copy functions documentation linked above. Download the project samples to get a quick-start on coding for bulk copy operations; I found the projects How to bulk copy a SELECT result set, BulkCopyFormatAndData, and How to process ODBC errors particularly useful for my goal. Creating a new Visual C++ console application, I was able to quickly stitch together a working prototype that would perform a hard-coded query, using a hard-coded ODBC connection name, and bulk-loading to a hard-coded file. It displayed any error messages at the console. In customizing the error logging, I re-taught myself about sprintf (actually, sprintf_s) and stringstream. The ODBC driver does not always provide a helpful message, so I threw together a few methods for testing whether or not I could create a file (for writing the BCP output and BCP error files) or whether or not a file exists already (for the BCP format file), using the CreateFile function for both.

Next I decided to re-learn how try/catch works in the C++ world, and chose to do so without the Microsoft __finally extension (resource 1, resource 2). I was most surprised when I found that a compilation failure was due to my use of the new keyword, as in throw new MyException(). It also took me a few tries to get the syntax correct for overriding the what() method for my custom exception, which is inheriting from the STL's exception class. It came down to getting the correct modifiers on the declaration in the header file, combined with a problem I ran into several times: using the expected namespace in the code file. That is, I couldn't simply put virtual const char* what() into my code file – I needed to put virtual const char* MyException::what(). Perhaps I needed a using namespace statement to avoid this.

Garbage collection is basically taken for granted in C#, but I know it is all up to me in C++. With the help of a Stack Overflow Q&A on Memory Management in C++, I am starting to explore this arena. Perhaps creating a custom Exception class wasn't such a good idea; I'm forgetting the cardinal rule that you don't use it for program flow, although it sure does simplify my code (a sub-function throws an exception, and I don't have to code for various return values after each invocation of that sub-function). Not only that, but throwing exceptions makes it more likely that you'll end up with memory leaks. In fact, even as I'm typing this I realize that I have foolishly failed to properly de-allocate a resource (see below; would have avoided this in C# through the using (...) construct). This Q&A led me to do some searching on stack-allocated constructors, turning up When to use "new" and when not to, in C++?. Now I have some understanding of the lack of new in the exception-throwing.

HANDLE h = CreateFile(filePath, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (h == INVALID_HANDLE_VALUE)
{
	throw MyException(filePath);
}
CloseHandle(h); // not de-allocated if the exception is thrown!

Alternately, I could wrap this all in a try/catch, add CloseHandle(h) into the catch and re-throw the exception. Or, I could simply put the CloseHandle(h) inside the if clause, before the throw statement.

Now I've moved on to creating a DLL and linking that to my main executable, with the hard-coded values changed into class variables that have proper getters and setters (didn't want to use the proprietary Properties offered by Microsoft). Running against a deadline, I may try to use this DLL from C# so that I can perform the file manipulation (splitting by 150,000) in familiar code. But how hard can it be to split a file in C++? Surely not too difficult.

Review and Reflection on "The Mythical Man-Month" by Frederick P. Brooks Jr.

2011-11-10T03:05:44Z

Dr. Brooks is my new… well, I can't think of an appropriate noun. Certainly not a deity. One book does not make him a favorite tech author. Static text cannot make him a mentor. Maybe tech hero?

]]> The Mythical Man-Month is a true classic. Many have heard of it; I wonder how many in my generation have taken the time to read it? Although it was written primarily* in the mid-seventies, based on experiences from the mid-sixties, it nevertheless offers

Brilliant insights on the working of computers and software;
Brilliant insights on the workings of the people who work on them;
Unintentional but illuminating lessons in history;
A powerful argument for the importance of process but against its ossification;
And of course, much sage advice.

(* the copy I found at a Half-Price is a 20th-anniversary edition with additional information, and valuable, essays written in the eighties and nineties).

This post will begin a series of reflections based on little sticky notes I used to remind myself of Lessons Learned or To Be Explored. That in itself was a lesson learned, but from elsewhere. I had probably thought to do it before, but was too frugal to "waste" my sticky notes this way. Should've been doing this for years.

Design Updates and Fresh Content

2011-10-13T03:00:39Z

Currently I'm working on updating the main blog at safnet.com with a refreshed look and feel (the design was last changed "way back" in 2008), then I'll move on to this technical blog. In the meantime, this garish built-in template will serve to remind me that work needs to be done.

New tech-blog entries have been rare primarily because I have been spending much of my technical-writing time on internal documentation at work: trying to build-up a thorough set of documentation in a SharePoint Wiki. Most of that content is proprietary, and would not be useful outside the company anyway. But I do hope to start posting comments here again soon, starting with a few entries after recently reading the classic The Mythical Man-Month.

Protecting Against SQL Injection in Dynamic SQL Statements

2011-02-26T17:42:16Z

Microsoft's Books Online article on SQL Injection does a great job of reviewing the possible attacks against dynamic SQL statements (using EXEC or sp_executesql). I won't re-hash their discussion and suggestions. What I offer below is a sample remediation effort for this set of statements (the @Fields and @Values variables are actually stored procedure parameters):

DECLARE @Fields VARCHAR(1000), @VALUES VARCHAR(1000), @SQL NVARCHAR(2500);
SELECT @SQL = 'INSERT INTO MyTable (' + @Fields + ') VALUES (' + @Values + ')';
EXEC(@SQL);

]]> This represents the heart of what this stored procedure does. To protect against SQL Injection, I first added a section of code that checks to make sure that all of the fields in @Fields are real fields – this is positive input validation:

CREATE TABLE #temp (Field NVARCHAR(200)) 

INSERT INTO #temp(Field)
SELECT QUOTENAME(Field) FROM dbo.fnSplitString(@Fields,',')   

-- Validate that all fields are real fields in the table
IF EXISTS (SELECT  1 FROM #temp t WHERE NOT EXISTS
                     (SELECT 1 FROM INFORMATION_SCHEMA.COLUMNS c WHERE c.TABLE_NAME = 'MyTable'
                           AND QUOTENAME(c.COLUMN_NAME) = t.Field))
BEGIN
       DECLARE @v_strMessage AS NVARCHAR(500);

       SELECT @v_strMessage = 'Invalid  field(s) in the @Fields parameter detected: ';
       SELECT @v_strMessage = @v_strMessage  + QUOTENAME(t.Field) + ', '
            FROM #tempOrderField t WHERE NOT EXISTS
                           (SELECT 1 FROM INFORMATION_SCHEMA.COLUMNS c WHERE c.TABLE_NAME = 'MyTable'
                                  AND QUOTENAME(c.COLUMN_NAME) = QUOTENAME(t.Field));
       RAISERROR(@v_strMessage, 17, 0);
END

If there are any invalid fields, then they will all be listed in an error message and the stored procedure will stop executing. Note that all of the fields are note “quoted” by the QUOTENAME function. Next, the @VALUES needs to be protected. In this case, the application may send an apostrophe in the data, legitimately. So I use the Replace statement twice – once to guard against stray single quotes, and a second time to overcome incorrectly doubled apostrophes.

INSERT INTO #temp2 (Values)
SELECT REPLACE(REPLACE(Field, '''', ''''''), '''''', '''') FROM dbo.fnSplitString(@VALUES,',')

Finally, to avoid buffer overflows, I change the @SQL to NVARCHAR(MAX). In general it is better to use sp_executesql instead of EXEC, so I also change to that. In this case I can’t benefit from it (exercise for the reader to understand why), but I still use it out of good habit.

DECLARE @v_strSql NVARCHAR(MAX) -- statement needs 5028 characters, but to protect from buffer overflows, changing to MAX
SELECT @v_strSql = N'INSERT INTO dbo.MyTable ('

-- add  the fields
SELECT @v_strSql = @v_strSql + Field + ', ' FROM #temp;

-- remove extra comma and add VALUES()
SELECT @v_strSql = SUBSTRING(@v_strSql, 1, LEN(@v_strSql) - 1) + ') VALUES (';

-- add the values
SELECT @v_strSql = @v_strSql +  Value + ', ' FROM #temp2;

-- again remove extra comma and close VALUES()
SELECT @v_strSql = SUBSTRING(@v_strSql, 1, LEN(@v_strSql) - 1) + ');';

EXEC sp_executesql @v_strSql;

In summary, four changes were applied, as suggested by Microsoft:

Validated input data where I could (the field listing)
"Quoted" fields with QUOTENAME (can be done for fields in INSERT, SELECT, ORDER BY, etc.)
Doubled-up on the apostrophes
Tried to protect against buffer overflow

Before making these changes, I made sure that I had automated unit tests that were passing with the old version. After updates, and a few bug fixes, the unit tests are again passing. I also wrote unit tests that included bad data to make sure everything still worked fine.

Explicit Column Mappings for SqlBulkCopy

2011-01-18T16:25:57Z

Recently, I received a code delivery that worked on our development server but failed in unit tests on my box. The culprit was a method that transformed a List into a DataTable and used that DataTable to load data into SQL Server using SqlBulkCopy. Lesson: apply column mappings.

]]> We went back and forth: "it doesn't work," I reported. "But it works on the dev server," says the developer. Can we both be right? I rebuild the code from my machine, where the unit test is not passing (due to an attempt to insert a value into a calculated column). Install on the dev server. Works without error.

Next day I'm reviewing another application that uses SqlBulkCopy. Another error. This time, data for one field is being inserted into another field. All along I suspected that the explicit ColumnMappings were needed. Now with a second data point, I went to look at the schema.

On the dev server, the first table had the calculated column as the last field, but on mine the last two fields were flipped.
An older version of the second table's create script did not have an identity field. It exists in production, but if the corrected script were not loaded on the developer's unit testing database, then the field would be missing. It is the first field in the table.

So, although I see nothing stating this in the documentation, it appears that the order of the columns in the destination table matters. In fact, without explicitly mapping columns using the ColumnMappings property, the source and destination are matched by index, rather than column name. Thus if Table1 is defined as (Field1 varchar(10), Field2 varchar(10)) and it is loaded using Object2 { string Field2; string Field1 }, then the values loaded into the database will be flipped, Object2.Field2 -> Table1.Field1. Add an explicit mapping and now it works.

Review: Fundamental Modeling Concepts: Effective Communication of IT Systems

2010-12-18T03:22:18Z

Fundamental Modeling Concepts: Effective Communication of IT Systems by Andreas Knopfel
My rating: 3 of 5 stars

I have mixed feelings about this book. I've spent several years working diligently on my flow-charting capabilities, using what scan resources I could easily and quickly sift through on the Web and in the Visio Help, studying the charts in all the comp-sci books I've read, and garnering feedback from my colleagues. This book might have sped up that process significantly, and has already had a positive impact on the communication efficacy of my charts. But, I simply didn't completely like the specific modeling "language" presented by the authors.

]]> The flow charting is good, though I prefer having a few more block types to illustrate the type of data being dealt with (i.e. documents vs databases). The petri net was interesting but seemed like overkill -- when that level of detail is needed, then it is probably time to move into UML. But my experience is limited; I certainly don't know what others would find. And then there's the entity diagramming (ERD), which was simply non-standard. Too much space was dedicated to the fine details of the mechanics of these three viewpoints on modeling, although I suppose that would be appropriate for anyone trying to use them as such and with little prior familiarity with flowchart or UML modeling.

The second half of the book moves beyond mechanics, and it is the more powerful portion. For it is there that we dive in to application, learning how the authors think and approach problems (most of which are in the domain of computing, but allusions are made to uses for other industries). The second half is also home to rare and valuable discussions of style, consistency, and simple communication. I suspect I shall return to the second half many times in coming years, looking for tips and reminders that will further improve the architectural models I build.

Recommended for: system architecture modeling and business analysis. Not recommended for: application design modeling. Even the authors agree that you should stick with UML for design of particular applications.

What about this "agile" thing?

2010-11-12T03:37:09Z

A friend just wrote to me, asking about agile. He's been seeing software job posting with the vague request/promise of "agile" in them, wondering what the big deal is. Initial reaction: if no specific methodology or agile principle is cited, then at worst they are glomming on to pop culture, at best they want to make sure you can (a) handle changing requirements, (b) deliver prototypes and/or working code frequently, (c) take an iterative approach to documentation, coding, and testing.

"Being agile" means both that you aren't going to freak out at the lack of a locked-down, step-by-step waterfall process, and that you aren't going to go cowboy and give the client a product at the last minute, with no conversations or demonstrations between the initial requirements "gathering" and delivery.

What about uint?

2010-08-19T01:38:01Z

I'm writing a class with several methods that take integer input. The input values cannot be less than zero. Since we're not on .Net 4.0 yet, I'm manually writing code contracts (that is, my functions check preconditions, e.g. before doing anything else, I write something like…

if (sequenceNumber < 0)
{
    throw new ArgumentOutOfRangeException("sequenceNumber", "Sequence number must be 0 or greater");
}

This got me thinking: why don't we ever use unsigned integers? Seems like having a uint would better communicate the requirement, and would simply not allow a negative number. The main answer seems to be that casting between uint and other data types, which is inevitable, is ugly. And that uint is not CLS compliant. Even though I'm not trying to write CLS-compliant code at the moment, I think I'll stick with int – because that is our existing convention, and I don't see enough reason to change the convention.