Develop Reference

Notify user if their search criteria are met

I developing a sale system using asp.net mvc. My search system allows users to save their search criteria and will notify them by email when a new product is posted is met their criteria. I tried the following:
The first way: Create a function to send bulk mail through gmail and I put this function in the post function. You can see the code described below to understand what I said:
public ActionResult PostProduct()
{
....
var list = Check(); // get a list of user email when their search criteria are met with the posted product
Send(list); // send email to the list
// I don't know how long does it take to complete this function?
}
However, this method requires a lot of resources from the server and takes a lot of time to respond (if the number of emails up to 1000, it would be a bad thing), but I can customize the parameters into email content (such as links, images, ...)
The second way: I used a mail service (MailChimp) and I called its API successfully, sending mail seems easy but I can not adjust the input parameters. That means I can not customize the content of my email.
I would like to ask people if there is a better and wiser way of doing things than I used to. Thank for reading

Best approach of doing full outer join on parse.com with Xamarin.Android (c#)

I have this common scenario of displaying comments with user details and I'm trying to figure out the best way to do this on Parse.
(Let's say we have a class comment: id, post, user and a class user: id, photo, name).
I was trying to do something like this that it isn't possible on Parse:
var userDetails = ParseObject.GetQuery("User");
var query = ParseObject.GetQuery ("Review")
.WhereEqualTo ("business", application.currentBusiness)
.WhereMatchesQuery ("user", userDetails);
It is not working because users is a Relation, let me explain more:
From what I have read on documentation there are 2 ways to have relations in parse. one with arrays and one with pointers.
Arrays are good when you want to include the whole object (in my case the user) but not for more than 100 results.
Pointers are better for a big database but in order to get for every comment the user details I will have to do one extra query.. that's a lot of queries...
So my options are those I think:
1) Retrieve the whole query with a full outer join with arrays
The problem with this is the speed if my app is getting bigger and bigger
2) Retrieve the whole query with a full outer join with relations
Many many queries. I will reach the parse.com limit of request/sec very fast.
3) Store the details I want in the comments class along the User_ID
This might be a good idea but I'm using Login with Facebook and after the login, the user photos will be updated if it has change since the last time, so if I want to use this idea I have to somehow disable the update of the photo.
4) Use arrays and retrieve only a certain number of comments each time.
This sounds like the best approach, I will get every time around 50 seconds and I can implement a ListView that will load more comments when we are reaching the end of the List.
What do you think guys? What do I have to do? Am I missing something here?

The best solution after all was to use Pointer for the User.
With the pointer and the .Include you can get the whole user object without doing many queries and without destroying the connection of the User class with the comments class by storing the whole User object on the Comment class, nice.
Also if someone want to know how to make a join with pointers and how to retrieve the object then here is q query to retrieve comment and photo:
var query = ParseObject.GetQuery ("Comments")
.WhereEqualTo ("Article", _article)
.Include ("user");
And here is how to access the photo
_user.photo = queryResult.Get<ParseObject>("user").Get<ParseFile>("profile_pic").Url;

Obfuscate HTTP Handler designed to return image

I'm trying to retrieve an image from a HTTP Handler.
An issue which I'm having is trying to make it so that only the application can access the image, I've tried editing the anonymous IIS authentication to allow the application pool identity but this still lets users through.
Here's an example:
ASPX page makes a call to the handler (picService.ashx?id=1) passing in an ID via query string
HTTP Handler sends back image
The image source is Services/picService.ashx?id=1
This all works fine. Now if a user wanted to go and visit picService.ashx and type in any old ID, it would return the image which correlates to that ID. I'm working with sensitive information so this isn't acceptable.
I've had a look at HTTP Forbidden handlers but I'm not sure whether I'm going down the right route.
I've also tried returning the image in the ASPX page but you can't do this due to the Image control needing a URL.
How can I return an image from a database and have the source of the image be secure?
Should I be doing this a different way? Or am I on the right track (http forbidden)?

A technique I have used in the past is to have the page (step 1) create a GUID, and register a cache item keyed by the GUID that has the actual image URL in the object. The page constructs the url for the handler, using the GUID and passes to the handler
The handler (step 2) then knows to go to cache to get the actual value and return the content.
This way you only expose the temporary "magic" value. Its definitely obfuscation and not a substitute for proper security.
As an example (from memory, syntax may be off a bit)
In the aspx or caller
string keyValue = Guid.NewGuid().ToString();
int yourImageID = 5;
Cache.Add(keyValue, yourImageID) //expire in 5 or 10 seconds
string url = "Handler.ashx?imgID=" + HttpUtility.UrlEncode(keyValue);
Response.Redirect(url, false);
In your handler (I use ashx mostly, choose whatever suits your need)
string key = HttpUtility.UrlDecode(context.Request.QueryString.Get("imgID"));
int yourImageID = (int) context.Cache.Get(key);
//get your image from the db and return the content
Again, just because I used a guid doesn't mean you have to, but if you are trying to obfuscate the IDentity, then choose something that does not correlate to the IDentity.

The way you word your question there is no way to get it 100% secure. So what trade-offs are you willing to allow and what are you not?
What exactly are you trying to prevent? Only one user not seeing another user's image? Or prevent right-click, save image as as well?
One idea that comes to mind is combine the user's ip address with the id of the image, hash that, throw it in a cache (or use a guid as a key to look up those values). Maybe remove it from the cache once that hash is used, therefore only allow the image to be loaded once by one ip per page it is supposed to be on.
You should be able to throw the mapping between a generated ID and real into the session, or HttpRuntime.Cache.Insert(cacheName, cachedValue) Database is probably not the best answer, they are small amounts of data, and you can set the expiration time to a small value, so unless you have millions of users at a time...
Using a Flash control to load the image would be secure in terms of can't right-click save image as. Also probably could encrypt the stream, or split apart the image headers or something if you're worried about someone intercepting the image stream. They could still get a url to the image, but your flash control could use special headers which would be difficult for the average user to ever figure out.

First and foremost you have to know what do you consider as OK to show photo . What is your authentication parameter. Like if user is allow to see the pic when is authenticated , check the same in , ashx page before allowing it to see. Because calling inside the html as src or putting the same in browser does not make any difference for server . So you need to check some validation in case user is not at all supposed to see in any way directly or in directly

Store the URL and parameter in Session state and access the Session in the HttpHandler. To do this you would need to implemement the IRequiresSessionState in your handler:
Problem with HttpHandler and session state
Getting Session State in HttpHandlers (ASHX files)

Create Unique Image (GUID to Image)

I'd like to do something like SO does with profile pictures of new users. It seems to create a unique image based on a value.
How can I repeatedly create the same unique image from a GUID?
I'm open to doing this on the server, but would prefer a client side solution to create it on the fly.
Something like these:
Edit: How can I repeatedly create the same unique "nice looking" image from a GUID?

What you are looking for is called an Identicon.
I think this post might either give you want you want or give you some sample code to look at in order to generate your own images.
http://www.puls200.de/?p=316

GUID is byte array - so it is already a raw data for an image if you treat the same data as bitmap.
If your question is "how to create nice image" it is different story.

Can I pass a .net Object via querystring?

I stucked at a condition , where i need to share values between the pages. I want to share value from Codebehind via little or no javascript. I already have a question here on SO , but using JS. Still did'nt got any result so another approach i am asking.
So I want to know can i pass any .net object in query string. SO that i can unbox it on other end conveniently.
Update
Or is there any JavaScript approach, by passing it to windows modal dialog. or something like that.
What I am doing
What i was doing is that on my parent page load. I am extracting the properties from my class that has values fetched from db. and put it in a Session["mySession"]. Some thing like this.
Session["mySession"] = myClass.myStatus which is List<int>;
Now on one my event that checkbox click event from client side, i am opening a popup. and on its page load, extracting the list and filling the checkbox list on the child page.
Now from here user can modify its selection and close this page. Close is done via a button called save , on which i am iterating through the checked items and again sending it in Session["mySession"].
But the problem is here , when ever i again click on radio button to view the updated values , it displays the previous one. That is , If my total count of list is 3 from the db, and after modification it is 1. After reopening it still displays 3 instead of 1.

Yes, you could but you would have to serialize that value so that it could be encoded as a string. I think a much better approach would be to put the object in session rather than on the URL.

I would so something like this.
var stringNumbers = intNumbers.Select(i => i.ToString()).ToArray();
var qsValue = string.Join(",", stringNumbers);
Request.Redirect("Page.aspx?numbers=" + sqValue);
Keep in mind that if there are too many numbers the query string is not the best option. Also remember that anyone can see the query string so if this data needs to be secure do not use the query string. Keep in mind the suggestions of other posters.
Note
If you are using .NET 4 you can simplify the above code:
var qsValue = string.Join(",", intNumbers);

Make the object serializable and store it in an out-of-process session.
All pages on your web application will then be able to access the object.

you could serialize it and make it printable but you shouldn't
really, you shouldn't
The specification does not dictate a minimum or maximum URL length, but implementation varies by browser and version. For example, Internet Explorer does not support URLs that have more than 2083 characters.[6][7] There is no limit on the number of parameters in a URL; only the raw (as opposed to URL encoded) character length of the URL matters. Web servers may also impose limits on the length of the query string, depending on how the URL and query string is stored. If the URL is too long, the web server fails with the 414 Request-URI Too Long HTTP status code.

I would probably use a cookie to store the object.