Category Archives: Clarion Win32

New application security features in Clarion

We’ve added two new linker options that can make your applications more secure from malware exploits; ASLR (Address space layout randomization) and DEP (Data Execution Prevention).

ASLR (Address space layout randomization)

ASLR also often referred to as DYNAMICBASE, modifies the header of an executable to indicate whether the application should be randomly rebased at load time by the OS.
ASLR is transparent to your application. With ASLR, the only difference is the OS will rebase the executable unconditionally, instead of doing it only when a base image conflict exists. ASLR is supported only on Windows Vista and later operating systems, it is ignored on older OS versions.

Why should you use ASLR? On platforms without ASLR support (versions of Windows prior to Windows Vista), there is a well know exploit approach for an attacker to find and manipulate code that exists within its modules (DLLs and EXEs) when the modules have been loaded at predictable locations in the address space of the process. Address space layout randomization (ASLR) randomizes the memory locations used by programs, making it much harder for an attacker to correctly guess the location of a given process, including the base of the executable and the positions of the stack, heap and libraries.

In the next build of C11, the “Dynamic Base Address” option is set on by default at the project level.

If you want to set it from the EXP file, the command is:

DYNAMIC_BASE
on any line by itself (outside of the Exports)

DEP (Data Execution Prevention)

The purpose of DEP is to prevent attackers from being able to execute data as if it were code. This stops an attack that tries to execute code from the stack, heap, and other non-code memory areas. DEP prevents malware from writing code into data pages then executing it.

In the next build of C11, the “Data Execution Protection” option is set on by default at the project level.

If you want to set it from the EXP file, the command is:

DEP
on any line by itself (outside of the Exports)

Summary

The combined use of DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) have proven to be effective against the types of exploits that are in use today. DEP breaks exploitation techniques that attackers have traditionally relied upon, but DEP without ASLR is not sufficient to prevent arbitrary code execution in most cases. DEP is also needed to make ASLR (Address Space Layout Randomization) more effective.

Adding these two malware countermeasures to your applications is especially useful for applications that handle financial data, credit cards, health info, and more.

To set these linker options in Clarion at the Project level:

Open the Project properties page:

en

then click on the “Compiling” tab and set the checkboxes to ON

ASLR and DEP
ASLR and DEP

C10 update released (Nov 8)

Today we released another update for C10. It’s a big release with over 150+ fixes/changes/features. the release includes some small but useful features like export to JSON from Topscan, option to display the Owner/password in Topscan -when Owner is visible as text Copy/Paste is available. (Password icon toggles ON/OFF), improvements to the SystemString and JSON classes, better error handling in the SQL drivers, and much more.

Aside from future bug fixes H5 is now considered code complete. Though we are always looking for feedback and new ideas on areas that we can improve. We’ve also updated the App Broker to use LibreSSL that offers better performance, stability and improved security. LibreSSL is a fork from the OpenSSL stack.

If you want to deliver your app to mobile/tablet devices, give H5 for a try, it takes only minutes to see the possibilities. It also works great on the desktop while at the same time completely changing the UIX of your app.

Read about all the changes in this release here

News from CIDC 2017

We are back from the 2017 Clarion International Developers Conference, held in Orlando Florida this year.  I know it’s not possible for everyone in the community to attend the conference, so this post will cover topics that Diego and I presented.

Starting with Clarion 10 – we have a new build just about ready for release within a few days. It’s a significant build with over 150+ fixes/changes and new features.  I’ll post a link to the readme as soon as it’s finalized. Some of the new features were requests for new functionality in the H5 stack. Diego presented H5 in-depth, and quite a few developers were convinced that H5 has a place in their future.

On to H5 – H5 is now code complete. The combination of the AppBroker and your App on the server side, and Bootstrap+jQuery+HTML5 on the client, gives you the simplest path to deploy your App to phones/tablets almost instantly. You re-use 100% of your existing business logic, you customize the UI using CSS themes. And just by a copy/paste of Javascript code snippets you can extend your app to all kinds of new possibilities. Things like signature capture, geolocation, data graphing can be added for free. If you haven’t tried H5 yet, take 15 minutes and give it a try.

On to Clarion 11 – here’s a screenshot of a slide I showed during the keynote

C11 is the biggest update to the Clarion codebase since moving from DOS to Windows – the new internal classes are the base for the evolution of Clarion for many years ahead. I’ll do a separate post covering C11 with more details on what is coming. We think we’ll have C11 into alpha testing within a couple weeks!

On to Clarion.Net 4.0 – it’s been in use within the IDE since the first release of C10. And we released it to several developers who needed to update their production programs to support .Net 4. We plan on making a general release before the year end, and it’s likely that when we release C11 we’ll update it to .Net 4.5. We are supporting a new feature in the next release, during the compilation of the Clarion code we’ll generate C# code and project file (into a separate folder) that provides the exact same functionality as your Clarion code. That means for those who want to work with WPF or share code with a C# project, you can easily bring the code into VS.

On to mobile dev – over the last 2 years we experimented with just about every approach to mobile dev available. From pure native code solutions, to cross-platform C#, to hybrid apps using free frameworks like Apache Cordova or PhoneGap, and more.

Using the native code approach means you can’t develop for iOS without access to a Mac, period. And of course it means learning Objective-C or Swift, and Apple’s Xcode IDE. To support Android with native code you need to write code in either Java or Kotlin, and learn Google’s Android Studio IDE.

With a hybrid mobile approach you can code in a single language (Javascript) for both iOS and Android. But it has several drawbacks; while you can achieve a nice looking UI using HTML, you can never achieve a native look and feel for either platform. And as your app grows in size and complexity, it’s very likely you’ll run into performance problems.

When we set out our goals for mobile dev with Clarion these are a few factors we felt were critical:

  • Provide a (scalable) solution to deploy to mobile/tablets
  • Re-use unique Clarion knowledge/skills
  • Provide access to your database to any modern client app (Mobile/web)
  • Deliver real-time data updates for both the client-side and the back office (your Clarion Win32 app(s))

All of the approaches mentioned so far have a few things in common:
You need to learn either a platform specific language (or two languages if you develop for iOS and Android) or a specific framework and its tools (Ionic, Cordova, etc.) And you need to write a LOT of code.

That’s why we decided to use Native React. React Native is the next generation of React – a Javascript code library developed by Facebook and Instagram, which was released on Github in 2013.

With React Native, you don’t build a “mobile web app”, an “HTML5 app”, or a “hybrid app”. You build a real mobile app that’s indistinguishable from an app built using Objective-C or Java. React Native uses the same platform level UI building blocks as native iOS and Android apps. You just put those building blocks together using JavaScript and React.

Some of the Benefits:
You write JavaScript with React Native but the components/controls are rendered as native platform widgets. Performance is nearly identical to native code apps as long as you understand the nuances of how React Native works. You share the vast majority of your code between both platforms (iOS and Android). You get the benefits of the entire React Native ecosystem. And it looks like in the future we’ll have code sharing with Web apps.

What about the database? If we can generate a great looking, highly performant mobile client, how do we attain real-time data sharing between the Clarion back office applications, and the mobile client apps?

And we have an answer for that with the new Clarion REST server. It’s a full web server that can deliver regular web pages, along with processing JSON requests for data. It delivers real-time data updates for both the client-side and the back office (your Clarion win32 app(s)). It’s 100% Template driven, (so it re-uses your Clarion skills and knowledge) to create a custom REST server without writing any code (based on your Data Dictionary using any of the Clarion database drivers). That means you can securely open up your database to any modern client app that can consume JSON data.

And the Clarion REST server is simple to create using the templates and your Clarion skills. You won’t need intensive training classes or weekly webinars to understand it. Its model is similar (in a way) to the IP Server model, where you create a custom Data dll with templates and any embedded code as needed.

This has become a long post so I’ll end here – there’s a lot to look forward to in Clarion’s future.

Clarion 10 update (May 2017)

Today we released another update for C10. This update fixes some subtle ODBC/SQL driver issues that were reported to us, as well as a number of other issues.  The ODBC driver bugs we fixed required some very specific combinations/conditions, check the readme file for the details.

The H5 technology also continues to improve, you’ll find a number of fixes and new features, as well as performance improvements. We’ve also updated the App Broker to use a more recent version of OpenSSL that offers better stability and security.

If you want to deliver your app to mobile/tablet devices, jump in and take H5 for a test ride, it takes only minutes to see the possibilities. It also works great on the desktop while at the same time completely changing the UIX of your app, and opening up your app to the ever expanding world of Javascript libraries.

Read about all the changes here

Some highlights for the C10 release

These are highlights of new features in 10.0, for the complete list of fixes, changes and enhancements please refer to the readme text file as its always up to date with all of the latest new features, changes and fixes. All of this information is in the main Help file under the “What’s New in this Version” topic with links to the related topic content.

Compiler:
Big performance boost – in most cases your build time will be cut in half (or better).

  • New scanner for the Clarion (CLW) compiler
  • Support of nested OMIT/COMPILE blocks. Every source/include file
    can have nested OMIT/COMPILE blocks with a maximum nesting equal to 8 with a condition that when evaluated does not omit source, plus one additional OMIT/COMPILE with condition evaluated to omit source code.
  • The compiiler’s scanner uses the OS settings to determine the type of characters to expect. That allows for local national language alphanumerics to be used in identifiers (LABEL).

Dictionary Global Search and Replace
Powerful global Search and Replace for all the settings/attributes of FILEs, FIELDs.and KEYs.

TCP Networking – Client/Server communications
Drop-in a template to put network communications into your applications (using TCP/IP over a LAN/WAN or the Internet). You can pass messages (or files) between applications running on the same computer, and from one computer to another. You can also broadcast messages to all connected computers or processes. The templates and underlying QuickAppConnect class handles all the difficulties associated with socket programming.

The associated Code templates listed below provide support for the following
Socket “Actions” without writing any code:

  • Connect to Server
  • Disconnect from Server
  • Start Server
  • Stop Server
  • Initialize IP and Name
  • Send Message
  • Send Notification
  • Broadcast Notification (broadcasts a message to all connected apps)
  • Broadcast Shutdown (tells all connected apps to shutdown)

Language extensions – templates for Sending Emails, Emailing Reports, and Sending SMS (Text) messages
The new implementation for emails supersedes the prior implementation, and provides many more features, and is far easier to use. Based on the latest support implemented in the Microsoft .Net Framework.
(The original email implementation continues to ship for backward compatibility.)

Use HTTP or HTTPS to download web pages, or any other type of file. You can also post form data to web servers. Very easy way to send HTTP web requests (and receive responses) to Web Servers, REST Web Services, or standard Web Services, with the most commonly used HTTP verbs; POST, GET, PUT, and DELETE.

Web Requests (PUT, GET, POST, DELETE) via HTTP/HTTPS
HTTPWebRequest()
HTTPWebRequestToFile()

Amazon Simple Storage Service (Amazon S3)
Easily provide secure cloud server access in your App using the Amazon Simple Storage Service (Amazon S3).  Use it for backing up data, sharing files amongst remote clients, news feeds, etc.

JSON Support

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write, and easy for computer languages to parse and generate. JSON is an easier to use alternative to XML. JSON can be fetched or uploaded with an HttpWebRequest.

Image manipulation functions;
ImageToPNG, ImageRotateFlip, ImageSaveThumbnail

Background Threads

The WorkingThreadManager class allows you to run a PROCEDURE on a background thread without any UI, and receive events on its status. The implementation is by a template and the class design is thread-safe.

Exception log viewer

The exception log viewer will read the map files created when you built your project and use these to turn the stack trace in the exception log into a list of procedures so that you can quickly and easily find the point of failure.

Project System

Support for the – #file copy srcfile dstfile – command.  If the command is included via the PRAGMA command in a source file, the copy occurs directly after the compilation of the source file.  If the source file does not need recompiling, the copy occurs directly after the source file would have been compiled.

The project language supports the – #file copy srcfile – command.  This comand copies the srcfile to the destination directory for the current project.  The copy only occurs if the build is successful.  The copy occurs after the destination binary (the exe, dll or lib) has been built.

Application Options

Now you can choose to have the %FILE Template symbol return files in the same order that they are displayed in the dictionary editor.  This means that some lists of files inside the application generator will appear the same as the dictionary editor.  However, take note, the File sort order also affects the order of code generation, so that files will be generated in a different order to what they were previously. To turn this feature on you need to go to Tools/Application Options/Generation tab and check the “Sort %FILE the same as the Dictionary editor” check box. Note: If you use LIKE in your file structures the changed order of generated FILEs could possibly cause compiler errors.

Lock Retries
You can now set how many times generator tries to gain access to a file in the Application Options window. This option can be useful in situations where automatic backups are running and briefly locking files.

Template Registry
The Application Generator now supports product version identifiers in the naming convention for the TemplateRegistry.trf file.  For example, Clarion 10 by default uses the name TemplateRegistry10.trf.
If the Application Generator does not find a registry .trf file with the version appended name, it then looks for TemplateRegistry.trf (without the version identifier).  By default when a new .trf is created it is created using the version number as part of the file name.

Dictionary Editor

  • The Dictionary Editor now remembers dialog sizes and positions
  • The Dictionary Editor now stops you from adding GROUP fields to keys of SQL tables
  • The Dictionary Editor now stops you from adding dimensioned fields to a KEY

ClarionCL
Now you can trace the location of a file and the folders search order used by the Redirection system from ClarionCL using the /rt switch.

MSSQL Driver
Now you can get the MSSQL driver to use SCOPE_IDENTITY to retrieve server identity values by adding /AUTOINCUSESSCOPEIDENTITY=TRUE in the driver string

SQL Drivers (all)
The SQL drivers now set FILEERROR() and FILEERRORCODE() to give more details when you try to define a KEY who’s component is a GROUP

IDE
When you select “Open Containing Folder” from the context menu of the tab for a document in the IDE it now highlights the file in the opened folder

Open File Dialogs
New option to use the Redirection System File Open Dialog as the default.

Text Editor
Find All in the text editor now runs in the background allowing you to do other things while the search is continuing.

Clarion 9.1 update is out today

An update to 9.1 is being released today, here are a few of the more important fixes;
FIX: OLE Automation could be treated as side-by-side instead of an OLE server in a separate process

This fixes OLE server automation, such as automating MS Office components, and came about as a result of the support added for registration-free COM.  Surprisingly even after months of beta testing this wasn’t found until after the 9.1 gold release.

And these two, related to problems with either unusually large amounts of Procedure data, or .APPs where templates have been unregistered without removing the associated embed code:

FIX: Possible IDE lockup when there is very large number (hundreds) of local/global variables/tables in the Procedure and the IDE is processing the closing of an embed.
FIX: Possible failure on closing APP if embed tree with orphan embeds has been touched.

There are many other fixes and changes, you can see the full list here.

And of note for those using SQL backends;
FEATURE: The Clarion to SQL converter now converts the following operators for the specific drivers –
% (Modulo) All drivers
^ (Power) Pervasive SQL, Oracle
& (Concatenate) All drivers. *Note that ODBC uses the ANSI standard ||
XOR (Exclusive OR) SQLAnywhere, MSSQL

Clarion 9.1 Gold release

After a long and very thorough test cycle involving  thousands of users, Clarion 9.1 Gold is released today!   From the implementation of support for the Win8 API for accepting Touch input, to the new support for Registration-Free COM, and the new i64 family of functions, this is a very important release. All told there were almost 350 public fixes/changes/features implemented.

The release today includes additional changes/fixes and enhancements since the last beta release. View the complete list here.

To learn more about 9.1 you can read some of these older posts:

https://clarionsharp.com/blog/9-1-pre-release-update/

https://clarionsharp.com/blog/9-1-and-reg-free-com/

 

9.1 – beta 6 released

The 6th beta is out today (March 27). There are ~50 fix/changes/new features added to this release. We expect that next week we’ll make a final pre-release available to all users. You can view the complete list here.
Some of the new features in this release –

  • New WindowManager method ModalEvent added that can be used to test if the current event is modal or not
  • The ODBC driver now supports generating JOIN structures where the the column names in the ON clause of the outer join are in the same order as their respective table names in the OUTER JOIN clause
  • The ODBC interface to TPS now supports LEFT OUTER JOIN clauses on the left hand as well as the right hand side of a join. If a join is on the left hand side, then it must be enclosed in brackets
  • a new XMLWriter class to easily write new XML files

9.1 – beta 5 is out

Yesterday (March 13) we released an updated beta version.  We are getting close to a general release and we’ll know better after the beta testers have had a few days to work with this release.

On the topic of conversions between LONG and TIME data types we introduced two new Pragmas. You can control how the conversions between a TIME field and a LONG are handled using these PRAGMA settings:

PRAGMA (‘define(time0=>off)’) or PRAGMA (‘define(time0=>on)’)

PRAGMA (‘define(sqltime0=>off)’) or PRAGMA (‘define(sqltime0=>on)’)

Summary of behavior when these pragmas are set on/off:

PRAGMA (‘define(time0=>off)’)

This is the default value. TIME(0) is converted to 1 (TIME:MIDNIGHT), i.e. mid-night to mid-night.

PRAGMA (‘define(time0=>on)’)

The compiler generates code to convert TIME(0) to 0 (TIME:NOTIME).

PRAGMA (‘define(sqltime0=>off)’)

This is the default value. The compiler does nothing additional for fields of SQL tables having the TIME data type.

PRAGMA (‘define(sqltime0=>on)’)

If the TIME value to convert is a field of a FILE, the compiler generates a call to the NULL function. If the result from the NULL() function is TRUE (field has a NULL value), the TIME field is converted to 0 (TIME:NOTIME) value. Otherwise, conversion is controlled by the define(time0) pragma.

It is easiest to set the PRAGMA to the desired value at the Project level (Project Properties) But PRAGMA directives can be set before any line in your code where TIME value is being used in an expression converting TIME to LONG).

Related; All SQL drivers have been updated so that a call to NULL(datefield) or NULL(timefield) will return TRUE if they are part of a DATE/TIME Group, and the corresponding column on the server is NULL.