Thursday, December 20, 2012

Introducing the Real Studio WebSDK

As one of the most requested features since the initial release of the Real Studio Web Edition, Real Studio 2012r2 includes the first public release of our Web Control SDK. You can find the SDK in the Extras folder, which contains documentation, some example projects and even a tool for creating your own IDE icons!

jQuery Calendar Sample Project
Originally designed as a way to simply allow developers to wrap existing controls (which it still does), the WebSDK has been expanded to allow the creation of custom controls from scratch. Developers who are familiar with Real Studio, HTML, CSS and JavaScript will find it easy to create whatever comes to mind.

Because there is the potential for a single project to use many different controls from different developers, Real Software created a central registry where developers are encouraged to reserve their preferred javascript namespace (see the documentation for more info on how to do this).

We've already received and reserved 12 namespaces and we're looking forward to seeing the controls you create!

Monday, December 17, 2012

A Great Alternative to Visual Basic

UPDATE June 2013: Real Studio is now Xojo. Read why Xojo is a great alternative to Visual Basic.

Did you know that Real Studio is a great alternative to Microsoft Visual Basic? That's right, if you have used VB in the past or are considering using it now, you might want to instead take a look at Real Studio (Xojo) to see if it will fit your needs better.

What's wrong with VB?
When referring to "Visual Basic", it usually means one of two things: VB6 or VB.NET. There are current problems with both of these. I'll start with VB6.

Visual Basic 6, or VB6, was last updated in 1998. In its heyday, it was a very popular development tool and was used to create a wide variety of apps, especially in-house applications used by small businesses. Surprisingly, it is still in use today, even though it was effectively abandoned by Microsoft years ago. In fact, many consultants using Real Studio make a pretty good living migrating older projects from VB6 to Real Studio. And many of our customers are former VB users.

If VB6 still works today, why even consider switching? As I mentioned, it's no longer updated by Microsoft. Although it does work in more recent versions of Microsoft Windows, that does not mean it works well. The IDE is also rather difficult to use as it uses the now derided MDI (multiple document interface) style that results in lots of small windows embedded in a main window. And the VB6 language is not very sophisticated. In particular, it is not fully object-oriented making many tasks more difficult than they need to be and your code more complex.

So what about VB.NET? That is newer, right? Surely it doesn't have these limitations. And that would be correct. VB.NET uses Visual Studio as its IDE and Visual Studio is modern and powerful. VB.NET is a a fully object-oriented language, supported by the powerful .NET framework.

But in both cases, VB.NET is complex and difficult to learn. Because Visual Studio is designed to work with a wide variety of programming languages (C#, C++, VB.NET), it can often confound people simply looking to quickly create apps. And VB.NET is a decent language, but the .NET framework is large, powerful and complex. Microsoft changes it rapidly and it can be overwhelming for many developers.

Why Real Studio?
Here at Real Software, we strive to keep things simple. We want to make it so that anyone can create their own apps and we strongly feel that Real Studio is the best way to do that.

As in the tale of Goldilocks and the Three Bears, Real Studio is "just right". It is more powerful than VB6 while at the same time more approachable than VB.NET. It is likely you will have your first app created in Real Studio before you even finish downloading and installing Visual Studio!

And don't forget that Real Studio is a cross-platform development tool. With Real Studio, a single project can create desktop apps that works on Windows, OS X and Linux. You are not forced to do your development on Windows, either. Do you want to do development on OS X or Linux? You can do that with Real Studio. In fact, any single development platform can create apps for all the other platforms supported by Real Studio. If you are developing on OS X, you can create apps for OS X, Windows, Linux and even the web.

Yes, Real Studio can also create web applications. Of course, so can VB.NET (using ASP.NET), but ASP.NET requires a Microsoft server running IIS. Real Studio web applications can be deployed as simple stand-alone applications or can be deployed using Apache, the most common web server on the planet, using Windows, OS X or Linux.

Simple stated, Real Studio allows you to quickly create apps.

Similarities between Visual Basic and Real Studio
Real Studio makes a great alternative for Visual Basic because it shares many similarities with it. This is a short list of some of the things that VB users will find familiar:

Real Studio uses a programming language that is very similar to Visual Basic. It has commands like If..Then..Else, For..Next, While..Loop, Dim and more. You'll have no trouble at all reading (or writing) Real Studio code. You will also find the object-oriented capabilities of VB.NET quite similar to Real Studio. If you've used Visual Studio at all, you'll find that Real Studio works similarly but is far simpler to learn.

Data Types
Real Studio shared many of the same data types with VB6 and VB.NET, including: Integer, Double, String, Currency, Boolean, Variant.

Real Studio has many common controls that will be familiar to you, including: Buttons, Labels, TextFields, TextAreas, ListBoxes (grids), PopupMenus, ProgressBars, toolbars and more.

VB6 and Real Studio Controls

Differences between Visual Basic and Real Studio
Of course, Real Studio also has quite a few differences from Visual Basic as well.

Shared Libraries
Real Studio cannot create DLLs, ActiveX controls, .NET assemblies or any kind of shared libraries. Since these are all Windows-specific technologies, that is somewhat understandable. You’ll either need to rethink your design or just re-use these components from within Real Studio (and thus limiting yourself to deploying only on Windows).

Compiler and Run-time
Real Studio apps are compiled to native code. They do not contain byte-code that is run by a virtual machine (as with .NET). The run-time library is included with your applications so there is nothing additional that needs to be installed on users' computers.

Language and Framework
As I’ve mentioned before, Real Studio is fully object-oriented. Unlike VB6, you can have classes that use inheritance and other object-oriented features.

The Real Studio framework is designed to be simple to use and support cross-platform applications. It is different than the VB6 framework and the .NET framework.

File I/O
One of the biggest differences between VB6 and Real Studio is file I/O. Real Studio consolidates all its file processing into a few classes: FolderItem, TextInputStream, TextOutputStream and BinaryStream. VB6 uses hard-coded file paths and less flexible file access methods, primarily because it only needs to work with Windows-specific file paths.

Data Types
Real Studio is strongly typed, just like VB.NET. VB6 allows you to do some things the “old-school” BASIC way, the most significant of which is using variables without declaring them (the type is inferred by a suffix on the name). Real Studio does not allow this. Use the OPTION EXPLICIT command in all your Visual Basic code to have VB enforce explicit variable declarations.

Switching to Real Studio
We offer a tool to help make it easier for you to make the switch from VB to Real Studio. Our Visual Basic Migration Assistant can help you move your VB projects over to Real Studio, but only at a high level. This tool moves your project files, source code and user interface (to some extent) to a Real Studio project. The tool does not convert the code in any way, nor does it create a working version of your VB project in Real Studio. It is just a means for you to get your code into Real Studio so you can refer to it while working on the Real Studio version without having to keep a copy of VB around.

If you find yourself frustrated with VB.NET or are looking for something to replace VB6, be sure to test out Real Studio. It might be "just right" for you!

Friday, December 14, 2012

WebSDK: Image Delivery Hints

When delivering custom web controls to your developers or customers, it can be problematic if your control has required images. Here are some hints to make the process easier on you and your customers:

1. Embed needed images right in your controls as private base64 constants... just like your IDE icon! This means that your users will not have to add lots of additional assets to their projects to get your controls to run, nor do you run the risk of name conflicts with other images!

Private Constant myImageConstant as String

2. Create WebPicture properties on your control so the variables don't go out of scope.

Private Property myImage as WebPicture

3. Convert these base64 strings into WebPictures in the Open() event:

myImage = new WebPicture = DecodeBase64(myImageConstant)
myImage.mimetype = "image/png" //This MUST match the image data
myImage.filename = "myImage.png"
myImage.session = nil //Very Important!

4. Make sure that any images that will not change from Session to Session are stored in a Shared Property so they are only stored once!

Shared Private Property myImage as WebPicture

You should only initialize them once as well. Using the code from step 2:

If myImage = nil then
  myImage = new WebPicture = DecodeBase64(myImageConstant)
  myImage.mimetype = "image/png" //MUST match the image data
  myImage.filename = "myImage.png"
  myImage.session = nil //Very Important!
End If

NOTE: Make sure you set the Session property to nil, otherwise it will only be available in the session that created it!

5. Use Spritesheets for better compression. If you have lots of little images that will be used all the time, it might be worth it to combine them into a single larger image and then use CSS to specify the section of the image to use at runtime. A single image means one download, and from then on, the browser will use the one from its cache.

WebSDK: Deferring User Commands

One of the things that trips up new and experienced web app developers on a regular basis is the concept of what commands can be sent to the browser at what time during the initial setup of a web control. The general idea is this:

When the Open() event fires, the control has not been delivered to the page yet. Sending commands to manipulate the control will likely result in javascript errors.

When the Shown() event fires, the control has been delivered to the page, has been set up, and is ready to receive javascript commands.

It seems fairly straightforward, and yet we still get a lot of questions about why users can't do this or that in their applications in the Open event.

If you're creating custom web controls for distribution, there is a way to help users avoid this issue, but it takes careful thought on your part because it's easy to get things out of order if you don't plan ahead.

One solution is to defer calls to ExecuteJavascript in the Open event and send them at the beginning of the Shown event:

  1. Create two private properties on your control:
    Private deferredCommands() as String
    Private inOpenEvent as Boolean = False
  2. Override the ExecuteJavascript method:
    Sub ExecuteJavaScript(Script As String)
      if ControlAvailableInBrowser() or not InOpenEvent then
        deferredCommands.Append script
      end if
    End Sub
  3. Create an event definition for Shown()
  4. Implement the Shown() event:
    if Ubound(deferredCommands)>-1 then
    End If
    RaiseEvent Shown()
  5. Create an event definition for Open()
  6. Implement the Open() event:
    InOpenEvent = True
    RaiseEvent Open()
    InOpenEvent = False
Using this method, you can be sure that user code will not be sent to the browser before your control and its code reaches the browser.

BE CAREFUL! If you only defer some commands, you could cause user code to execute out of order. For example, if you defer property assignments but not function calls, a function may get called before the user property assignments have been set.

Thursday, December 13, 2012


One of the great new features in Real Studio 2012 Release 2 is the WebCanvas class for web projects. This class provides an implementation of the HTML 5 Canvas that uses an API that is very similar to the Canvas control used by desktop projects.

When you add a WebCanvas to your web page, you get a Paint event where you can do your drawing using the "g As WebGraphics" parameter. Taking a look at WebGraphics, you can see that it shares many of the same properties and methods of the Graphics class used by desktop projects.

There are Draw and Fill commands for drawing shapes, pictures and strings. You can use the properties to control the size of the drawing pen as well as font and style information.

In addition, there are two additional properties, LineCap and LineJoin, that control how lines are drawn.

So what can you do with a WebCanvas? Pretty much everything you could do using a desktop Canvas control, including drawing: your own custom controls, graphs, pictures, text and more. You can even do animations, however, due to general Internet latency you will find that they cannot update as frequently. They will still work, but depending on the latency between the user's browser and the server running the web application, you may find a noticable delay. However, with careful use of a WebTimer, you may be able to create some animations, such as the CanvasClock example that is included with Real Studio 2012 Release 2.

CanvasClock is a web implementation of the desktop GraphicalClock example. It draws an analog clock on the screen (in a WebCanvas) and then uses a Timer to animate the second hand.

In addition, there are several other new examples included with Real Studio 2012r2 that demonstrate WebCanvas: CanvasBoxes, CanvasChart and WebGridExample.

CanvasChart has been incorporated into our updated example web application, which you can view here:

Click on the "Sales Chart" button on the toolbar to view a chart of invoice amounts created using WebCanvas. You can even click on individual points on the chart to view the actual amount.

Lastly, you can check out the Using WebCanvas video on the Real Software YouTube channel:

Give WebCanvas a try and use it to make great looking web applications with Real Studio!

Wednesday, December 12, 2012

TextArea LineSpacing and LineHeight

New to Real Studio in 2012 Release 2 are two new properties for TextArea: LineHeight and LineSpacing. As you might guess, these properties control the height of individual lines in a TextArea and the amount of space between each and every line in the TextArea. These properties affect all the text in the TextArea.

LineHeight and LineSpacing are fully supported on OS X Cocoa and Windows apps. LineSpacing works on Linux, but only if the Text Area contains a single TextSize.

You can change these properties using either the Properties Pane or in code.

This value is a simple integer that sets the line spacing. For example, if you wanted the text in the TextArea to be double-spaced, then you would set LineSpacing to 2. LineSpacing is a Double so you can also using a decimal such as 1.5. So in the Open event handler of a TextArea, you can simply use this code:

Me.LineSpacing = 1.5

Used to adjust the height of each line, LineHeight allows you to adjust the height using whatever is specified as the TextUnit for the TextArea. So on OS X, you can adjust the LineHeight using points like this (in the TextArea Open event handler):

Me.LineHeight = 18

You can see the differences in the screenshot below:

Tuesday, December 11, 2012

Web Apps, WebSessions and Threads, Oh My!

During the 2012r2 beta cycle a bug was reported regarding data bleed between WebSessions but were unable to reproduce it internally. We've been looking into the issue today as we finally have an example project that reliably reproduces the problem. If you see this behavior in your project, please be aware this bug:

  • Only appears to happen on the default page
  • Only happens if you're using a tight-loop or thread with a low sleep period
  • Any data that has been entered by a user in one session will appear in the same fields on another browser.

What you can do about it

If you're using a thread or a loop, set a sufficiently large sleep period. Unfortunately the low threshold seems to be somewhat dependent on the speed of the hardware you are running on, so you may need to do some experiments.

What we're doing about it

We're working diligently on isolating and fixing this bug. Our plan is to have a new beta out with this and a few other minor fixes soon.

Introducing the Crypto Module


With the release of Real Studio 2012r2, we can take the wraps off our new Crypto module. This module provides access to additional hashing algorithms SHA-1, SHA-256, and SHA-512, as well as keyed hashing functions HMAC and PBKDF2.

The language reference for the Crypto module is available at, but I'll give you an overview of everything it does right here.

Simple Hashing

The Crypto.Hash function provides you access to the simplest hashing. You pass in a MemoryBlock and any of the Crypto.Algorithm values, and get back a binary hash. For users familiar with our MD5 function, the code Crypto.Hash("password",Crypto.Algorithm.MD5) and MD5("password") both return identical results.

There are also convenience functions Crypto.MD5, Crypto.SHA1, Crypto.SHA256, and Crypto.SHA512, if you don't need the flexibility the Crypto.Hash function provides.

Hash-Based Message Authentication Code (HMAC)

Crypto.HMAC works much like Crypto.Hash, except that it requires one additional parameter: a key. In simplest terms, HMAC produces hashes that are "stronger" than non-HMAC hashes.  A very common use of HMAC is to add a "salt" value to a password. Rather than simply applying the salt to the beginning or end of the password before sending it to MD5, you can use the salt as the key and produce a stronger hash.

For example, this code:

Const Password = "password"
Const Key = "key"

Dim PlainHash As String = EncodeHex(Crypto.Hash(Key + Password,Crypto.Algorithm.MD5)
Dim HMACHash As String = EncodeHex(Crypto.HMAC(Key,Password,Crypto.Algorithm.MD5))

Results in

PlainHash = 084201E2889684A768A54EA3B0E05D6D
HMACHash = A95669C550C0C9CC91EF29A91873CA4F

To a human, those results appear very similar. To a computer, the HMACHash will be harder to break.

Password-Based Key Derivation Function 2 (PBKDF2)

Building upon HMAC, PBKDF2 is even more secure, simply because it is much slower. In fact, it is as slow as you want it to be. The Crypto.PBKDF2 function adds two parameters: Iterations and Length. Iterations is the number of loops the function will make, which essentially means the greater the iterations, the slower the function. Length is the number of bytes you want the desired hash to be.

Following up on the earlier example, we can run a the same values through PBKDF2 at 1,000 iterations and retrieve a 16 byte hash:

Dim PBKDF2Hash As String = EncodeHex(Crypto.PBKDF2(Key,Password,1000,16,Crypto.Algorithm.MD5))

Produces the hash 1C0792068A80FD07931CD4A86C001D27

Now here's the beauty of PBKDF2. On my machine, the plain MD5 hash took 0.02ms. The HMAC-MD5 hash took 0.03ms. The PBKDF2-MD5 took 1.22ms. This means my computer could brute force the HMAC-MD5 at a rate of about 30,000 hashes per second. But the PBKDF2 could only achieve about 1,000 hashes per second. Every computer is different, of course. But regardless, being 30 times slower is still quite valuable.

Web Application Code Execution Order Change

We made an important change in Real Studio 2012r2 with regards to code execution order. Until now, commands sent to a browser were queued in such a way that it was possible for property assignments to get out of order with other commands if you were not careful. While this internal queuing process worked for our internal framework (we were able to control the process with our own controls), with the advent of the Web Controls SDK, we had to switch to something that makes a little more sense to the average user.

For example, if your code looked something like this:

  MoviePlayer1.DesktopURL = "DesktopMovie.mp4"
  MoviePlayer1.MobileWifiURL = "WifiMovie.mp4"

It was possible for the code to be sent to the browser like this:

  MoviePlayer1.DesktopURL = "DesktopMovie.mp4"
  MoviePlayer1.MobileWifiURL = "WifiMovie.mp4"

In this case it was possible that the previous movie would start playing and then a new one would load because the properties were set second. Our controls were designed to handle this internally, but it made for some very hard to find bugs. 

As mentioned above, starting in 2012r2, property assignments and method calls are sent to the browser in the order they are specified in your code. We suspect that this will clear up a number of strange bugs that have been reported about properties not getting set properly.

Monday, December 10, 2012

Marketing your app for free!

So you have created a pretty cool Real Studio app that you think others could use.  Why not sell it?  Maybe you didn’t plan to sell it or maybe you developed it with the hopes it could help bring in some extra cashflow.  Either way, here are a few tips on free marketing for your app!

First, I want to tell you about a great opportunity.  As many of you know we have recently announced sessions for the Real Studio Developer Conference, taking place April 23-26 in Orlando, Florida.  This will be our biggest event of the year with one-of-a-kind educational and networking opportunities.  If you use Real Studio to make some or all of your income, you need to be there!  If you are just a hobbyist and want to learn more about how to leverage your Real Studio skills, you need to be there!  And if you are evaluating Real Studio to see if its the right app development tool for you, what better place to make your decision than after talking to people who rely on it and have used it for years? 

We will have some sessions at the conference that will greatly benefit anyone who wants to effectively sell their app.  To call out a few, Richard Duke, CEO of Mediatec, will discuss How to Succeed in Business Using Real Studio.  In this session he will talk about rapidly creating and deploying apps, pricing, sales incentives, system maintenance and further ways to generate income.  Another session I am really looking forward to is Ingo Molitor’s (founder of Bluetelligence LLC) session on the Mac App Store!  Ingo is going to talk about Apple’s requirements for the MAS, code signing and Gate Keeper.   Also, did you see we have TWO sessions on iOS?  That’s right.  iOS in Real Studio - basic and advanced.  This is THE place to be if you want to learn more about Real Studio and get your hands on the latest and greatest from Real Software.  Today we are offering $200 off the price of registration.  I promise you will be glad you came!

There are tons of things you can do to market your app, many which come with a hefty price tag.  Thanks to social media, internet accessibility and a little creativity, there are some free things you can do to help get the word out and start some momentum. 

8 Free Marketing Ideas!

1. Create a website or blog for your app:  Creating a web presence for your app is paramount.  For those who are not creatively inclined there are a lot of free templates out there to help you get started, like Tumblr and Blogger.  Having a dedicated URL to pass out to prospects is very important and your URL needs to be something they can easily remember.  Additionally, you will want to put your URL everywhere - in your email signature, on your Facebook page, Twitter, etc.  And be sure to add social media buttons to your blog or website (like Facebook, Twitter, Digg, etc.) so visitors can share your app with their community. 

2. Create a video to showcase your app:  Always remember to show don’t tell!  Screenshots are a good way to feature your app, but a video is worth so much more.  And I’m not talking professional quality demo video.  Just record yourself walking through your app, show prospects how to use it, and why it’s worth downloading.  Once your video is complete you will want to feature it on your website, upload it to YouTube, Vimeo, Facebook, Twitter, and Pinterest.  Spread the word!  Make sure to add relevant tags to help with some SEO!

3. Twitter:  Did you know Twitter has well over 500 million users and over 340 million tweets per day (source)?  And it’s free!  While not all 500 million people are in your target market, it is a great way to spread the word about your app to a large community.  Simply tweeting about what makes your app special is not going to generate too much buzz,  but using it to get in front of key industry people to request reviews or connect with the media - can make a big impact to helping to spread the word.

4. Guest Blog Posts:  Many of the big-name blogs out there welcome guest posts.  Not only do you get to talk about your labor of love in front of a new audience that you otherwise would not have connected with, but you will also get a link to your own URL, which will get you some good SEO.  Good SEO = more traffic, more downloads and more conversions!  Keep in mind, however, that simply writing a sales pitch for your app will probably not get accepted.  Try to think about a topic that would be of interest.. maybe a problem your app can solve?  Talk about it generally and then offer some solutions.  Even if your topic is not 100% relevant to your app that is OK!  Geoff recently wrote a guest blog post on password security for LockerGnome and that generated a nice traffic boost for us!  Also, did you know we accept guest blog posts?  If you have an idea for something you think might be interesting to our audience, email it to and we will try to work it into our blog rotation!

5. We Will Help You:  Did you know that besides guest blog posts Real Software also offers a number of opportunities to help market your app?  If you submit a press release to us at, we will send it to our news list that includes hundreds of media contacts and we will post it on our forums which is used by 7300 developers.  Additionally, if you have a good story, we may want to include it in a customer success story that we will pitch to the media on your behalf! 

6. Facebook:  I have mentioned a few things about Facebook already, but be sure to leverage your own network to help spread the word.  Post your video to your own page and ask your friends to share it!  Your friends will see it, share it with their friends, and their friends friends and so on!  That’s how to go viral! You should also create a Page for your app!  It’s a great way to get your existing users together and tell them the latest and greatest about your app!

7. Banner Swap:  One thing that I don’t see happening much on the app sites I visit is banner swaps.  Help out your fellow Real Studio developers and they’ll help you!  Reach out to someone else who has an app and a website/blog and offer to swap banner ads.  You will each benefit from it and it’s a nice way to get some free marketing.

8. Public Relations:  Think outside of the box.... really, really far outside of it!  Sure you could purchase the biggest booth and a full page ad with Mac World, and also put banner ads on every website you can think of, but that comes with a hefty price tag!  Take a different spin on an old concept or think of something new and exciting.  Make a theme song for your app, hand out bumper stickers, or even dress up as your app. 

Create unique shareable content that others with talk about and the viral effect will happen naturally.  If you’re not sure about an idea, feel free to email me:

Happy Marketing!

Thursday, December 6, 2012

Follow up Regarding Password Security

I'd like to follow up on my earlier post about Password Security and what companies can do to keep their users safe. Security Ledger just posted about a computer that can attempt up to 348 billion passwords per second, cracking any 8 character password in as little as 5.5 hours. I'm not talking about a super computer in some university lab, this machine looks like something anyone could build. Meaning any person or organization with a big incentive to crack passwords could build something like this. 

I can't think of a better reason to change your passwords to something long, ideally a sentence made up of many words. Such a passphrase (rather than password) would be quite difficult for even a computer such as this one to crack.

Notice in the article which hashing types can be cracked the fastest. PBKDF2, which will be available in Real Studio 2012 r2, is not specifically mentioned. However, it is almost certainly one of the "slow hash" algorithms that were tested.

Wednesday, December 5, 2012

TabView for iOS

We continue to make progress on supporting iOS development in Real Studio. Last week we focused on the iOS TabView.
The TabView is similar to our current TabPanel control in some ways but there are three important differences:

1. TabView tabs are always along the bottom, whereas in a TabPanel they are along the top. A TabView can include icons or not, though a TabView that doesn't include icons is rare.

2. A TabPanel is a control. A TabView is not. While a TabPanel can be just about any size and positioned just about anywhere on a layout, a TabView must either consume the entire screen (as in the example above) or one portion of a SplitView. The Settings application on iPad is an example of a SplitView. 

3. A TabPanel can contain other controls. A TabView cannot. Well, to be more correct, a TabView can contain other layouts which can contain controls.

This brings up an important difference between how you will build iOS apps compared to how you are used to building desktop and web applications today. Because most of the applications you create will be universal (supporting both iPhone and iPad) you will be creating "views" which are simply layouts of controls (much like container controls today) and then dropping those views onto things like a tab in a TabView. This allows you to easily share these views between your iPhone and iPad user interfaces. Consider, for example, that the Settings app on iPhone only shows you the left side (the list of settings) initially. You then tap a setting to see its details. Those details are a separate view. The two views (list and detail) are shared by both the iPhone and iPad versions of Settings. The only difference is that the iPad version uses a SplitView to display both since there's enough screen space available.

These differences won't change much about how you work. After all, a view is pretty much the same as a container control, a window or a webpage. But as you can see, the TabView is a bit different from the TabPanel control you use on the desktop today.

I'll be blogging with more progress as we continue, stay tuned!

Tuesday, December 4, 2012

Limiting Simultaneous Web App Connections

Ever wanted to limit the number of users that could connect to your site from the same IP address? It's easy to do from the Session class.

1. Create a Shared Property on the Session class: Clients as Dictionary

2. Add a page to your app telling the user that there are too many users connected from their IP address, named TooManyUsers.

3. At the top of the Session.Open event, add the following code:

if clients = nil then clients = new Dictionary
dim addr as string = self.RemoteAddress
clients.value(addr) = clients.Lookup(addr,0) + 1
if clients.Lookup(addr,0) > 2 then
end if

4. In Session.Close:
dim addr as string = self.RemoteAddress
clients.value(addr) = max(0,clients.Lookup(addr,0) - 1)

Now, whenever a new session is created, it will increment the connection count for the IP address it is connecting from. If the number ever goes above 2, the user will be redirected to the TooManyUsers page. 

If you want to be really creative, put a WebTimer on the TooManyUsers page:

Period = 5000 (5 seconds)
Mode = 1 - Single

In the Timer1.Action event, set the code to something like:


This will not only show the user the error, but then after a short period of time, it will redirect them to another page of your choice, freeing up the server connection for another user.

Monday, December 3, 2012

10 Tips to Improve Password Security

In a recent Wired article, Mat Honan, the journalist whose Apple and Amazon account passwords were famously hacked, wrote about how passwords will no longer protect us and that they should be killed off. He made some excellent points about the weaknesses of password security both from the individual and company perspectives. Many people don't bother to use very secure passwords. I had high hopes, from the title of the article, that Mat was going to propose a new solution. He didn't.

Though, as Mat pointed out, it's unlikely anything will replace passwords anytime soon, that doesn't mean systems can't be improved. If you work for a company that has an application with users who log-in, there are steps you can take to improve the security of your users and their passwords. Here are 10 methods we use (or are in the process of implementing) to protect our customers at Real Software.

1. Don't Limit Password Length

The longer a password is, the more time it takes to guess it. Netflix limits the length of passwords to 10 characters! Unbelievable! For reasons I'll get into in tip #8, there is no reason whatsoever to limit the length of a password. 

2. Do Have a Minimum Length

Short passwords are easier to guess so have a minimum length. Our minimum is eight characters.

3. Don't Let the User Include Their User Name in the Password

If the user can choose their user name, they will often choose one that is a combination of their first and last names or initials. Many systems use the user's email address which is essentially public. To prevent the user from simply using this as their password or as most of their password, make sure their user name is not present inside the password they choose.

4. Don't Require Silly Characters

Requiring the user to have numbers or uppercase letters in their password achieves nothing. Length and uniqueness is what matters. Numbers and case result in the user creating passwords they can't remember. If they can't remember them, they write them down which is not good. As you will see in tip #6, there are easy ways to get the user to create a long password.

5. Don't Allow the User to Use a Common Password

It's probably not surprising to you that people often choose the same passwords as other people. 4.7% of people choose "Password" as their password. 9.8% of people use either "123456" or "12345678" as their password. Of the top 10,000 most frequently used passwords, 91% of them are in top 1000. At Real Software, we don't allow users to create a password that is on the top 10,000 list. You can download the top 10,000 list for use in your applications.

6. Suggest a Memorable Sentence

Single words are poor passwords because they are easy to guess and encourage (or at least, don't discourage) the reuse of passwords. Instead, suggest to your users that they create a sentence. Sentences will almost always be longer than any single word. The sentence should be connected to your company or the service or product your company provides. That makes the password easy to remember. Imagine if your Netflix password was "Julia Roberts is the bomb!" That's going to be easy to remember because your brain associates film actresses with films. Spaces can be problematic as the user can accidentally type more than one. However, even if they run the words together, it's still long and memorable. An ideal system would account for spaces allowing one space between words but no spaces at the beginning or end of the sentence.

7. Don't Call Them Passwords

Password implies a single word. But you now know that a sentence is far better. Instead, call it a "Personal Identification Phrase". That will encourage the user to create a series of words. In fact, if you support the use of spaces, you could have a three or four word minimum for the user's PIP.

8. Don't Store the User's Password

One reason a hacker will attempt to break into a system is to gain access to user information. They don't want just one user's password, they want all of them. We know that users use the same passwords with multiple systems, even though we warn against this. Should a hacker break in, you don't want to be providing all of your users passwords to the hacker. There's a couple of things you can do to secure your user's passwords:

First, don't store the user's password at all. Instead, store a hash of the user's password. Hashing is basically one-way encryption. When the user enters their password to log in, you simply create a hash of it and compare it to the hashed version you have stored. If they match, you know that the user entered the same password they entered when they set up their password without storing the password itself.

Second, you need to use a strong hashing function. MD5 is no longer enough. You could use SHA256 but there's one that's even better: PBKDF2. The advantage of PBKDF2 is that it's designed to be slow. In fact, it's about 1000 times slower than SHA256. Hackers take those 10,000 common passwords and hash them then so they can compare them to the hashed passwords they got when they broke in to your system. If you use PBKDF2, it's going to take them 1000 times longer. Real Studio users will be happy to hear that PBKDF2 will be available in Real Studio 2012 R2 due before the end of the year.

Third, do more than just hashing their password, generate a unique number that is added to the password before you hash it. This unique number is called a "salt" and can be stored with the user's account. What does this accomplish? As I mentioned earlier, hackers will have a predefined list of hashed passwords and will compare this list against your user's hashed password. If you add a salt, even if the hacker can see the salt for each user, they will have to re-hash those 10,000 common passwords for every user in your database since each user has a unique salt. That makes the amount of work the hacker has to do far greater. In fact, if you have 100,000 users, the hackers job is 100,000 times harder.

Ideally, you should use a cryptographically-secure random number generator. A typical random function (such as the one built-in to Real Studio) will produce well-documented patterns. We are looking into providing a cryptographically-secure random number generator in a future release of Real Studio. Each time the user changes their password, generate a new, random salt.

Last but not least, don't even store their hashed password with their user account. Instead, store their hashed password-salt combination in a separate table that is not in any way linked to their user account. When the user attempts to log in, simply take what they enter, add their salt, hash it, then query your password database table for that value. If you find it, they have entered a valid password. Should a hacker break in, the only way to determine which passwords go with which users would be to guess each users password correctly, which is unlikely.

To make life even more difficult for the hacker, generate several bogus hashes in this table for each valid one you add. That just makes their job many times more difficult. Here's a more detailed article about this last point.

9. Don't Provide the User with a List of Pre-Defined Security Questions

When setting up an account, many systems ask you to choose a security question they will ask you if you forget your password. The problem with this is that the questions tend to be asking about information that is not that difficult to discover online. They tend to use the same questions as other systems as well making the answers even less secure. Instead, let the user provide the question as well as the answer and encourage them to come up with a question that is unlikely to ever be asked of them or would arouse their suspicion if it were asked.

10. Want to Change Your Password? Sign-in Again

Users will sometimes login to a system then forget to logout. Of course your system should automatically log the user out after several minutes of inactivity. However, someone else nearby could go to the computer when the user is away and change their password and email address (if you allow the user to change these themselves) effectively locking the user out of the system. Instead, when the user wishes to change their email address or password, require that they login again so you are sure they are authorized to do so.

Implementing these 10 suggestions will make your systems far more secure and will reduce the chance you'll be the target of bad press if someone breaks into your system and steals your user data.

Monday, November 26, 2012

Speeding up TextArea modifications under Cocoa

When doing a lot of manipulation to a TextArea's contents under Cocoa, performance can suffer due to the underlying NSTextView doing work on layout and glyph selection. This can be sped up by telling the text view that you're going to begin editing. You can do this by using a few Cocoa Declares.

The Declare statements are relatively simple:

Declare Function documentView Lib "AppKit" Selector "documentView" ( obj As Integer ) As Integer
Declare Function textStorage Lib "AppKit" Selector "textStorage" ( obj As Integer ) As Integer
Declare Sub beginEditing Lib "AppKit" Selector "beginEditing" ( obj As Integer )
Declare Sub endEditing Lib "AppKit" Selector "endEditing" ( obj As Integer )

These Declares give you access to methods for enabling "batch-editing mode" for the underlying NSTextView.

First you want to get the text storage for the document, which is a two-step process. In the first step, you take the TextArea's Handle property (an NSScrollView instance) and ask for its document view:

Dim docView As Integer
docView = documentView(MyTextArea.Handle)

Now you get the NSTextStorage for the NSTextView:

Dim storage As Integer
storage = textStorage(docView)

With the text storage, you can now enable batch-editing mode by calling beginEditing:


Now you can make your significant changes to the TextArea:

For i As Integer = 0 To 5000
  MyTextArea.AppendText("Lorem ipsum dolor sit amet. ")

And when you are finished disable batch-editing mode:


So how much does this improve performance? In my tests, the For loop by itself takes about 4.3 seconds to complete. Using batch-edit mode with these Declares drops it to 0.02 seconds. That's almost instantaneous!

If you find you are going to use these Declare often, you might want to add them to a module as Extension methods so that you can call them more easily, which I'll leave as an exercise for the reader.

Tuesday, November 20, 2012

A Possible Issue Running Console Apps from Real Studio

On OS X 10.8.2 you may run into an OS X bug in how Apple Events are handled.

When you try to run a console application in debug mode using Real Studio on OS X, the IDE sends an Apple Event targeting Terminal to run your debug app inside a terminal window. On 10.8.2 there is a system process that mediates the sending of Apple Events to other processes (such as Terminal).

Unfortunately, sometimes this system process gets "stuck" such that the IDE never gets a reply that the console application was launched. This means you may have to Force Quit the IDE.

Sadly it's unpredictable as to when or if this process will do this.

If you do a Google search for "10.8.2 appleeventsd" you will find this bug in OS X mentioned in a number of places.

You can read about it on a few blogs that have noted this issue: A workaround for AESSendMessage hanging on OS X 10.8.2

This bug has already been sent to Apple:

It's also being discussed on the relevant Apple Developer Forums (Pay attention to the posts by Eskimo1)

Should this problem occur for you, it appears that killing the appleeventsd daemon using Activity Monitor will fix the issue temporarily.

Hopefully this is something that Apple will be able to address in the next update to OS X 10.8.

Gotcha's when porting Visual Basic Code to Real Studio

The other day we got an interesting and initially puzzling bug report from a user who was porting a fairly large project from Visual Basic to Real Studio. Initially the error message didn't seem to make sense to me or Jason in Tech Support.

Our first step was to make up a simple example project. Once we had managed to trim things down to our example project and we could reproduce the error, it all made perfect sense. 

Our example started with a new desktop project, we put two pushbuttons on the default window: PushButton1 and PushButton2. In the action event of Pushbutton1 we put:


In PushButton2's action event we put:

         msgbox "hello world"

Run the project and you will get an error that says:

   This method requires more parameters than were passed

THis is odd since there's no method anywhere called "PushButton2_Action". However, in our example the error tells you precisely where to look:

Window1.PushButton1.Action, line 1, This method requires more parameters than were passed, PushButton2_Action

In Visual Basic you could call the "action" event of a push button just like any other method; and the name was very predictable. The action event was named:


And it may or may not have had parameters that got passed to it. And if you grab a Visual Basic project and port it Real Studio you may still have this kind of code left over.

So how do you find this kind of left over code in ported VB projects? 

I have to admit that in a big project that is going to be a big job. If you know the old code base, you might hunt for control names followed by a _ . So in our sample you might look for "PushButton2_" and then deal with all the items you find since this syntax is unlikely to be valid in Real Studio. Or you might hunt for the "_Action" or other names that were used in VB to call other controls event handlers.

Now that you've found it, what can you do to fix it?

The easiest thing to do is to move the code in the action event handler that was being invoked into a method that can be called from where ever needed. Can you call the event directly? Let's just say that might work but it's unsupported - so don't do it.

In the end, the compiler correctly identified the error but the error message was easy to misunderstand. So when you DO get an error have a VERY close look.

Oh, and leave the VB habits behind :)

Monday, November 19, 2012

Using Web Edition with Google Powered SItes

We’d like to than Wayne Golding for offering the following blog post on his use of Real Studio Web Edition. Wayne found Real Studio when Microsoft announced the end of VB6.  He started out programming in the 80’s implementing accounting/inventory control systems, then moved on to cutting COBOL code (and fixing millennium bugs) in the 90s.  Later he switched to DRNine11 and used Real Studio primarily to develop tools that run on Windows Servers as Services. Now he uses Real Studio Web Edition in nearly 100% of his projects.


Hi All,

Today I’m going to show you how I use Real Studio Web Applications with my Google Sites powered website.  In the image below you can see a typical contact page.  What’s different is that the contact form is actually a Real Studio Web application running on a server in my datacenter.  In this case it’s a Windows server and the Real Studio Web Edition app is running as a service.

So how do I do this?

Well, first I insert a gadget into my web page, then I select More Gadgets and search for iframe.

 And Select it.

I MUST give the URL content which will be HTTP://<yourdomain>/<yourwebapp>.cgi  and links to your Real Studio Web Application.

If you don’t want scroll bars, then set the width & height to match those specified in your Web Application.

I prefer to provide my own title so I untick the Display title on gadget checkbox.

And that’s it! Simple!

With the form shown, I also send the email to myself using Gmail along with logging the message in a MySQL database.

This is all done from within my WE Application, but could be done from any Real Studio application.

First in my Project.App I create a property:

theMailServer As SMTPSecureSocket

In my Project.App.Open I initialise this object

theMailServer = New SMTPSecureSocket
heMailServer.Address = "

theMailServer.Port = 465

theMailServer.Username = <your gmail username>

theMailServer.Password = "<your gmail password>"

theMailServer.ConnectionType = SMTPSecureSocket.SSLv23

theMailServer.Secure = True

It’s important that this is instantiated in the App object as we’ll be using asynchronous communication.

In the Action event of the submit button I will send the message.

Dim msg As New EmailMessage

msg.AddRecipient “<my address>”

msg.subject = Subject.Text

msg.BodyPlainText = Message.Text

App.theMailServer.AppendMessage msg


You’ll note there is no msg.FromAddress as this is replaced by the Username supplied to when logging in. And that’s it folks – a Real Studio Web Application integrated into Google Sites & emailing via Gmail.