.NET interview data organization

1. The difference between WCF and Web Api
Answer: WCF is a one-stop framework for .NET platform development. Web Api was designed and built with only one thing in mind, HTTP, while WCF was designed mainly around SOAP and WS-*. Web Api is very lightweight and cannot compare with WCF in functionality and flexibility. If your service is TCP-based or needs to support more transport mechanisms, WCF is the better choice. However, not all platforms support SOAP and WS-*; when the client does not support these protocols, Web Api is the better choice. WCF is based on the SOAP protocol and its data format is XML; Web Api follows the RESTful standard and supports various data formats, such as XML and JSON. WCF configuration is cumbersome, while Web Api is simple: the code is readable, it is quick to pick up, the interface is more standard and clear, there are no confusing method names, and it focuses only on relatively standard requests such as GET, POST, PUT and DELETE. A Web Api is reached through a URL and can run on different platforms, and it supports MVC features such as routing, controllers, actions, filters, model binding, inversion of control (IoC) or dependency injection (DI), and unit testing.
SOAP: Simple Object Access Protocol, generally based on XML.
Google, Facebook, Baidu, Sina and Tencent all expose their public interfaces as HTTP-based Web APIs.

2. The difference between MVC and Web Api
Answer: MVC is mainly used to build websites, and Web Api is mainly used to build HTTP services. Both are built on top of ASP.NET, mainly by extending HttpModule and HttpHandler. MVC adds a powerful routing mechanism and implements message processing and the mechanism for selecting back-end controller methods through components such as MvcHandler and ControllerFactory, while Web Api implements, on the basis of MVC, a message-processing pipeline that is independent of ASP.NET.
MVC can only run on IIS; Web Api can run on WebHost, ConsoleHost or even Windows services.

3. MVC routing configuration
Answer: Routing rules are ordered from specific to general: narrow rules are written first and broad rules last. Multiple routing rules can be registered, but route names must be unique. Constraints, i.e. regular expressions, can be set on routing rules.
URL construction:
routes.MapRoute(name: "Default", url: "{controller}/{action}/{id}", defaults: new { controller = "home", action = "Index", id = UrlParameter.Optional });
Configure these in RouteConfig.cs

4. The life cycle (operating mechanism) of MVC
Answer: HTTP requests are stateless; the life cycle starts when the client browser sends the request and ends with the response.
Request → UrlRoutingModule (IHttpModule init) → Route Table → RouteHandler (MvcRouteHandler) → MvcHandler (IHttpHandler) → ProcessRequest → Controller (IControllerFactory) → Controller.Execute
→ ActionInvoker → ActionMethod → ActionResult → ActionResult.ExecuteResult → Response

5. Web Api2 HTTP request life cycle
Answer: IIS Hosting → Http Request → HttpServer → HttpRequestMessage → HttpRouteDispatcher → HttpControllerDispatcher → Authorization Filters → Action Filters → View

6. Web Api2 application architecture in detail
Answer: Common applications fall into four categories: PC client programs, APP programs, website programs and H5 programs.
How to confirm that an app is allowed to access the webapi?
Use an AppID to verify the legitimacy of the app's access to the webapi. The AppID is an identifier issued by the server.
We can assign a separate ID to web, app and winform clients, so that both the legitimacy of an access and the channel it came through can be determined.

How to ensure that the app's parameters are correct and have not been tampered with?
The client signs the parameters with the AppSecret that corresponds to its AppID (MD5/SHA, etc.).
The server computes the signature in the same way and checks it against the signature sent by the client.

How to prevent a webapi URL from being intercepted and revisited?
When the client accesses the webapi it attaches a timestamp parameter, and the server verifies the timestamp. For example, only access within 10 minutes is valid.

How to authenticate a user when an operation involves a specific user?
You could access the webapi with the username and psw parameters, but this is very insecure.
Using an authorization token is a good solution. When the user logs in successfully, the server generates an authorization code corresponding to the user's information.
On each access the client sends the token parameter, and the server checks the validity of the token and looks up the user information that corresponds to it.
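
The AppID/AppSecret signature and timestamp checks described above, as an added example that is not code from the original notes. It assumes .NET 6 or later, uses HMAC-SHA256 as the keyed hash (a choice made here; the notes only say "MD5/SHA, etc."), and the parameter names `appid`, `timestamp` and `sign`, the canonical string format and the secret are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example: AppIDs, secrets and parameter names are constructed.
static class SignedRequest
{
    // Server-side table of AppID -> AppSecret (constructed demo value).
    static readonly Dictionary<string, string> Secrets = new()
        { ["web-001"] = "demo-secret-not-for-production" };
    const long WindowSeconds = 600; // "access within 10 minutes is valid"

    // Canonical string: every parameter except "sign", sorted by name.
    static string Canonical(IDictionary<string, string> p) => string.Join("&",
        p.Where(kv => kv.Key != "sign")
         .OrderBy(kv => kv.Key, StringComparer.Ordinal)
         .Select(kv => Uri.EscapeDataString(kv.Key) + "=" + Uri.EscapeDataString(kv.Value)));

    public static string Sign(IDictionary<string, string> p, string secret)
    {
        using var mac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
        return Convert.ToHexString(mac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(p))));
    }

    public static bool Verify(IDictionary<string, string> p, DateTimeOffset now)
    {
        if (!p.TryGetValue("appid", out var id) || !Secrets.TryGetValue(id, out var secret)) return false;
        if (!p.TryGetValue("sign", out var sent)) return false;
        if (!p.TryGetValue("timestamp", out var ts) || !long.TryParse(ts, out var unix)) return false;
        long t = now.ToUnixTimeSeconds();
        if (unix < t - WindowSeconds || unix > t + WindowSeconds) return false; // stale or future-dated
        // Constant-time comparison: do not leak how many characters matched.
        return CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(Sign(p, secret)), Encoding.UTF8.GetBytes(sent));
    }

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        var req = new Dictionary<string, string> { ["appid"] = "web-001", ["orderId"] = "42",
            ["timestamp"] = now.ToUnixTimeSeconds().ToString() };
        req["sign"] = Sign(req, Secrets["web-001"]);
        Console.WriteLine($"untampered request accepted: {Verify(req, now)}");
        Console.WriteLine($"same request 11 minutes later accepted: {Verify(req, now.AddMinutes(11))}");
        req["orderId"] = "43"; // parameter changed after signing
        Console.WriteLine($"tampered request accepted: {Verify(req, now)}");
    }
}
```

The timestamp only narrows the window in which a captured request can be sent again; rejecting a signature that has already been seen inside the window needs a server-side record of recent signatures or nonces, which this example omits.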

7. Differences and connections between MVC, MVP, and MVVM architectural patterns
MVC is a relatively intuitive architectural pattern: user operation -> View (receives user input) -> Controller (business logic processing) -> Model (data persistence) -> View (the result is fed back to the View). MVP replaces the Controller in MVC with a Presenter. The purpose is to completely cut the connection between View and Model: the Presenter acts as a bridge and fully isolates communication between them. If MVP is a further improvement of MVC, then MVVM is a complete change in thinking. Its core idea is two-way data binding, so there is no direct connection between the View and the Model; interaction goes through the ViewModel, and the interaction between the Model and the ViewModel is two-way. A change to the View's data therefore modifies the data source at the same time, and a change in the data source is reflected in the View immediately. Typical applications include .NET's WPF and the JS frameworks Knockout and AngularJS.

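8. A brief introduction to reflection
Reflection in C#: discovering information about an object at run time. With that information you can dynamically invoke the object's methods and read the values stored in its properties.
The EF entity framework is one application of reflection.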

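9. Introduction to EF
Entity Framework is a set of technologies in ADO.NET that supports the development of data-oriented software applications; it is Microsoft's ORM framework.
ORM frameworks include Dapper.NET, NHibernate, EF, IBatis.Net and SubSonic, among others.
Advantages:
1. Concise LINQ to SQL statements greatly improve developer efficiency; there is no need to write complex SQL statements;
2. There is no longer any need to manage how the application connects to the database;
3. The traditional table-driven approach creates the EDM, and the model and data layer code are then generated from the EDM
Database First, Model First, Code First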

10. Differences between MVC2, MVC3, MVC4 and MVC5
Answer: MVC3 requires .NET Framework 4.0 and lets you specify the view engine (WebForm, Razor, etc.).
MVC4 adds Web Api and ASP.NET 4.5; MVC5 adds Web Api 2.0 and ASP.NET 4.5.1.

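11. Closures in JavaScript
If a function accesses variables from outside itself, it is a closure. By accessing those outer variables, a closure keeps them alive.
// Immediately invoked: add is the inner function and counter is private to it
var add = (function () {
    var counter = 0;
    return function () { return counter += 1; };
})();
or
// Factory: each call to add() creates a new, independent counter
var add = function () {
    var counter = 0;
    return function () { return counter += 1; };
};
var add1 = add();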

12. SQL execution order
Answer: from → on → join → where → group by → with → having → select → distinct → order by → top

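13. SQL performance optimization
Answer:
1) Avoid fuzzy queries (like) where possible. Workarounds: turn the search condition into a drop-down list and query directly on the selected value; or select the matching rows into a temporary table first and then do the complex joins against that temporary table.
2) Indexes: avoid operations on indexed columns such as <>, !=, not, is null and is not null; avoid applying functions to indexed columns; do not use null values in indexed columns.
3) For complex update and select statements with multiple levels of nesting, try to split them into several steps, generate some temporary data, and then operate on that.
4) When the same table is updated several times, change it to a single execution (update ATable set name = (select name from BTable where id = ATable.id)).
5) Use union all instead of union; union compares the records returned by each query.
6) In the where clause, avoid computations on indexed columns where possible.
7) In where, avoid having, in, not in and or. exists can be used instead (select * from ATable where exists(select * from BTable where BTable.id = ATable.id)).
8) When indexing, keep numeric types numeric and time types as time types; do not represent numbers or times as strings, otherwise the index becomes ineffective.
9) Don't reach for select * at every turn; it really is silly.
10) When sorting, avoid resource-intensive operations. SQL statements with distinct, union, minus, intersect or order by make the SQL engine invoke the resource-intensive sort (SORT) function; distinct requires one sort, and the others require two.
11) Careful use of temporary tables can greatly improve efficiency (drop table #temp; create table #temp(id int, name nvarchar(50))).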

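14. Properties of transactions
1) Atomicity (either everything succeeds or everything fails); 2) Consistency (additions and subtractions stay in balance); 3) Isolation (for concurrent operations across multiple transactions, the transactions are isolated from each other and do not affect one another); 4) Durability (once a transaction is committed, it is permanent)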

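15. Transaction isolation levels
1) read uncommitted (uncommitted read, dirty read), equivalent to nolock; 2) read committed (committed read, the default level); 3) repeatable read, equivalent to (hold lock); 4) serializable; 5) snapshot; 6) read committed snapshot (committed read isolation)
read uncommitted → read committed → repeatable read → serializable: the isolation level rises step by step. The higher the level, the stricter the locks requested by read operations and the longer the locks are held, so a higher isolation level gives higher consistency and also has a large impact on performance.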

16. Stored procedures and functions in SQL Server
1) Function
-- Inline table-valued function: total sales per product for one store
CREATE FUNCTION Sales.ufn_SalesByStore (@storeid int)
RETURNS TABLE
AS
RETURN
(
    SELECT P.ProductID, P.Name, SUM(SD.LineTotal) AS 'Total'
    FROM Production.Product AS P
    JOIN Sales.SalesOrderDetail AS SD ON SD.ProductID = P.ProductID
    JOIN Sales.SalesOrderHeader AS SH ON SH.SalesOrderID = SD.SalesOrderID
    JOIN Sales.Customer AS C ON SH.CustomerID = C.CustomerID
    WHERE C.StoreID = @storeid
    GROUP BY P.ProductID, P.Name
);
GO

-- Call the function like a table
SELECT * FROM Sales.ufn_SalesByStore (602);
2) Stored procedure
-- The parameters are bound as values, not concatenated into the statement
CREATE PROCEDURE HumanResources.uspGetEmployees
    @LastName nvarchar(50),
    @FirstName nvarchar(50)
AS
    SET NOCOUNT ON;
    SELECT FirstName, LastName, JobTitle, Department
    FROM HumanResources.vEmployeeDepartment
    WHERE FirstName = @FirstName AND LastName = @LastName;
GO

EXEC HumanResources.uspGetEmployees @LastName = N'Ackerman', @FirstName = N'Pilar';

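17. Common functions in SQL Server
1) concat: concatenation; 2) length: returns the length of a string; 3) lower: converts to lowercase; 4) upper; 5) ltrim: trims the left side of a string
6) substr: extracts part of a string; 7) replace: replaces a string; 8)
Aggregate functions, configuration functions, conversion functions, cryptographic functions, cursor functions, date and time functions, mathematical functions, metadata functions, ranking functions, rowset functions, security functions, string functions, system functions, text and image functions, etc. 9) sum, count, max, min, avg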

18. Common SQL
1) Common keywords: create and drop (delete), which apply to database, table, view and index
2) Modify a column: alter table tablename add column col type
3) Basic SQL statements
3.1) Select: select * from tablename where <range>
3.2) Insert: insert into tablename(col1,col2) values('col1','col2')
3.3) Delete: delete from tablename where <range>
3.4) Update: update tablename set col1='col1',col2='col2'

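19. Common web security vulnerabilities
1) Attacks
1.1) SQL, HTML, JS and OS command injection
1.2) XSS (CSS) cross-site scripting: abuses the trust of the site's users by inserting malicious script code into web pages
1.3) CSRF cross-site request forgery
1.4) Directory traversal
1.5) Parameter tampering
1.6) Session hijacking
2) Summary of defensive measures
2.1) Run thorough security checks or filtering on all user input, paying particular attention to SQL or XSS special characters (validation is needed on both the server and the client).
2.2) Do not use database connections with administrator privileges, and do not build SQL by dynamic string concatenation.
2.3) Encrypt confidential information; plaintext must not be used.
2.4) Verify the user's legitimacy every time a page loads.
2.5) After login, encrypt sensitive information held in the session, avoid storing sensitive information in persistent cookies, and mark important cookies as HttpOnly.
2.6) Use SSL and the POST method when sending sensitive information. Use newer web HTTP security protocols where possible.
2.7) Do not throw detailed exception information directly to the user; return a friendly error page so that users do not see sensitive information.
2.8) Place a firewall at the interface between the server and the network to block scanning and probing of the server by outside users.
2.9) Restrict access to the site's admin back end, e.g. forbid access to the back end from public IPs and forbid staff from using weak passwords.
2.10) Restrict access to sensitive pages or directories.
2.11) Run vulnerability scanning software before the project is released, such as IBM AppScan or UnisWebScanner.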

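20. Cookie and session
Because HTTP is a stateless protocol, for the server to remember a user's login state it needs some mechanism to identify the specific user; that mechanism is the session.
How does the server identify a particular user? This is where the cookie comes in: on every HTTP request the client sends the corresponding cookie information to the server.
When a session is first created, the server tells the client over HTTP that it needs to record a session ID in a cookie; on every later request the client sends this
session ID to the server, and the server knows who it is.
A session is a data structure kept on the server side to track user state; this data can be stored in a cluster, a database or files.
A cookie is a client-side mechanism for storing user information; it records some information about the user and is also one way of implementing sessions.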
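
The session mechanism of item 20 together with the cookie advice in measure 2.5 of item 19, as an added example that is not code from the original notes. It assumes .NET 6 or later with nullable reference types enabled; the cookie name `sid`, the 20-minute lifetime, the in-memory store and the user name are constructed for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

// Added example: cookie name, lifetime and user name are constructed.
static class SessionDemo
{
    record Session(string User, DateTimeOffset Expires);
    static readonly ConcurrentDictionary<string, Session> Store = new();
    static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(20);

    // After a successful login: keep the state on the server and return the
    // Set-Cookie header value, which carries only a random session ID.
    public static string Issue(string user, DateTimeOffset now)
    {
        string id = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)); // 128-bit CSPRNG value
        Store[id] = new Session(user, now + Lifetime);
        // No Expires/Max-Age, so the browser treats it as a non-persistent cookie.
        return $"sid={id}; Path=/; HttpOnly; Secure; SameSite=Lax";
    }

    // On every request: map the Cookie header back to a user, or null.
    public static string? Resolve(string? cookieHeader, DateTimeOffset now)
    {
        foreach (var part in (cookieHeader ?? "").Split(';', StringSplitOptions.TrimEntries))
        {
            if (!part.StartsWith("sid=", StringComparison.Ordinal)) continue;
            string id = part.Substring(4);
            if (!Store.TryGetValue(id, out var s)) return null;                 // unknown ID
            if (s.Expires <= now) { Store.TryRemove(id, out _); return null; } // expired
            return s.User;
        }
        return null;
    }

    static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        string setCookie = Issue("alice", now);
        Console.WriteLine("Set-Cookie: " + setCookie);
        string cookie = setCookie.Split(';')[0]; // the name=value pair the browser sends back
        Console.WriteLine($"user within lifetime: {Resolve(cookie, now.AddMinutes(5))}");
        Console.WriteLine($"user after expiry: {Resolve(cookie, now.AddMinutes(30)) ?? "(none)"}");
        Console.WriteLine($"user for unknown id: {Resolve("sid=00", now) ?? "(none)"}");
    }
}
```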

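21. Common HTTP status codes
200: The request was processed normally
204: The request was accepted but there is no resource to return
206: Part of the request
301: Permanent redirect
400: The request message has a syntax error and the server cannot understand it
401: The request requires authentication
403: Access to the requested resource is forbidden
404: The server cannot find the requested resource
500: Internal server error
503: The server is busy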

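22. Solutions for cross-origin access on the web
JavaScript has an important security restriction called the "Same-Origin Policy": JavaScript can only access content under the same domain name as the document that contains it.
Cross-origin techniques:
1) JSONP
How it works: JS scripts, CSS style files and images are the three kinds of resources that may come from a different origin than the page itself. JSONP relies on the src attribute of script not being restricted in order to make
cross-origin requests: a <script> tag is added dynamically. These are, of course, all GET requests.
2) CORS policy
Requires the server to support CORS, which is done by setting Access-Control-Allow-Origin.
3) document.domain + iframe
Only works when the main domain is the same
4) HTML5 postMessage
Used in IE
5) Using window.name for cross-origin communication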
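
How a server can choose the Access-Control-Allow-Origin value mentioned under 2), shown as an added example that is not code from the original notes: a suffix check beside an exact allowlist match. It assumes .NET 6 or later with nullable reference types enabled; the origins and helper names are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;

// Added example: origins and helper names are constructed for illustration.
static class CorsPolicy
{
    static readonly HashSet<string> Allowed = new(StringComparer.Ordinal)
        { "https://app.example.com", "https://admin.example.com:8443" };

    // Weak check: suffix matching also accepts look-alike registrations
    // and ignores the scheme.
    public static bool WeakMatch(string origin) =>
        origin.EndsWith("example.com", StringComparison.OrdinalIgnoreCase);

    // Strict check: parse the Origin header, rebuild scheme://host[:port]
    // and require an exact entry in the allowlist.
    public static string? StrictMatch(string? origin)
    {
        if (!Uri.TryCreate(origin, UriKind.Absolute, out var u)) return null;
        string normalized = u.GetLeftPart(UriPartial.Authority); // host lower-cased, default port dropped
        return Allowed.Contains(normalized) ? normalized : null;
    }

    // Headers the API adds to a response for a given request Origin.
    public static Dictionary<string, string> Headers(string? origin)
    {
        var h = new Dictionary<string, string> { ["Vary"] = "Origin" }; // caches must key on Origin
        if (StrictMatch(origin) is string ok)
            h["Access-Control-Allow-Origin"] = ok; // the single matched origin, not "*"
        return h;
    }

    static void Main()
    {
        foreach (var o in new[] { "https://app.example.com", "https://APP.example.com:443",
                                  "http://app.example.com", "https://notexample.com" })
        {
            bool sent = Headers(o).ContainsKey("Access-Control-Allow-Origin");
            Console.WriteLine($"{o}: weak={WeakMatch(o)} strict header sent={sent}");
        }
    }
}
```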
