
Re: [PBML] Explore Perl by an example

  • Dieter Werner
    Message 1 of 17 , Mar 22, 2004
      LOL

      No Randal - I'm not 'very proud' about this script ...
      because it is just a rewrite of the well known 'EveryAuction'
      http://www.everysoft.com
      but I thought that a script like this could be a starting point for
      beginners!

      Newbies don't start programming perl by using packages and/or objects.
      I'm very sure that the use of packages and/or objects is 'overcoded'
      in case of a simple program like this.

      As for the 'eval' ...
      show me one case on which 'arbitrary code' could be executed on the
      server.

      In short, Randal
      writing a bad criticism about a program you are very fast (and very
      brutal); maybe you are too fast (and too brutal)?
      You should keep in mind that you are a member of a 'Perl-Beginners-
      Group'!!

      No hard feelings, please, but I think your contribution was a bit too
      much 'overdressed'.

      Greetings from Germany
      Dieter Werner


      --- In perl-beginner@yahoogroups.com, merlyn@s... wrote:
      > >>>>> "Dieter" == Dieter Werner <hdw@i...> writes:
      >
      > Dieter> Hi folks,
      > Dieter> I did a Perl-Script just as an example for beginners.
      > Dieter> It's an auction script and you can download it from
      > Dieter> http://www.hotscripts.com/Detailed/29187.html
      >
      > While you're probably very proud about this script, and have spent
      > countless hours fine tuning it, let me say initially that I was
      > shocked back into the mid-90's as I was glancing through the
      > distribution.
      >
      > Folks, this is a single 5000-line script with:
      >
      > - no use of packages
      > - no use of objects
      > - no reuse of available modules from the CPAN
      > - the most important of which is: no "use CGI" on a CGI script!
      > - apparently duplicated or repetitious code
      > - lots of global variables (hiding a lot of hash elements in one
      global)
      > - local instead of my
      > - setting its own srand() instead of relying on modern perl to do
      that
      > - a few scary "eval string" forms that look like they might be
      coaxed
      > into being a huge security hole, running arbitrary code on the
      server
      > - very little use of references
      >
      > In short, Dieter, you're about 10 years behind the curve. I was
      > hoping we'd gotten rid of most of the bad code with Matt Wright
      > himself pointed at nms-cgi.sf.net to replace his
      > awful-but-well-publicized code.
      >
      > To the rest of you, please don't use this code.
      >
      > To dieter: before attempting a 5000-line script, please be sure
      you've
      > both read and *understood* my two tutorial books:
      >
      > Learning Perl
      > Learning Perl Objects References and Modules
      >
      > And stop learning Perl by staring at code from the mid-90s. :)
      >
      > --
      > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503
      777 0095
      > <merlyn@s...> <URL:http://www.stonehenge.com/merlyn/>
      > Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
      > See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl
      training!
    • Charles K. Clarkson
      Message 2 of 17 , Mar 22, 2004
        Dieter Werner <hdw@...> wrote:
        :
        : Charles - why do you do that?

        Why do I do what? Be specific or comment under the
        relevant passage.


        : Am I a member of a insulting-group?

        You proposed a CGI script from which new perl programmers
        should take as an example of (we assume) good perl programming.
        Yet the code has this example of very poor perl programming.

        sub get_form_data {
            my ($data, @data);
            local $_;

            (lc $ENV{'REQUEST_METHOD'} eq 'post' and !$ENV{'QUERY_STRING'})
              ? do {
                  binmode STDIN;
                  read STDIN, $data, $ENV{'CONTENT_LENGTH'};

                  $data =~ /Content-Disposition/i && do {
                      $form{'error'} = get_data(\$data);
                      undef $data;
                  };
              }
              : $ENV{'QUERY_STRING'} && ($data = $ENV{'QUERY_STRING'});

            $data && do {
                foreach (split /\&/o, $data) {
                    s/%([0-9a-fA-F]{2})/pack("c",hex($1))/ge;
                    s/[\r\n]//og;
                    @data= split /\=/o, $_, 2;
                    $data[1] =~ s/\+/ /og;
                    $form{$data[0]} = $data[1];
                    @data = ();
                }
            };

            $form{'action'} = 'nodata' unless exists $form{'action'};
            $form{'lang'} = $config{'lang'} unless exists $form{'lang'};
            translate($form{'lang'});
        }

        Randal has every right to dissuade new programmers from using
        this code as a basis for good programming. In fact, as a Perl role
        model, it is probably his duty to do so. I applaud him for swiftly
        including a condemnation of your script.

        That you believe this is acceptable, shows you had no business
        posting this as an example to new perl coders. You should have
        asked for a code review prior to posting the code. No one is insulting
        you, Dieter, but your code is *not* a good example for beginners.



        Charles K. Clarkson
        --
        Mobile Homes Specialist
        254 968-8328
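A hardened counterpart to the subroutine Charles quotes, added here as an illustration; it is not code from the thread, from the auction script, or from any project. It keeps the %form and %config names from the quoted code, assumes CGI.pm is installed, and invents a default language and two allowlists for the sake of the example. One concrete defect it avoids: the quoted parser decodes %XX escapes before translating '+' to space, so a submitted '%2B' (an encoded plus sign) is silently turned into a space; CGI.pm decodes in the correct order.

```perl
#!/usr/bin/perl -T
# Added example (not the thread's or the auction script's code): reading form
# data with CGI.pm under strict, warnings and taint mode, then untainting only
# values that match an allowlist. %form/%config follow the quoted subroutine.
use strict;
use warnings;
use CGI;

our (%form, %config);
$config{'lang'} = 'en';    # assumed default; stands in for the script's config

my $q = CGI->new;          # handles GET, POST, multipart and percent-decoding

# Same job as the quoted get_form_data: fill %form from the request and apply
# the two defaults. No hand-written URL decoding, no STDIN handling.
sub get_form_data {
    %form = ();
    for my $name ($q->param) {
        # scalar context: a repeated field yields its first value only, instead
        # of a list that might land in an unexpected hash slot
        $form{$name} = scalar $q->param($name);
    }
    $form{'action'} = 'nodata'        unless defined $form{'action'};
    $form{'lang'}   = $config{'lang'} unless defined $form{'lang'};
    return \%form;
}

# Under -T every request value is tainted and cannot reach open(), system()
# or similar until it passes through a regex capture. Only a short token
# that is also a key of the allowlist gets through.
sub untaint_token {
    my ($value, $allowed) = @_;
    return unless defined $value;
    my ($clean) = $value =~ /\A([A-Za-z0-9_-]{1,32})\z/ or return;
    return exists $allowed->{$clean} ? $clean : undef;
}

# Constructed allowlists for the example; a real script lists its own actions.
my %known_action = map { $_ => 1 } qw(nodata list view bid);
my %known_lang   = map { $_ => 1 } qw(en de);

my $form   = get_form_data();
my $action = untaint_token($form->{'action'}, \%known_action) // 'nodata';
my $lang   = untaint_token($form->{'lang'},   \%known_lang)   // $config{'lang'};

print $q->header(-type => 'text/plain');
print "action=$action lang=$lang\n";
```

Outside a web server CGI.pm runs in its offline mode and accepts name=value pairs on the command line, so `perl -T form.cgi action=view lang=de` exercises the whole path; a value such as `action=../etc` never reaches $action because it fails both the pattern and the allowlist and falls back to 'nodata'. The `//` operator needs Perl 5.10 or later.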
      • merlyn@stonehenge.com
        Message 3 of 17 , Mar 22, 2004
          >>>>> "Dieter" == Dieter Werner <hdw@...> writes:

          Dieter> No Randal - I'm not 'very proud' about this script ...
          Dieter> because it is just a rewrite of the well known 'EveryAuction'
          Dieter> http://www.everysoft.com

          Even more a reason to give it a timely death. Almost everything
          written in the mid-90's during the dot-com boom and Perl4 heyday is
          worthless these days. Stop trying to breathe life into a dead
          horse.

          Dieter> but I thought that a script like this could be a starting point for
          Dieter> beginners!

          No, it's not a good example.

          Dieter> Newbies don't start programming perl by using packages and/or objects.

          Newbies shouldn't start by writing 5000 line scripts either. Newbies
          *often* start with my "Learning Perl" book, which only glances on
          Packages and Objects, and instead focuses on what you need to know
          for 1-100 line scripts. For scripts greater than 100 lines, "Learning
          Perl Objects References and Modules" does indeed introduce Packages
          (in the first chapter) and Objects (in the fifth or sixth chapter).

          Dieter> I'm very sure that the use of packages and/or objects is 'overcoded'
          Dieter> in case of a simple program like this.

          Absolutely disagree here. You have no testing code either, and I
          forgot to mention that. It's crazy in this day-and-age to write 5000
          lines of code without having something that tests the subroutines and
          modules and object interfaces. How would anyone ever *maintain* that
          code?

          Dieter> As for the 'eval' ...
          Dieter> show me one case on which 'arbitrary code' could be executed on the
          Dieter> server.

          Why would there be *any* eval-string in this program? Sure,
          eval-block for catch-throw exception handling. But *every* appearance
          of eval-string is suspect. I threw away the code, so I can't point
          out the specific places, but it's stuff like this:

          eval $data_taken_from_a_form_field

          that is INCREDIBLY suspect. Even if the form data is provided from a
          pop-up menu or a hidden field, it can still be altered client-side,
          making it imperative to check that data before it gets used. I saw
          none of that.

          Just grep through that program, noting every use of eval that is not
          immediately followed by an open brace. EVERY ONE OF THOSE is an
          eval-string. Even *one* in this program would be too many.

          Please, there is lots of literature on Perl CGI security. Don't make
          me retype it all here. In fact, you have a responsibility as someone
          providing examples to newbies to have *already* *studied* such
          literature. Again, I think you're falling short here.

          Even worse, suppose a server got 0wn3d by running your code. Do you
          have enough lawyers to defend yourself in court? Are you prepared to
          do so? In fact, now that I've pointed out the potential security hole
          to you, you can no longer claim neglect. You are now liable for
          knowingly providing bad code. I suggest you remove your program
          immediately to prevent further tort exposure, especially since our
          correspondence here is a matter of public record now.

          Dieter> In short, Randal
          Dieter> writing a bad criticism about a program you are very fast (and very
          Dieter> brutal); maybe you are too fast (and too brutal)?
          Dieter> You should keep in mind that you are a member of a 'Perl-Beginners-
          Dieter> Group'!!

          Not according to the other respondents. I do believe you are in the
          minority here, not that being in the majority matters to me at all.

          Dieter> No hard feelings, please, but I think your contribution was a bit too
          Dieter> much 'overdressed'.

          No hard feelings either, but I think you should stay away from
          providing bad examples for beginners. Apparently, you are unable to
          self-censor. And by your followup, it's clear that you think you know
          more than you actually do, which also scares me a bit.

          --
          Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
          <merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
          Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
          See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
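The two eval shapes Randal distinguishes, side by side, as an added example that is not code from the thread or from the auction script. The 'action' field, the do_* handlers and the sample source text are all constructed for the illustration; the grep rule (eval not followed by an open brace) is the one Randal describes, turned into a small scanner.

```perl
use strict;
use warnings;

# Added example, not from the thread or the auction script. Contrasts the
# eval-string pattern with a dispatch table plus eval-BLOCK, and scans source
# text for eval-string candidates the way Randal suggests doing with grep.

# The suspect shape: a request field becomes part of the source text handed
# to eval. Whatever the client sends is compiled and run as Perl, and there
# is no list of permitted actions anywhere in the code.
sub run_action_unsafe {
    my ($action) = @_;
    return eval "do_$action()";   # shown only to name the pattern; never do this
}

sub do_list { return 'listing items' }
sub do_view { return 'viewing item' }

# The safe shape: a hash from permitted action names to code references.
# A value that is not a key simply is not in the table; nothing is compiled
# at run time, so the client cannot reach code the table does not expose.
my %dispatch = (
    list => \&do_list,
    view => \&do_view,
);

sub run_action {
    my ($action) = @_;
    my $handler = defined $action ? $dispatch{$action} : undef;
    return 'unknown action' unless $handler;
    # eval-BLOCK: catches a die() from the handler; this is the legitimate
    # catch-throw use of eval and compiles nothing from the request
    my $result = eval { $handler->() };
    return "action failed: $@" if $@;   # log it; do not echo $@ to the browser
    return $result;
}

# Scanner for eval-string candidates: 'eval' as a word, optionally followed
# by whitespace, then anything other than '{'. Returns the matching line
# numbers of the given source text.
sub find_eval_strings {
    my ($source) = @_;
    my @hits;
    my $line = 0;
    for (split /\n/, $source) {
        $line++;
        push @hits, $line if /\beval\b\s*(?!\{)\S/;
    }
    return @hits;
}

# Constructed sample source: line 1 is an eval-BLOCK and is not reported,
# lines 2 and 3 are eval-strings and are.
my $sample = <<'END';
my $ok = eval { risky() };
eval $data_from_form;
eval("print 1");
END

print run_action('list'), "\n";
print run_action('system'), "\n";
print "eval-string candidates on lines: ", join(',', find_eval_strings($sample)), "\n";
```

Run as `perl dispatch.pl`: the dispatch table serves 'list', refuses 'system' with 'unknown action', and the scanner reports lines 2 and 3 of the sample while leaving the eval-BLOCK on line 1 alone. The same regex in `grep -nP '\beval\b\s*(?!\{)\S' script.pl` does the audit Randal asks for across a whole file.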
        • Fortuno, Adam
          Message 4 of 17 , Mar 22, 2004
            Dieter,

            As a beginner, I appreciate your point:

            # Newbies don't start programming perl by using packages and/or objects.
            # I'm very sure that the use of packages and/or objects is 'overcoded'
            # in case of a simple program like this

            In spoken English, most children don't use proper grammar, but it doesn't
            mean we give our children books written in improper English. New users
            especially need to be exposed to good coding practices, which (as Randal and
            Charles noted) are lacking in the script you suggested.

            Randal was horribly brutal! Give a thought to what you did. You came to a
            new user forum and said, "Hey! Here is this code I wrote. Go ahead and use
            it." Problem is it's in poor form. Perhaps if you want to do this again
            supply the code and ask for feedback.

            As a beginner, I always think twice before providing a suggestion because of
            a note where Randal put his foot in my a$$. The lesson learned is if you're
            going to give bad advice don't give it. If you're going to promote poor
            code, don't promote it.

            Regards,
            Adam

            -----Original Message-----
            From: Dieter Werner [mailto:hdw@...]
            Sent: Monday, March 22, 2004 12:40 PM
            To: perl-beginner@yahoogroups.com
            Subject: Re: [PBML] Explore Perl by an example


            LOL

            No Randal - I'm not 'very proud' about this script ...
            because it is just a rewrite of the well known 'EveryAuction'
            http://www.everysoft.com
            but I thought that a script like this could be a starting point for
            beginners!

            Newbies don't start programming perl by using packages and/or objects.
            I'm very sure that the use of packages and/or objects is 'overcoded'
            in case of a simple program like this.

            As for the 'eval' ...
            show me one case on which 'arbitrary code' could be executed on the
            server.

            In short, Randal
            writing a bad criticism about a program you are very fast (and very
            brutal); maybe you are too fast (and too brutal)?
            You should keep in mind that you are a member of a 'Perl-Beginners-
            Group'!!

            No hard feelings, please, but I think your contribution was a bit too
            much 'overdressed'.

            Greetings from Germany
            Dieter Werner


            --- In perl-beginner@yahoogroups.com, merlyn@s... wrote:
            > >>>>> "Dieter" == Dieter Werner <hdw@i...> writes:
            >
            > Dieter> Hi folks,
            > Dieter> I did a Perl-Script just as an example for beginners.
            > Dieter> It's an auction script and you can download it from
            > Dieter> http://www.hotscripts.com/Detailed/29187.html
            >
            > While you're probably very proud about this script, and have spent
            > countless hours fine tuning it, let me say initially that I was
            > shocked back into the mid-90's as I was glancing through the
            > distribution.
            >
            > Folks, this is a single 5000-line script with:
            >
            > - no use of packages
            > - no use of objects
            > - no reuse of available modules from the CPAN
            > - the most important of which is: no "use CGI" on a CGI script!
            > - apparently duplicated or repetitious code
            > - lots of global variables (hiding a lot of hash elements in one
            global)
            > - local instead of my
            > - setting its own srand() instead of relying on modern perl to do
            that
            > - a few scary "eval string" forms that look like they might be
            coaxed
            > into being a huge security hole, running arbitrary code on the
            server
            > - very little use of references
            >
            > In short, Dieter, you're about 10 years behind the curve. I was
            > hoping we'd gotten rid of most of the bad code with Matt Wright
            > himself pointed at nms-cgi.sf.net to replace his
            > awful-but-well-publicized code.
            >
            > To the rest of you, please don't use this code.
            >
            > To dieter: before attempting a 5000-line script, please be sure
            you've
            > both read and *understood* my two tutorial books:
            >
            > Learning Perl
            > Learning Perl Objects References and Modules
            >
            > And stop learning Perl by staring at code from the mid-90s. :)
            >
            > --
            > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503
            777 0095
            > <merlyn@s...> <URL:http://www.stonehenge.com/merlyn/>
            > Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
            > See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl
            training!



          • franki
            Message 5 of 17 , Mar 22, 2004
              Yup,

              The first thing I learned from being on this list...

              If a script won't run with 'use strict;' on..
              then you should fix it.

              second thing, if a CGI script is on the net.. and it can't use taint mode,
              then you should fix it. (in fact I make any perl script I use, CGI or
              otherwise run
              in taint mode.)

              third thing.. never trust anything provided by a user.. anything at all..

              fourth thing, if it can't run with "warnings" and "diagnostics" turned on
              without filling up your error log.
              then you should fix it, or not show anyone. :-)

              I owe this list heaps, it's the reason my servers don't have a bunch of
              users on them that I've never heard of.
              I was already paranoid, this list just gave me a couple more reasons as
              to "why".

              rgds

              Franki




              merlyn@... wrote:

              >>>>>>"Dieter" == Dieter Werner <hdw@...> writes:
              >
              >
              > Dieter> No Randal - I'm not 'very proud' about this script ...
              > Dieter> because it is just a rewrite of the well known 'EveryAuction'
              > Dieter> http://www.everysoft.com
              >
              > Even more a reason to give it a timely death. Almost everything
              > written in the mid-90's during the dot-com boom and Perl4 heyday is
              > worthless these days. Stop trying to breathe life into a dead
              > horse.
              >
              > Dieter> but I thought that a script like this could be a starting point for
              > Dieter> beginners!
              >
              > No, it's not a good example.
              >
              > Dieter> Newbies don't start programming perl by using packages and/or objects.
              >
              > Newbies shouldn't start by writing 5000 line scripts either. Newbies
              > *often* start with my "Learning Perl" book, which only glances on
              > Packages and Objects, and instead focuses on what you need to know
              > for 1-100 line scripts. For scripts greater than 100 lines, "Learning
              > Perl Objects References and Modules" does indeed introduce Packages
              > (in the first chapter) and Objects (in the fifth or sixth chapter).
              >
              > Dieter> I'm very sure that the use of packages and/or objects is 'overcoded'
              > Dieter> in case of a simple program like this.
              >
              > Absolutely disagree here. You have no testing code either, and I
              > forgot to mention that. It's crazy in this day-and-age to write 5000
              > lines of code without having something that tests the subroutines and
              > modules and object interfaces. How would anyone ever *maintain* that
              > code?
              >
              > Dieter> As for the 'eval' ...
              > Dieter> show me one case on which 'arbitrary code' could be executed on the
              > Dieter> server.
              >
              > Why would there be *any* eval-string in this program? Sure,
              > eval-block for catch-throw exception handling. But *every* appearance
              > of eval-string is suspect. I threw away the code, so I can't point
              > out the specific places, but it's stuff like this:
              >
              > eval $data_taken_from_a_form_field
              >
              > that is INCREDIBLY suspect. Even if the form data is provided from a
              > pop-up menu or a hidden field, it can still be altered client-side,
              > making it imperative to check that data before it gets used. I saw
              > none of that.
              >
              > Just grep through that program, noting every use of eval that is not
              > immediately followed by an open brace. EVERY ONE OF THOSE is an
              > eval-string. Even *one* in this program would be too many.
              >
              > Please, there is lots of literature on Perl CGI security. Don't make
              > me retype it all here. In fact, you have a responsibility as someone
              > providing examples to newbies to have *already* *studied* such
              > literature. Again, I think you're falling short here.
              >
              > Even worse, suppose a server got 0wn3d by running your code. Do you
              > have enough lawyers to defend yourself in court? Are you prepared to
              > do so? In fact, now that I've pointed out the potential security hole
              > to you, you can no longer claim neglect. You are now liable for
              > knowingly providing bad code. I suggest you remove your program
              > immediately to prevent further tort exposure, especially since our
              > correspondence here is a matter of public record now.
              >
              > Dieter> In short, Randal
              > Dieter> writing a bad criticism about a program you are very fast (and very
              > Dieter> brutal); maybe you are too fast (and too brutal)?
              > Dieter> You should keep in mind that you are a member of a 'Perl-Beginners-
              > Dieter> Group'!!
              >
              > Not according to the other respondents. I do believe you are in the
              > minority here, not that being in the majority matters to me at all.
              >
              > Dieter> No hard feelings, please, but I think your contribution was a bit too
              > Dieter> much 'overdressed'.
              >
              > No hard feelings either, but I think you should stay away from
              > providing bad examples for beginners. Apparently, you are unable to
              > self-censor. And by your followup, it's clear that you think you know
              > more than you actually do, which also scares me a bit.
              >


              --
              rgds


              Frank Hauptle (aka Franki)

              For free scripts, online webmaster tools, HTML, XHTML, Perl & PHP
              tutorials and stuff, visit:
              http://htmlfixit.com Free web developer resources.

              Please sign our petition to encourage notebook manufacturers to offer
              video card upgrades just like desktops.
              http://www.petitiononline.com/inspiron/petition.html
            • merlyn@stonehenge.com
              Message 6 of 17 , Mar 22, 2004
                >>>>> "Brad" == Brad Lhotsky <brad@...> writes:

                Brad> Next time, do one of two things. Ask this list to review your
                Brad> code, or checkout the code-review-ladder mailing list which is
                Brad> dedicated to this kind of thing.

                Also note that I have stated many times publicly that I am willing to
                give *any* code a once-over before public posting, free of charge,
                time-permitting. That bulleted list would have come back to Dieter in
                private, instead of being associated with his name in a googleable
                sorta way for the rest of his life.

                I encourage both of:

                - posting code for review
                - posting code for beginners to emulate

                Just not at the same time, please. :)

                --
                Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
                <merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
                Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
                See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
              • Brad Lhotsky
                Message 7 of 17 , Mar 22, 2004
                  Beginners may not start by using packages and objects, but that is a
                  very big problem. There is NO reason to encourage people to copy and
                  paste the query string/post field code that you've included as part of
                  this script. Additionally, 5000 lines is not a starting point for a
                  beginner.

                  Randal's comments are not overdressed. The whole reason he's on this
                  list is to encourage new perl programmers to do the right thing. The
                  code that you've submitted is insecure, unmaintainable, and sits in
                  direct opposition to the methods Perl's own documentation suggests
                  coding.

                  We want new perl programmers to feel welcome here, and we do a lot to
                  encourage the proper use of the language. We are insulted that you
                  would submit this on the grounds that it doesn't "use CGI" alone. We've
                  been trying to establish 'use strict;' and 'use CGI;' as a starting
                  point for all beginners and are continually undermined by the
                  propagation of this subroutine that WILL NOT DIE.

                  Again, we're not upset that you coded this. That's fine, you've gotten
                  a lot of feedback about how to fix things. What bothers us is that you
                  submitted this as a beginner's tutorial and someone may actually begin
                  programming using something like this. What's worse, one of us might
                  work with that person now, or be forced to maintain their code at some
                  point in the future. I've had to maintain the perl of some very
                  brilliant people that looked very similar to this, and bottom line, it
                  was a complete nightmare. Please, before you post something as a
                  "beginner's guide to perl" make sure you've at least read the
                  documentation that's provided with the language and maybe even follow
                  the community or research the mailing list you post to.

                  We'll always be here to help anyone who asks.

                  Next time, do one of two things. Ask this list to review your code, or
                  check out the code-review-ladder mailing list which is dedicated to this
                  kind of thing.

                  Check out perldoc perl, perldoc perlstyle, perldoc perlvar, perldoc CGI
                  for more interesting things.

                  On Mon, Mar 22, 2004 at 05:40:10PM -0000, Dieter Werner wrote:

                  > LOL
                  >
                  > No Randal - I'm not 'very proud' about this script ...
                  > because it is just a rewrite of the well known 'EveryAuction'
                  > http://www.everysoft.com
                  > but I thought that a script like this could be a starting point for
                  > beginners!
                  >
                  > Newbies don't start programming perl by using packages and/or objects.
                  > I'm very sure that the use of packages and/or objects is 'overcoded'
                  > in case of a simple program like this.
                  >
                  > As for the 'eval' ...
                  > show me one case on which 'arbitrary code' could be executed on the
                  > server.
                  >
                  > In short, Randal
                  > writing a bad criticism about a program you are very fast (and very
                  > brutal); maybe you are too fast (and too brutal)?
                  > You should keep in mind that you are a member of a 'Perl-Beginners-
                  > Group'!!
                  >
                  > No hard feelings, please, but I think your contribution was a bit too
                  > much 'overdressed'.
                  >
                  > Greetings from Germany
                  > Dieter Werner
                  >
                  >
                  > --- In perl-beginner@yahoogroups.com, merlyn@s... wrote:
                  > > >>>>> "Dieter" == Dieter Werner <hdw@i...> writes:
                  > >
                  > > Dieter> Hi folks,
                  > > Dieter> I did a Perl-Script just as an example for beginners.
                  > > Dieter> It's an auction script and you can download it from
                  > > Dieter> http://www.hotscripts.com/Detailed/29187.html
                  > >
                  > > While you're probably very proud about this script, and have spent
                  > > countless hours fine tuning it, let me say initially that I was
                  > > shocked back into the mid-90's as I was glancing through the
                  > > distribution.
                  > >
                  > > Folks, this is a single 5000-line script with:
                  > >
                  > > - no use of packages
                  > > - no use of objects
                  > > - no reuse of available modules from the CPAN
                  > > - the most important of which is: no "use CGI" on a CGI script!
                  > > - apparently duplicated or repetitious code
                  > > - lots of global variables (hiding a lot of hash elements in one
                  > global)
                  > > - local instead of my
                  > > - setting its own srand() instead of relying on modern perl to do
                  > that
                  > > - a few scary "eval string" forms that look like they might be
                  > coaxed
                  > > into being a huge security hole, running arbitrary code on the
                  > server
                  > > - very little use of references
                  > >
                  > > In short, Dieter, you're about 10 years behind the curve. I was
                  > > hoping we'd gotten rid of most of the bad code with Matt Wright
                  > > himself pointed at nms-cgi.sf.net to replace his
                  > > awful-but-well-publicized code.
                  > >
                  > > To the rest of you, please don't use this code.
                  > >
                  > > To dieter: before attempting a 5000-line script, please be sure
                  > you've
                  > > both read and *understood* my two tutorial books:
                  > >
                  > > Learning Perl
                  > > Learning Perl Objects References and Modules
                  > >
                  > > And stop learning Perl by staring at code from the mid-90s. :)
                  > >
                  > > --
                  > > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503
                  > 777 0095
                  > > <merlyn@s...> <URL:http://www.stonehenge.com/merlyn/>
                  > > Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
                  > > See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl
                  > training!
                  >
                  >
                  >
                  > Unsubscribing info is here: http://help.yahoo.com/help/us/groups/groups-32.html
                  > Yahoo! Groups Links
                  >
                  >
                  >
                  >
                  >

                  --
                  Brad Lhotsky <brad@...>
                • Paul Archer
                  Message 8 of 17 , Mar 22, 2004
                    11:05am, merlyn@... wrote:

                    > Absolutely disagree here. You have no testing code either, and I
                    > forgot to mention that. It's crazy in this day-and-age to write 5000
                    > lines of code without having something that tests the subroutines and
                    > modules and object interfaces. How would anyone ever *maintain* that
                    > code?
                    >
                    At the risk of asking an RTFM question, here, is there a good tutorial for
                    writing testing code out there?
                    And at what point (complexity and/or number of lines) is it generally worth
                    it to write the test code?

                    TIA,

                    Paul



                    ---------------------------
                    404 Error - Item Not Found
                    <haiku>
                    You step in the stream,
                    but the water has moved on.
                    That page is not here.
                    </haiku>
                    ---------------------------
                  • merlyn@stonehenge.com
                    Message 9 of 17 , Mar 22, 2004
                      >>>>> "Paul" == Paul Archer <tigger@...> writes:

                      Paul> At the risk of asking an RTFM question, here, is there a good tutorial for
                      Paul> writing testing code out there?

                      Google for

                      Test::More tutorial

                      and you'll find plenty of links. Also "perldoc Test::Tutorial" for
                      your on-disk version of the core.

                      Paul> And at what point (complexity and/or number of lines) is it
                      Paul> generally worth it to write the test code?

                      Generally, as soon as you start modularizing... creating groups of
                      related subroutines and perhaps objects. That's probably good to do
                      at about 200-300 lines, or else you'll go batty trying to "debug" any
                      change.

                      --
                      Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
                      <merlyn@...> <URL:http://www.stonehenge.com/merlyn/>
                      Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
                      See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
                    • Dieter Werner
                      Message 10 of 17 , Mar 22, 2004
                        Dear Randal L. Schwartz,

                        this is no longer a joke now!
                        Either you haven't read the script(s) or you are not honest.

                        First of all ...
                        I'm not a newbie (although you called me so) and so I'm very able
                        to 'write' and to 'maintain' a script of just 5,000 lines; each
                        subroutine is a function, therefore it is very easy to test.
                        I have been a programmer for about 30 years now (coding Perl since 1996).
                        Yes - you are right; I didn't read your books - but some books
                        written by Larry Wall, Tom Christiansen, Lincoln D. Stein, Mike
                        Schilli (and so on) are the base of my Perl knowledge (be sure: the
                        content of the books has been understood by me).

                        The 'eval-functions' you mentioned ...
                        don't use any FORM data; each kind of INPUT is created by the
                        script and so the $data_taken_from_form_field are nothing else
                        than 'internal' values.
                        The Client-User cannot launch his own data and cannot manipulate the
                        created data; on the other hand: either the 'eval' is just a
                        container for a 'require' or it is just a container for
                        a 'Comparison of conditions' - so the code is very safe.
                        Either you prove that your statement about this is right or you have
                        to take it back (and declare an official excuse); otherwise you
                        should have enough lawyers to defend yourself in court.

                        As for your followup ...
                        it's clear that you think you can draw-down the code of everyone -
                        just because you are the Guru Randal; that's what also scares me a
                        bit.
                        Maybe you should try to 'read' and to 'understand' what you read
                        (yes, 5,000 lines are a long way of understanding - but you did it in
                        46 minutes !!Congratulations!!).

                        Greetings from Germany
                        Dieter Werner

                        --- In perl-beginner@yahoogroups.com, merlyn@s... wrote:
                        > >>>>> "Dieter" == Dieter Werner <hdw@i...> writes:
                        >
                        > Dieter> No Randal - I'm not 'very proud' about this script ...
                        > Dieter> because it is just a rewrite of the well known 'EveryAuction'
                        > Dieter> http://www.everysoft.com
                        >
                        > Even more a reason to give it a timely death. Almost everything
                        > written in the mid-90's during the dot-com boom and Perl4 heyday is
                        > worthless these days. Stop trying to breathe life into a dead
                        > horse.
                        >
                        > Dieter> but I thought that a script like this could be a starting point for
                        > Dieter> beginners!
                        >
                        > No, it's not a good example.
                        >
                        > Dieter> Newbies don't start programming perl by using packages and/or objects.
                        >
                        > Newbies shouldn't start by writing 5000 line scripts either. Newbies
                        > *often* start with my "Learning Perl" book, which only glances on
                        > Packages and Objects, and instead focusses on what you need to know
                        > for 1-100 line scripts. For scripts greater than 100 lines, "Learning
                        > Perl Objects References and Modules" does indeed introduce Packages
                        > (in the first chapter) and Objects (in the fifth or sixth chapter).
                        >
                        > Dieter> I'm very sure that the use of packages and/or objects is 'overcoded'
                        > Dieter> in case of a simple program like this.
                        >
                        > Absolutely disagree here. You have no testing code either, and I
                        > forgot to mention that. It's crazy in this day-and-age to write 5000
                        > lines of code without having something that tests the subroutines and
                        > modules and object interfaces. How would anyone ever *maintain* that
                        > code?
                        >
                        > Dieter> As for the 'eval' ...
                        > Dieter> show me one case on which 'arbitrary code' could be executed on the
                        > Dieter> server.
                        >
                        > Why would there be *any* eval-string in this program? Sure,
                        > eval-block for catch-throw exception handling. But *every* appearance
                        > of eval-string is suspect. I threw away the code, so I can't point
                        > out the specific places, but it's stuff like this:
                        >
                        > eval $data_taken_from_a_form_field
                        >
                        > that is INCREDIBLY suspect. Even if the form data is provided from a
                        > pop-up menu or a hidden field, it can still be altered client-side,
                        > making it imperative to check that data before it gets used. I saw
                        > none of that.
                        >
                        > Just grep through that program, noting every use of eval that is not
                        > immediately followed by an open brace. EVERY ONE OF THOSE is an
                        > eval-string. Even *one* in this program would be too many.
                        >
                        > Please, there is lots of literature on Perl CGI security. Don't make
                        > me retype it all here. In fact, you have a responsibility as someone
                        > providing examples to newbies to have *already* *studied* such
                        > literature. Again, I think you're falling short here.
                        >
                        > Even worse, suppose a server got 0wn3d by running your code. Do you
                        > have enough lawyers to defend yourself in court? Are you prepared to
                        > do so? In fact, now that I've pointed out the potential security hole
                        > to you, you can no longer claim neglect. You are now liable for
                        > knowingly providing bad code. I suggest you remove your program
                        > immediately to prevent further tort exposure, especially since our
                        > correspondence here is a matter of public record now.
                        >
                        > Dieter> In short, Randal
                        > Dieter> writing a bad criticism about a program you are very fast (and very
                        > Dieter> brutal); maybe you are too fast (and too brutal)?
                        > Dieter> You should keep in mind that you are a member of a 'Perl-Beginners-
                        > Dieter> Group'!!
                        >
                        > Not according to the other respondents. I do believe you are in the
                        > minority here, not that being in the majority matters to me at all.
                        >
                        > Dieter> No hard feelings, please, but I think your contribution was a bit too
                        > Dieter> much 'overdressed'.
                        >
                        > No hard feelings either, but I think you should stay away from
                        > providing bad examples for beginners. Apparently, you are unable to
                        > self-censor. And by your followup, it's clear that you think you know
                        > more than you actually do, which also scares me a bit.
                        >
                        > --
                        > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
                        > <merlyn@s...> <URL:http://www.stonehenge.com/merlyn/>
                        > Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
                        > See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
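As an added illustration of the two points Randal makes in the quoted reply (the grep for every eval not followed by an open brace, and checking client data before it is used), and not code from Dieter's script or from Randal: a scanner that applies the audit rule to constructed sample lines, followed by a whitelist dispatch table, the usual replacement for evaluating an action name taken from a form field. `find_eval_strings`, `dispatch`, `%ACTION`, the handler names and the sample lines are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# --- Part 1: the audit rule as a scanner over source text ---
# An "eval" not immediately followed by "{" is eval-string (eval EXPR), so
# every hit deserves review. Whole-line comments are skipped; a mention of
# eval in a trailing comment or string is a harmless false positive.
sub find_eval_strings {
    my ($source) = @_;
    my @hits;
    my $lineno = 0;
    for my $line ( split /\n/, $source ) {
        $lineno++;
        next if $line =~ /^\s*#/;
        push @hits, [ $lineno, $line ] if $line =~ /\beval\b(?!\s*\{)/;
    }
    return @hits;
}

# Constructed sample source (hypothetical lines, not from the auction script).
my $SAMPLE = <<'END_SAMPLE';
# a comment mentioning eval is not a hit
my $r = eval { risky_call($x) };              # eval-block: fine
eval "require $file";                         # eval-string: eval { require $file } catches the same failure
my $ok = eval $data_taken_from_a_form_field;  # eval-string on client data: the dangerous form
my $cond = eval "$left $op $right";           # eval-string assembled from data: same problem
END_SAMPLE

# --- Part 2: what replaces the eval-string: a whitelist dispatch table ---
# The client-chosen action is only ever used as a hash key. Anything not in
# the table is refused before any code runs, whether it came from a pop-up
# menu, a hidden field, or an edited request.
my %ACTION = (
    list_items => \&list_items,
    view_item  => \&view_item,
    place_bid  => \&place_bid,
);

sub list_items { return 'listing items' }
sub view_item  { my ($p) = @_; return "viewing item $p->{item}" }
sub place_bid  { my ($p) = @_; return "bidding $p->{amount} on item $p->{item}" }

# $params stands in for the parsed form fields (e.g. from CGI.pm).
# Returns (output, undef) on success or (undef, reason) on refusal.
sub dispatch {
    my ($params) = @_;
    my $action  = defined $params->{action} ? $params->{action} : 'list_items';
    my $handler = $ACTION{$action}
        or return ( undef, "refused unknown action '$action'" );   # log this
    return ( $handler->($params), undef );
}

unless (caller) {
    print "eval-string candidates:\n";
    printf "  line %d: %s\n", @$_ for find_eval_strings($SAMPLE);

    for my $params ( { action => 'place_bid', item => 42, amount => 15 },
                     { action => 'not_in_the_table' } ) {
        my ( $out, $err ) = dispatch($params);
        print defined $out ? "ok: $out\n" : "$err\n";
    }
}
```

Run against the sample, the scanner reports lines 3, 4 and 5 and leaves the eval-block on line 2 alone; the dispatcher serves `place_bid` and refuses the unknown action without ever evaluating it.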
                      • Dieter Werner
                        Message 11 of 17 , Mar 22, 2004
                          You are very right in a lot of things, but nobody will bring me to
                          the use of this 'monster' cgi.pm when I have to maintain a big number
                          of clients (at the same time) and to take care of the CPU resources.

                          Please, nevermore write publicly that my code is insecure - or just
                          prove it!

                          There is a demo running at
                          http://www.everyscript.de/eAuction.html
                          everybody is allowed to hack this program in order to prove how
                          insecure it is!

                          The script I posted wasn't thought as an example of common Perl
                          scripting.
                          But the code is containing a lot of solutions a beginner maybe could
                          use as an example (I thought).

                          Sorry for the trouble I caused - I will step into the background now.

                          Greetings
                          Dieter Werner


                          --- In perl-beginner@yahoogroups.com, Brad Lhotsky <brad@d...> wrote:
                          > Beginners may not start by using packages and objects, but that is a
                          > very big problem. There is NO reason to encourage people to copy and
                          > paste the query string/post field code that you've included as part of
                          > this script. Additionally, 5000 lines is not a starting point for a
                          > beginner.
                          >
                          > Randal's comments are not overdressed. The whole reason he's on this
                          > list is to encourage new perl programmers to do the right thing. The
                          > code that you've submitted is insecure, unmaintainable, and sits in
                          > direct opposition to the methods Perl's own documentation suggests
                          > coding.
                          >
                          > We want new perl programmers to feel welcome here, and we do a lot to
                          > encourage the proper use of the language. We are insulted that you
                          > would submit this on the grounds that it doesn't "use CGI" alone. We've
                          > been trying to establish 'use strict;' and 'use CGI;' as a starting
                          > point for all beginners and are continually undermined by the
                          > propagation of this subroutine that WILL NOT DIE.
                          >
                          > Again, we're not upset that you coded this. That's fine, you've gotten
                          > a lot of feedback about how to fix things. What bothers us is that you
                          > submitted this as a beginner's tutorial and someone may actually begin
                          > programming using something like this. What's worse, one of us might
                          > work with that person now, or be forced to maintain their code at some
                          > point in the future. I've had to maintain the perl of some very
                          > brilliant people that looked very similar to this, and bottom line, it
                          > was a complete nightmare. Please, before you post something as a
                          > "beginner's guide to perl" make sure you've at least read the
                          > documentation that's provided with the language and maybe even follow
                          > the community or research the mailing list you post to.
                          >
                          > We'll always be here to help anyone who asks.
                          >
                          > Next time, do one of two things. Ask this list to review your code, or
                          > check out the code-review-ladder mailing list which is dedicated to this
                          > kind of thing.
                          >
                          > Check out perldoc perl, perldoc perlstyle, perldoc perlvar, perldoc CGI
                          > for more interesting things.
                          >
                          > On Mon, Mar 22, 2004 at 05:40:10PM -0000, Dieter Werner wrote:
                          >
                          > > LOL
                          > >
                          > > No Randal - I'm not 'very proud' about this script ...
                          > > because it is just a rewrite of the well known 'EveryAuction'
                          > > http://www.everysoft.com
                          > > but I thought that a script like this could be a starting point for
                          > > beginners!
                          > >
                          > > Newbies don't start programming perl by using packages and/or objects.
                          > > I'm very sure that the use of packages and/or objects is 'overcoded'
                          > > in case of a simple program like this.
                          > >
                          > > As for the 'eval' ...
                          > > show me one case on which 'arbitrary code' could be executed on the
                          > > server.
                          > >
                          > > In short, Randal
                          > > writing a bad criticism about a program you are very fast (and very
                          > > brutal); maybe you are too fast (and too brutal)?
                          > > You should keep in mind that you are a member of a 'Perl-Beginners-
                          > > Group'!!
                          > >
                          > > No hard feelings, please, but I think your contribution was a bit too
                          > > much 'overdressed'.
                          > >
                          > > Greetings from Germany
                          > > Dieter Werner
                          > >
                          > >
                          > > --- In perl-beginner@yahoogroups.com, merlyn@s... wrote:
                          > > > >>>>> "Dieter" == Dieter Werner <hdw@i...> writes:
                          > > >
                          > > > Dieter> Hi folks,
                          > > > Dieter> I did a Perl-Script just as an example for beginners.
                          > > > Dieter> It's an auction script and you can download it from
                          > > > Dieter> http://www.hotscripts.com/Detailed/29187.html
                          > > >
                          > > > While you're probably very proud about this script, and have spent
                          > > > countless hours fine tuning it, let me say initially that I was
                          > > > shocked back into the mid-90's as I was glancing through the
                          > > > distribution.
                          > > >
                          > > > Folks, this is a single 5000-line script with:
                          > > >
                          > > > - no use of packages
                          > > > - no use of objects
                          > > > - no reuse of available modules from the CPAN
                          > > > - the most important of which is: no "use CGI" on a CGI script!
                          > > > - apparently duplicated or repetitious code
                          > > > - lots of global variables (hiding a lot of hash elements in one global)
                          > > > - local instead of my
                          > > > - setting its own srand() instead of relying on modern perl to do that
                          > > > - a few scary "eval string" forms that look like they might be coaxed
                          > > > into being a huge security hole, running arbitrary code on the server
                          > > > - very little use of references
                          > > >
                          > > > In short, Dieter, you're about 10 years behind the curve. I was
                          > > > hoping we'd gotten rid of most of the bad code when Matt Wright
                          > > > himself pointed at nms-cgi.sf.net to replace his
                          > > > awful-but-well-publicized code.
                          > > >
                          > > > To the rest of you, please don't use this code.
                          > > >
                          > > > To dieter: before attempting a 5000-line script, please be sure you've
                          > > > both read and *understood* my two tutorial books:
                          > > >
                          > > > Learning Perl
                          > > > Learning Perl Objects References and Modules
                          > > >
                          > > > And stop learning Perl by staring at code from the mid-90s. :)
                          > > >
                          > > > --
                          > > > Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
                          > > > <merlyn@s...> <URL:http://www.stonehenge.com/merlyn/>
                          > > > Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
                          > > > See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
                          > >
                          >
                          > --
                          > Brad Lhotsky <brad@d...>
                        • Jenda Krynicky
                          Message 12 of 17 , Mar 23, 2004
                            From: "Dieter Werner" <hdw@...>
                            > You are very right in a lot of things, but nobody will bring me to the
                            > use of this 'monster' cgi.pm when I have to maintain a big number of
                            > clients (at the same time) and to take care of the CPU resources.

                            CGI.pm is not as big memory hog as it may seem. Most of the code is
                            not compiled if not used. If you still think it's too big try
                            CGI::Lite.

                            > Please, nevermore write publically that my code is insecure - or just
                            > prove it!
                            >
                            > There is a demo running at
                            > http://www.everyscript.de/eAuction.html
                            > everybody is allowed to hack this program in order to prove how
                            > insecure it is!

                            Your app doesn't seem to be in that great a shape anymore.
                            I guess you'll find some files missing.
                            I did not expect that the app would hang then though. All I wanted to
                            do was to delete the data about the items.


                            You are right that the eval""s in your code are safe. (At least I do
                            believe they are.)

                            You forgot to check other things though. Ever tried this?

                            my $filename = "some_file.exe\0";   # a NUL byte embedded in the name
                            open OUT, "> $filename.txt" or die "can't create: $!\n";   # the C-level open stops at the NUL, so ".txt" is lost

                            Too bad ...

                            Jenda
                            P.S.: Now at last I can call myself a hacker in the media meaning.
                            But you can't say you did not ask for it.
                            ===== Jenda@... === http://Jenda.Krynicky.cz =====
                            When it comes to wine, women and song, wizards are allowed
                            to get drunk and croon as much as they like.
                            -- Terry Pratchett in Sourcery
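An added example, not Jenda's or Dieter's code, of the input check whose absence Jenda's two lines demonstrate: vet the client-supplied name before it goes anywhere near open, and append the extension only afterwards. The functions `safe_filename` and `create_data_file`, the data directory and the sample names are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Constructed location for files the script creates on a user's behalf.
my $DATA_DIR = '/tmp/eauction-data';

# Return ($basename, undef) for an acceptable name, or (undef, $reason).
# The client's string is never used as-is. Older perls hand the pathname to
# the C library, which stops at the first NUL, so "some_file.exe\0.txt" is
# created as "some_file.exe"; newer perls refuse such a name, but the check
# should not depend on which perl the host runs. The extension is appended
# only after the name has passed, so nothing in the input can cut it off.
sub safe_filename {
    my ($name) = @_;
    return ( undef, 'empty name' ) unless defined $name && length $name;
    return ( undef, 'NUL byte in name' )               if $name =~ /\0/;
    return ( undef, 'path separator in name' )         if $name =~ m{[/\\]};
    return ( undef, 'name starts with a dot' )         if $name =~ /^\./;
    return ( undef, 'name longer than 64 characters' ) if length $name > 64;

    # Whitelist rather than blacklist; the capture is also what untaints
    # the value when the script runs under -T.
    my ($clean) = $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z/
        or return ( undef, 'character outside [A-Za-z0-9_.-]' );
    return ( "$clean.txt", undef );
}

# Create the file only under the fixed directory, with three-argument open
# so the mode is fixed in code and cannot arrive as part of the name.
sub create_data_file {
    my ($name) = @_;
    my ( $base, $err ) = safe_filename($name);
    return ( undef, $err ) unless defined $base;
    my $path = File::Spec->catfile( $DATA_DIR, $base );
    open my $fh, '>', $path or return ( undef, "can't create $path: $!" );
    return ( $fh, undef );
}

unless (caller) {
    # Constructed inputs: Jenda's NUL trick, a traversal attempt, a good name.
    for my $name ( "some_file.exe\0", '../elsewhere', 'item42' ) {
        ( my $shown = $name ) =~ s/\0/\\0/g;    # make the NUL visible
        my ( $base, $err ) = safe_filename($name);
        printf "%-18s -> %s\n", qq{"$shown"},
            defined $base ? $base : "refused: $err";
    }
}
```

Only `item42` passes, becoming `item42.txt`; the other two are refused with a reason before any path is built.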
                          • Jenda Krynicky
                            Message 13 of 17 , Mar 23, 2004
                              From: "Fortuno, Adam" <fortunoa@...>
                              > As a beginner, I always think twice before providing a suggestion
                              > because of a note where Randal put his foot in my a$$. The lesson
                              > learned is if you're going to give bad advice don't give it. If you're
                              > going to promote poor code, don't promote it.
                              >
                              > Regards,
                              > Adam

                              I would kind of agree about the code, but I disagree about the
                              advice. How do you know it's bad? And even if it is, do you know why?

                              Giving someone bad advice in private might be bad, but over here if
                              you do give one, someone will surely correct you and (usually) point
                              out why it was bad. And even those that neither asked nor replied may
                              profit.

                              You just should not be attached to your advice and you should not
                              take it personally if someone says it was wrong. It was the advice
                              that was bad, not you.

                              Jenda

                              ===== Jenda@... === http://Jenda.Krynicky.cz =====
                              When it comes to wine, women and song, wizards are allowed
                              to get drunk and croon as much as they like.
                              -- Terry Pratchett in Sourcery