Loading ...
Sorry, an error occurred while loading the content.

RE: [PBML] About TFmail

Expand Messages
  • Charles K. Clarkson
    ... You seem to be confusing simple with well written. TFMail is complex, but it is well written. It is also open-source. If you find a better way to do
    Message 1 of 2 , Jun 14, 2004
    View Source
    • 0 Attachment
      Alphonse Langueduc <kjhseka@...> wrote:

      : I downloaded TFmail and read it. I find it's difficult
      : to understand and maintain, I would better need
      : something simpler, but secure. Perhaps I do not need
      : such complexity.

      You seem to be confusing simple with well written.
      TFMail is complex, but it is well written. It is also
      open-source. If you find a better way to do something
      you can submit a patch and get feedback on your way.


      Simpler scripts are not necessarily better scripts.
      For example, your simple script doesn't do taint
      checking. This feature is built-in to perl and you have
      left it off. Taint-checking in perl CGI scripts is
      mandatory.


      : My form only asks for :
      :
      : A full name
      : An email address
      : A subject
      : A body message
      :
      : The only thing I really need is preventing spammers to
      : use the email field to attach information to the email
      : headers. I think that a simple function with some
      : regular expressions would solve the problem.

      You should have explained this requirement when you
      asked the question. You came to the list with a problem
      and I offered a solution based on both my experience with
      programming perl CGI applications and my experience
      answering questions like yours. If you wish to place
      limitations on the advice you receive, you need to
      specify those limitations.

      Do you know that your form processing routine is
      secure. I don't know. It is very simple, but I don't
      *know* there are no bugs in there. Your script doesn't
      handle multiple values of parameters. Does it handle
      semi-colons in urls Here's a form processor that I can
      absolutely *know* is secure and very well tested:

      use CGI;
      my $q = CGI->new();

      I can now obtain any parameter from a form that I
      want. I can be assured that this will work on any
      platform perl runs on. I know it has been test untold
      times and patched long before I even started learning
      perl. The code base is HUGE. And I use it in every perl
      CGI script I write. Draw your own conclusions.

      And the problems with your simple script don't
      stop there. Only very brave people implement sendmail
      without a module. Have you tested the spamming method
      you mentioned (with a list of your own email addresses)
      on the body section of the form?


      : 800+ lines of code are really necessary just for that?

      Not for just that, no. But you have not demonstrated
      skills to write a program that would be smaller and still
      be secure. You might, in time, acquire those skills, but
      the learning curve to configure TFMail is shorter than
      that of writing advanced custom cgi perl scripts.


      : Furthermore, a simpler script is more easy to maintain
      : and modify.

      A well written script is easy to maintain and modify.
      Well written scripts tend to be more complex, though I
      have maintained some very poorly written, very complex
      scripts.


      : I periodically need to change the forms and the processing
      : needs. And finally deal with a simpler script is better to
      : learn writing better scripts.

      And TFMail already has that processing in it. One program,
      many uses. TFMail is not the end all of FormMail scripts. Your
      original post indicated you needed an immediate solution to an
      insecure script. Since I trust the people at NMS, I looked for
      a program that they had which would perform what you needed.

      I will probably never use TFMail for my own site, but then
      I wouldn't email information from a form to myself. I'd create
      an XML document in RSS format and periodically check it with
      an RSS reader. TIMTOWTDI.


      HTH,

      Charles K. Clarkson
      --
      Mobile Homes Specialist
      254 968-8328
    Your message has been successfully submitted and would be delivered to recipients shortly.