bbs problem

Discussion in 'Perl Misc' started by Robin, Jan 20, 2004.

  1. Robin

    Robin Guest

    Thanks for this and thanks for the email, I'll actually get that code fixed
    so its less of a security loop....

    Robin, Jan 22, 2004
    1. Advertisements

  2. Robin

    Joe Smith Guest

    Bad idea.

    Good idea.
    Why would you want to avoid

    Oh, I see:
    Post - Welcome to the Perl 4 Beginners BBS

    The world does *NOT* need any more Perl 4 Beginners.

    Perl 5 came out at the end of 1994. That's almost
    ten years! Come on, Robin, get with the program!
    Learn to use perl 5. Your life will be better for it.
    Joe Smith, Jan 22, 2004
    1. Advertisements

  3. Robin

    Joe Smith Guest

    Your main problem is that you can't use CGI and 'lib.cgi' in the
    same program. The CGI module does everything that lib.cgi used
    to do, the function calls and variable names have changed.
    Joe Smith, Jan 22, 2004
  4. Robin

    Robin Guest

    It was supposed to say perl4beginners-I do use perl 5 if you really have to
    know. I wanted to use my library because I still dunno how to work,
    but I'm learning it.
    Robin, Jan 22, 2004
  5. Robin

    Robin Guest

    huh, it seemed to work using both of them...
    I guess I'll just use cgi for the beta...peace,
    Robin, Jan 22, 2004
  6. Robin

    Uri Guttman Guest

    R> It was supposed to say perl4beginners-I do use perl 5 if you really
    R> have to know. I wanted to use my library because I still dunno how
    R> to work, but I'm learning it.

    that is pathetic. your lib is HARDER to use than has to
    be one of the easiest to use modules in existance given the complexity
    of what goes on behind the curtain.

    please take up some other hobby. programming is not for you. do you
    realize how much you don't know and at the rate you seem to absorb stuff
    you might be able to code on your own in 30 years.

    Uri Guttman, Jan 22, 2004
  7. Robin> It was supposed to say perl4beginners-I do use perl 5 if you
    Robin> really have to know. I wanted to use my library because I still
    Robin> dunno how to work, but I'm learning it.

    Really? How tough is it to learn this:

    use CGI qw(param);

    my $name = param('name'); # get param field named 'name'
    my @options = param('options'); # get multi-field (all values)

    That's *it*. That's all you need to know about and you can
    throw away *everything* you've seen from the Perl4 days. Really. You
    can. You can do it. You don't have to use any of the other shortcut
    things, or sticky fields, or anything else. Just please please please
    use to read the params in a portable, safe fashion.

    print "Just another Perl hacker,"
    Randal L. Schwartz, Jan 22, 2004
  8. Robin

    Robin Guest

    yeah well... maybe if you didn't post at all you'd be coding on your own...


    Robin, Jan 22, 2004
  9. Robin

    Uri Guttman Guest

    R> yeah well... maybe if you didn't post at all you'd be coding on your own...

    i code plenty as it is. i also read and think plenty too. that is the
    difference between my work and the scribbling you do. you have
    reinvented many wheels and they come out very square.

    Uri Guttman, Jan 22, 2004
  10. Robin

    Robin Guest

    please take up some other hobby.
    Yeah well, I read a lot of non-tech stuff and some tech, but probably not as
    much as you...I think, else how would I write code at all even if I my code
    sucks, don't mean to be overtly defensive... peace,
    Robin, Jan 23, 2004
  11. Robin

    Joe Smith Guest

    You *CANNOT* use both and have competent programming.
    There are many examples of incompetent programming that "appear"
    to work, but are extremely flawed.

    When you actually use, it means a lot more than simply
    putting 'use CGI' in your program. It means using the methods
    and functions that come with that module. In particular, it
    means replacing home-grown routines that print "Content-type:"
    with routines that provide a full and proper set of HTML headers.
    If you were really using CGI, you would not have a call
    to data_cgivars().

    Joe Smith, Jan 26, 2004
  12. It should be noted that very few people choose to use everything that
    comes with the giant CGI module.
    Well, abstracts quite a few trivial things without cause. It
    may be a few more characters to type:

    print "Content-type: text/html\n\n";

    compared to:

    print $query->header;

    but printing the header directly has a pedagogic advantage, since you
    learn what it looks like and are more likely to find out _why_ it's
    printed. Prompting beginners not to do that is ill-advised IMO.
    Okay, on _that_ we can agree. ;-)
    Gunnar Hjalmarsson, Jan 26, 2004
  13. Except that the second one will (at least by default in recent
    versions) follow the good practice recommended by security alert
    CA-2000-02, irrespective of whether the script author is aware of this
    recommendation or not.
    It can, indeed, but only if the candidate is willing to learn why wants the header to be:

    Content-Type: text/html; charset=ISO-8859-1

    (or whatever other character coding is being used).

    And then there's the consideration of what if an NPH script is
    required? Here again, adapts calmly to the situation, whereas
    the hand-knitter needs to explore a fresh area of the CGI spec.
    Ideally, one would do both: learn what's happening under the covers,
    _and_ use at the core of production CGI code.
    Alan J. Flavell, Jan 26, 2004
  14. Okay, it was kind of embarrassing to miss the charset in that example. ;-)

    But is there really security considerations behind's default
    setting of a character set? Isn't the reason rather to simply increase
    the chances that the script generates valid HTML/XHTML?

    The document you refer to addresses security issues in connection with
    generated web content. But by referring to it in connection with a
    discussion whether it's advisable to use for generating HTTP
    headers, I think you make the mistake to give the impression that takes care of all sorts of security issues. Unfortunately, a
    lot of comments in this group about CGI contribute erroneously to that

    Security is a good reason to learn enough to understand what you are
    doing when dealing with CGI, rather than a reason to apply's
    high degree of abstraction.
    Gunnar Hjalmarsson, Jan 26, 2004
  15. My recollection is that it was introduced in response to CA-2000-02,
    although he doesn't say so in so many words in the change log.
    However, Google will find some security-related discussions in Feb.
    2000 about which followed from the alert (and the amended
    Apache version).

    IIRC it was introduced in 2.57 (deceased) and released in 2.58 dated 23-Mar-2000.

    CA-2000-02 is dated 2 Feb 2000. This is no mere co-incidence.

    How many programmers fixed their hand-crafted scripts within that
    space of time?
    It's a complex issue. I'm aware of other places where the use of by default takes care of security-relevant mistakes which users
    regularly make in hand-knitted code.
    If that is so, then I would emphatically like to dispel that
    impression. It does take care of some issues, but by no means does it
    replace many other precautions that need to be taken for secure and
    reliable scripts. Its author, after all, maintains a web security
    FAQ, and that FAQ says much more than simply "use the module, Luke".
    And rightly so.
    Alan J. Flavell, Jan 26, 2004
  16. Yes, it does. I just wish that also those, who frequently prompt
    beginners to use, would say more.
    Gunnar Hjalmarsson, Jan 26, 2004
  17. Robin

    gnari Guest

    beginners aready have enough to worry about.
    as they advance in skills and knowledge, they can study
    the modules they rely the most on, but mainly to be more
    aware of what is going on. only when they have mastered
    the art of reading the perldocs and faqs, should they go on
    to learn to read the HTTP specs.

    gnari, Jan 26, 2004
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.