A call for help from fellow Monks!

An earlier post of mine, Online CGI Resources, generated a bit of interest but, unfortunately, did not answer my question of whether or not there was a good online tutorial for CGI with Perl. I've finally come to the conclusion that if I want such a course I'll need to write it myself. Not only do I think the course would make an interesting project for me, but it will teach me a lot about Perl and be a great addition to a résumé.

Needless to say, I won't be able to crank something like this out overnight. I want to take the time to set this up correctly and get insight from fellow Monks on how to approach this. Here are some of my ideas in no particular order:

Being an editor instead of an author.

I realize that other monks may desire to contribute to something like this (that's a hint, folks). Perhaps other monks would volunteer to write or peer review the work. I'd be doing more project management than writing, but I like this idea because I feel that a good CGI/Perl course is more important than my personally getting credit for writing it.

Addressing security first.

I'm sick and tired of leafing through CGI books and seeing security being treated as a footnote. It needs to be dealt with thoroughly. Since the assumption is that most students going through the tutorial are going to be new to CGI, they will probably be new to security issues also.

Part of the problem here is that even works that cover security issues tend not to show what they are protecting against. Though I am loathe to hand newbies a bunch of exploits, if they are really determined to learn them, they're going to learn them. Might as well show them up front what some of the dangers are so they have more than just a "don't forget to taint check" admonishment. If the student isn't shown the dangers of SSI or pipes in input fields, how do they know to guard against them?

Host the tutorial on Perlmonks.

While I certainly don't know how vroom would feel about that, such a tutorial would address a whole slew of questions that many newbies ask. Wouldn't it be nice to say to some Anonymous Monk "Go see chapter 6 of the Perlmonks' CGI course"?

The tutorial would not be aimed at complete novices.

The tutorial should assume some basic knowledge of both Perl and HTML on the part of the student. While the student may not necessarily understand what a hash slice is, the student should at least know what a hash is. If the tutorial is also teaching Perl, it's going to be five times as long.

The tutorial uses -w, strict, and CGI.pm.

These are my biggest complaints (after security) regarding online CGI courses. Do I even need to explain them?

Exercises and sample answers at the end of every chapter.

One of the things I liked about the Camel book is the exercises at the end of every chapter. I have always preferred books that offer this as it allows me good, bite-sized problems that allow me to test my new-found knowledge without being so difficult or large as to intimidate me.

Suggestions and offers of assistance welcome!

little_mistress suggested the following to me: after showing the basics, have a chapter entitled "Don't run these scripts." This chapter would demonstrate many of the common problems with CGI on the Web and how to exploit those problems. A later chapter would be the aforementioned scripts cleaned up. Another approach would be every chapter having a bad script and a good script demonstrating some of the code shown in that chapter.

That was a great suggestion and I would love to have more. The Perl community could really use something like this but I'd need a fair amount of help and advice. Let me know what you think!

Cheers,
Ovid

Comment on A call for help from fellow Monks!

Replies are listed 'Best First'.
RE: A call for help from fellow Monks! by royalanjr (Chaplain) on Aug 07, 2000 at 23:59 UTC
Sounds like a great idea Ovid! I agree that security should be discussed in depth, but I do not think it would be near the "front" of the tutorial. To understand the implications of security, it would seem you need a good grasp of CGI as a whole. shrugs Perhaps I am wrong in the placement, but certainly put security in there! Roy Alan	[reply]
(Ovid) RE(2): A call for help from fellow Monks! by Ovid (Cardinal) on Aug 08, 2000 at 00:10 UTC
You have an excellent point about needing to understand CGI to understand security, but that's only part of the problem. A common exploit is using someone's dangerous script to mail the cracker a copy of the /etc/passwd file (and why weren't they using shadow passwords in the first place? But that's another issue). That's an OS and programming issue and not necessarily a CGI vulnerability. An understanding of race conditions, OS vulnerabilities and the "cracker mindset" should also be dealt with and these are not necessarily CGI issues. I am rather conflicted as to the placement of the security section, but at the very least, a brief overview of security should be near the start of the tutorial with an explanation of why it is so important. Then, have security "checkpoints" throughout the tutorial to show possible exploits. It's too serious of an issue to not deal with up front. Cheers, Ovid	[reply]
RE: (Ovid) RE(2): A call for help from fellow Monks! by royalanjr (Chaplain) on Aug 08, 2000 at 00:15 UTC
Security "checkpoints"; I like that grin I see your point, weaving security throughout the tutorial would strengthen it; rather than just a single spot. Roy Alan	[reply]
RE: A call for help from fellow Monks! by ivory (Pilgrim) on Aug 08, 2000 at 01:48 UTC
I like this idea a lot! I agree that exercises and sample answers are really important. One thought: For each new concept, could you do an overview before getting into the specifics? That really helps sometimes. Ivory	[reply]