(Ovid) Re: Code review on script site

This sounds great. A few minor points, though. (I hope they don't sound too nitpicky)

Uses tainting when working with server files (-3 for opening file based on tainted form input)
Actually, I would check this based upon the needs of a script. For example, many people use form data to build SQL. It's trivial to munge form data to wipe out a poorly-designed database, so that would also merit a -3. However, if they're just taking data and spitting back to a Web page, that might not be so bad (assuming that it's a one time page and not something that would open up cross-site scripting holes).
Uses CGI.pm for html
Ignoring the issue of templates, I can see some people making a case for HERE documents. I don't like 'em, but would you going to take points off of some of KM's scripts from his book that use HERE docs? :) I'd take points off if they use multiple prints instead of a HERE doc.
Uses CGI.pm for form parsing
What about CGI::Lite? If the author has a reasonable alternative, I wouldn't ding them for not using CGI.pm. Of course, I'd probably take a buzz-saw to their code if they hand-roll it since these are invariably broken.

Here's a personal pet peeve: failure to check return value of functions. Not all functions, mind you. When was the last time you saw someone check the return value of print? However, forgetting to check the return value of an open or a flock could be disastrous.

I would also be concerned about how someone opens files. If they don't flock when they should, or if they don't flock correctly and risk a race condition, that would be a concern.

I'll post an update if I think of anything else off of the top of my head.

Cheers,
Ovid

Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.

Comment on (Ovid) Re: Code review on script site

Replies are listed 'Best First'.
Re: (Ovid) Re: Code review on script site by Jazz (Curate) on Nov 24, 2001 at 06:20 UTC
Ovid, not nitpicky at all. Excellent clarifications. I would think that the HERE docs and "\"escape syndrome\"" should be a separate point? Do you agree? Thanks :) Jasmine Update: Updated list is now being maintained in the root node.	[reply]
Re:x3 Code review on script site by grinder (Bishop) on Nov 25, 2001 at 01:36 UTC
If they are scripts, I would +1 if the comments include examples of standard ways one would expect to call the script (command lines and sample output). This is really helpful in picking up a script. I can put my money where my mouth is. I have uploaded a couple of script to the Code Catacombs which do just that. I won't link to them directly, but search for `pinger` and `nugid` for a couple of examples. `<update date="2001-11-26">` Here's a thing that is a definite no-no worth a -1: "gratuitous use of `&` when calling a subroutine" (e.g. `&func($x,$y)`) except if `@_` is to be passed to the called routine... which is hardly ever the case. I find this to be pretty cargo-cultish, not to mention noisy.`</update>` -- `g r i n d e r`	[reply] [d/l]

g r i n d e r

`g r i n d e r`