I actually ran across a similar problem while doing some Perl/CGI freelancing. The client hired me to add some functionality to an existing shopping cart CGI that he had already paid for. I don't know who wrote the shopping cart but although it was (on the surface) perfectly functional and suited the client's needs, it was really, really ugly on the backend. (No CGI.pm, hand-rolled templating functions a la HTML::Template, you get the idea.) Although prices for items were stored in a db (a 5,000 row flat-file, natch) the shopping cart deliberately accepted price changes from the HTML form to allow for things like discounts for re-sellers and premier customers and such.
I thought this was amazingly dumb, but it made some of the things I was contracted to do easier (adding "bonus items" from the db for free, for example.) Fixing the security problems would have involved a fairly major re-write of the whole shopping cart (although trust me, adding "use CGI;" would've saved a hell of a lot of coding) and it was near Christmas and the client didn't have the time for the re-write/re-test cycle for a cart that, like I said, already worked.
So I did what I was hired to do, got paid, and the client was happy. The original program was just so bad there really wasn't anything else to do given the time and money at issue. It felt very wrong, though... we spend so much time making sure that our code is as secure as we can manage that deliberately leaving security holes is, literally, a sin.
But perhaps the bigger sinners are those that write this crap to begin with. My clients were small businessmen, not coders. When they hire someone to do a job they don't have the means to do a third-party review of the code they just bought; they're just taking the programmer's word that what they bought is secure. The client (in my case) got ripped off by the original coders long before they almost certainly got ripped off by people taking advantage of the security hole.
sigh
Gary Blackburn
Trained Killer
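As an added illustration (not the poster's code and not the cart in question), here is the price-from-the-form pattern the post describes beside the server-side lookup that closes it. The price table, the customer tiers and the request are constructed stand-ins; the tier is assumed to come from an authenticated session rather than the form.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed stand-in for the cart's flat-file price db: item id => unit price in cents.
my %price_db = ( widget => 1999, gadget => 4950, bonus_pen => 0 );

# Constructed stand-in for the reseller/premier discounts the form-supplied price
# was meant to express. The tier is resolved server-side from the session (assumed).
my %discount_pct = ( retail => 0, reseller => 15, premier => 25 );

# Vulnerable pattern from the post: the form carries the price, so whoever edits
# the hidden field sets their own total.
sub total_untrusted {
    my ($form) = @_;
    my $total = 0;
    for my $line (@{ $form->{items} }) {
        $total += $line->{qty} * $line->{price};   # price came from the browser
    }
    return $total;
}

# Hardened form: the form carries only item id and quantity; price and discount are
# looked up on the server. Unknown items and malformed quantities are rejected.
sub total_trusted {
    my ($form, $tier) = @_;
    my $pct   = $discount_pct{$tier} // 0;
    my $total = 0;
    for my $line (@{ $form->{items} }) {
        my ($id, $qty) = ($line->{id}, $line->{qty});
        die "unknown item: $id\n"      unless exists $price_db{$id};
        die "bad quantity for $id\n"   unless defined $qty && $qty =~ /^\d+$/ && $qty > 0;
        $total += $qty * $price_db{$id};
    }
    return int($total * (100 - $pct) / 100);
}

# Constructed request: the buyer has edited the widget price down to one cent.
my $form = { items => [ { id => 'widget',    qty => 2, price => 1 },
                        { id => 'bonus_pen', qty => 1, price => 0 } ] };

printf "untrusted total:          %d cents\n", total_untrusted($form);
printf "trusted total (reseller): %d cents\n", total_trusted($form, 'reseller');
```

The untrusted path charges whatever the browser sent, while the trusted path charges the db price with the session's discount applied, so the same "free bonus item" case still works without the form ever carrying a price.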