comment on

Perl Monks,

With some trepidation I present my first attempt at a Perl CGI application. The goal is very simple: let people add their email addresses to our launch announcement list. It works, and there aren't any bugs that I'm aware of.

I'd very much appreciate any and all feedback, on coding, style, Perlishness, security, speed, or anything else. LART me if you must, but at least tell me why first. Following are some notes and questions about the script. It's 190 lines, so it's below the read more line (I hope).

Some paths and other sensitive stuff have been replaced with 'xxxxx'. Much of the HTML text was also removed for brevity; only form actions remain.
Of the options available for HTML generation, I looked at three: Template Toolkit, CGI.pm, and "here" documents. I chose the latter. I'll learn Template Toolkit when I have a larger project. CGI.pm HTML-generation is impressive, but I've been writing HTML in my sleep for 5 years. Here documents are a short, simple, fast and easy-to-edit way to get what I need. Please disagree if you want, but at least know that I considered some alternatives.
The email address parser is not meant to be a total implementation of RFC 822, or a validator, just a safety net for typos and control characters. If someone has a better way of doing this, please suggest it.
I've used e.g. my($email) = @_; instead of my $email = $_[0];. The former seems more Perlish (to my limited experience); at least it's less typing.
I don't know if the way I'm querying the database for email duplicates is the most efficient, and any suggestions would be appreciated.
It's on a shared server, so I'm running the script under cgiwrap so it has my user permissions to the MySQL .my.cnf file (0600).
Right now there's no protection against someone trying to bomb the server with random valid-looking email addresses. A potential way around this is denying additions from the same IP address within a certain amount of time, but a determined cracker could certainly spoof this. I can't think of a better way, and I'm not sure if it's worth it. Opinions?
I know the DBI error handling could be better, but "die" is nice for debugging. Perhaps I'll friendlyize this for production.
OT: It's my understanding from the MySQL docs that an INSERT into only one table doesn't need any locking. Please correct me if I'm wrong.

Thanks for your time.

#!/usr/bin/perl -wT
use strict;
use warnings;
use diagnostics;

use DBI;
use CGI qw(:param);
use CGI::Carp qw(fatalsToBrowser); # will be removed for production

$|++;
$CGI::POST_MAX = 512;

# ##################################################################
sub main {
  my($action,
     $email,
     $name,
     $warning_msg) = check_params(param('action'),
                                  param('email'),
                                  param('name'));
  my $script_loc = 'xxxxx';
  write_header($script_loc); # HTML header, removed for brevity
  if ($action eq 'default') {
    write_default($script_loc);
  } elsif ($action eq 'confirm') {
    write_confirm($script_loc,
                  $email,
                  $name);
  } elsif ($action eq 'commit') {
    write_commit($email,
                 $name);
  } elsif ($action eq 'warning') {
    write_warning($script_loc,
                  $email,
                  $name,
                  $warning_msg);
  }
  write_footer(); # HTML footer, removed for brevity
}

# ##################################################################
sub check_params {
  my($action,
     $email,
     $name) = @_;
  my $warning_msg = '';

  if ($action eq 'Sign up') {
    $action = 'confirm';
  } elsif ($action eq 'Confirm signup') {
    $action = 'commit';
  }

  unless ($action =~ /^confirm|commit|warning$/) {
    return('default');
  } else {
    $email = "\L$email";
    if ($email =~ s/[^\w\-@\.\+]//gm) {
      $action = 'warning';
      $warning_msg .= 'illegal characters removed';
    }

    unless ($email =~ /^.+?@.+?\..+?/) {
      $action = 'warning';
      $warning_msg .= 'wrong form';
    }

    unless ($action eq 'warning') {
      if (duplicate_email($email)) {
        $action = 'warning';
        $warning_msg .= 'duplicate email';
      }
    }

    if ($name =~ s/[^\w \-]//g) {
      $action = 'warning';
      $warning_msg .= 'illegal characters removed';
    }

    return($action,
           $email,
           $name,
           $warning_msg);
  }
}

# ##################################################################
sub write_default {
  my($script_loc) = @_;

  print <<DEFAULT;
    <FORM ACTION="$script_loc" METHOD="post">
    <INPUT TYPE="submit" NAME="action" VALUE="Sign up"></FORM>
DEFAULT
}

# ##################################################################
sub write_confirm {
  my($script_loc,
     $email,
     $name) = @_;

  print <<CONFIRM;
    <FORM ACTION="$script_loc" METHOD="post">
    <INPUT TYPE="submit" NAME="action" VALUE="Confirm signup"></FORM>

    # to make changes ...
    <FORM ACTION="$script_loc" METHOD="post">
    <INPUT TYPE="submit"NAME="action" VALUE="Sign up"></FORM>
CONFIRM
}

# ##################################################################
sub write_warning {
  my($script_loc,
     $email,
     $name,
     $warning_msg) = @_;

  print <<WARNING;
    <FORM ACTION="$script_loc" METHOD="post">
    $warning_msg
    <INPUT TYPE="submit" NAME="action" VALUE="Sign up"></FORM>
WARNING
}

# ##################################################################
sub write_commit {
  my($email,
     $name) = @_;

  my $dbh = database_connect();
  my $origin = $ENV{'REMOTE_ADDR'};
  my $time = get_time();

  my $query = qq(INSERT INTO announce VALUES ('$email','$name','$origi
+n','$time'));
  my $sth = $dbh->prepare($query) || die 'Query failed to prepare: ' .
+ DBI->errstr;
  $sth->execute || die 'Query failed to prepare: ' . DBI->errstr;
  $dbh->disconnect;

  if ($name) { $name = " $name"; }

  print <<COMMIT;
    <P>You've just been signed up$name; thank you!</P>
COMMIT
}

# ##################################################################
sub duplicate_email {
  my($email) = @_;

  if ($email =~ /\@xxxxx$/) { # our domain ;)
    return 1;
  } else {
    my $dbh = database_connect();
    my $query = qq(SELECT email FROM announce WHERE email = '$email');
    my $sth = $dbh->prepare($query) || die 'Query failed to prepare: '
+ . DBI->errstr;
    $sth->execute || die 'Query failed to prepare: ' . DBI->errstr;
    my @rows = $sth->fetchrow_array;
    $dbh->disconnect;
    return @rows;
  }
}

# ##################################################################
sub get_time {
  my ($sec,
      $min,
      $hour,
      $mday,
      $mon,
      $year) = gmtime(time());
  $year += 1900;
  $mday += 1;
  $mon += 1;
  return("$year-$mon-$mday $hour:$min:$sec");
}

# ##################################################################
sub database_connect {
  my $dbh = DBI->connect("DBI:mysql:xxxxx;mysql_read_default_file=/usr
+/home/xxxxx/.my.cnf","","");
  unless (defined($dbh)) {
    die "Database error (connecting): " . DBI->errstr . "\n";
  }
  return $dbh;
}

# ##################################################################
main();
[download]

In reply to First Perl CGI app; desirous of peer review. by legLess

Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!

Titles consisting of a single word are discouraged, and in most cases are disallowed outright.

Read Where should I post X? if you're not absolutely sure you're posting in the right place.

Please read these before you post! —

Posts may use any of the Perl Monks Approved HTML tags:

a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr

You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)

	For:		Use:
	&		`&`
	<		`<`
	>		`>`
	[		`[`
	]		`]`

Link using PerlMonks shortcuts! What shortcuts can I use for linking?

See Writeup Formatting Tips and other pages linked from there for more info.