in reply to Re: CGI recipient Option
in thread CGI recipient Option

Care to explain?

Re^3: CGI recipient Option
by ikegami (Patriarch) on Sep 01, 2004 at 16:22 UTC

    When it comes to security, it does not pay to reinvent the wheel.

    From the FAQ:

    But there are perfectly good programs already out there, why bother?

    Actually, there aren't really.

    Most CGI programs that are available for free download really aren't very good at all. Most of them seem to be written by people with very little knowledge of Perl.

    Many of the developers on nms have been very active in the Perl community for years. They know Perl and CGI programming very well.

    The problems with most other CGI programs fall into three categories:

  • The programs are insecure. Putting a CGI program on your web site is very risky. It means that you are allowing anyone to run a program on your web server. Unless these programs have been written very carefully, you may be allowing unscrupulous people (known as crackers) to gain access to more information than you intend. Eventually the crackers may be able to take control of your web server.

    Perl makes it very easy to write secure programs. Unfortunately, most CGI program authors don't seem to know this.

  • The programs are buggy. Many of the other programs have had no kind of code review. This means that they often still have bugs in them which can cause problems on your web site. You may be the first person to discover this bug. The support you get from the authors of these programs can be very patchy. I have never received a reply from Matt Wright when I've reported a bug in his scripts.

    The nms project has a large number of developers, therefore each line of code has been seen by many people. The chance of bugs is much reduced. Additionally, we have a dedicated mailing list to deal with support issues.

  • The programs are badly written. Whilst many people simply install these programs and never look at the code, others will read CGI program code as a way to learn to write their own CGI programs. We therefore feel it is important that our scripts reflect the best Perl coding practices. Others don't share our views and many people have learned very bad coding habits from reading Matt Wright's code.
Re^3: CGI recipient Option
by gellyfish (Monsignor) on Sep 01, 2004 at 16:24 UTC

    In the first place this code allows someone to place arbitrary headers into the email that is sent - it would be trivial for it to be exploited as an anonymous method for sending spam.

    /J\
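The header-injection problem gellyfish describes, shown as an added example that is not code from the original thread or from the script under discussion. The vulnerable subroutine is a hypothetical reconstruction of the pattern being criticised (form fields interpolated straight into mail headers); the form input, the allow-list and the helper names are all constructed here for illustration:

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample form submission (not taken from the thread): the
# "recipient" value carries an embedded newline followed by a Bcc: line.
# That newline is the whole attack: it ends the To: header early and
# turns the rest of the value into a second header of the attacker's choosing.
my %form = (
    recipient => "webmaster\@example.com\nBcc: victim1\@example.net, victim2\@example.org",
    subject   => "Hello",
    message   => "Just testing.",
);

# Vulnerable pattern (hypothetical): untrusted form values are dropped
# into the message headers verbatim. The injected Bcc: survives intact,
# so anyone can use the script to mail arbitrary addresses.
sub build_headers_vulnerable {
    my (%f) = @_;
    return "To: $f{recipient}\nSubject: $f{subject}\n\n$f{message}\n";
}

# Hardened version (assumed policy, not the script's own): the recipient must
# match a fixed allow-list, and no header value may contain CR or LF.
my @allowed_recipients = ('webmaster@example.com', 'sales@example.com');

sub header_value_ok {
    my ($v) = @_;
    return defined $v && $v !~ /[\r\n]/;
}

sub build_headers_safe {
    my (%f) = @_;
    my $to = $f{recipient};
    die "rejected: recipient not in allow-list or contains a line break\n"
        unless header_value_ok($to) && grep { $_ eq $to } @allowed_recipients;
    die "rejected: subject contains a line break\n"
        unless header_value_ok($f{subject});
    # Keep the subject to printable ASCII and a sane length.
    (my $subject = $f{subject}) =~ s/[^\x20-\x7E]//g;
    $subject = substr($subject, 0, 200);
    return "To: $to\nSubject: $subject\n\n$f{message}\n";
}

print "--- vulnerable ---\n", build_headers_vulnerable(%form);
my $safe = eval { build_headers_safe(%form) };
print "--- hardened ---\n", (defined $safe ? $safe : $@);
```

Running this prints the vulnerable message with a separate `Bcc:` header line, and the hardened path refuses the same input because the recipient both contains a line break and is not on the allow-list. The allow-list is the important half: stripping newlines alone still leaves a form that will mail whoever the submitter names, which is exactly the open relay gellyfish is warning about.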