in reply to The joys of bad code
# =================================================================== # # Program: # # 1. Parse the input. # 2. Build the query string. # 3. Get the results. # 4. Display the results. # # ===================================================================
Never mind that this describes almost every single program in existance. (Minus the CGI-specific points like "building the query string".)
# invoke grep directly, avoid sub-shell (ala realtors script) open(HITS, "-|") || exec('grep','-i',"$key","$MEMBER_TABLE") || di +e "could not spawn grep";
Yup, that's right. He calls out to grep to search a flat-file. Never mind that Perl's regular expression engine could do the same thing in the same ammount of lines. Sometimes he'll even check that the results from grep match against a Perl regex, just be really sure. Naturally, he does not sanitize $ENV{PATH}. At least he checks the return value of open.
I don't know who this "realtor" guy is. The snippets above where done by a guy who left long before I started working here, but apparently he didn't know Perl at all and cobbled his CGIs together from various online sources (cargo-culter of the highest order).
"There is no shame in being self-taught, only in not trying to learn in the first place." -- Atrus, Myst: The Book of D'ni.
|
|---|