My fellow monks:
I spoke with some of you this morning in the CB concerning the following matter. I was looking through a linux website and came across an article on a perl script. So I followed the link and looked at the code. What I found was poorly written at best, lacking things. It uses global variables, does not 'use strict', does not use -w, etc...
I then looked at a CGI script at the same site written by the same person and it was even worse. There was no taint checking even though it is receiving input, no -w, no 'use strict', global variables, and he sent fatals to the browser. He uses CGI.pm but hand rolls most of his HTML. (Which is okay, but if you're gonna use it, use it to its fullest!) I contacted the man via email telling him how he should change things for the better (trying to stress the security related items). I sent him a link to PerlMonks as well as Ovid's wonderful CGI Course. He replied saying that, yes, he should follow most of my suggestions but it would have to wait for the next version when he migrates it to mod_perl. He did not, however, mention the poor security of his scripts. (see updates below)
I am not an expert perl programmer. I am not a security professional. I haven't even had the time to fully go through all of the code yet. I felt that I should make the author aware of the mistakes and that I should show him a cleaner way of producing HTML in CGI scripts.
Did I do the right thing? I think so.
Did I take it too far by telling him to use CGI.pm to its fullest? Maybe... it is primarily a personal preference.
Now that he has told me that he does not want to fix his code until he is ready,
That is not what I meant...
Now that he has told me that the update will have to wait until he releases the mod_perl version, what should I do?
Have I done enough by letting him know?
Or should I post his URL as a warning to others?
(He posted a message to the web page saying that it does not do taint checking.)
Updated*6:
I sent a follow up message about the security issues and received a reply: "I will indeed look at that more closely. If you find any holes, do let me know."
To which I replied, "Would you like some experts to look at it? If so, then I'll post your URL at PerlMonks. Many of the perl gurus frequent the site."
Here is the URL he replied with: Programming Methods
So the cat is out of the bag now... FutureSQL is the CGI script in question. I just noticed that there are demos available. SSL demo or Normal demo
peterbrown, you will get your ++ tomorrow :) It was a bit misworded but I have been trying to clarify it. I have also been making updates as the day progressed based on our conversations. Had I waited until after work to post, this would have been much clearer from the start.
I am glad to see you made it here!
(strikethroughs and bold text above were edited during the updates)
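For anyone reading along, here is the baseline the post is asking for, as an added example that is not FutureSQL's code or anything from its author: taint mode (-T), strict and warnings, fatals sent to a log rather than the browser via CGI::Carp, an allow-list untaint of a request parameter, and CGI.pm's escapeHTML for output. The log path and the 'table' parameter name are assumptions.

```perl
#!/usr/bin/perl -T
# Added example, not the script discussed in the post.
use strict;
use warnings;
use CGI qw(header start_html end_html escapeHTML);
use CGI::Carp qw(carpout);   # keep die()/warn() output in a log, not in the page

BEGIN {
    # Hypothetical log path; in production point this at the web server's log directory.
    open my $log, '>>', '/tmp/cgi-example.log' or die "cannot open log: $!";
    carpout($log);
}

# Under -T, perl refuses to run external commands with a tainted environment.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q = CGI->new;

# Every request parameter is tainted under -T. The only way to untaint is to match
# against an allow-list pattern and keep the capture; anything else is rejected.
sub untaint_table_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z_][A-Za-z0-9_]{0,63})\z/ ? $1 : undef;
}

my $table = untaint_table_name( $q->param('table') );

print header(-type => 'text/html; charset=UTF-8'), start_html('Example');
if (defined $table) {
    # $table is now safe to use as an identifier or in a filename.
    print '<p>Selected table: ', escapeHTML($table), "</p>\n";
} else {
    # Tell the user without echoing the raw (possibly hostile) input back unescaped.
    print "<p>Invalid table name.</p>\n";
}
print end_html;
```

Without -T the same script would happily pass an unvalidated parameter on to a filename or a shell; with it, perl dies before the tainted value reaches such a call, and the die lands in the log rather than on the visitor's screen.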
In reply to Some advice on another's scripts by Mr. Muskrat