Transcript of Idiotic Perl
Uploaded by dave-cross
London.pm 24 Jan 2001
Idiotic Perl
Or The Crappy Hacker Picture Show
What this talk isn't about
● Writing bad Perl (although we may see the occasional example of that)
● Writing stupid Perl programs or modules (london.pm already has quite enough stupid Perl modules)
What this talk is about
● The large numbers of people who use Perl, but aren't part of what we would consider "the Perl Community".
– Who they are
– What they are doing with Perl
– What kind of Perl they are writing
– Why they aren't in the Perl community
– What the Perl community can do to help them
Who they are
● We'll call them “script kiddies”
– People who have built web sites using HTML
– Want to add "interactive stuff" to their web sites.
– Told that Perl is what you use to do this so they try to learn Perl.
– And (in most cases) fail
The Script Kiddy's Assumption
● Most of the problems that script kiddies have are because they believe the following:
– Web is easy
– Perl is web
– Perl is easy
Learning Perl
● To find out more about Perl they will take one of three routes:
– Ask a friend
– Look on the web
– Buy a book
Ask a friend
● Everyone knows someone who “knows about stuff”
● But how do you know if they really know what they are talking about?
● May well be a “one-eyed king”
One-Eyed Kings
● “In the kingdom of the blind, the one-eyed man is king”
● Outside of the main Perl community there are many smaller Perl communities
● Each has its own set of local “experts”
● Not really experts at all, but they know more than anyone else in the community
● No one challenges them so their authority grows
Look on the web
● But 90% of everything on the web is crap
● This is particularly true of Perl code on the web
● Searching for “CGI scripts” in most search engines gets Matt's Script Archive as the first match
● Also, there are a lot of one-eyed kings out there on the web
Buy a book
● Most Perl books are rubbish
● In particular, most beginners' Perl books are rubbish
● Script kiddies won't buy Learning Perl or Elements of Programming with Perl
– They look too complex
– They don't cover CGI
● Therefore the bad books sell well
More about books
● Script kiddies buy books that reinforce the script kiddies' assumption
● This has two major effects
– They learn bad Perl
– They learn nothing about the Perl community and therefore have little chance of ever seeing better Perl
Dave's standard Perl book rant
● Bad books get great reviews on Amazon
● Script kiddies read the book and within hours they think they have learned some Perl
● They don't know that they have learned some really dangerous Perl
● Therefore most reviews on Amazon should be ignored
Typical bad advice
● No -w or use strict
● No CGI.pm
● No taint mode
● No modules
● Broken CGI parser
Broken CGI Parser
● read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
  @pairs = split(/&/, $buffer);
  foreach $pair (@pairs) {
      ($name, $value) = split(/=/, $pair);
      $value =~ tr/+/ /;
      $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;
      $FORM{$name} = $value;
  }
Broken CGI Parser Problems
● Doesn't handle
– GET requests
– File uploads
– Multi-valued parameters
● Any of those restrictions may be fine for a particular program
● The problem comes when the same code is reused in other programs
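The parser from the slide placed next to what CGI.pm does with the same request, as an added example that is not part of the talk or of Matt's Script Archive. The request is constructed inline by setting the environment variables a web server would export, so it runs from the command line; the helper names broken_parse and cgi_parse are my own. multi_param needs CGI.pm 4.08 or later, and CGI.pm has not shipped with core Perl since 5.22, so install it from CPAN first.

```perl
#!/usr/bin/perl
# Added example (not from the talk): the slide's hand-rolled parser and
# CGI.pm, fed the same GET request. Requires CGI.pm from CPAN.
use strict;
use warnings;
use CGI;

# Constructed request, standing in for what a web server would export:
# a GET with a repeated parameter and URL-encoded characters in a value.
$ENV{REQUEST_METHOD} = 'GET';
$ENV{QUERY_STRING}   = 'colour=red&colour=blue&name=Dave%20Cross%2B';
delete $ENV{CONTENT_LENGTH};            # a GET carries no body

# The slide's parser, with declarations so it compiles under strict.
# It reads STDIN whatever the method, so a GET gives it nothing, and
# because it assigns into a plain hash a repeated name keeps only the
# last value.
sub broken_parse {
    my %FORM;
    my $buffer = '';
    read(STDIN, $buffer, $ENV{CONTENT_LENGTH} || 0);
    foreach my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair;   # "a=b=c" loses "c"
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;                   # overwrites duplicates
    }
    return \%FORM;
}

# Same job through CGI.pm: GET and POST, multipart uploads and repeated
# names are all handled by the module. Names with more than one value
# come back as an array reference.
sub cgi_parse {
    my $q = CGI->new;
    my %form;
    foreach my $name ($q->param) {
        my @values = $q->multi_param($name);      # CGI.pm 4.08 or later
        $form{$name} = @values > 1 ? \@values : $values[0];
    }
    return \%form;
}

my $broken = broken_parse();
my $proper = cgi_parse();

printf "hand-rolled parser: %d parameter(s) found\n", scalar keys %$broken;
foreach my $name (sort keys %$proper) {
    my $value = $proper->{$name};
    printf "CGI.pm: %s = %s\n", $name,
        ref $value ? join(', ', @$value) : $value;
}
```

Run it and the hand-rolled parser reports no parameters at all, because nothing arrived on STDIN; CGI.pm returns both colours and decodes the name to "Dave Cross+". Switch the constructed request to a POST and the hand-rolled version would find the parameters but still keep only the last colour, which is the reuse problem the slide describes.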
More bad advice
● No checks on open calls
– open(FILE, 'file.dat');
– But it worked from the command line!
● No locking of files
● Or using magic numbers in flock calls
● Or unlocking before closing
– flock(FILE, LOCK_UN);
  close FILE;
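The three items on this slide done the other way round, under taint mode, as an added example that is not code from the talk. It assumes a per-name counter file "<name>.dat" in the current directory and takes the name from $ARGV[0]; the helper names untaint_name and bump_counter are my own.

```perl
#!/usr/bin/perl -T
# Added example (not from the talk): checked opens, Fcntl lock constants,
# and close() releasing the lock, under -T. Assumes a counter file
# "<name>.dat" in the current directory, name taken from $ARGV[0].
use strict;
use warnings;
use Fcntl qw(:DEFAULT :flock :seek);

# Taint mode: anything from outside the program (here @ARGV; in a CGI it
# would be the form data) cannot reach a filename until it has been
# through a regex capture. The pattern is the whole validation, so keep
# it tight: "../../etc/passwd" dies here instead of being opened.
sub untaint_name {
    my ($raw) = @_;
    my ($name) = $raw =~ /^([A-Za-z0-9_-]{1,32})$/
        or die "Rejected unsafe name '$raw'\n";
    return $name;
}

sub bump_counter {
    my ($path) = @_;

    # Check the open and say what failed. The slide's open(FILE, 'file.dat')
    # carries on with a dead handle when the web server's working directory
    # or user differs from the command line's. sysopen with O_CREAT creates
    # the file on first use without truncating an existing one.
    my $fh;
    sysopen($fh, $path, O_RDWR | O_CREAT, 0644)
        or die "Cannot open $path: $!";

    # Lock with the Fcntl name, not the number 2: LOCK_EX happens to be 2
    # on common platforms, but the name is portable and says what it does.
    flock($fh, LOCK_EX) or die "Cannot lock $path: $!";

    my $line  = <$fh>;
    my $count = (defined $line && $line =~ /^(\d+)/) ? $1 : 0;
    $count++;

    seek($fh, 0, SEEK_SET) or die "Cannot seek $path: $!";
    truncate($fh, 0)       or die "Cannot truncate $path: $!";
    print {$fh} "$count\n" or die "Cannot write $path: $!";

    # No flock($fh, LOCK_UN) before close: the print above is buffered, so
    # unlocking first lets another process take the lock and read the old
    # value before the new one is flushed. close() flushes, then the lock
    # goes away with the descriptor.
    close($fh) or die "Cannot close $path: $!";
    return $count;
}

my $name  = untaint_name(@ARGV ? $ARGV[0] : 'counter');
my $count = bump_counter("$name.dat");
print "$name.dat is now $count\n";
```

Run it as `perl -T counter.pl dave` (with -T on the command line as well, otherwise Perl refuses with "Too late for -T"): the first run creates dave.dat with 1, the second run reads it back under the lock and writes 2, and a name such as `../../etc/passwd` dies in untaint_name before any file is touched.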
More bad code
● $match = '0';
  foreach $used_value (@used_values) {
      if ($value eq $used_value) {
          $match = '1';
          last;
      }
  }
  if ($match == '0') {
      # do something
  }
● From wwwadmin.pl by Matt Wright
Recognising bad code
● This is usually obvious, but here are some traits that bad programs often share
– No use strict or -w
– No use of modules (standard or CPAN)
– Most variables are global
– No use of references or complex data structures
Why help script kiddies?
● Bad code damages Perl's reputation
● Getting more people into the core Perl community is good
● They are often grateful (not always!)
Helping script kiddies
● Go to where they congregate
– http://www.cgi101.com/discuss/group.cgi?1
– http://www.cookwood.com/cgi-bin/lcastro/perlbbs.pl
● Correct them gently
– They aren't used to RTFM
● Point them at good places for information
– http://learn.perl.org
– http://perlmonks.org
Finding script kiddies
● Script kiddies don't just live out there on the web
● Are there any within your company?
– Can you run training courses
– Or code reviews
– Or just point them at useful information
Getting closer to the root problem
● Go to their sources of information
– Books
– Web sites
– Mailing lists
● Offer to tech review books
● Point out alternative sources of information
Better role models
● nms is a set of drop-in replacements for Matt Wright's scripts
● Code uses best Perl programming practices
● More secure, better supported
● Not written by one-eyed kings
● http://nms-cgi.sourceforge.net/
● Please evangelise
Conclusions
● The majority of people writing Perl are writing bad Perl
● This adversely affects Perl's image
● We should help them in order to help ourselves
● It doesn't take much effort to make a difference