Idiotic Perl

London.pm 24 Jan 2001

Idiotic Perl

OrThe Crappy Hacker Picture Show


What this talk isn't about

● Writing bad Perl(although we may see the occasional example of that)

● Writing stupid Perl programs or modules(london.pm already has quite enough stupid Perl modules)


What this talk is about

● The large numbers of people who use Perl, but aren't part of what we would consider "the Perl Community".– Who they are– What they are doing with Perl– What kind of Perl they are writing– Why they aren't in the Perl community– What the Perl community can do to help them


Who they are

● We'll call them “scriptkiddies”– People who have have built web sites using

HTML– Want to add "interactive stuff" to their web sites.– Told that Perl is what you use to do this so they

try to learn Perl.– And (in most cases) fail


The Script Kiddy's Assumption

● Most of the problems that scriptkiddies have are because they believe the following:– Web is easy– Perl is web– Perl is easy


Learning Perl

● To find out more about Perl they will take one of three routes:– Ask a friend– Look on the web– Buy a book


Ask a friend

● Everyone knows someone who “knows about stuff”

● But how do you know if they really know what they are talking about

● May well be a “oneeyed king”


OneEyed Kings

● “In the kingdom of the blind, the one-eyed man is king”

● Outside of the main Perl community there are many smaller Perl communities

● Each has its own set of local “experts”● Not really be experts at all, but know more

than anyone else in the community● Noone challenges them so their authority

grows


Look on the web

● But 90% of everything on the web is crap● This is particularly true of Perl code on the

web● Searching for “CGI scripts” in most search

engines gets Matt's Script Archive as the first match

● Also, there are a lot of oneeyed kings out there on the web


Buy a book

● Most Perl books are rubbish● In particular, most beginners Perl books are

rubbish● Script kiddies won't buy Learning Perl or

Elements of Programming with Perl

– They look too complex– They don't cover CGI

● Therefore the bad books sell well


More about books

● Script kiddies buy books that reinforce the script kiddies assumption

● This has two major effects– They learn bad Perl– They learn nothing about the Perl community

and therefore have little chance of ever seeing better Perl


Dave's standard Perl book rant

● Bad books get great reviews on Amazon● Script kiddies read the book and within hours

they think they have learned some Perl● They don't know that they have learned

some really dangerous Perl● Therefore most reviews on Amazon should

be ignored


Typical bad advice

● No w or use strict● No CGI.pm● No taint mode● No modules● Broken CGI parser


Broken CGI Parser

● read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});

@pairs = split(/&/, $buffer);

foreach $pair (@pairs) { ($name, $value) = split(/=/, $pair);

$value =~ tr/+/ /; $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C",hex($1))/eg;

$FORM{$name} = $value;}


Broken CGI Parser Problems

● Doesn't handle– GET requests– File uploads– Multivalued parameters

● Any of those restrictions may be fine for a particular program

● The problem comes when the same code is reused in other programs


More bad advice

● No checks on open calls– open(FILE, 'file.dat');

– But it worked from the command line!

● No locking of files● Or using magic numbers in flock calls● Or unlocking before closing

– flock(FILE, LOCK_UN);close FILE;


More bad code

● $match = '0';foreach $used_value (@used_values) { if ($value eq $used_value) { $match = '1'; last; }}if ($match == '0') { # do something}

● From wwwadmin.pl by Matt Wright


Recognising bad code

● This is usually obvious, but here are some traits that bad programs often share– No use strict or -w– No use of modules (standard or CPAN)– Most variables are global– No use of references or complex data structures


Why help script kiddies?

● Bad code damages Perl's reputation● Getting more people into the core Perl

community is good● They are often grateful (not always!)


Helping script kiddies

● Go to where they congregate– http://www.cgi101.com/discuss/group.cgi?1

– http://www.cookwood.com/cgibin/lcastro/perlbbs.pl

● Correct them gently– They aren't used to RTFM

● Point them at good places for information– http://learn.perl.org– http://perlmonks.org


Finding script kiddies

● Script kiddies don't just live out there on the web

● Are there any within your company– Can you run training courses– Or code reviews– Or just point them at useful information


Getting closer to the root problem

● Go to their sources of information– Books– Web sites– Mailing lists

● Offer to tech review books● Point out alternative sources of information


Better role models

● nms is a set of dropin replacements for Matt Wright's scripts

● Code uses best Perl programming practices● More secure, better supported● Not written by oneeyed kings● http://nmscgi.sourceforge.net/● Please evangelise


Conclusions

● The majority of people writing Perl are writing bad Perl

● This adversely effects Perl's image● We should help them in order to help

ourselves● It doesn't take much effort to make a

difference

Idiotic Perl

Technology

Transcript of Idiotic Perl