Re: Some advice on another's scripts
by peterbrown (Novice) on Jun 25, 2002 at 19:19 UTC
|
As the author in question (grimace), I feel obligated to respond.
I do want to correct what I perceive to be a misunderstanding of my intent, when Mr. Muskrat states:
"Now that he has told me that he does not want to fix his code until he is ready, what should I do?
Have I done enough by letting him know? Or should I post his URL as a warning to others? "
I don't think I meant "I'm not going to fix it until I'm good and ready and to heck with the consequences." I'm very concerned about the viability of my scripts. If there's a serious and urgent flaw, I want to fix them immediately.
I do, however, have to schedule things, since I have a day job.
I responded to your email immediately, Mr. Muskrat, because I AM concerned. In fact, based on your email, I immediately posted a page at:
http://worldcommunity.com/opensource/programming.methods.html
My goal is to become a better and better programmer. As a working programmer, the last thing I want is to be considered a 'hack'. I profoundly appreciate everyone's advice, and will do my best to improve.
Oh... and in response to a post above about html templates -- FutureSQL is built around an extensive template system, so that the code is separated from the html.
Thanks :-)
Peter F. Brown
| [reply] |
|
| [reply] |
•Re: Some advice on another's scripts
by merlyn (Sage) on Jun 25, 2002 at 17:23 UTC
|
Or should I post his URL as a warning to others?
If the code is published on the web, it is subject
to peer review.
I'd say publish the URL, but ethically, you should let
him respond to your criticism, and update your comment if the referenced material changes favorably.
-- Randal L. Schwartz, Perl hacker
| [reply] |
Re: Some advice on another's scripts
by vladb (Vicar) on Jun 25, 2002 at 17:25 UTC
|
I think you did a conscious thing by pointing the guy to the wrongs he has done. For the most part, I wouldn't bother doing the same thing if I were in your shoes. So, I would command your courage and selflessness.
In addition to the points of improvement you've suggested, I'd also go as far as saying to use a templating system instead of simply writing HTML inside your script. There's a lot of wonderful tools out there. samtregar's HTML::Template is one of them.
I would like to also respectfully disagree with your "use CGI.pm to it's fullest" statement, though. Just how do you go and measure that? In most of my scripts, I use CGI to retrieve parameters sent to the script, process cookies, file uploads and so forth. However, I don't particularly favor CGI's html producing features. Certainly, this probably stems from the fact that I'm big on templates. ;-).
_____________________
# Under Construction
| [reply] [d/l] |
|
I'd really love to see a "Perl Style and Security Coding Guide" (hopefully with a better name) that covered all of these things.
For myself, I have written a lot of garbage scripts that exist out there on the net right now without -w, use strict, taint, etc. I didn't know better when I was starting to lean Perl because there were no resources (especially no single resource) that covered these. The books I learned from never even touched on tainting, or if they did no "Why this is important" info was given.
Kickstart
| [reply] |
|
I'd have to agree with Kickstarts's comment 100%. I too have coded several Perl scripts that get the job done, but not necessarily in the best way. After having hung out on PM.org, I've picked up things like -w and use strict, but I feel there is much more to learn before my code is to be considered "well written". I learned Perl from several different books and am still continuing along the path of Perl wisdom. It would be great to have a tutorial on proper Perl style, security issues, modules etc. I know I'd reference it at least once a day! Monks?
| [reply] |
|
| [reply] |
|
|
|
Re: Some advice on another's scripts
by insensate (Hermit) on Jun 25, 2002 at 17:28 UTC
|
You've done enough. Unsolicited critisim of any code is a very delicate subject. What the author decides to do with your justifiable concerns is a function of his or her integrity as a publisher. There is a whole lot of bad code floating around on the net and it is fortunate when someone such as yourself is observant and concerned enough to take the iniative to draw attention to the present dangers. You should sleep well tonight knowing that you've done all you can and should. If this author fails to publish an addendum I will be greatly discouraged by his or her lack of care for the audience. -Jason | [reply] |
Re: Some advice on another's scripts
by ignatz (Vicar) on Jun 25, 2002 at 21:44 UTC
|
I would agree that those who posts code online are subject to peer review. This standard also applies to writers of critiques. I'm wondering how I would feel if I read a review of a book and the reviewer admitted to just skimming it and not being an expert on the subject at hand.
Parroting "use strict" and "-w" without backing it up is not a valuable critique. How would CGI.pm fare under that standard? TMTOWTDI. If you are going to attack someone else's work, take the time to show the specific reasons behind your comments.
Did you do the right thing by bringing your concerns to the attention of the author? By all means. Did you do the right thing by turning your concerns into an cursory unsolicited public critique of someone else's code? I'm not so sure.
()-()
\"/
`
| [reply] |
|
ignatz,
I couldn't show specifics without exposing the code which may have exposed who the author was. I was trying to make it an anonymous post. I did not give the url or so much as the name of the script until I told to post the url to peterbrown's write up on his programming practices. This post started as a question. That question was answered. I updated the info as it was made available to me.
| [reply] |
Re: Some advice on another's scripts
by Marza (Vicar) on Jun 25, 2002 at 17:54 UTC
|
You done good. The fact you publish something opens you to critisim. Most writers already know that. A good one will evaluate what you say and either change or offer an argument back.
I once contacted an author for training book on IIS about several mistakes. Some he felt where justified and others he thought were simply my opinion. So there is no harm in pointing something out.
If the author gets pissed then he won't be writing long.
Heck I bet even Merlyn gets contacted on stuff he published.
| [reply] |
|
What better way to learn than hearing some little(or big) pointers from your peers!
Seriously, don't worry about it! Have you ever been in a simmilar situation, where you got a bit of a code review? Sure, it is a humbling experience, but at the same time, you feel great to know that someone out there wants to help? Isn't that the beauty of the open source community??(other than sharing with others of course)
IMHO, you did this guy a favor, and like Marza said, if he gets pissed then he won't be writing long.
--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
perl -e '$a="3567"; $b=hex($a); printf("%2X\n",$a);'
--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--~~--
| [reply] |
Re: Some advice on another's scripts
by Anonymous Monk on Jun 26, 2002 at 00:10 UTC
|
Be careful with handing out advice that you aren't damned sure of.
For instance telling him to use CGI.pm's html generating methods is crap. Search for "separation of content and presentation" some time. (Templating as well.) While handrolled HTML is bad, at least it is easier to move between that and editing complex HTML using standard web design tools than it is to have to mentally translate everything to and from Perl calls just to see what changed.
Just because CGI is supposed to be a good module, and it offers those functions, doesn't mean that it is a good idea to use those functions for anything other than toy examples! | [reply] |
Re: Some advice on another's scripts
by Mr. Muskrat (Canon) on Jun 26, 2002 at 13:18 UTC
|
This started out as a question and ended up a circus of sorts. Not at all how I wanted it to end.
peterbrown, I apologize for bringing this up here. Had I waited until I made it home yesterday, this probably would not have been posted.
And I really will read through your code thoroughly starting this evening like I said I would.
| [reply] |
|
Dear Mr. Muskrat,
I appreciate and accept your kind apology, and
also the remarks of Brother Frankus and others.
I'm truly appreciative of advice and eager to learn more.
As perhaps many programmers are, I'm self-taught by trying
to inhale book after book and examine other's code. I would
be really nuts to think there's nothing more to learn.
In fact, as I mentioned in my initial email to you, the
points you raised were excellent -- I plan to integrate
most of them in a substantial rewrite of FutureSQL that will
make FutureSQL compatible with mod_perl.
As you mentioned, security really is a gigantic concern. I
would indeed appreciate feedback about any security holes
in my scripts. I also have been looking for feedback about
the session id security method that I created in
FutureSQL, using a hand-roled XOR method. See
Security Text for details.
My biggest worry about this posting has been that I make my living
(supposedly :-) as a programmer. I try to really do my best
to serve my clients with code that works and doesn't break, and is
hopefully robust. So far, my clients have given me pretty good
marks, as one could see from their quotes at:
Programming Information.
In other words, my reputation (if I have one :-) is important to me,
and having esteemed programmers such as the Perl Monks conclude that
I was a careless and/or unconcerned programmer would be a dreadful thing,
in my opinion.
Thank you once again for your technical recommendations!
Best regards,
Peter
| [reply] |
|
| [reply] |