PerlMonks
Electronic Pricetag Alteration

by jcwren (Prior)
on Mar 07, 2001 at 04:03 UTC

This story about Electronic Pricetag Alteration (linked to from SlashDot, http://www.slashdot.org) I consider relevant to what a lot of us do, or have done.

Let's take a look at the basic flaw in this whole scheme, which is considering data submitted in a form to be secure. Why would these morons use information like that in the form? If the pricing is in the database, why are they relying on pricing data in the form in the first place?

Now, I'm no mondo-web designer (if you've seen the stats pages, you'll surely agree), and I'm sure not qualified to write a full blown shopping cart application like Amazon, etc. uses. But I am sure as hell smart enough to recognize right off the bat that you don't give users that kind of opportunity. What's wrong with a SKU number? If you have special pricing offers, and you need to write the price to the web page for the user to see, you know you have a special price, and the SKU (however short lived it may be for that offer) contains the price. This means if someone jacks around the SKU, they're getting a different product, and they're still going to pay whatever the jacked SKU costs.

I know there are a lot of people who shouldn't be writing software out there (heck, some people probably think I fall into that category!). I'm no mega-cracker or system jacker, but even I knew you didn't want to do this before I knew anything about web programming. So, who are these people that write these fancy apps, that aren't smart enough to know something that basic? This seems like a real dichotomy, that they're smart enough to write a moderately sophisticated shopping app, but not smart enough to isolate tamperable data from the user.

So, if you're one of these people writing applications that involve people paying for things, you might want to take this into consideration. Or, if your co-workers/boss tell you that it's perfectly safe, make sure that it's not your paycheck that they'll be taking the price difference of a $1900 laptop that someone jacked to $1.90...

Real world evil, people, real world evil. It's not just a theory, it happens quite a bit.

--Chris

Re: Electronic Pricetag Alteration
by footpad (Abbot) on Mar 07, 2001 at 09:08 UTC
    Why would these morons use information like that in the form?

    Put very simply, because they don't know any better. Take a quick look at what a simple query on google turns up or a slightly different one.

    Many of the highest hits are places that aren't well respected in these parts or involve people with similar local reputations. I'm not saying they're bad people (I'm sure they love their SO's/kids/cats/dogs/what-have-you), but that they've managed to gain a bit of celebrity by posting bad code.

    Look at the books on the subject. MW has a cookbook containing a shopping cart that doesn't taint. This isn't a problem with good books (like O'Reilly's, Damian Conway's, and so on), but how well received are those outside of the Unix/Hacker/Good Programmer mindset? This particular problem is endemic to the cut-rate publishers willing to teach you nothing in 24 hours, days, or whatever (save perhaps that few experiences cannot be learned from a book. Experiences like, "I just wasted my money on this crap?")

    I mean absolutely no offense to those who busted their tails writing the best books they knew how. Hell, I'm still trying to learn enough to understand the best ones (Wolf and Panther come to mind) myself. But, the simple fact of the matter is that the best ones require a bit more knowledge, tenacity and/or grit than the harried corporate peon can afford.

    This is a crying shame. Surely there's a good writer in the PM community who remembers what it's like to learn a new paradigm? Certainly there's someone with the patience to figure out how to explain to the average VB user why it's a bad idea to store any real data in the form? Granted, the Rat book specifically discusses this, but it's the only book I've read to date that provides a very clear example of the process and the hack itself. (Well, okay, KM's recent title has touched on it briefly in the parts I've finished.)

    Surely, someone is willing to acknowledge that in spite of its technical weaknesses when compared to other operating systems, the majority of corporate programmers (interpret that term as loosely as you must) are running Windows desktops? (I'm not trying to ignite an OS war; I'm just looking at the market at large.) If you can co-opt these folks, you'll reinvigorate the industry.

    What I really find surprising is that we're so surprised that big name e-commerce sites get ripped by really stupid design decisions. Think about it, what is your opinion of the average corporate CGI "scriptor" or the average "enterprise" web development committee? How many times have you seen projects of this nature get dropped into the laps of the completely clueless and/or unqualified? (/me raises his hand.)

    It's either "Oh, get the graphics artists on Corporate Communications on it; they'll figure it out." _Or_ "Well, the project has been in the works for two years now and we need to get it finished. The original developer left; you know CGI, right?"

    I'm not trying to say these folks are stupid...I am trying to say that they use the tools at their disposal, mainly the search engines. Boom, they find a free script, see instructions on how to install it, it works and boom...they're ready to separate the online masses from their shekels. (</sarcasm>, just in case you weren't reading carefully.)

    We know better, of course. They've dropped shields, reduced impulse, continue to broadcast "please board us" across all subspace frequencies.

    Again, not because they're stupid, but because they don't know any better. "They'll learn," we say. Yes, sure. But at what cost?

    Furthermore, what if we could have prevented it?

    This, quite frankly, is why I continue to argue for patience and courtesy for initiates and newbies alike, for we cannot accurately predict the trolls from the truly innocent until we have more data points than a single post or two. Certain ones are obvious, of course, but I believe there's a risk we'll cross the line.

    If we, who know better, aren't willing to teach these folks how to protect their sites, jobs, and wallets from the depredations of real world evil, someone else will...at their expense.

    "It's just life," we say, wondering in amazement at the cluelessness we see. To which I say again: "What if we could have prevented it?" What if it was your best buddy from school or your parent/guardian/favorite adult? What if it was your spouse/SO/closest friend in the world?

    I believe that knowledge brings responsibility. If you're going to help, then you must be willing to actively and patiently combat the anti-information that's in the channel.

    Here's a challenge for some wise CGI/Perl master: Write a series of basic, freely available scripts to rival and shame the top sites in those queries I mentioned. Do the job well enough to knock MSA out of the top spot on the search engines. Show how shamefully and poorly his "solutions" are written.

    As a bonus, here's a profit motive: GPL the source and sell support and customization. Do it right and I think you'll make far more than M$FT in their heyday.

    Perhaps I'll be able to do that myself...in a few years, when I feel I can actually call myself a Perl adept. In the mean time, there's a wide open market for those of you who already know what you're doing. Change only happens when real people take action.

    --f

Re: Electronic Pricetag Alteration
by Trimbach (Curate) on Mar 07, 2001 at 04:32 UTC
    I actually ran across a similar problem while doing some Perl/CGI freelancing. The client hired me to add some functionality to an existing shopping cart CGI that he had already paid for. I don't know who wrote the shopping cart but although it was (on the surface) perfectly functional and suited the client's needs, it was really, really ugly on the backend. (No CGI.pm, hand-rolled templating functions a la HTML::Template, you get the idea.) Although prices for items were stored in a db (a 5,000 row flat-file, natch) the shopping cart deliberately accepted price changes from the HTML form to allow for things like discounts for re-sellers and premier customers and such.

    I thought this was amazingly dumb, but it made some of the things I was contracted to do easier (adding "bonus items" from the db for free, for example.) Fixing the security problems would have involved a fairly major re-write of the whole shopping cart (although trust me, adding "use CGI;" would've saved a hell of a lot of coding) and it was near Christmas and the client didn't have the time for the re-write/re-test cycle for a cart that, like I said, already worked.

    So I did what I was hired to do, got paid, and the client was happy. The original program was just so bad there really wasn't anything else to do given the time and money at issue. It felt very wrong, though... we spend so much time making sure that our code is as secure as we can manage that deliberately leaving security holes is, literally, a sin.

    But perhaps the bigger sinners are those that write this crap to begin with. My clients were small businessmen, not coders. When they hire someone to do a job they don't have the means to do a third-party review of the code they just bought; they're just taking the programmer's word that what they bought is secure. The client (in my case) got ripped off by the original coders long before they almost certainly got ripped off by people taking advantage of the security hole.

    sigh

    Gary Blackburn
    Trained Killer

Re: Electronic Pricetag Alteration
by vroom (His Eminence) on Mar 07, 2001 at 04:22 UTC
    You can always pass the parameters and just not use the item id instead. I prefer something along these lines:
    my $passedprice = $query->param('price');
    # charge the real price plus whatever was shaved off it
    charge_credit_card($realprice + abs($realprice - $passedprice));

    Seriously though these are important things to worry about when money or xp are involved.

    vroom | Tim Vroom | vroom@cs.hope.edu

      I'll just note that voting on something you already voted on takes a vote away from you but doesn't affect the node.

              - tye (but my friends call me "Tye")
Re: Electronic Pricetag Alteration
by Desdinova (Friar) on Mar 07, 2001 at 04:15 UTC
    The really sad part is that this is not some new thing. I mean this exact trick is on pg 201 of O'Reilly's 'CGI Programming with Perl'. At the very least the security chapter of that book should be required reading before people even look at CGI code.
Re: Electronic Pricetag Alteration
by Albannach (Monsignor) on Mar 07, 2001 at 20:00 UTC
    I am duty-bound to repeat my strong recommendation for the Risks Digest! I want everyone here to go to the archive, pick one issue at random (they're all equally relevant to today) and read it through. You will be wiser.

    In that digest I have been reading the work of some of the greatest security experts of the information age as they discuss and warn us on the issues of quality in software and systems design for well over 10 years now (the first issue was in 1985). The older I get, the more it seems that absolutely friggin' everything that can go wrong was known beforehand and a workaround was available!

    Sure people are stupid and make mistakes, but it is the structure of the whole project (in the case of a systems design for instance) that allows such mistakes to slip through and get into production, after which point it is in everyone's best interest to proclaim that it couldn't have been foreseen, lest they end up taking some responsibility. That's it, responsibility, the single most threatening thing in the modern world, a force so overwhelming that it threatens to drive civilization right into the ground as everyone flees its grasp.

    Either mistakes like this price-changing loophole literally don't matter (which indicates something else very wrong with the way things work) or people had better start paying more attention before something really bad happens. Demand quality of your work and that of those around you!

    Geez, I'm starting to sound like crazyinsomniac, I'd better quit here.

    crazypedant!

    --
    I'd like to be able to assign to an luser

Re: Electronic Pricetag Alteration
by LD2 (Curate) on Mar 07, 2001 at 07:07 UTC
    I'm not sure if it's due to lack of QA on their (the company's) part or lack of common sense during development (software, database, and security design) or maybe it's due to all of the above. The sad thing is that these companies are not taking into consideration the evils of this world. C'mon, there are too many users out there who would love to hack a site and create some havoc or just hack the site to be able to purchase the item at a much lower cost. Technology is evolving and with that, programmers are becoming more sophisticated... unfortunately some of them are being devious with their abilities. People cannot survive thinking that no one will take advantage of them - because they will. If they could assume the worst and program for that, they may be somewhat safe. But, in reality I think it'd be highly difficult to guard against every single security hole.

    You're right jcwren, real world evil is out there..
(redmist) Re: Electronic Pricetag Alteration
by redmist (Deacon) on Mar 07, 2001 at 08:52 UTC

    When I used to be a hoodlum, me and my "buddies" would need paint for our vandalism-related acts. We would go to Home Depot, and nonchalantly change the bar code stickers from, say, a brush, to a 5 gallon bucket of paint. We would also take advantage of special deals that were indicated by colored stickers or marks on products by bringing in a sharpie and making a mark on a given product. I guess it's a meme, not strictly a computer issue.

    redmist
    Silicon Cowboy
(Ovid) Re: Electronic Pricetag Alteration
by Ovid (Cardinal) on Mar 07, 2001 at 19:12 UTC
    From the Yahoo! story:
    Overall, fraud is estimated to occur in 11 percent of all online transactions, said Paul Fichtman, president and CEO of the Internet Fraud Council.
    That's a lot of fraud. It's sad that this still happens. I referred to this in Lesson 3 of my CGI course when I mentioned going to Altavista and typing in type=hidden name=price as the query parameter. Once you see how common it is, you'll be dismayed. It's been around for a long time. Sigh.

    Incidentally, for those who are wondering why I haven't updated the course in a while, I'm stuck in Amsterdam for a bit and not using Perl. I hope to be able to return to Perl (and the course) in about two months or so.

    Cheers,
    Ovid

    Join the Perlmonks Setiathome Group or just click on the link and check out our stats.

Re: Electronic Pricetag Alteration
by gopher (Monk) on Mar 07, 2001 at 08:05 UTC

    Programmers who write code that is faulty and know it's faulty shouldn't be programming. They should strive to make a good program, and if they don't know enough about security to cover a large amount of bugs, they shouldn't be writing programs where security is needed. They should take enough pride in their code to do a good job, regardless of any impending deadlines. Good code is good code, and that's what we need.

    "Mr. Zoothornrollo, hit that long lunar note, and let it float."

(crazyinsomniac) Re: Electronic Pricetag Alteration
by crazyinsomniac (Prior) on Mar 07, 2001 at 12:37 UTC
    What the fukc hell!?!?
    What kind of retarded insane freak with the gall to call themself a programmer would do something so idiotic?

    Please excuse that outburst but I'm going to get myself a $1.60 laptop. (What the fukc hell!?!?)

    Ok, ok ok, I'm sorry, I just can't believe that degree of stupidity. Can the programmer be sued?

    I recently wrote that type of app (JavaScript 'n' HTML and such - Mickey Mouse stuff ;-) for a class (no CGI backend, next class) and I had the price embedded in the HTML and stuff, but it was only there so I wouldn't need to query the database for a price check of a window shopper.

    Before the customer actually made a purchase (clicked yes), I would validate all the prices from the database. The only item passed to the server would be the id or ISBN or whatever you're selling (or however you're naming your products).

    instant update: Can the guy cheating the idiots be sued? (All he's doing is saying, "hey this cost $2")

    ___crazyinsomniac_______________________________________
    Disclaimer: Don't blame. It came from inside the void

    perl -e "$q=$_;map({chr unpack qq;H*;,$_}split(q;;,q*H*));print;$q/$q;"

      I have no doubt that the vendor's high priced lawyers (without whom the laptop would cost a lot less than $1600 but that's another rant) would argue that you are CHEATING (bad, bad you!). However, I wonder (not being a lawyer myself) whether editing the page and submitting it back would constitute a counter-offer (no, I won't pay $1600 for that fetid heap of prehistoric puke, how about $1.60?), which the vendor's server can either accept or reject. If it accepts the offer, what is wrong? Is the server not acting as a legal agent of the vendor? If not, what business does it have selling anything at any price?

      If you ask me, vendors (or anyone) who lose out because they were too cheap or stupid to do things right are simply getting what they asked for.

      --
      I'd like to be able to assign to an luser
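jcwren's "pass the SKU, not the price" argument at the top of the thread and crazyinsomniac's "validate all the prices from the database before the purchase" describe the same fix. The Perl below is an added illustration, not code from any post in this thread: a constructed price table stands in for the shop's database, the SKU format, function names and sample submissions are assumptions, and the two functions put the trusting and the hardened checkout side by side.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed catalog standing in for the shop's price database,
# keyed by SKU. In a real cart this is the only place a price lives.
my %CATALOG = (
    'LT-1900' => { name => 'Laptop', cents => 190000 },
    'MS-0025' => { name => 'Mouse',  cents => 2500 },
);

# VULNERABLE: trusts the hidden "price" field the browser sent back.
# A submitted form is just bytes the client assembled; the field holds
# whatever the client chose to put there, not what the page displayed.
sub total_from_form_price {
    my ($params) = @_;
    my $qty   = $params->{qty}   // 1;
    my $price = $params->{price} // 0;
    return $qty * $price;
}

# HARDENED: accepts only the SKU and quantity from the form, looks the
# price up server-side, and rejects anything it does not recognise.
sub total_from_catalog {
    my ($params) = @_;
    my $sku = $params->{sku} // '';
    my $qty = $params->{qty} // '';

    # Whitelist the identifier format and quantity before any lookup
    # (assumed SKU format: two letters, a dash, four digits).
    die "invalid sku\n"      unless $sku =~ /\A[A-Z]{2}-\d{4}\z/;
    die "invalid quantity\n" unless $qty =~ /\A[1-9]\d{0,2}\z/;

    my $item = $CATALOG{$sku} or die "unknown sku $sku\n";
    return $qty * $item->{cents};   # the price comes from the catalog only
}

# Constructed submissions: an honest one, and one whose hidden price
# field was edited from $1900.00 down to $1.90 before being posted back.
my %honest   = ( sku => 'LT-1900', qty => 1, price => 190000 );
my %tampered = ( sku => 'LT-1900', qty => 1, price => 190 );

for my $p ( \%honest, \%tampered ) {
    printf "form price: %8.2f   catalog price: %8.2f\n",
        total_from_form_price($p) / 100,
        total_from_catalog($p)    / 100;
}
```

The trusting function bills the second submission at $1.90 while the catalog lookup bills both at $1900.00; the tampered field simply never enters the calculation.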

Re: Electronic Pricetag Alteration
by toadi (Chaplain) on Mar 07, 2001 at 14:03 UTC
    Well my opinion in all this is simple:

    You have programmers who are totally on top of it. They look for the best way to do things. On design, security and programming. Think most higher level monks on PM are like this.

    Then you've got the programmers who know just enough to get the job done. Got good and lesser good ones. But they aren't looking to strive for better apps, they just want to get the job done.

    Then you got the nitwits who just got enough basic knowledge to do the simplest things. (got one here) Reason why they get to write these apps? Shortage on the market for good programmers.

    As long as there's a shortage on the market you will see a lot of these nitwits...


    --My opinions may have changed,
    but not the fact that I am right

Re: Electronic Pricetag Alteration
by scottstef (Curate) on Mar 08, 2001 at 01:34 UTC
    I blame the programmers for this, but I also blame the sysadmins for this mistake. Before we let any of our developers put anything on our boxes, we have code walks to examine and try to break the script. I personally believe I have worked with some future Darwin Award winners in QA departments I have worked with, but they have made sure our code worked. (They also managed to break code in ways I still can't fathom.) It appears to me that the sysadmins are at fault for letting that kind of code sit on their servers.

    just my $.02

      QA isn't sysadmins. Sysadmins aren't QA. Sysadmins aren't all programmers. Sysadmins have other stuff to be doing. Back off on the blame parade.

      (Not to mention, we're probably talking Windows here for a significant portion of this stupidity, and Windows admins are even less likely to be programmers, in my small experience. Not to mention, we're probably also talking about groups which don't have the time/resources to do serious QA. Not to mention, even if the sysadmin can program (most likely perl), the programmers might not write in the same language (here, they do tcl).)
