Beefy Boxes and Bandwidth Generously Provided by pair Networks
more useful options
 
PerlMonks  

Matt's Script Archive Strikes Again!

by coolmichael (Deacon)
on Jul 04, 2001 at 04:08 UTC ( [id://93731]=perlmeditation: print w/replies, xml ) Need Help??

First, some background.

I am the manager of one of the departments for our students' society. I run the used bookstore. It's doing quite well, thanks in part to the helpful answers I've recieved here. Our inventory of used books is online, searchable, and gets updated every day at the click of a button. Without this site I wouldn't have been able to make that happen.

My department is part of a larger division with five other businesses. That division is one of three. There's the business division, the administration division, and the political division.

The web designer that we'd been negotiating with told me that to put our database online would cost around $7,500 for just the web design and cgi scripting. After the resounding NO from the political decision (which controls large expenditures like that) I went looking for alternatives. I found this site. With linux, perl and a lot of help and time, I began to feel comfortable writing the simple cgi. I showed it to my boss, who was entirely shocked. I got three extra weeks vacation time out of it.

Now, the really interesting part...

About six months ago, the political division and the administration division decided that the web site for the entire students society needed overhauling. I agreed with them. It was ugly, and had been thrown together over about three years. They paid the same people $15,000 to redesign it. It's colourful and pretty now. It's searchable.

Today, as I was searching for some information on it, what did I find?

Search Script written by Matt Wright and can be found at Matt's Script Archive

I almost fell off my chair when I saw that. They paid a rediculous amount of money for the website, just to get buggy, shoddy, stuff. I now feel like I'm the online computer savy person in this building, and that thought frightens me.

Why is it that professionals are using Matt's scripts? Are they really as terribly written as I've read here? After reading through the code, I wonder... no warnings... no cgi.pm... no taint checking... parses the query string itself... does most of the stuff ovid says you shouldn't do...

I'm glad I've now got my own server. I'm really happy that my script is working really well. It's on my server, sitting in my office, and has nothing to do with the rest of the building.

Replies are listed 'Best First'.
Re: Matt's Script Archive Strikes Again!
by Zaxo (Archbishop) on Jul 04, 2001 at 06:57 UTC

    Professionals will minimize effort and maximize profit. It's a matter of integrity and good sense that they also deliver value to the customer.

    Matt's Archive scripts excel in some ways:

    1. They are free as in beer.
    2. They are trivial to install -- no modules, no dependencies.
    3. They are easy to use, just paste in the form supplied.
    4. They cover a good range of jobs designers want done.
    5. They usually work as expected.

    The theme here is that web designers get what they want, not what they need.

    Professional web designers generally don't know programming or security, and their eyes glaze if you mention those subjects. Those accustomed to using matt scripts may fear liability if they ever learn about the horrors that can happen. In that case they may close their eyes, plug their fingers in their ears, and sing like Ethel Merman till you leave.

    There's No Business Like Show Business</em

    After Compline,
    Zaxo

    Update-- cosmetic corrections

      They are free as in beer.

      And like cheap beer, they are bland, offer no flavor to speak of, and pass through your system and are (hopefully) quickly ejected.

      They are trivial to install -- no modules, no dependencies.

      And the security they provide is just as trivial. Be careful what you wish for, you may get it.

      They are easy to use, just paste in the form supplied.

      Just sign here and your soul, I mean, job, I mean server is ours. Also, don't forget to place this convenient "Hack Me" sign between your shoulder blades.

      They cover a good range of jobs designers want done.

      So does a raw silk blanket, but that doesn't mean you can't see everything there is to expose.

      They usually work as expected.

      No, they work as invested. If you go for the quick and dirty solution, you should expect to see some stains in your access logs. There *are* secure alternatives available, if you're willing to invest some education, some <local currency units>, and some time into learning better ways to do things. Sure, MW's free...but so is advice. People worth listening to are rare. Ignore their advice at your peril.

      --f

        I agree with most of what you say about Matt's scripts. I've been hacking Perl for less than two months, and they give me shudders just the same.

        But your secure alternatives link game me pause. I actually bought that book (Writing CGI Applications with Perl, by Kevin Meltzer and Brent Michalski), and I wouldn't recommend it to anyone.

        Now, I'm not trying to trash Kevin or Brent, both of whom I'm sure know far more about Perl than I do, but I thought the book was weak. Points:

        • It looks like a nice thick book, but it's very padded; this verges on dishonesty, IMHO. The font is huge (12 to 14 points), there's a lot of padding (most code samples listed twice, 40 pages of appendix material that could have been 8 URLs), the margins are huge, and there's an awful lot of repetition (the 10 lines justifying -wT are repeated nearly every time it's used in a program).
        • Some chapters belong better in a Perl book ("Tied Variables").
        • Some inclusions/exclusions and focus choices are very odd. There's a very detailed chapter for Mason, but no mention of templates (literally - not even in the index).
        • Their style is very choppy. They'll present a couple lines of code, then a paragraph talking about it, repeat. It's very difficult to get a cohesive view of the program this way - it's spoon-fed to you rather than presented whole.
        • The cover's odd. What are we supposed to call it, "The Spiky Ball book?" ;)
        In short, the book is much more vocational than educational. Need to hack up some code fast? This book will help. If you really want to learn CGI, to know why and how it works, to have a broader grounding in the technologies used with it, and to build a firm foundation for future self-teaching, then IMHO nothing beats the Mouse book (CGI Programming with perl, an O'Reilly book). I bet that the Mouse book squeezes twice as much content into 450 pages as Spiky Ball does in 525.
        --
        man with no legs, inc.
          A reply falls below the community's threshold of quality. You may see it by logging in.
      They usually work as expected.

      Not even that, I'm afraid. I grabbed the form mailer a while ago, because I needed one fast and I thought I could just patch the major security holes. As it turns out, I have nearly completely rewritten it, because it wasn't even SMTP compliant, and many newish servers won't accept non-compliant SMTP clients. (My server won't)

      Worse though, I had some web designer hand me a script that required CGI-LIB. I hadn't even heard of cgi-lib until I looked it up. It had it's time, but it's time to bury it and move on.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

        Assuming you think its worth it (PHBs usually mean it isn't ;) ). Then it may be worth deciding whether they broke the copyright on the search script. After all, if the job was to make the site searchable and they didn't change it then they charged 15K to install a CGI script. Nice work if you can get it!
      Web designers don't have to be programmers just like architects don't have to be carpenters. They just have to know good ones. In this case, the design firm probably lacked programming staff yet needed a no-cost mindless way to implement search.

      Maybe the firm said "Well, we recommend Verity but it will be another $20,000 to implement". To which the client replied "No way!"

      With the popularity of Matt Wright scripts, it's a shame he doesn't update the scripts. As the Archive is his business, you'd think he'd feel some responsibility in that regard.

      His website says "I always have lots of stuff in the works, but most of it only gets about halfway finished before I get bored and give up. That's the way I work. :)"

      That says a lot.

Re: Matt's Script Archive Strikes Again!
by fmogavero (Monk) on Jul 05, 2001 at 17:10 UTC
    You have fallen victim to business. Business is about making money. If it was not about making money it would not be called business. Your business division is in charge of making money. How do they make money? By supplying the cheapest product/service and charging the highest price. If they didn't do that they wouldn't be a business.

    The web designers that you ran across probably gave you the same product that they gave their other customers. They delivered the cheapest product for maximum profit. Their product works. That's all that matters to them. That's what they charge for.

    Unfortunately it is people like your web designers that give the rest of the programming community a bad name. Management always wants cheap programmers with cheap solutions. Most programmers know that to write an effective program you have to think of everything that can possibly go wrong. Lord knows I've sat staring at the ceiling or typing in every concievable "illegal" argument trying to find flaws with my programs. This takes time and business does not want to spend time unless it maximizes earning potential. Then it doesn't want to spend any more time than it has to.

    If your business division wants a good solid product they will have to invest time and money. If they don't want to invest time and money then they'll get what they pay for.

    I hope that this incident has not made you bitter against people who offer IT solutions. I think there are more of us with integrity than there are interested in serving the almighty dollar.

Re: Matt's Script Archive Strikes Again!
by Anonymous Monk on Jul 05, 2001 at 00:47 UTC
    The answer to your question would have to depend on exactly what the design company quoted.

    In our designs, in order to save a customer money, we use Matt's Formmail program. Yes, I could write my own, but why reinvent the wheel. Matt's programs allow for an inexpensive way of adding function and capability to a website without overburdening the client's budget.

    We've built several custom systems for people, and people have paid a good amount of money for such custom work. However if we can offer the client an off the shelf solution which saves the client money, then that is our first choice.

    I'm not trying to excuse what these folks did or did not do. I'm merely offering you an opinion from the trenches.

    - Bob

      formmail is hideously flawed and should never be used. it relies on checking the the HTTP_REFERER for all of its "security". this is trivially spoofed. i'd seriously recommend finding another script that lets you specify the recipient email address in a config file somewhere on the server. or, if you have an extra half-hour, you could write your own (you'd only have to do it once, then you could reuse it for all your clients).

      anders pearson

      As I say here, I don't think you're wrong for not wanting to reinvent the wheel; I just think you're using the wrong wheel. :)

      Check out (my program == bias) STAMP.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlmeditation [id://93731]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others browsing the Monastery: (5)
As of 2024-03-28 17:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found