[PLUG] Preventing Probes Like This

Eric Wilhelm scratchcomputing at gmail.com
Mon Aug 25 19:13:32 UTC 2008


# from Rich Shepard
# on Monday 25 August 2008 10:29:

>On Mon, 25 Aug 2008, Bill Thoen wrote:
>> I don't want to make a boring little html read-only web page. I'd
>> like to use my server to its fullest potential and not be
>> intimidated by the predators out there.
>
>   Allow me to suggest that you look at established frameworks for web
> sites that are based on scripting languages other than PHP. We're
> using Ruby on Rails for one service, and I know there are a bunch of
> Python-based frameworks with a lot of support and experience.

The question for Bill is whether he's looking for a web framework or a 
templating language.  The Catalyst framework is very mature, and built 
on top of secure code.

  http://www.catalystframework.org/

You can make a security hole with any programming language that has I/O, 
but Perl gives you a lot more tools for sanitizing user input, as well 
as syntax which allows you to treat a parameter as atomic rather than 
needing to meta-escape it (e.g. open, system, etc.).

Typically, if you're trying to change from php to any sort of framework, 
you'll find that things are done rather differently.  These tools tend 
to start with a config file (not just some code in a file which happens 
to be named "config"), a database, schema, and some templates.  
The "but I just want to ..." entry point isn't as easy to find as it is 
with php, but most of the developers have learned that any non-trivial 
application grows to the point where it needs these things -- which 
means that if you didn't start with them you end up with a buggy, 
ad-hoc reimplementation of them anyway.

If a framework is a lot to dive into and you're not trying to "engineer 
an application", maybe CGI::Simple is a good place to start.  
HTML::Mason gives you the template+language notion that php has, but 
that creates the same sort of mess that php does if you just set off on 
the path of creating a template with some embedded code.

--Eric
-- 
So malloc calls a timeout and starts rummaging around the free chain,
sorting things out, and merging adjacent small free blocks into larger
blocks. This takes 3 1/2 days.
--Joel Spolsky
---------------------------------------------------
    http://scratchcomputing.com
---------------------------------------------------
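Added illustration (not part of Eric's post or of any PLUG member's code) of the two Perl points made above: an allow-list untaint of a request parameter, and the list form of system() and the three-argument open(), where the parameter stays a single atomic argument instead of being interpolated into shell or filename syntax. The parameter values, the demo file name and the use of wc are constructed for the example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Running this under `perl -T` makes Perl die rather than pass unchecked
# input to system() or open(); taint mode also requires a trusted PATH.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed sample inputs standing in for a CGI parameter (assumption:
# these are the raw strings a request handed us, nothing from a real site).
my @params = ('plug_demo_notes.txt', 'report 2008-08; other.txt');

# Allow-list untaint: return the name only if it consists of characters a
# plain filename may contain. A successful capture clears the taint flag;
# anything else is rejected outright instead of being escaped.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([\w.\-]+)\z/;
    return;
}

# String form: the whole line goes to /bin/sh, so a space or ';' in $name
# becomes shell syntax rather than part of the name. Kept only as the
# contrast case; never call it on request data.
sub run_shell_form {
    my ($name) = @_;
    return system("wc -c $name");
}

# List form: no shell is involved, $name is exactly one argv entry however
# odd its characters, and '--' keeps a leading '-' from being read as an option.
sub run_list_form {
    my ($name) = @_;
    return system('wc', '-c', '--', $name);
}

# Three-argument open with an explicit mode: a leading '>' or a trailing '|'
# in $name is just part of the name, not a redirection or a pipe.
sub read_file {
    my ($name) = @_;
    open(my $fh, '<', $name) or return;
    local $/;                 # slurp the whole file
    my $data = <$fh>;
    close $fh;
    return $data;
}

# Create a small file for the valid name so the safe path has something to read.
open(my $out, '>', 'plug_demo_notes.txt') or die "create: $!";
print {$out} "hello\n";
close $out;

for my $raw (@params) {
    my $name = untaint_filename($raw);
    if (!defined $name) {
        print "rejected: '$raw'\n";     # second parameter lands here
        next;
    }
    run_list_form($name);               # runs: wc -c -- plug_demo_notes.txt
    my $data = read_file($name);
    print "read ", length($data), " bytes from $name\n" if defined $data;
}

unlink 'plug_demo_notes.txt';
```

The untaint regex is an allow-list on purpose: rejecting everything outside `[\w.-]` is easier to reason about than trying to enumerate which shell or open() metacharacters need escaping, and under -T it is the only way the value becomes usable with system() or open() at all.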