![A Very Short Course by Randal L. Schwartz Stonehenge Consulting Services Version 1.2.1 (5/13/99)[S]](https://data.docslib.org/img/3a60ab92a6e30910dab9bd827208bcff-1.webp)
STONEHENGE CONSULTING SERVICES
4470 SW Hall Suite 107, Beaverton, OR 97005
(503) 777-0095

Reducing Business Risk using Perl
a very short course by Randal L. Schwartz
Stonehenge Consulting Services
Version 1.2.1 (5/13/99)[S]
Copyright ©1999 by Randal L. Schwartz, Stonehenge Consulting Services, Inc.

Table of Contents

Introduction
  What this course is about
Part One: using Perl instead of other things
  What is Perl?
  Who uses Perl?
  Purpose of Perl
  Availability
  Support
  Books
  Basic concepts
  Some brief explained examples
  Perl as Glue
  Optimized for “90% text, 10% something else”
  Perl supports “programming in the large”
  Good books and courses available
Part Two: use Perl correctly
  Y2K
  The only Perl is “Perl version 5”
  Use CGI.pm (not cgi-lib.pl)
  Use CGI.pm’s function imports, not object interface
  Reduce duplicated code
  Keep global variable usage to a minimum
  Keep global variable usage to a minimum (cont’d)
  Warnings
  Multiple writers must be coordinated
  Use Socket.pm, not sys/socket.ph
  Use IO::Socket::INET, not roll-your-own socket stuff
  Use LWP and Net::*, not roll-your-own standard protocol stuff
  Always check return values
  Don’t leave dead children lying about
  Another anti-zombie solution—the “double fork”
  Document your code
  Use debugging code, controlled by a global variable
  See perlstyle for additional ideas
  Taint checks
  Inputs that are tainted
  Tainting is sticky
  Actions that are dangerous
  Other dangerous actions
  No need for shells to launch children
  Coding to avoid the shell
  Coding to avoid forking
  CGI Security—Hidden fields
  Don’t put sensitive data in the GET URL
  Don’t count on REFERER
  Don’t presume anything about the execution environment
  The HTTP “Username”
  Don’t use /bin/mail or /bin/mailx to send mail
  Use a valid return address when sending mail
  Writing to STDERR
  Failures should never reveal internal information
  Throw away bad books
  Get good support for advanced technology
Conclusion
  Questions and answers

Reducing Business Risk using Perl
a very short course by Randal L. Schwartz, Stonehenge Consulting Services
Version 1.2.1 (5/14/99)[S]

Introduction

What this course is about
• “Reducing Business Risk Using Perl”
• 1. In order to reduce the risk and uncertainty around your security issues
• 2. In order to achieve your business objectives
• 3. In order to increase the certainty that your employees will be productive
• Question—Do I mean “Use Perl instead of other things” or “Use Perl correctly”?
• Answer—Yes!
• First half will cover “Why Perl”
• Second half will cover “How Perl”
• Who are you? Engineers and Engineering Managers that are using (or considering using) Perl for system administration, toolsmithing, web applications, end-user applications, or quality assurance.
• What will you get? More educated about motivations for using Perl, as well as the risks of not using Perl effectively.

Part One: using Perl instead of other things

What is Perl?
• Invented and still owned by Larry Wall (author of rn and patch)
• Larry is trained as a linguist, not a computer scientist—understands how people process information
• First release, 1987 (older than the Web!)
• Available under a zero-cost license
• Has been embedded or bundled with commercial products (again, no cost)
• Source code is available
• Originated in Unix, but ported to many architectures
• In particular, the Windows NT/95/98 port has been extended to access nearly all OS functions
• And the Mac version likewise
• Large user community, estimated at 2 million, with 200 new programmers per day
• Not tied to a particular vendor’s idea of “this year’s best scripting language”

Who uses Perl?
• Stonehenge client list includes: ADP, Allen Bradley (Rockwell Automation), Allied-Signal, America Online, Arco (Anchorage), Boeing (and Boeing Computing Services), Cisco Systems, Cray Research, Dow Chemical, Dynamic Web Enterprises, Genentech, Hewlett-Packard (Corvallis, Cupertino), Intel (Hillsboro, Folsom), Intelsat, Interactive Systems, Lehman Bros., MIPS, Matthew-Bender, Mentor Graphics (UK), Morgan Stanley, Motorola (Austin, Chicago, Phoenix, Fort Worth), NASA/Ames, NASA/JPL (the first real home of Perl :-), Network Equipment Technologies, Nokia, Octel, Pyramid, Qualcomm, Rational Software Corp, SCT Corporation, Shell Systems International, Silicon Graphics, Silicon Systems (Orange County, Santa Cruz), State Farm Insurance, Texaco, Union Bank of Switzerland, United States Army, University of Buffalo (staff), Washington Post "dot Com" (Digital Ink), World Bank
• Other notables: Yahoo, Altavista, Dejanews, Filepile, Internet Movie Database, etc etc

Purpose of Perl
• Data slogging, process management, generic tool box for Unix (“duct-tape of the Internet” [1])
• Fills the gap between C/Java/C++ programming (usually hard and ugly, but fast and unlimited) and shell programming (slow, hard, ugly, and limited)—Perl is easy, kind of ugly, mostly fast, and nearly unlimited
• Very High Level Language (code is more dense, therefore faster to code, shorter to debug)
• Amazingly much more portable than any C/C++/Java program or shell program
• Not a complete replacement for C [2] but durn near close
• Not for writing distributed proprietary code
• Good for one-offs, and long and extensive hacking, and even prototyping eventual C/C++/Java programs
• Many features designed to make large programs easy

[1] Hassan Schroeder of Sun Microsystems, as quoted in http://www.webdeveloper.com/spring96/duke.html
[2] “I use C myself, occasionally”—Larry Wall

Availability
• Everywhere (like Elvis sightings)
• Released under the GNU Copyleft, or Larry’s Artistic License, whichever you like
• Source code, and lots more, at any Comprehensive Perl Archive Network (CPAN) site
• Nearest CPAN site can be located via http://www.perl.com/CPAN/
• Also on a few CD-ROMs
• And O’Reilly Perl Resource Kit (for Unix and Win32 systems)
• Also included with many vendors’ systems
• Distribution is self-configuring for nearly anything that calls itself Unix and has a C compiler
• Non-UNIX binaries available via CPAN—Acorn, Amiga, AOS, AS400, Atari, BeOS, LynxOS, Mac, MPE, MS-DOS, Netware, MVS, OS/2, Plan9, QNX, VOS, VMS, Win32
• Larry has promised that Perl will always be open-source (free!)

Support
• Well, you get complete source—that’s a start...
• Extensive on-line documentation (1200+ typeset pages)
• Commercial support—PerlSupport.com (http://www.perlsupport.com) and others
• Volunteers on the Internet—post questions to comp.lang.perl.misc
• Local “Perl Monger” User Groups (http://www.pm.org)
• Perl-5-Porters (P5P) provide bugtracking, and nearly immediate bugfixing (via the included perlbug bug reporting program)

Books
• Programming Perl, Second Edition (a Nutshell handbook from O’Reilly and Associates) by Larry Wall, Tom Christiansen, and Randal L. Schwartz, ISBN 1-56592-149-6
• Learning Perl, Second Edition (another Nutshell book) by Randal L. Schwartz and Tom Christiansen (foreword by Larry Wall), ISBN 1-56592-284-0
• Learning Perl on Win32 Systems (another Nutshell book) by Randal L. Schwartz, Tom Christiansen, and Erik Olson, ISBN 1-56592-324-3
• Effective Perl Programming (from Addison-Wesley) by Joseph Hall with Randal L. Schwartz, ISBN 0-201-41975-0 (details on www.effectiveperl.com)
• The Perl Cookbook (Nutshell again) by Tom Christiansen and Nathan Torkington, ISBN 1-56592-243-3
• Other books available: 100+ titles (new ones every month!)

Basic concepts
• Program is a text file, edited with ordinary text editor, made executable like a shell script
• Whitespace is generally insignificant (like a C program)
• Comments are pound-sign to end of line
• “main” program consists of all statements not within subroutines
• Syntax is C-like, with everything else thrown in (most statements are expression followed by semicolon)
• Variables spring into existence on assignment—no declaration required
• Entire source is compiled into internal representation, then interpreted from there