[cgiapp] [Fwd: Re: ValidateRM not PP]

P Kishor punkish at eidesis.org
Sun Jan 25 20:45:59 EST 2009


On Sun, Jan 25, 2009 at 7:40 PM, Ron Savage <ron at savage.net.au> wrote:
> Hi Folks
>
>> > Fortunately I am neither advocating nor desiring a pure-Perl form
>> > validation module, but I don't understand the resistance to this. The
>> > poor bloke is saying -- "look, I have folks who want to utilize my
>> > scripts in situations where they cannot compile modules... what do I
>> > do? Give them something or give them nothing?" I am surprised that
>> > there is so much vehemence against this. I don't believe Lyle is
>> > saying that a pure-Perl alternative is better or even as good as the
>> > compiled modules... all he wants is an alternative, which, while most
>> > likely unsuitable for more than the simple cases, is likely a pretty
>> > good fit for those simple cases.
>> >
>>
>> I heartily agree :)
>
> So do I...
>
> I'm delighted this thread has gotten various ideas spelled out.
>
> To be more specific, I'm not against things when:
> o The advantages are clear
> o The disadvantages are understood
>
> Many things in life, and in programming, are compromises.
>
> What worried me about the regexp approach is that the disadvantages may
> have been under-estimated.
>
> Without even thinking about it, I'm instantly convinced too many special
> cases would arise to mitigate (lessen, enfeeble) the effectiveness of
> such an approach /where any reasonable alternative was available/.
>
> The problem is not a 'pure Perl' version 'v' an XS version. That's an
> installation issue, not a quality or design issue. In other words, lack
> of a compiler is a constraint to be worked around.
>
> The problems are:
>
> o A web page can be saved, edited to delete the JS validation, and
> submitted with malicious data (i.e. corrupt intent), which means
> server-side is the only place security/data protection issues can be
> implemented. The client side work, as explained, is for
> user-convenience, i.e. nice-to-have.
>
> o Partial error checking (e.g. using a regexp) means end-user pain when
> things go wrong, as they inevitably will, and support-staff hassles,
> including trying to educate the end-user, amongst other things.
>
> o Since server-side validation must be done anyway, for any
> self-respecting claim to a quality package, don't spend time on a
> partial, client-side, solution.
>
> So, weigh up the constraints, programmer time available, priorities, etc,
> and go for it!
>


Very nicely put. This whole post makes a lot of sense, and should be
kept in mind when designing an application.

-- 
Puneet Kishor http://www.punkish.org/
Nelson Institute for Environmental Studies http://www.nelson.wisc.edu/
Open Source Geospatial Foundation (OSGeo) http://www.osgeo.org/
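Ron's first point, worked through as an added example that is not code from the thread: the server treats whatever arrives as untrusted and runs it through a Data::FormValidator profile, the module CGI::Application::Plugin::ValidateRM delegates to. The form fields, rules and the submitted values are constructed for this illustration.

```perl
#!/usr/bin/perl
# Added example: authoritative server-side validation of a signup form.
# The fields, constraints and input below are constructed, not from the list.
use strict;
use warnings;
use Data::FormValidator;
use Data::FormValidator::Constraints qw(:closures);

# One profile, applied to every request no matter what the browser did.
my $profile = {
    required           => [qw(username email age)],
    filters            => ['trim'],
    constraint_methods => {
        # Only characters we are willing to pass on to storage or templates.
        username => qr/^[A-Za-z0-9_]{3,32}$/,
        email    => email(),
        age      => qr/^(?:1[89]|[2-9]\d|1[01]\d)$/,   # 18..119
    },
    # Values that pass a constraint are untainted; everything else is not.
    untaint_all_constraints => 1,
    msgs => { format => '%s', prefix => 'err_' },
};

# Constructed input: what arrives once the JS checks have been stripped
# from a saved copy of the page. The client is never asked whether it
# already "validated" anything.
my %submitted = (
    username => q{admin' OR '1'='1},
    email    => 'not-an-address',
    age      => '7',
);

my $results = Data::FormValidator->check( \%submitted, $profile );

if ( $results->has_invalid or $results->has_missing ) {
    # In a CGI::Application run mode this is where the form is redisplayed
    # with the error messages; ValidateRM does exactly this for you.
    my @missing = $results->missing;
    my @invalid = $results->invalid;
    print "rejected: missing=[@missing] invalid=[@invalid]\n";
}
else {
    # Only validated, untainted values reach the rest of the application.
    my $clean = $results->valid;
    print "accepted user $clean->{username}\n";
}
```

With the constructed input all three fields are reported invalid; the same profile, with a conforming submission, yields an untainted hash of values.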

