When designing interfaces for Web applications, you should consider a few things to make the application friendlier to the user. For example, consider the form in Figure 6-1. Not very pretty, is it? Nothing is aligned, and it can even be hard to tell what fields go with what descriptions.
Figure 6-1: Poorly formatted HTML form
Let's use tables to clean up the interface a little. Take a look at Figure 6-2. It is the same form, except in a table format. Isn't that much better? By using tables, we were able to make the form much nicer to view. Determining what fields go with what descriptions is also easier.
Figure 6-2: Table-formatted HTML form
This form has a bit more information than we really need for a phonebook application. The extra elements are presented to give you some familiarity with them. The HTML for this form is included on this book's Web site. Give this form a look, and play with the fields and buttons on it.
Figure 6-3 shows the actual form that we will use as our interface for inputting new records into this version of the Web phonebook application.
Figure 6-3: Web phonebook screen
The following are a few pointers to keep in mind when considering the design of your interface:
Keep the HTML forms as clean and uncluttered as possible.
Gather only the necessary information.
Align fields so they are not scattered all over the form.
Try to keep the form on a single screen. (Don't make the user scroll.)
Security is extremely important, especially when you are dealing with the Web. There are entire books on security and Web programming. There is no way we can cover all aspects of security in Web programming in this small section. Luckily, however, there is an excellent feature of Perl that helps you make your Web programs much more secure. Taint mode is a switch in Perl that makes Perl treat all data that comes from an external source as tainted. When a variable is tainted, it cannot be used for any sort of system call. The programmer can untaint a variable by filtering it through a regular expression. By tainting variables, you cannot inadvertently execute extra shell commands from malicious user input.
To turn taint mode on, you add the -T switch to the first line of the program, the #! line that names the Perl interpreter.
The preceding line of code tells the system where to find Perl and turns taint mode on.
1: my $var1 = shift;             # Tainted
2: my $var2 = "Brent ";          # Not tainted
3: my $var3 = $var2 . $var1;     # Tainted
4: $var3 =~ /^([\w ]+)$/ or die "Not Cleaned!"; # Clean the variable...
5: $var3 = $1;                   # Now $var3 is untainted.
Line 1: $var1 is tainted because the data comes from an external source, the command line.
Line 2: $var2 is not tainted because the value comes from inside the program; no external data has touched this variable.
Line 3: $var3 is tainted because it was built by concatenating $var1, which is tainted.
Line 4 runs the $var3 variable through a regular expression. This regular expression allows only word characters (alphanumerics plus the underscore) or a space. There can be any number of valid characters because we use a + in the regular expression. Because we begin the regular expression with a ^ and end it with a $, there can be no illegal data in the string. If there is any unwanted data, the regular expression will not match anything, and $1 will be empty. This line calls the die function to terminate the program if the match failed.
On line 5, we set $var3 to $1. $1 is the data that matches inside of the parentheses on line 4. If none of the data were a match, $var3 would now contain no data.
Let's say that we have a program named taint.pl with the preceding code. Let's run it like this:
If $var3 is then printed out, it will contain "Brent Michalski". If, however, we run the program like this:
$var3 will not match anything on the regular expression in line 4, so $var3 is now blank.
The following tips are useful when dealing with security on your Web site:
Use taint always.
Do not trust any data that does not originate in the program; this includes environment variables. (Taint mode won't let you anyway if it is on.)
Validate all input for length, and check that it is valid data.
Taint checking and untainting variables can be quite confusing. The perlsec Perl document has some good information on taint. Writing CGI Applications with Perl (Addison Wesley, 2001) also has an entire chapter dedicated to security and all of the examples in that book use the -T flag. To see the perlsec document, type perldoc perlsec from a prompt.
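An added example (not the book's code) that puts the untainting rule and the tips above together for the phonebook's name field: the length check runs before the anchored pattern, a failed match returns undef instead of leaving a stale value, Scalar::Util's tainted() shows the flag before and after cleaning, and the cleaned value is then used where a tainted one would be refused. The sample inputs and the /tmp record path are constructed for this example.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Untaint a phonebook name. Returns the cleaned string, or undef when the
# input is missing, too long, or contains anything outside [\w ]. Only a
# successful match sets $1, so a failed match never yields a stale value.
sub clean_name {
    my ($in) = @_;
    return undef unless defined $in;
    return undef if length($in) > 40;          # length check first
    return $in =~ /^([\w ]+)$/ ? $1 : undef;   # anchored: whole string must match
}

# Constructed inputs (not from the book): a good name, a legitimate name
# the pattern rejects (the apostrophe is not a word character), and an
# over-long string.
my @samples = ('Michalski', "O'Brien", 'x' x 50);
for my $s (@samples) {
    my $c = clean_name($s);
    printf "%-12.12s -> %s\n", $s, defined $c ? "ok: $c" : 'rejected';
}

# Under -T, anything read from @ARGV is tainted; show the flag before and after.
my $raw = shift @ARGV;
die "usage: $0 NAME\n" unless defined $raw;
my $name = clean_name($raw);
die "Not Cleaned!\n" unless defined $name;
printf "tainted? raw=%s clean=%s\n", tainted($raw)  ? 'yes' : 'no',
                                    tainted($name) ? 'yes' : 'no';

# Opening a file for writing with a tainted name dies with
# "Insecure dependency in open"; with the cleaned value it is allowed.
# (Hypothetical record path under /tmp, constructed for this example.)
my $file = "/tmp/phonebook-$name.txt";
open my $fh, '>', $file or die "open $file: $!\n";
print $fh "Brent $name\n";
close $fh;
print "wrote $file\n";
```

Run it as perl -T taint_demo.pl Michalski (the -T on the command line must agree with the #! line, or Perl reports "Too late for -T option"). Note that $ still permits a trailing newline before the end of the string; use \z when the match must end at the last character.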
Perl CGI programs, without speed-enhancing tools or methods, are not going to handle large loads and won't be lightning fast. That's OK; nothing truly is without some other tools.
Many corporations, even large financial ones, seem to think that if you want enterprise-class applications, you must pay enterprise-class prices to handle the load. This is simply not true; many extremely busy sites, such as http://slashdot.org, routinely get millions of hits per day. Many of these sites use only Perl and open-source software, yet if you ask the administrators, they are very happy with performance, and the price is definitely right. Also, notice that many of these sites need far fewer programmers to maintain the site than enterprise-class solutions, which typically require teams of developers for maintenance.
You have options if you want to speed Perl up on the Web-server side, but the de facto standard is mod_perl. mod_perl embeds the Perl interpreter into the Apache Web server, which eliminates the startup time of the interpreter. mod_perl can also cache subroutines for further speed enhancements.
Then there are add-ons to mod_perl to make site design even simpler. HTML::Mason is an excellent tool for creating Web sites and allows you to embed Perl right into HTML documents. eperl is another good tool; it also lets you embed Perl into the HTML. Embperl is yet another tool that allows you to embed Perl in the HTML document. All of these offer significant speed enhancements over just plain Perl programs running as CGI programs. Table 6-1 lists the URLs where these tools are available.
mod_perl (and much much more)