WebRef   Sitemap · Experts · Tools · Services · Newsletters · About

home / programming / perl / comments / v.902 / 2

[previous]

Simple Comments

Developer News Microsoft Shows Off Silverlight 4, IE9 Plans Metasploit Expands Vulnerability Test Framework HyperCard Reborn?

Simple Subroutine Sharing via the Comments.pm Module

Two main scripts are provided in our Simple Comments system: the publically accessible script that actually displays approved comments on Web pages, and the administrator script that allows for the approval of those comments as well as the review and editing of already approved comments. The public script should be deployed in a common area of your cgi-bin (or executable script directory) and the administrator script must be deployed in a password protected area of your cgi-bin (or executable script directory). For best security of the admin script, we recommend deploying it on a password protected SSL server, if possible.

Since both of these scripts need many of the same capabilities, we also include a library module--Comments.pm--which is used by both scripts and includes multiple subroutines that can be accessed by both. Designing the system in this manner allows us to avoid replicating functionality between the two scripts; if we need, for example, to change the user-submitted data scrubbing routines we can do so in Comments.pm once instead of having to replicate the change in both of the individual scripts (as well as any other scripts we may use to extend the system later). You can find out more about the use of subroutines to reuse Perl code in our earlier primer on the topic; and you can also learn more about the creation of user defined modules in our Perl Module Primer.

A couple notes on our module creation and usage bears examination here. If you compare our actual Comments.pm module to the recommendations we make in our module primer, you'll find a discrepancy: we use a common module name (Comments.pm) instead of attempting to use a unique name for all modules (or a Local name) The reason is that it's highly doubtful our module will have any use outside of our Simple Comments system (its subroutines are specific to the actual needs of the comment scripts), so we thought it would be more helpful to design the module such that it can be delivered with and installed alongside the comment scripts themselves with a minimum amount of fuss (as opposed to forcing the installing of the module in a central directory). Of course, we always recommend that you check with your system administrator before installing any new software, and if this conflicts with your policy you're welcome to make the appropriate naming adjustments.

We use an %EXPORT_TAGS entry to allow for the simple importation of module symbols without forcing them upon the client scripts. For now we've taken the admittedly lazy approach of simply specifying a single tag entry (all) that encapsulates all of the exportable subroutines; i.e., to use all the exportable subroutines from Comments.pm in a script you would just:

use Comments qw(:all);

If you do end up using Comments.pm in your own scripts and prefer not to import everything, you can always do something like this:

use lib qw(/www/yourserver/comments/lib);
use Comments qw(trim to_entities);

Simple Security via Tainting

Each of the scripts in our Simple Comments system is Taint-mode enabled; meaning that it will automatically enforce certain checks on user input if that input can have an influence outside of our Perl scripts (see our earlier Taint Mode Primer for more details). If you're running the scripts in a mod_perl environment, be sure to enable Taint mode in your Apache configuration files.

Because taint mode is enabled, all of our input is also tainted; and several of the values need to be cleansed before they can be used. Actually, we've found that configuration values themselves are not tainted when returned from XML::Simple; but for consistency we check and untaint these as necessary, anyway. And all of our CGI input is tainted, of course.

The checks we enforce on the configuration file include those for the server pathnames and URL identifications for the scripts. Specifically, server pathnames must be absolute (beginning with a slash) and cannot include any relative directory designations. The URL path to the admin and public comment scripts must also be designated from the document root (with a leading slash, or with an explicit http/https domain name).

In addition to those specific checks on pathnames, all of the configuration variables are checked for potentially dangerous shell metacharacters (our current list is ][&;`'\"|*?~<>^(){}$\n\r). These characters, if found, are stripped before the string will be used. If this is a problem in your particular implementation, you'll need to adjust the untaint function in Comments.pm.

Another more subtle gotcha in regards to Taint mode is the fact that the "." (dot) directory is removed from the @INC path; which means our provided Comments.pm module must be referenced via a pathname provided via a use lib statement. i.e., we cannot simply place the Comments.pm file in the same directory as the script that calls it because it would not be found after Taint mode removes the dot directory. (Also, we want to place the two scripts in two different places on the server, anyway.)

Other Comments on Simple Comments

In no particular order, here are some other observations on the use and implementation of Simple Comments:

• By default, the system allows you to include comments individually for any specific page of a site, including, for example, page 3 of a 4 page article. If you want to list all the comments for an article on all of the pages of the article (i.e., allow users to post comments on any article page but then display the comments posted on all the article pages), then you could specify the article_key directly within the call to display the comments; i.e.:

  <!--#include virtual="/cgi-bin/comments.pl?article_key=/dir/article/index.html&$QUERY_STRING" -->

  Don't get too crazy with specifying article keys, however. In this initial release of Simple Comments, the article_key must still point to an existing, valid page of the site; or the Simple Comments script will complain loudly. We might loosen that up in future versions, if there's enough interest.

• The system as designed supports the display of comments on static HTML pages--i.e., pages that actually exist as documents on your server--not dynamic pages (such as php, jsp, etc.). If your static pages routinely receive query parameters (thispage.html?something) then the multiple comments option of the comment system may not work; since it passes (and relies on) its own query strings to the pages. In this case, you may wish to set the comments_per_page configuration variable to a very high number and then leave the query string off the comments implementation on each page; i.e.,

  <!--#include virtual="/cgi-bin/comments.pl" -->

  All of the comments for each page will then appear on the first display of the page.

To Do List

The Simple Comments system has left a lot of room for enhancements. Should there be enough interest in the script, some of the enhancements we may consider for implementation at a later time include (but are not limited to):

• Database storage of comments
• Comment sorting options
• Support for article keys other than existing filenames; providing the ability to handcraft article keys as needed in each particular system
• Support for multiple administrators; perhaps where each administrator is responsible for the moderation of specific sections of a site (similar to bulletin board moderation)
• Support for built-in authentication in the admin script, so Apache authentication isn't a strict requirement
• Expanded IP blocking (range, regexp, mask, etc.) support
• Cookie support, allowing end-users to define their own comment display options

Of course, with the addition of these types of features our "Simple Comments" script becomes less and less simple, but we'll do our best to keep the script as easy to use--yet as flexible as needed--as possible.

Conclusion

We hope that you enjoy the Simple Comments scripts and that they're useful to you from either a functional standpoint on your own Web server or as a teaching tool in your own Perl education. If you have suggestions for future improvements to the system, please feel free to contact me.

User Comments Submit | Register | Login

8. Dan Ragle Admin 08/31/2006 04:13PM

I'm working on a new version of this script that will add a few new features and squash a few bugs in the initial .902 release, but we just came across a bug that I wanted to let you know about immediately. The bug would--in some cases--cause comments to look... well... really bad. The comments would have additional entity escaping that was not intended by the user (nor, for that matter, by the administrator); i.e., you would have a lot of extra 's and the like dotted around the comment that you didn't intend. The problem occurs if you have both the XML::SAX parser and the XML::Parser module installed on your system. To fix it, just add this line to Comments.pm: $XML::Simple::PREFERRED_PARSER = 'XML::Parser'; right after the $default_config_file setting, which will force XML::Simple to use XML::Parser, instead of XML::SAX. In the mean time, keep watching this space for an updated release of the script, which we hope to have available in the next few weeks!

7. Robert 08/11/2006 11:16PM

I have wanted to get into this type of coding for sometime. You did a great job. Thnk you.

6. Dan Ragle Admin 07/17/2006 09:03AM

Yes, links are allowed; provided they are the most basic, unadorned links (i.e., a simple <a href="http://blah blah blah">) AND they are specified with the http, https, or ftp protocol (only absolute URLs are allowed). Anything more (embedded script, styling, targeting, etc.) and the link is automatically converted to a literal representation. For example: http://javascript.com http://internetnews.com

5. William Shier 07/16/2006 03:48AM

Do you allow html code that may redirect to another site <a href="www.competitor.com">like this.</a>

4. Old Man 07/14/2006 12:22PM

Very Good - may have to give it a go!

3. Sally 07/13/2006 10:58PM

Soo... I guess this is what the whole script will produce? :) Nice one then. I'll give it a try in a short moment. Thank You.

2. Andrew 07/12/2006 10:45PM

Pretty nice tutorial, will give it a try.

1. Dan Ragle Admin 06/28/2006 02:12PM

Remember: Comments can include basic links, bold text, italicized text, and <PRE> blocks. You must include an E-mail address; although in this implementation of Simple Comments we've elected to not actually display it anywhere (we do keep it with the comment, however). If you supply a valid URL (optional), your name will be displayed as a link to that URL. Have fun!

Please review our Comment Submission Policy before submitting comments to our site. Your name:  Your E-mail: * Your URL: * Your Subject: (Maximum characters allowed: 200) Your comment: (Maximum characters allowed: 5000) CAPTCHA Verification Please enter the code displayed to the right in the box below: Hear it!    * = optional field

home / programming / perl / comments / v.902 / 2

[previous]

Search:

WebMediaBrands Corporate Info

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | Shopping | E-mail Offers | Freelance Jobs

Solutions

Whitepapers and eBooks

Microsoft Articles: Visual Studio 2010 Adobe Article: Adobe Helps PHP Developers Create Rich Internet Applications Microsoft Whitepaper: How Windows Server 2008 R2 Helps Optimize IT and Save You Money Adobe Article: Java Developers Finding a Home at Adobe Flex IBM Articles: A Smarter Business Needs Smarter Technology Intel Xeon Processor Increases Server Efficiency and Capabilities Intel Tech Brief: Automated Energy Efficiency for the Intelligent Enterprise Oracle Whitepapers - Innovation for IT Leaders Avaya Article: Communication-Enabled Mashups--Empowering Both Business Owners and IT

Internet.com eBook: IT Manager's Guide to Social Networking Internet.com eBook: Get Ready for Windows 7 Microsoft Article: Expression Web 3--New Features for PHP Developers Whitepapers: Manage Your Business Infrastracture with IBM Whitepaper: Maximize Your Storage Investment with HP Internet.com eBook: Becoming a Better Project Manager Microsoft Article: Stress Free and Efficient Designer/Developer Collaboration MORE WHITEPAPERS, EBOOKS, AND ARTICLES

Webcasts

Webcast: Connecting PHP to Microsoft Technologies Video: Microsoft Partner Program Benefits Video: Windows Azure Debugging Tips SAP BusinessObjects Webcast: Unlock the Power of Reporting with Crystal Reports

IBM Webcast: Speed Business Innovation with Reduced Cost and Risk Video: Deploy Applications on Windows Azure MORE WEBCASTS, PODCASTS, AND VIDEOS

Downloads and eKits

Download: Microsoft Visual Studio 2010 Beta 2 Downloads & Free Trials: Microsoft's New Efficiency Resource Center Get the Windows 7 SDK

Free Trial: Red Gate SQL Backup Pro 6 Iron Speed Designer Application Generator MORE DOWNLOADS, EKITS, AND FREE TRIALS

Tutorials and Demos

Internet.com Hot List: Get the Inside Scoop on the Hottest IT and Developer Products All About Botnets

MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES

The latest from WebReference.com Browse > Site Contents - - - - - Experts * 3D Animation * Design * DHTML * Graphics * HTML * JavaScript * Perl * XML - - - - - Web Resources * Authoring * Design * Internet * Multimedia * Programming * Promotion - - - - - Services * Interviews * Newsletters * Reviews * Search * Tools Rolling Out Your Own HTML Application Version Control · HTML 5: Client-side Storage · Working with Ajax Server Extensions Sitemap · Experts · Tools · Services · Email a Colleague · Contact FREE Newsletters >   The latest from internet.com Wi-Fi Product Watch, November 2009 · Chip Market Recovering From '08 Collapse · Low-Cost Tools to Kickstart Your New Business

Created: June 20, 2006
Revised: September 13, 2006

URL: http://webreference.com/programming/perl/comments/v.902/2.html