RE: Re: CGI URL

FWIW, Hans, I agree 100%.  Any treatment of the subject of CGI that does not 
cover the specifics of encoding is at best
flawed and at worst dangerous.  It's like allowing a buffer overflow; seems 
reasonably harmless at first but we've seen
exploit after exploit discovered that takes full (and disastrous) advantage of 
a poorly designed interface.

I appreciate the work you did exploring the text and noting the basic flaws in 
the code.  I think you made your points
clearly and concisely.

Thanks from those of us who recognize that the only thing worse than no 
documentation is bad documentation.  I'd much
rather the quality/thoroughness of Bob Cozzi (whose books are considered by 
many to be the definative guide for RPG and
RPG IV) or Bryan Meyers (his CL book is required reading at the local community 
college).  These texts have stood the
test of time and have educated hundreds of students.

My boss bought the e-RPG book in 2000.  It sits, collecting dust at the far end 
of my bookshelf.  I read the first few
chapters but found the lack of a consistent and authoritative voice distracting 
(basic editing would have helped here).
In contrast, Paul Conte's book on SQL/400 remains perpetually open on my desk. 
Based on your findings, I may move e-RPG
to a location more suitable to it's quality.

dan

-----Original Message-----
From: Hans Boldt [mailto:boldt@ca.ibm.com]
Sent: Thursday, October 03, 2002 9:52 AM


>>> I suppose we just have a difference of opinion, then. I consider
>>> escaping the special HTML characters and the URL encoding of query
>>> strings as part of the "core" of CGI programming, and no treatment
>>> of the subject is complete without discussing these pitfalls.