Book Reviews

The following book reviews are the copyright of their respective authors and no part should be reproduced without the express permission of the author. Publishers and Authors of the books reviewed may reproduce the whole or extracts of a review for their book. To request copyright permission please email webmaster@birmingham.pm.org.

All the reviews herein are the opinions of the reviewer and are not necessarily the views of Birmingham Perl Mongers and its members. If you feel a review or comment has been made in error, please contact webmaster@birmingham.pm.org to rectify the situation.

Perl Books

Static Link: http://birmingham.pm.org/reviews/12

 
Modern Perl Programming
Title:Modern Perl Programming
Author(s):Michael Saltzman
ISBN:0-13008-9656
Publisher:Prentice Hall
Reviewer:Jon Allen

The title of this book got me thinking. What is 'Modern Perl Programming' anyway? While I'm sure that everyone will have their own views on this, I would consider the following to be the 'top three' statements of best practice:

  • All programs should 'use strict' and 'use warnings'. And in development code only, 'use diagnostics' as well. These three statements will pick up so many common mistakes and typos that using them would hopefully go without saying.
  • Make extensive use of the CPAN. By using tried and tested code not only will the overall development time be reduced, but there will be less chance of making errors.
  • Be very aware of security issues. Use taint mode to force user input to be checked. This in particular should apply to web applications, servers, and CGI scripts.

The first few chapters cover the core functions of the language - variable types, control flow statements, I/O functions, etc. However within an hour or two of reading, I noticed an inaccuracy concerning the logical operators (!, &&, and ||). Quoting from the book, <blockquote> "You may also use the English words 'not', 'and', and 'or' as respective synonyms for the above operators." </blockquote>

Now this statement is just wrong. The English word 'or', is not a synonym for the Perl operator '||'. It still performs the 'logical or' operation, but has a lower precedence than '||'. Consider this example, which tries to exit if a specified file cannot be opened:

<blockquote><code> open FH,'filename' || die; </code></blockquote>

Assuming that 'filename' does not exist, the 'die' function will never be reached. Why? Because due to the '||' operator having a higher precedence than the comma operator, it is the filename itself which will be tested, not the result of the 'open'. In effect we have written this:

<blockquote><code> open FH,('filename' || die); </code></blockquote>

The alternative 'or' operator has a lower precedence than the comma, so the code

<blockquote><code> open FH,'filename' or die; </code></blockquote>

is evaluated as

<blockquote><code> open (FH,'filename') or die; </code></blockquote>

which will correctly exit if the file cannot be opened.

Subtle issues like this are easy mistakes for Perl newcomers to make, but I would expect an experienced programmer to be aware of them. The error is repeated in the operator precedence table given on page 50 of 'Modern Perl'. For the record, an accurate precedence table can be found in the current editions of 'Programming Perl' or the 'Perl 5 Pocket Reference' (both published by O'Reilly).

And then we come to the obligatory CGI chapter. What is the 'modern' way to run a web application with Perl, I wonder? AxKit? Template Toolkit? Custom mod_perl handlers? Well whatever it is, it certainly isn't this:

<blockquote><code> $data = $ENV{QUERY_STRING}; </code></blockquote>

or this:

<blockquote><code> read(STDIN, $data, $ENV{CONTENT_LENGTH}; </code></blockquote>

That's right - instead of simply using the CGI module, Saltzman's first example directly parses the input stream from the browser. Of course there is historical and educational value in showing how the CGI protocol works, and what processes are used 'behind the scenes' by CGI.pm to parse the input stream, but is that the focus of this book?

Continuing with the example code, after the CGI parameters have been parsed, Saltzman writes:

<blockquote><code> $result = eval $input{expression}; </code></blockquote>

So what we have now is a script which accepts any Perl expression (such as 'rm -rf /') and executes it, with no input checking. Taint mode would have prevented this, but as with 'use strict' and 'use warnings', it was not used.

The next example does use the CGI module, but only calls CGI::ReadParse. This function was provided in CGI.pm to maintain compatibility with the old (Perl 4) cgi-lib.pl library, so should not be used in new code. The book fails to mention the object-oriented interface to CGI.pm, any of the HTML generating facilities, or even the param() function.

One part of 'Modern Perl' which I did find most interesting was the chapter on creating GUIs with the Tk.pm module. Perl is traditionally considered to be a language for command line or CGI scripts, so it is nice to see Windows applications being developed with a full graphical interface. Database integration with the DBI and DBD::x modules is introduced, which later builds into a complete Windows database client. However if you've looked at the cover of 'Modern Perl' and seen that it promises "... detailed examples applicable to Oracle and Sybase", then you may be a little disappointed as all of the examples actually use MySQL, Now I've got nothing against MySQL, it's a good product and I use it myself. But from experience, there can be more to using Oracle than just changing the DBI->connect string, especially when the server is on a different physical machine to the one running the script. It would have been nice to see some real-world examples of building DBD::Oracle if this is being used as a selling point for the book.

The final chapter concerns debugging. It is here (at last) that we find out about 'use strict', 'use warnings', and 'use diagnostics'. I disagree with the implication that these pragmas should only be used after things have gone wrong - it will be more beneficial to get into the habit of always using them. Prevention of bugs, or at least trapping them earlier, is always better than trying to identify problems after a complete program has been written.

So unfortunately, I find myself unable to recommend 'Modern Perl'. While technical errors can be corrected in an errata, the general content cannot. I am not convinced that the author understands the Perl language at the level needed to write a book about it.

If you are looking for an introduction to Perl (or if you've used Perl 4 and want to get up to speed on what's new), buy 'Core Perl' (also published by Prentice Hall) instead. While I was not entirely happy with the CGI examples (security issues again), 'Core Perl' makes a much better job at conveying modern programming practices, and it is written with an obvious passion for the language - something that 'Modern Perl' sadly lacks.