by McGlockenshire 4172 days ago
This article is pretty much spot on. I lived through this era and experienced the downfall of perl web applications first hand.

My employer produced an amazingly popular perl-based web application, using flat files for data storage because so few shared hosts had DBI and DBD::mysql installed. It's some gloriously horrible code. They did a ground-up rewrite and then hired me to maintain it, right as PHP was becoming popular.

They refused to do a PHP version until it was too late. Someone else translated our code into PHP, then rewrote it a few times before releasing it. Over just a year or two, our market share plummeted, and now the UBB is a distant memory. We couldn't deliver a competing product.

Even if perl hadn't lost the deployability battle, the perl 6 fiasco was what let python and company eat away at the mindshare that wasn't concerned with just web applications.

4 comments

I remember the days of the UBB. Flat file databases, what memories. I also recall UBB getting hacked because the data separator was a pipe bar and the code didn't check for that on input. SQL injection before SQL. Maybe I dreamt that. Either way, I remember my time with flat file databases.

Yup, that was pretty bad. The resulting filtering ended up causing a lot of trouble for folks not using Windows-1252 or something in the ISO-8859 family, as it'd replace pipes in post bodies with the HTML numeric entity for the pipe in that charset. A similar incident is one of the things that got me hired - I was the only one to actually pick up a phone and call their office and talk to tech support about the sheer size of the possible bug.

The most fun security bug the previous major version had was a side effect of file naming. In order to prevent users from just downloading data files, every data file was given the .cgi extension and was always saved as 0777 because shared hosting sucks and nobody ever used suexec like they should.

The file format for user records is the login name on the first line, and the plaintext password on the second, email on the third. Someone figured out that #, ! and / weren't filtered in usernames. See where this is going yet? If the directory containing member records was available inside the document root, someone could perform trivial remote command execution.

The second most fun was people discovering XSS before it was called XSS. With some creative quoting, you could inject javascript into the markup.

I'm just thankful nobody figured out CSRF, I'd have hated to figure out how to deal with that way back then...
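
The two flat-file bugs described in the comments above (an unchecked pipe separator and unfiltered username characters), shown with their fixes as an added example that is not part of the thread and is not UBB's code. The four-field record layout, the backslash escape scheme and the username allowlist are assumptions made for illustration.

```python
import re

DELIM = "|"  # field separator, as in the flat files described above

def write_naive(fields):
    # The bug: fields are joined without checking for the separator.
    return DELIM.join(fields)

def escape(field):
    # Backslash first, so the escapes added here are not escaped again.
    return (field.replace("\\", "\\\\").replace(DELIM, "\\p")
                 .replace("\n", "\\n").replace("\r", "\\r"))

UNESCAPE = {"\\": "\\", "p": DELIM, "n": "\n", "r": "\r"}

def unescape(field):
    out, i = [], 0
    while i < len(field):
        if field[i] != "\\":
            out.append(field[i])
            i += 1
            continue
        if i + 1 >= len(field) or field[i + 1] not in UNESCAPE:
            raise ValueError("malformed escape in stored field")
        out.append(UNESCAPE[field[i + 1]])
        i += 2
    return "".join(out)

def write_safe(fields):
    # After escaping, no field can contain a raw separator or line break.
    return DELIM.join(escape(f) for f in fields)

def parse_safe(line):
    return [unescape(f) for f in line.split(DELIM)]

# Assumed allowlist: rejects '#', '!', '/', line breaks and everything else
# not listed, instead of trying to enumerate bad characters.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")

def valid_username(name):
    return USERNAME_RE.fullmatch(name) is not None

if __name__ == "__main__":
    record = ["42", "alice", "pipes | in a post", "member"]  # constructed
    print(len(write_naive(record).split(DELIM)))  # field count drifts
    print(parse_safe(write_safe(record)) == record)
    print([valid_username(n) for n in ("alice", "#x", "a/b", "a\nb")])
```

Because the escape is applied at the storage layer and reversed on read, the post body itself is never rewritten, whatever charset it is in.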

Man, I remember UBB. I worked in a dot-com run exclusively by teenagers in 2000, and UBB was the go-to solution for forums. I also remember spending a day writing a Perl CGI script to do polls, since the idea of SaaS or outsourcing widgets on your website was in the far future, and everyone knew that you had to have all the source code for your site in cgi-bin.

Those were the days.

Weirdly, I updated a perl-based web application that used flat files for data storage (a web crawler and search engine) to modern perl not too long ago. I hadn't realized that flat file storage was created as a way to get around DB installation.

I immediately knew it was Ultimate Bulletin Board when I read the first sentence of the second paragraph.