I hate the param method from CGI
Scalar and list context is a nice and advanced feature of Perl. Sometimes I think it's a bit too smart for those of us who use Perl.
In our code we have a lot of method calls like this:
$obj->foo( name1 => $value, name2 => bar() );
We do a lot of web stuff, and often we pass user input straight to a method like this:
$obj->foo( name1 => $value, name2 => $cgi->param("inputkey") );
This code is bad! It should be:
$obj->foo( name1 => $value, name2 => scalar($cgi->param("inputkey")) );
This is because the call to param is in list context, so param returns every value submitted under that name, not just one. The bug is nasty because it often has security implications: the user can supply the same parameter several times to the web script, and the extra values spill into the key/value list of the method call, where they overwrite the named arguments to the foo method.
Here is an example:
$obj->foo( is_superuser => 0, name => $query->param("name") );
The user is able to call foo in superuser mode if he calls the script with the querystring
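To make the mechanism concrete, here is an added, self-contained Perl script (not code from the original post) that runs the vulnerable call and the scalar-forced fix side by side. The query string, the stand-in foo subroutine and the helper names are constructed for this example; the post does not show them.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

# Constructed attacker input: "name" is repeated so that, in list context,
# param('name') returns three values instead of one.
my $query = CGI->new('name=alice&name=is_superuser&name=1');

# Stand-in for the $obj->foo method from the post (hypothetical shape):
# it takes key/value pairs and returns them as a hash reference.
sub foo {
    my (%args) = @_;
    return \%args;
}

# Vulnerable: param() is evaluated in list context, so the argument list
# flattens to ( is_superuser => 0, name => 'alice', is_superuser => 1 ).
# When that list is assigned to a hash, the later is_superuser key wins.
sub call_vulnerable {
    my ($q) = @_;
    return foo( is_superuser => 0, name => $q->param('name') );
}

# Fixed: scalar() forces scalar context, so only the first value is used
# and the argument list keeps exactly the pairs the programmer wrote.
sub call_fixed {
    my ($q) = @_;
    return foo( is_superuser => 0, name => scalar( $q->param('name') ) );
}

my $bad  = call_vulnerable($query);
my $good = call_fixed($query);

printf "vulnerable: is_superuser=%s name=%s\n", $bad->{is_superuser},  $bad->{name};
printf "fixed:      is_superuser=%s name=%s\n", $good->{is_superuser}, $good->{name};
```

Running it prints is_superuser=1 for the vulnerable call and is_superuser=0 for the fixed one, with name=alice in both cases. Recent releases of CGI.pm emit a warning when param is called in list context for exactly this reason and provide multi_param for the cases where a list is really wanted; if you are on an older CGI.pm, wrapping every param call in scalar() is the only protection.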
So who is to blame for this mess? The programmer? Well, we have some very bright people, and they have made this mistake many times in the past. When many people make the same mistake many times, it could be argued that it isn't only their fault. Should we blame Perl? Maybe the context feature is just too advanced. We could, however, also blame the CGI module for having a crappy interface, or blame the Perl community for allowing CGI to be such an important module.