|
Home >
Internet > www > |
FAQ: Frequently Asked Questions about CGI Programming
|
Section 1 of 2 - Prev - Next
Archive-Name: www/cgi-faq
Posting-Frequency: Irregular
Frequently Asked Questions on CGI Programming
---------------------------------------------
0. Preamble
0.1. Changes
0.2. Notice and Disclaimer
0.3. Where to get this document
0.4. How to contribute to this document?
0.5. Can I email the author my questions?
0.6. What's up with posting to comp.infosystems.www.authoring.cgi?
0.7. Credits
1. Basic Questions
1.1. What is CGI?
1.2. Is it a script or a program?
1.3. When do I need to use CGI?
1.4. Should I use CGI or JAVA?
1.5. Should I use CGI or SSI or ... { PHP/ASP/... }
1.6. Should I use CGI or an API?
1.7. So what are in a nutshell the options for webserver programming?
1.8. What do I absolutely need to know?
1.9. Does CGI create new security risks?
1.10. Do I need to be on Unix?
1.11. Do I have to use Perl?
1.12. What languages should I know/use?
1.13. Do I have to put it in cgi-bin?
1.14. Do I have to call it *.cgi? *.pl?
1.15. What is the "CGI Overhead", and should I be worried about it?
1.16. What do I need to know about file permissions and "chmod"?
1.17. What is CGIWrap, and how does it affect my program?
1.18. How do I decode the data in my Form?
2. HTTP Headers and NPH Scripts
2.1. What is HTTP (HyperText Transfer Protocol)?
2.2. What HTTP request headers can I use?
2.3. What Environment variables are available to my application?
2.4. Why doesn't my script get REMOTE_USER? My page is password-protected.
2.5. What HTTP response headers do I need to know about?
2.6. What is NPH?
2.7. Must/should/can I write nph scripts?
2.8. Do I have to call it nph-*
2.9. What is the difference between GET and POST?
3. Techniques: "How do I..."
3.1. Can I get information about who is visiting?
3.2. Can I get the email of visitors?
3.3. "But I saw some.kool.site display my email address..."
3.4. Can I verify the email addresses people enter in my Form?
3.5. Subject: How can I get the hostname of the remote user?
3.6. Can I get browser details and return different pages?
3.7. Can I trace where a user has come from/is going to?
3.8. Can I launch a long process and return a page before it's finished?
3.9. Can I launch a long process which the user interacts with?
3.10. Can I password-protect my pages?
3.11. Can I do HTTP authentication using CGI?
3.12. Can I identify users/sessions without password protection?
3.13. Can I redirect users to another page?
3.14. Can I run a CGI script without returning a new page to the browser?
3.15. Can I write output to a different Netscape frame?
3.16. Can I write output to several frames at once?
3.17. Can I use a CGI script to generate both text and inline images?
3.18. How can I use Caches to make CGI scripts faster and more Net-friendly?
3.19. How can I avoid users hitting "submit" twice?
3.20. How can I stop my CGI script reading and writing files as "nobody"?
3.21. How can I prevent my CGI results being cached by the browser?
3.22. How can I control the default filename when downloading a file via CGI?
4. Troubleshooting a CGI application
4.1. Are there some interactive debugging tools and services available?
4.2. I'm having trouble with my headers. What can I do?
4.3. Why do I get Error 500 ("the script misbehaved", or "Internal Server Error")
4.4. I tried to use (Content-Type|Location|whatever), but it appears in my Browser?
4.5. How can I run my CGI program 'live' in a debugger?
4.6. I'm using CGI with QUERY_STRING embedded in my HTML, but it gets corrupted?
5. Further Reading
5.1. Other FAQs/collections
5.2. Reference Pages
INDEX
-------------------------------------------------------------
Subject: SECTION 0 - PREAMBLE
NOTE: the numbering in this document is automatically generated by my
posting software, and will change between postings if new questions are
added (as _may_ happen when I see - or someone contributes - a FAQ I've
previously overlooked :-)
------------------------------
Subject: 0.1 Changes
Last Modified: July 2000. Updated several links reported
by Site Valet as moved. Otherwise unchanged.
------------------------------
Subject: 0.2 Notice and Disclaimer
Copyright 1996-2000 Nick Kew.
You are free to copy or distribute this document in whole or in part
for any purpose and on any medium you choose, provided you include
this notice and disclaimer in full.
Disclaimer: This information is offered in good faith and in the hope
that it may be of use, but is not guaranteed to be correct, up to date
or suitable for any particular purpose. The author accepts no liability
in respect of this information or its use.
------------------------------
Subject: 0.3 Where to get this document
The official homes of this document on the Web are now
URL http://www.webthing.com/tutorials/cgifaq.html
URL http://www.htmlhelp.org/faq/cgifaq.html
NOTE - If you want to mirror the FAQ on your WWW site on a
publicly-visible server, please make sure you keep it up-to-date.
Other known sources are:
(1) USENET: posted to newsgroups (TEXT)
news:comp.infosystems.www.authoring.cgi
news:comp.answers
news:news.answers
(2) RTFM and mirror sites (TEXT)
ftp://rtfm.mit.edu/pub/usenet/news.answers/www/cgi-faq
(3) RTFM WWW mirror sites, including (Partial HTML)
Europe - http://www.cs.ruu.nl/cgi-bin/faqwais
America - http://www.cis.ohio-state.edu/hypertext/faq/usenet/
(4) By EMAIL from the FAQserver at RTFM (TEXT)
Send email to mailto:mail-server@rtfm.mit.edu with
send usenet/news.answers/www/cgi-faq
in the body of your message
------------------------------
Subject: 0.4 How to contribute to this document?
I have removed the InterFAQ from this answer, as it has become
clear that people prefer the familiar approach of emailing me
to that of contributing via the web, and (in turn) the InterFAQ
contents has not been maintained for some time. Thomas Boutell
has since introduced a somewhat similar project, the OpenFAQ.
Just mail me. ( mailto:nick@webthing.com )
------------------------------
Subject: 0.5 Can I email the author my questions?
Please don't. Post them to an appropriate newsgroup, where they'll
be seen and possibly answered by a whole lot more people than just me.
And remember: bad (or incoherent) questions get bad answers, so think
carefully before posting.
If you have an actual programming job to do, I might be interested
However, I am unlikely to be interested in jobs below $1000.
If you think something already in the FAQ needs clarifying, feel free
to mail me: don't expect a personal reply, but I *might* add
something to the answer in question, so check the next posting (or three).
------------------------------
Subject: 0.6 What's up with posting to comp.infosystems.www.authoring.cgi?
This is now a moderated newsgroup. The moderator is a bot run by
Thomas Boutell ( mailto:boutell@boutell.com ). The charter for
moderation is as follows:
This newsgroup is self-moderated. Your first posting will not appear
until you have read and responded to an automatic welcome mailing, at
which point your posting will appear with no further delay. Provision
will also be made to automatically approve first postings that contain
a header requesting this. Subsequent postings are approved
automatically.
If posting normally doesn't work - as could be the case if your
newsfeed has trouble with moderated groups - you can post articles
by emailing them to:
mailto:authoring-cgi@boutell.com
Provided the return address in your mail is correct, you will then
receive precise instructions for having your post(s) automatically approved.
Alternative means of posting are detailed in the WWW FAQ, posted
regularly by Thomas Boutell.
------------------------------
Subject: 0.7 Credits
This FAQ was written by Nick Kew, and has been considerably improved
with the help of comments and criticisms, newsgroup posts and
miscellaneous suggestions from correspondents including
Nathan Neulinger, Maurice L. Marvin, Matthew Healy, Alan J. Flavell,
Don Libes, Alain Deckers, David S. Jackson, J.M. Ivler, and no doubt
others I've forgotten to credit (please remind me if necessary).
-------------------------------------------------------------
Subject: SECTION 1 - BASIC QUESTIONS
This section aims to deal with basic questions, addressing the role and
nature of CGI, and its place in Web programming. Questions/answers which
just don't appear to 'fit' under any other section may also be included
here.
------------------------------
Subject: 1.1 What is CGI?
[ from the CGI reference http://hoohoo.ncsa.uiuc.edu/cgi/overview.html ]
The Common Gateway Interface, or CGI, is a standard for external
gateway programs to interface with information servers such as HTTP servers.
A plain HTML document that the Web daemon retrieves is static,
which means it exists in a constant state: a text file that doesn't change.
A CGI program, on the other hand, is executed in real-time, so that it
can output dynamic information.
------------------------------
Subject: 1.2 Is it a script or a program?
The distinction is semantic. Traditionally, compiled executables
(binaries) are called programs, and interpreted programs are usually
called scripts. In the context of CGI, the distinction has become
even more blurred than before. The words are often used interchangably
(including in this document). Current usage favours the word "scripts"
for CGI programs.
------------------------------
Subject: 1.3 When do I need to use CGI?
There are innumerable caveats to this answer, but basically any
Webpage containing a form will require a CGI script or program
to process the form inputs.
------------------------------
Subject: 1.4 Should I use CGI or JAVA?
[answer to this non-question hopes to try and reduce the noise level of
the recurrent "CGI vs JAVA" threads].
CGI and JAVA are fundamentally different, and for most applications
are NOT interchangable.
CGI is a protocol for running programs on a WWW server. Whilst JAVA
can also be used for that, and even has a standardised API (the servlet,
which is indeed an alternative to CGI), the major role of JAVA on the
Web is for clientside programming (the applet).
In certain instances the two may be combined in a single application:
for example a JAVA applet to define a region of interest from a
geographical map, together with a CGI script to process a query
for the area defined.
------------------------------
Subject: 1.5 Should I use CGI or SSI or ... { PHP/ASP/... }
CGI and SSI (Server-Side Includes) are often interchangable, and it may
be no more than a matter of personal preference. Here are a few
guidelines:
1) CGI is a common standard agreed and supported by all major HTTPDs.
SSI is NOT a common standard, but an innovation of NCSA's HTTPD
which has been widely adopted in later servers. CGI has the
greatest portability, if this is an issue.
2) If your requirement is sufficiently simple that it can be done
by SSI without invoking an exec, then SSI will probably be
more efficient. A typical application would be to include
sitewide 'house styles', such as toolbars, netscapeised
tags or embedded CSS stylesheets.
3) For more complex applications - like processing a form -
where you need to exec (run) a program in any case, CGI
is usually the best choice.
4) If your transaction returns a response that is not an HTML page,
SSI is not an option at all.
Many more recent variants on the theme of SSI are now available.
Probably the best-known are PHP which embeds server-side scripting
in a pre-html page, and ASP which is Microsoft's version of a
similar interface.
------------------------------
Subject: 1.6 Should I use CGI or an API?
APIs are proprietary programming interfaces supported by particular
platforms. By using an API, you lose all portability. If you know
your application will only ever run on one platform (OS and HTTPD),
and it has a suitable API, go ahead and use it. Otherwise stick to CGI.
------------------------------
Subject: 1.7 So what are in a nutshell the options for webserver programming?
Too many to enumerate - but I'll try and summarise. Briefly, there
are several decisions you have to make, including:
* Power. Is it up to a complex task?
* Complexity. How much programming manpower is it worth?
* Portability. Might you want to run your program on another system?
So here's an overview of the main options. It's inevitably subjective,
but may be helpful to someone:
Basic SSI: Simple interface for basic dynamic content.
Non-standard - read your server docs.
Enhanced SSI[1]: Suitable for more complex tasks within
an HTML page.
CGI: The standardised, portable general-purpose API,
not limited to working with HTML pages.
Enhanced CGI-like[2]: Typically gain efficiency but lose portability
compared to standard CGI.
Servlets: An alternative API for JAVA, that overcomes
the limitation of JAVA not supporting
environment variables.
Server API: Generally the most powerful and most complex option.
[1] For example, PHP, ASP.
[2] For example, CGI adapted to mod_perl or fastcgi.
------------------------------
Subject: 1.8 What do I absolutely need to know?
If you're already a programmer, CGI is extremely straightforward, and just
three resources should get you up to speed in the time it takes to read them:
1) Installation notes for your HTTPD. Is it configured to run CGI
scripts, and if so how does it identify that a URL should be executed?
(Check your manuals, READMEs, ISP webpages/FAQS, and if you still can't
find it ask your server administrator).
2) The CGI specification at NCSA tells you all you need to know
to get your programs running as CGI applications.
http://hoohoo.ncsa.uiuc.edu/cgi/interface.html
3) WWW Security FAQ. This is not required to 'get it working', but
is essential reading if you want to KEEP it working!
http://www.w3.org/Security/Faq/www-security-faq.html
If you're NOT already a programmer, you'll have to learn. If you would
find it hard to write, say, a 'grep' or 'cat' utility to run from the
commandline, then you will probably have a hard time with CGI. Make
sure your programs work from the commandline BEFORE trying them with CGI,
so that at least one possible source of errors has been dealt with.
------------------------------
Subject: 1.9 Does CGI create new security risks?
Yes. Period.
There is a lot you can do to minimise these. The most important thing
to do is read and understand Lincoln Stein's excellent WWW security
FAQ, at http://www.w3.org/Security/Faq/www-security-faq.html
------------------------------
Subject: 1.10 Do I need to be on Unix?
No, but it helps. The Web, along with the Internet itself, C, Perl,
and almost every other Good Thing in the last 20 years of computing,
originated in Unix. At the time of writing, this is still the
most mature and best-supported platform for Web applications.
------------------------------
Subject: 1.11 Do I have to use Perl?
No - you can use any programming language you please. Perl is simply
today's most popular choice for CGI applications. Some other widely-
used languages are C, C++, TCL, BASIC and - for simple tasks -
even shell scripts.
Reasons for choosing Perl include its powerful text manipulation
capabilities (in particular the 'regular' expression) and the fantastic
WWW support modules available.
------------------------------
Subject: 1.12 What languages should I know/use?
It isn't really that important. Use what you're comfortable with,
or what you're constrained (eg by your manager) to use.
If you're just dabbling with programming, Perl is a good choice, simply
because of the wealth of ready-to-run Perl/CGI resources available.
If you're serious about programming, you should be at home in a
range of languages. C, the industry standard, is a must (at least to
the level of comfortably reading other people's code). You'll
certainly want at least one scripting language such as Perl, Python
or Tcl. C++ is also a good idea.
In response to a Usenet newbie question:
> I am seriously wanting to learn some CGI programming languages
J.M. Ivler wrote some eloquent words of wisdom:
> If you want to learn a programming language, learn a programming language.
> If you want to learn how to do CGI programming, learn a programming
> language first.
>
> My book is one of the few that tackles two languages at the same time.
> Why? because it's not about languages (which are just syntax for logic).
> CGI programming is about programming, and how to leverage the experience
> for the person coming to the site, or maintaining the site, or in some way
> meeting some requirements. Language is just a tool to do so.
------------------------------
Subject: 1.13 Do I have to put it in cgi-bin?
see next question
------------------------------
Subject: 1.14 Do I have to call it *.cgi? *.pl?
Maybe. It depends on your server installation.
These types of filenames are commonly used conventions - no more.
It is up to the server administrator whether or not CGI scripts are
enabled, and (if so) what conventions tell the server to run or
to print them.
If you are running your own server, read the manual.
If you're on ISP or other rented webspace, check their webpages for
information or FAQs. As a last resort, ask the server administrator.
------------------------------
Subject: 1.15 What is the "CGI Overhead", and should I be worried about it?
The CGI Overhead is a consequence of HTTP being a stateless protocol.
This means that a CGI process must be initialised for every "hit"
from a browser.
In the first instance, this usually means the server forking a
new process. This in itself is a modest overhead, but it can
become important on a heavily-used server if the number of
processes grows to problem levels.
In the second place, the CGI program must initialise. In the
case of a compiled language such as C or C++ this is negligible,
but there is a small penalty to pay for scripting languages such as Perl.
Thirdly, CGI is often used as 'glue' to a backend program, such as
a database, which may take some considerable time to initialise.
This represents a major overhead, which must be avoided in any
serious application. The most usual solution is for the backend
program to run as a separate server doing most of the work, while
the actual CGI simply carries messages.
Fourthly, some CGI scripts are just plain inefficient, and may
take hundreds of times the resources they need. Programs using
system() or `backtick` notation often fall into this category.
Note that there are ways to reduce or eliminate all these overheads,
but these tend to be system- or server-specific. The best-supported
server is probably Apache, as commercial server-vendors may prefer to
push their proprietary solutions in preference to CGI.
------------------------------
Subject: 1.16 What do I need to know about file permissions and "chmod"?
Unix systems are designed for multiple users, and include provision
for protecting your work from unauthorised access by other users
of the system. The file permissions determine who is permitted
to do what with your programs, data, and directories. The command
that sets file permissions is chmod.
Web servers typically run as user "nobody". That means that, setting
aside serious bugs (such as those in certain versions of the Frontpage
extensions), your files are absolutely secure from damage through the
webserver. It also means that you may have to make explicit changes to
enable the server to access them in a CGI context.
There are two ways to run CGI:
- by default they run as the webserver user (nobody)
For most purposes this is safest, as your programs and data
are protected by the operating system from unauthorised access
through possible bugs in your CGI. However, when the CGI has
to write to a file, that file must be writable to every web
user on the system, and is therefore completely unprotected.
- setuid, they run under your own userid.
This means that files written by your CGI can be secure.
On the other hand, any bugs in your CGI could now compromise
*all* your programs and data on the server.
As an elementary security precaution, scripts (e.g. Perl) are
prevented from running setuid by most OSs. The "cgiwrap"
program offers a workaround for this.
A third way you should *never* permit CGI to be run is:
- as root or setuid root, they can run as any user.
This is extremely dangerous, as any bugs could compromise the
entire server, including every user's files. Fortunately only
the system administrator can install setuid root programs. If
you are *at all* concerned about security, make sure that no such
programs (in particular Frontpage extensions) are installed,
regardless of whether you use them yourself.
For a proper overview, "man chmod". Some modes that may be useful
in a typical CGI context are:
* CGI programs, 0755
* data files to be readable by CGI, 0644
* directories for data used by CGI, 0755
* data files to be writable by CGI, 0666 (data has absolutely no security)
* directories for data used by CGI with write access, 0777 (no security)
* CGI programs to run setuid, 4755
* data files for setuid CGI programs, 0600 or 0644
* directories for data used by setuid CGI programs, 0700 or 0755
* For a typical backend server process, 4750
Finally, if this answer tells you anything you didn't already know,
don't even think about trying to set up a secure server!
------------------------------
Subject: 1.17 What is CGIWrap, and how does it affect my program?
[ quoted from http://www.umr.edu/~cgiwrap/intro.html ]
> CGIWrap is a gateway program that allows general users to use CGI scripts
> and HTML forms without compromising the security of the http server.
> Scripts are run with the permissions of the user who owns the script. In
> addition, several security checks are performed on the script, which will not
> be executed if any checks fail.
>
> CGIWrap is used via a URL in an HTML document. As distributed, cgiwrap
> is configured to run user scripts which are located in the
> ~/public_html/cgi-bin/ directory.
See http://www.umr.edu/~cgiwrap/
------------------------------
Subject: 1.18 How do I decode the data in my Form?
The normal format for data in HTTP requests is URLencoded. All Form data
is encoded in a string, of the form
param1=value1¶m2=value2&...paramn=valuen
Many non-alphanumeric characters are "escaped" in the encoding:
the character whose hexadecimal number is "XY" will be represented by
the character string "%XY".
Decoding this string is a fundamental function of every CGI library.
Another format is "multipart/form-data", also known as "file upload".
You will get this from the HTML markup
