CSC3530: Software Technology

Perl CGI

Dickson K.W. Chiu


Dept. of Computer Science & Engineering
Chinese University of Hong Kong, Shatin, HK

CGI Scenario
1. User clicks on the form's <submit> button
2. Web browser invokes a POST HTTP method through TCP/IP
3. HTTP server receives the invocation via a socket connection
4. HTTP server sets up environment variables, e.g.,
SERVER_NAME, REQUEST_METHOD, PATH_INFO, SCRIPT_NAME, CONTENT_TYPE,
CONTENT_LENGTH
5. HTTP server starts a CGI program
6. CGI program reads the environment variables
7. CGI program receives the message body via stdin
8. CGI program does some work
9. CGI program outputs the generated web page via stdout
10. HTTP server sends the web page to the client PC
11. User's web browser shows the generated web page

Dickson Chiu CSC3530 03-2


HTML Form Elements
◼ Skeleton
<form method="method name" {action="<url>" …}>
</form>
◼ SELECT field
<SELECT NAME="Field Name" SIZE="N" {MULTIPLE}>
<OPTION {SELECTED}> choice 1 …
<OPTION {SELECTED}> choice n
</SELECT>
◼ returns multiple name=value pairs with the MULTIPLE keyword
◼ SIZE - number of visible items
◼ TEXTAREA field
<TEXTAREA NAME="Field Name" ROWS="Visible Rows" COLS="Visible Columns">
Default text goes here…
</TEXTAREA>



HTML Form Elements – INPUT field
◼ Skeleton
<INPUT TYPE="field type" NAME="field name" VALUE="default value">
◼ INPUT fields – TYPE
◼ TEXT, PASSWORD, HIDDEN – default value given by the VALUE clause
◼ CHECKBOX – returns multiple (or no) name=value pairs
◼ RADIO – returns one name=value pair
◼ CHECKED – default state of CHECKBOX and RADIO
◼ RESET button – clears the form and restores its default values
◼ SUBMIT button – initiates the POST method (sends the data)
◼ IMAGE button – special SUBMIT button with an image file



POST Method Message Example
◼ POST is mostly used in form-filling: the contents of a
form are translated by the browser into some special
format and sent to a script on the server using the
POST command
◼ Here's a typical form submission, using POST:

POST /path/script.cgi HTTP/1.0
From: [email protected]
User-Agent: HTTPTool/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 32

home=Cosby&favorite+flavor=flies
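Reading and decoding such a body is what the CGI program does at steps 6 and 7 of the scenario. The following added example (not from the slides) parses the message above by hand, taking CONTENT_LENGTH from the environment and the body from stdin, and falls back to the slide's body as a constructed sample when run at a command prompt:

```perl
#!/usr/bin/perl
# Added example (not from the slides): decode a POST body the way a CGI
# program receives it: CONTENT_LENGTH comes from the environment and the
# urlencoded body arrives on stdin. Run at a command prompt it uses the
# slide's message as a constructed sample body.
use strict;
use warnings;

# Decode one application/x-www-form-urlencoded body into name => [values];
# a name may repeat (SELECT MULTIPLE, several CHECKBOXes), so keep a list.
sub parse_form_body {
    my ($body) = @_;
    my %form;
    for my $pair (split /&/, $body) {
        my ($name, $value) = split /=/, $pair, 2;
        next unless defined $name && length $name;
        $value = '' unless defined $value;
        for ($name, $value) {
            tr/+/ /;                              # '+' encodes a space
            s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;   # %XX escapes
        }
        push @{ $form{$name} }, $value;
    }
    return \%form;
}

# Read exactly CONTENT_LENGTH bytes from stdin. Refuse a missing, non-numeric
# or oversized length instead of reading to EOF: a client can hold the
# connection open indefinitely, and an unbounded read is easy to abuse.
sub read_post_body {
    my ($max) = @_;
    my $len = $ENV{CONTENT_LENGTH} // '';
    die "bad CONTENT_LENGTH\n" unless $len =~ /^\d+$/ && $len <= $max;
    my $body = '';
    my $got = read(STDIN, $body, $len) // 0;
    die "short read\n" unless $got == $len;
    return $body;
}

my $body = (($ENV{REQUEST_METHOD} // '') eq 'POST')
    ? read_post_body(64 * 1024)
    : 'home=Cosby&favorite+flavor=flies';   # constructed sample body
my $form = parse_form_body($body);

print "Content-type: text/plain\n\n";       # header, then the blank line
for my $name (sort keys %$form) {
    printf "%s = %s\n", $name, join(', ', @{ $form->{$name} });
}
```

This is the work that CGI.pm's param() does for you in the later slides; doing it once by hand shows where the "+" and "%XX" decoding and the length check belong.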



Form Method: Get vs Post
◼ Historical meaning (confusing)
◼ Post – for posting a news message
◼ Get – given an ID, go "get" the new message
◼ Get Method
◼ Data appended to the URL, e.g.,
http://www.url.com/cgi-bin/form.cgi?user=john&pwd=secret&select=123
◼ Obvious security problem - data revealed by the URL
◼ Some servers limit the length of a GET request (say 240 characters)
◼ Useful for links instead of forms, i.e., clicking on a link invokes the
CGI program to display a generated page, e.g.,
http://www.webster.com/cgi-bin/dictionary?book=Dictionary&va=ubiquitous



Simulating a POST Form with a Link
◼ From the main form of http://www.webster.com/:

<form name="dict" method="post" action="/cgi-bin/dictionary">
<input type="hidden" name="book" value="Dictionary">
<TD>Collegiate Dictionary</TD>
<TD><input name="va" size="15"></TD>
<TD><input type="submit" value="Look it up"></TD>
</form>

◼ Try clicking on this link instead of filling in the data with the form:
http://www.webster.com/cgi-bin/dictionary?book=Dictionary&va=ubiquitous



Sample Output of a CGI Program
◼ Objective of CGI program - to generate the exact
response (web page) to be sent back to the client
◼ You may wish to test running the program at
command prompt first
◼ Sample Output:
Content-type: text/html

<HTML>
<HEAD>
<TITLE>Hello World Program</TITLE>
</HEAD>
<BODY>
<H1>Hello, time now: Thu Sep 6 16:45:49 HKT 2001</H1>
</BODY>
</HTML>
◼ Note the blank line after the Content-type header: it separates the HTTP header from the page body



Choosing a Language for CGI
◼ Compiler availability on the server
◼ Language functionality and speed
◼ CGI requirements – environment, stdin, stdout, …
◼ Functionality required by the application
◼ Integration with other applications / languages
◼ Speed - compiled or interpreted language
◼ Software Engineering factors
◼ Modularity, code maintainability, reusability, extensibility
◼ Learning curve
◼ Code libraries
◼ Short development cycle
◼ Language support
◼ Explicit and implicit costs - licensing, testing,
debugging, maintenance, performance



CGI Program in Shell Script
#!/bin/sh
# hello world CGI program
# "Here document": cat copies everything up to the matching end token (EOT)
# to stdout. The blank line after Content-type ends the HTTP header.
# Backquotes run a program (date) and stuff its output into the text.
cat <<EOT
Content-type: text/html

<HTML><HEAD>
<TITLE>Hello World Program</TITLE>
</HEAD><BODY>
<H1>Hello, time now: `date`</H1>
</BODY>
</HTML>
EOT



CGI Program in Perl
#!/usr/local/bin/perl5
# hello world CGI program
$time = `date`;
# "Here document" with a matching end token is also supported in Perl
print <<EOT;
Content-type: text/html

<HTML><HEAD>
<TITLE>Hello World Program</TITLE>
</HEAD><BODY>
<H1>Hello, time now: $time</H1>
</BODY>
</HTML>
EOT



CGI Program in Perl with CGI Module
#!/usr/local/bin/perl5 -w
# hello world CGI program using CGI module
use CGI qw(:standard);
$time = `date`;
print header();
print start_html("Hello World Program");
print h1("Hello, time now: $time");
print end_html;      # () optional in Perl

Complete Reference Manual => http://stein.cshl.org/WWW/software/CGI/



Using CGI Module Functions
◼ CGI module Perl functions usually use the same name as the tag, with optional parameters
◼ Single tags: br, hr, p
◼ Paired tags: h1, h2, …, h6, tr, td, th, a, …
◼ Tags with attributes - pass a reference to an associative array as the first argument, e.g.,
print a({-href=>"chk.html"}, "Check Result");
◼ You may mix CGI module functions with printing out raw HTML code
◼ Some advanced usage is complicated – just print your raw HTML code then …



Some Advanced CGI Module Usage
◼ Distributive HTML tags - give them an argument consisting of a reference to a list, and the tag will be distributed across each element of the list, e.g.
print ul(li({-type=>'disc'}, ['Sneezy','Doc','Sleepy','Happy']));
generates
<UL><LI TYPE="disc">Sneezy</LI><LI TYPE="disc">Doc</LI>
<LI TYPE="disc">Sleepy</LI><LI TYPE="disc">Happy</LI></UL>
◼ Printing a table
print table({-border=>undef},
    caption(strong('When Should You Eat Your Vegetables?')),
    Tr({-align=>CENTER,-valign=>TOP},
        [th(['','Breakfast','Lunch','Dinner']),
         th('Tomatoes').td(['no','yes','yes']),
         th('Broccoli').td(['no','no','yes']),
         th('Onions').td(['yes','yes','yes'])
        ])
);
CGI Program and States
◼ HTTP protocol is stateless
◼ CGI program finishes after sending a page to
the client
◼ When it runs next time, it naturally forgets
everything
◼ Kludges (workarounds)
◼ Using hidden fields (in HTML forms) directly
◼ Using cookies
◼ Using variations of hidden fields
◼ Encoded parameter strings
◼ Session id with saved states in a server database



Using Hidden Fields to Convey States



Comprehensive Example –
Editing a Database Table

◼ User query on different fields
◼ Edit all selected records
◼ Edit single record
◼ Insert record
◼ Delete record



State Diagram for DB Table Editing
(Figure: state diagram of the CGI program. Boxes are CGI program processing states: Initial Page, Database lookup, Display Result, Edit Item, Edit all Records, Read Record, Check duplication, Database Update, Delete Record, Insert; "Show Web Page to user" marks the pages returned between states. Arrows are labelled with the user action or condition and the parameters passed on the next request, e.g. "User invokes URL", "Click link", "Press <Insert>", "lookup (duplicated record)", field=field', query=pattern; edit=key, field=f, query=pattern; insert, ins_key=key; field=field', query=key. Variables in italic are used for the state check.)



CGI Main Program (Generic)
#!/usr/local/bin/perl5
use CGI qw(:standard); use DBI;
# Connect to database (the subroutines called below are defined elsewhere)
$ENV{'ORACLE_HOME'}='/opt5/oracle8i/app';
my $dbh = DBI->connect("dbi:Oracle:db00", 'user', 'password')
    or die "Can't connect to Oracle database";
my $key;
showmenu();
if (param("lookup") || param("cancel")) {
    do_query(); display_result();
} elsif ($key = param("insert")) {
    if (check_insert($key)) {
        edit_item($key);
    } else {
        err("dup_key");
    }
} elsif (param("editall")) {
    do_query(); edit_all();
} elsif (param("updateall")) {
    update_all();
    do_query(); display_result();
} elsif ($key = param("edit")) {
    read_record(); edit_item($key);
} elsif (param("update")) {
    do_update();
    do_query(); display_result();
} elsif (param("delete")) {
    do_delete();
    do_query(); display_result();
}
print end_html;



Sample Screen – Query Result
◼ Default values of these fields come from param()
◼ Query part (as in the initial screen) always displayed for convenience
◼ Link to edit/delete a single item:
<a href="http://www.server.com/cgi-bin/test.pl?edit&key=LJ4000">LJ4000</a>



Sample Screen – Edit Single Item
◼ Default value of these fields from param()
◼ Default value from record data
•Key field cannot be edited
•Hidden field for passing state:
<INPUT TYPE="hidden" NAME="id1" value="LJ4000">
<td><SELECT NAME="category1">
<OPTION SELECTED>printer</OPTION>
<OPTION>scanner</OPTION>
<OPTION>modem</OPTION>
</SELECT></td>



Sample Screen – Edit Multiple Items

•Key fields cannot be edited
•Hidden fields for passing state:
<INPUT TYPE="hidden" NAME="id1" value="LJ4000">
<INPUT TYPE="hidden" NAME="id2" value="BJC200">
Other input fields: Category1, Description1, Price1, Onhand1; Category2, Description2, Price2, Onhand2
Logic for Updating Multiple Records
sub update_data {
    # Loop over the keys id1, id2, … until a further key is undefined
    for ($i = 1; param("id$i"); $i++) {
        $id = param("id$i");
        $category = param("category$i");
        $description = param("description$i");
        $price = param("price$i");
        $onhand = param("onhand$i");
        # The field values are interpolated straight into the SQL text
        $statement = $dbh->prepare(
            "update product set category='$category', " .
            "description='$description', price='$price', onhand='$onhand' " .
            "where id='$id'"
        ) or die("SQL Statement error: $DBI::errstr");   # database error message
        $statement->execute or die("Cannot Update $id - $DBI::errstr");
    }
}
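Because prepare() above is handed SQL text built from param() values, a value containing a quote character changes the statement itself. The following added example (not the slides' code) rewrites the loop with DBI placeholders and a transaction; it assumes the slides' $dbh (connected with the default AutoCommit => 1) and product table, and also validates the numeric fields before they are sent:

```perl
# Added example (not from the slides): the same multi-record update written
# with DBI placeholders, so values from param() reach Oracle as bound data and
# are never spliced into the SQL text. Assumes the slides' $dbh (connected with
# the default AutoCommit => 1) and product table (id, category, description,
# price, onhand).
use strict;
use warnings;
use CGI qw(:standard);
use DBI;

sub update_data_safe {
    my ($dbh) = @_;
    # Prepare once; the ? marks are bound with fresh values for every row.
    my $sth = $dbh->prepare(
        'update product set category = ?, description = ?, ' .
        'price = ?, onhand = ? where id = ?'
    ) or die "SQL statement error: $DBI::errstr";

    my $updated = 0;
    $dbh->begin_work;   # all rows are written, or none
    for (my $i = 1; defined param("id$i"); $i++) {
        my ($id, $price, $onhand) = map { param($_ . $i) } qw(id price onhand);
        # Numeric fields are checked before they reach the database; a bad
        # value aborts the whole form instead of silently skipping a row.
        unless (($price // '') =~ /^\d+(?:\.\d{1,2})?$/
                && ($onhand // '') =~ /^\d+$/) {
            $dbh->rollback;
            die "Invalid price or onhand for record $id\n";
        }
        $sth->execute(param("category$i"), param("description$i"),
                      $price, $onhand, $id)
            or do { $dbh->rollback; die "Cannot update $id - $DBI::errstr\n" };
        $updated++;
    }
    $dbh->commit;
    return $updated;   # number of records written
}
```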



Cookie Conversation

Client Browser                                          Web Server
  -- First time visit web page -------------------------->
  <-- Here's the cookie + page ---------------------------
  … some time later
  -- Visit web page (send cookie matching domain) ------->
  <-- I've seen you before. Here you are … ---------------



What is a Cookie?
◼ Magical cookies: connecting CGI programs
◼ Usage
◼ Personalization
◼ Session tracking (user need not log on at every screen)
◼ Included within the official HTTP specification
◼ A text file, stored on the client’s hard drive.
◼ Netscape: a single file:
C:\Program Files\Netscape\Users\username\cookie.txt
◼ IE: one file for each domain in the following directory:
C:\WinNT\Profiles\Username\Cookies\
C:\Documents and Settings\administrator\Cookies\
(Win2000)



Cookie Anatomy
◼ Cookie Conversation Content
◼ Name/value pairs
◼ Passed as part of the HTTP header
◼ Usually insecure unless encrypted
◼ 6 Parts
◼ Name: cookie name
◼ Example: "Location"
◼ Value: value of the cookie
◼ Example: "VancouverBCCanada"
◼ No commas, white space, etc.
◼ Domain: domain that generated the cookie
◼ Example: "www.amazon.com"
◼ Path: the page that created the cookie; restricts the cookie within the site so that other sites cannot use it
◼ Expires: Wdy, DD-Mon-YYYY HH:MM:SS GMT
◼ Secure: flag; (Not used – don't trust it!)
Cookie Details
◼ Typical Limitations
◼ Cookies cannot be larger than 4K
◼ No domain (netscape.com, microsoft.com) can have more
than 20 cookies.
◼ Cookies stay on your machine until:
◼ they automatically expire
◼ they are explicitly deleted
◼ Controversial, as it enables web sites to track web
users and their habits
◼ Reference => http://www.cookiecentral.com/
◼ Example tool to view cookies on a PC: Cookie Pal
http://www.kburra.com/



CGI program Creating a Cookie
#!/usr/local/bin/perl5
# Fig. 29.22, Deitel: cookies.pl
use CGI qw( :standard );
$name = param( NAME ); $height = param( HEIGHT ); $color = param( COLOR );
$expires = "Monday, 11-JUN-01 16:00:00 GMT";
# Omitting domain: other sites can use these cookies…
print "Set-Cookie: Name=$name; expires=$expires; path=\n";
print "Set-Cookie: Height=$height; expires=$expires; path=\n";
print "Set-Cookie: Color=$color; expires=$expires; path=\n";
print header, start_html( "Cookie Saved" );
print <<End_Data;
The cookie has been set to your browser:<BR>
<FONT COLOR = BLUE>Name:</FONT> $name <BR>
<FONT COLOR = BLUE>Height:</FONT> $height<BR>
<FONT COLOR = BLUE>Favorite Color:</FONT> $color<BR>
<BR>Click <A HREF = "read_cookies.pl">here</A> to read saved cookie.
End_Data
print end_html;
CGI Program to Retrieve Cookie
#!/usr/local/bin/perl5
# Deitel Fig. 29.25: readCookies.pl
use CGI qw( :standard );
print header, start_html( "Read cookies" );
print "The following cookies are detected from your browser: <BR>";
%cookies = readCookies();
print "<TABLE BORDER = \"1\">";
foreach $cookieName ( "Name", "Height", "Color" ) {
    print "<TR> <TD>$cookieName</TD>";
    print "<TD>$cookies{ $cookieName }</TD> </TR>";
}
print "</TABLE>", end_html;



CGI Subprogram to Retrieve Cookie
# Content of environment variable HTTP_COOKIE:
#   name1=value1; name2=value2; name3=value3…
sub readCookies
{
    my %cookieHash;
    my @cookieArray = split( "; ", $ENV{ 'HTTP_COOKIE' } );
    foreach ( @cookieArray ) {
        my ( $cookieName, $cookieValue ) = split ( "=", $_ );
        $cookieHash{ $cookieName } = $cookieValue;
    }
    return %cookieHash;
}
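The two scripts above print Set-Cookie lines and split HTTP_COOKIE by hand. This added example (not from the slides or from Deitel) does the same set-and-read pair with CGI.pm's own cookie() helper, which escapes values and formats the Expires date, and sets Path, Secure and HttpOnly so the cookies are sent only over HTTPS to scripts under /cgi-bin and are not readable by scripts in the page; support for -httponly in the installed CGI.pm version is an assumption.

```perl
#!/usr/bin/perl
# Added example (not from the slides): the set-and-read pair from the two
# cookie scripts, done with CGI.pm's cookie() helper instead of hand-printed
# Set-Cookie lines and a hand-split HTTP_COOKIE. Assumes a CGI.pm new enough
# to accept -httponly (an assumption); everything else is standard CGI.pm.
use strict;
use warnings;
use CGI;

# Build one cookie per field. cookie() URL-escapes the value, so spaces and
# commas (which the slides say to avoid) are carried safely.
sub make_cookies {
    my ($q, %field) = @_;
    return map {
        $q->cookie(
            -name     => $_,
            -value    => $field{$_},
            -expires  => '+30d',      # relative; CGI.pm emits the GMT date
            -path     => '/cgi-bin',  # only scripts under this path receive it
            -secure   => 1,           # sent over HTTPS only
            -httponly => 1,           # not readable by scripts in the page
        )
    } sort keys %field;
}

# Read the named cookies back; CGI.pm parses HTTP_COOKIE and unescapes values.
sub read_cookies {
    my ($q, @names) = @_;
    my %seen;
    for my $name (@names) {
        my $value = $q->cookie($name);
        $seen{$name} = $value if defined $value;
    }
    return \%seen;
}

my $q = CGI->new;
if (defined $q->param('NAME')) {
    # Form was posted: emit the Set-Cookie headers through header() itself.
    my @cookies = make_cookies($q, Name => $q->param('NAME'),
        Height => $q->param('HEIGHT') // '', Color => $q->param('COLOR') // '');
    print $q->header(-cookie => \@cookies), $q->start_html('Cookie Saved');
    print $q->p('Cookies set: ', join(', ', map { $_->name } @cookies));
} else {
    my $seen = read_cookies($q, qw(Name Height Color));
    print $q->header, $q->start_html('Read cookies');
    print $q->table({-border => 1},
                    map { $q->Tr($q->td([$_, $seen->{$_}])) } sort keys %$seen);
}
print $q->end_html;
```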



CGI vs Cookies
Trade-Off                     Cookies                                    Hidden Fields
Ease of Use                   Requires cookie string parsing and access  Requires form set up
Browser / Server Support      Not supported by all browsers / servers    Supported by all browsers / servers
Performance                   Slower – requires disk I/O                 Faster – implemented in RAM
Persistent Storage in client  Supported                                  Not supported
Availability                  Limits in length and number                No practical limitation



CGI Security
◼ Problem
◼ CGI scripts may intentionally or unintentionally leak information about the host system that will help hackers break in.
◼ Scripts that process form contents may be vulnerable to attacks in which the remote user tricks them into executing commands
◼ Always check scripts for known holes
◼ avoid giving out too much information
◼ never pass unchecked remote user input to a shell command or to the database
◼ Compiled scripts are usually safer than interpreted scripts
◼ Access Control
◼ Specify a directory for CGI scripts only (e.g., cgi-bin)
◼ Specify that all CGI scripts are a certain file type (e.g., .cgi)
◼ Restrict access to files
◼ If using server-side includes (SSI), disable the "exec" tag
◼ Queries submitted with POST don't usually appear in logs, while GET queries do
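The shell half of "never pass unchecked remote user input to a shell command or to the database", shown on the dictionary look-up form's "va" field from the earlier slides. This added example (not from the slides) uses Perl's taint mode and a whitelist, and runs the back end without a shell; the program /usr/bin/dict-lookup is a hypothetical stand-in, not something the slides name.

```perl
#!/usr/bin/perl -T
# Added example (not from the slides): "never pass unchecked remote user
# input to a shell command", applied to the dictionary look-up form's "va"
# field using Perl taint mode (-T) and a whitelist. The program
# /usr/bin/dict-lookup is a hypothetical stand-in for the real back end.
# When testing at a command prompt, run it as: perl -T thisscript.pl
use strict;
use warnings;
use CGI qw(:standard);

# Taint mode refuses to exec with an untrusted environment, so set it ourselves.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Accept only what a dictionary word can look like; everything else is
# rejected outright. The capture group is what untaints the value.
sub untaint_word {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z][A-Za-z'-]{0,39})\z/ ? $1 : undef;
}

# Run the back end with a list-form pipe open: the word is one argv element
# and no shell is involved, so shell metacharacters carry no meaning here.
sub lookup_word {
    my ($word) = @_;
    open(my $out, '-|', '/usr/bin/dict-lookup', $word)
        or die "cannot run lookup: $!";
    local $/;                 # slurp the whole reply
    my $text = <$out>;
    close $out;
    return $text // '';
}

my $word = untaint_word(param('va'));
print header('text/plain');
if (defined $word) {
    print lookup_word($word);
} else {
    # Generic message: say nothing about the host or the failure details.
    print "Please enter a single word.\n";
}
```

Under -T, passing param('va') to open() or system() without the regex capture dies with "Insecure dependency", which makes the missing check visible during testing rather than in production.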