
4/1/2004 3.0.1.3 - Introduction to CGI 1

3.0.1.3 – Introduction to CGI

3.0.1.3 Introduction to CGI – Session 1

· Introduction to CGI:
· HTML elements
· Sending data: GET vs POST
· CGI.pm module
· Setting up a CGI script


CGI: Common Gateway Interface

CGI definition:

Don't get confused with other CGIs: this CGI stands for Common Gateway Interface and is designed to let a web server run external programs to handle requests.

The other kind of CGI: computer-generated image (we are going to discuss a totally different CGI!)

NOT THIS CGI!


Support of CGI for computer programming languages

Languages other than Perl that may be used for CGI:

• Unix sh
• ksh
• csh
• C

Alternatives to CGI:

• ASP (Microsoft)
• PHP
• ColdFusion
• Java Servlets/JSP
• FastCGI
• mod_perl


Where you can see CGI at work

A wide range of government, scientific and commercial websites use CGI.


HTML stuff

URLs

HTTP request methods:

· GET: ask the server for a resource
· HEAD: used as GET, but returns only the HTTP headers
· POST: instructs the server to modify the information on the server
· PUT: ask the server to create or replace a resource on the server
· DELETE: ask the server to delete a resource on the server
· CONNECT: used to allow a secure SSL connection to tunnel through HTTP
· OPTIONS: ask the server to list the request methods available for a resource
· TRACE: ask the server to echo back the request headers as it receives them

Parts of a URL:

http://www.bcgsc.ca:80/cgi-bin/sagesoma.cgi?org=human&mode=2

· Protocol: http
· Host: www.bcgsc.ca
· Port: 80
· Path: /cgi-bin/sagesoma.cgi
· Query: org=human&mode=2
· Fragment: none in this example


Forms on the Web

· Form tags:

· <FORM ACTION="/cgi/register.cgi" METHOD="POST">   Starts the form

· <INPUT TYPE="text" NAME="name" VALUE="value" SIZE="size">   Text field

· <INPUT TYPE="hidden" NAME="name" VALUE="value">   Hidden field

· <INPUT TYPE="checkbox" NAME="name" VALUE="value">   Checkbox

· <INPUT TYPE="submit" NAME="name" VALUE="value">   Submit button


Two examples of using GET and POST

Using POST:

<HTML><HEAD><TITLE>Testing CGI</TITLE></HEAD>
<BODY>
<FORM NAME="Customer_id" ACTION="myURL/survey.cgi" METHOD="POST">
Your Name: <INPUT TYPE="TEXT" NAME="f_name"><BR>
<INPUT TYPE="SUBMIT" NAME="send" VALUE="Send Info">
</FORM>
</BODY></HTML>

Using GET:

<HTML><HEAD><TITLE>Testing CGI</TITLE></HEAD>
<BODY>
<FORM NAME="weather_report" ACTION="myURL/report.cgi" METHOD="GET">
Weather Report:
<INPUT TYPE="RADIO" NAME="city" VALUE="Vancouver">Vancouver<BR>
<INPUT TYPE="RADIO" NAME="city" VALUE="Burnaby">Burnaby<BR>
<INPUT TYPE="RADIO" NAME="city" VALUE="Coquitlam">Coquitlam<BR>
<INPUT TYPE="SUBMIT" NAME="send" VALUE="Get Info">
</FORM>
</BODY></HTML>


GET vs POST

· GET:
· The most common HTTP request. Used to retrieve information from the server; it has no body and passes the request inside the URL
· Clicking on a hyperlink
· Typing a location into the browser's URL box
· Clicking on a bookmark

· POST:
· Used to submit information which alters data on the server (the data is passed to the script through STDIN)
· May also be used for just retrieving information

"POST is more secure than GET because it doesn't pass data inside the URL and therefore users cannot modify this data": not true, as it is just as legal to construct URLs and pass information with POST

The resources received via POST cannot be bookmarked or hyperlinked (and this is preferred behaviour)
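As an added example (not from the slides), the following core-Perl script shows where a CGI program actually gets its data under each method: for GET the web server places the query in the QUERY_STRING environment variable; for POST the same form-encoded text is the request body, read from STDIN, with its size in CONTENT_LENGTH. Both arrive as the same application/x-www-form-urlencoded bytes, which is why a POST body is exactly as user-controlled as a query string. The request and environment values are constructed inline so it runs without a web server, and url_decode, parse_form and read_form_data are names chosen here, not CGI.pm functions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one form-encoded token: '+' is a space, %XX is a byte.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Parse "a=1&b=2&b=3" into a hash of array refs; a name may repeat
# (a checkbox group sends one pair per ticked box).
sub parse_form {
    my ($raw) = @_;
    my %params;
    for my $pair (split /[&;]/, $raw) {
        next if $pair eq '';
        my ($name, $value) = split /=/, $pair, 2;
        $value = '' unless defined $value;
        push @{ $params{ url_decode($name) } }, url_decode($value);
    }
    return \%params;
}

# Fetch the raw form data the way a CGI library does, based on REQUEST_METHOD.
# $env is the server-supplied environment; $in is the handle carrying a POST
# body (STDIN under a real server).
sub read_form_data {
    my ($env, $in) = @_;
    my $method = uc($env->{REQUEST_METHOD} || 'GET');
    if ($method eq 'POST') {
        my $len = $env->{CONTENT_LENGTH};
        die "POST without a numeric CONTENT_LENGTH\n"
            unless defined $len && $len =~ /\A\d+\z/;
        die "request body too large\n" if $len > 1_000_000;   # cap what we read
        my $body = '';
        my $got = read($in, $body, $len);
        die "short read: expected $len bytes\n" unless defined $got && $got == $len;
        return $body;
    }
    return defined $env->{QUERY_STRING} ? $env->{QUERY_STRING} : '';
}

# Constructed submission: two city values (as a checkbox group would send)
# and a name containing a space ('+') and a '!' ('%21'). Sent once per method.
my $form = 'city=Vancouver&f_name=Frodo+Baggins%21&city=Burnaby';

# GET: the data rides in the URL, so the server hands it over as QUERY_STRING.
my %get_env = (REQUEST_METHOD => 'GET', QUERY_STRING => $form);
my $via_get = parse_form(read_form_data(\%get_env, \*STDIN));

# POST: the very same bytes are the request body; simulate STDIN with an
# in-memory filehandle.
open my $body, '<', \$form or die "cannot open in-memory body: $!";
my %post_env = (REQUEST_METHOD => 'POST', CONTENT_LENGTH => length $form);
my $via_post = parse_form(read_form_data(\%post_env, $body));

for my $case ([GET => $via_get], [POST => $via_post]) {
    my ($label, $p) = @$case;
    print "$label:\n";
    print "  $_ = ", join(', ', @{ $p->{$_} }), "\n" for sort keys %$p;
}
```

Run it with `perl get_vs_post.pl`; both blocks print identical parameters (city = Vancouver, Burnaby and f_name = Frodo Baggins!), which is the slide's point about the "POST is more secure" myth in concrete form. The CONTENT_LENGTH checks matter in a real script because that header is as much client input as the body it describes.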


CGI.pm module: Why Perl?

· Why is Perl good for writing CGI applications?

· Multiple OS support
· Interpreted language: no need to recompile
· Great set of features (arguably the best regular expressions)
· Short development time
· May be used for full-scale backend support


Namespace of your script and CGI.pm

use CGI;
use CGI qw(:standard);

Import tags:

· :cgi  Import all CGI-handling methods, such as param(), path_info() and the like.

· :form  Import all fill-out form generating methods, such as textfield().

· :html2  Import all methods that generate HTML 2.0 standard elements.

· :html3  Import all methods that generate HTML 3.0 proposed elements (such as <table>, <super> and <sub>).

· :netscape  Import all methods that generate Netscape-specific HTML extensions.

· :html  Import all HTML-generating shortcuts (i.e. 'html2' + 'html3' + 'netscape').

· :standard  Import the "standard" features: 'html2', 'html3', 'form' and 'cgi'.

· :all  Import all the available methods. For the full list, see the CGI.pm code, where the variable %EXPORT_TAGS is defined.


Ways to generate HTML code: as always, more than one

Using here-document printing:

#!/usr/local/bin/perl -wT
use strict;

print "Content-type: text/html\n\n";   # CGI output must begin with the HTTP header
print <<HTML;
<HTML><HEAD><TITLE>Test HTML page</TITLE></HEAD>
<BODY><H1>Some Really Huge Letters</H1><BR></BODY></HTML>
HTML

Or object-oriented CGI:

#!/usr/local/bin/perl -wT
use strict;
use CGI;

my $q = CGI->new;
print $q->header("text/html"),
      $q->start_html("Test HTML page"),
      $q->h1("Some Really Huge Letters"),
      $q->br,
      $q->end_html;


Using CGI.pm: basic syntax

· Standard HTML elements

· Printing tags without closing tags:

print $q->br;

Generates: <BR>

· Printing opening and closing tags:

print $q->p("This is a paragraph");

Generates: <P>This is a paragraph</P>

print $q->p("My homepage is", $q->em($q->server_name));

Generates: <P>My homepage is <EM>localhost</EM></P>

· Setting attributes for an HTML element:

print $q->a({-href => "/downloads"}, "Download Area");

Generates: <A HREF="/downloads">Download Area</A>


Using CGI.pm: basic syntax

· Printing lists:

print $q->ol($q->li(["First", "Second", "Third"]));

Generates:
<OL> <LI>First</LI> <LI>Second</LI> <LI>Third</LI></OL>

· More complex example:

print $q->table({-border => 1, -width => "100%"},
    $q->Tr([
        $q->th({-bgcolor => "#cccccc"}, ["Name", "Occupation"]),
        $q->td(["Frodo", "Hobbit"]),
        $q->td(["Gandalf", "Wizard"]),
        $q->td(["Gollum", "Frodo's friend"]),
    ])
);

Generates:
<TABLE BORDER="1" WIDTH="100%">
<TR> <TH BGCOLOR="#cccccc">Name</TH> <TH BGCOLOR="#cccccc">Occupation</TH></TR>
<TR> <TD>Frodo</TD> <TD>Hobbit</TD></TR>
<TR> <TD>Gandalf</TD> <TD>Wizard</TD></TR>
<TR> <TD>Gollum</TD> <TD>Frodo's friend</TD></TR>
</TABLE>


CGI.pm syntax allows you to do new things easily

· Expandability

print $q->header(-type => 'text/html', -cost => 'Three smackers', -annoyance_level => 'high', -complaints_to => 'bit bucket');

· This will produce the following nonstandard HTTP header:

HTTP/1.0 200 OK
Cost: Three smackers
Annoyance-level: high
Complaints-to: bit bucket
Content-type: text/html


Form tags in CGI.pm

· The syntax for forms in CGI.pm is different from the syntax for other elements

· start_form  <FORM>
· end_form  </FORM>
· textfield  <INPUT TYPE="TEXT">
· password_field  <INPUT TYPE="PASSWORD">
· filefield  <INPUT TYPE="FILE">
· button  <INPUT TYPE="BUTTON">
· submit  <INPUT TYPE="SUBMIT">
· radio_group  <INPUT TYPE="RADIO">
· textarea  <TEXTAREA>

...
my $q = CGI->new;
print $q->textfield(-name => "username", -default => "Anonymous");

Generates: <INPUT TYPE="TEXT" NAME="username" VALUE="Anonymous">


Tainted data

· Examples:

($foo) = @ARGV;        Tainted (came from outside)
$bar = $foo;           Tainted (because $foo is tainted)
$file = <FOO>;         Tainted (obtained with the <> operator)
$foo = "Hello";        OK, as we set $foo inside the script

· Potentially dangerous things:

unlink $foo;           Insecure
open(FOO, "$foo");     OK, as it is read-only access
exec "cat $foo";       Insecure, as it uses a sub-shell
exec "cat", $foo;      OK, as we do not use the shell


Using the Carp module: your scripts will leave a suicide note

· Using the Perl -T option:
· The -T option instructs Perl to monitor data that could potentially be used in code or modify something outside the script. Data considered to be tainted:

· Command-line arguments
· File input
· Various system calls
· Environment variables

· Carp module:
· Catches fatal calls and shows the messages in the browser

· use CGI::Carp qw(fatalsToBrowser);
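The two taint slides above explain the rule; the following added example (not from the slides) shows what -T actually does at run time and how tainted data is laundered. One caveat it makes visible: the list form of system()/exec() avoids /bin/sh, as the slide says, but taint mode still refuses a tainted argument even in list form, so the value must be untainted first. The script assumes a Unix system with /bin/echo and is run as `perl -T taint_demo.pl report.txt`; untaint_filename is a name chosen here.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Added example, not from the slides. Run as:   perl -T taint_demo.pl report.txt
# then again with '../etc/passwd' or 'a;id' to watch the whitelist refuse them.

# Anything that reaches system()/exec() under -T also needs a clean PATH,
# otherwise Perl dies with "Insecure $ENV{PATH}". Do this before any call out.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Whitelist untainting. A capture from a regex match is the one way Perl lets
# data shed its taint, so the pattern IS the security decision: a plain
# basename (no '/', no leading '.' or '-', no shell metacharacters), max 64 chars.
sub untaint_filename {
    my ($name) = @_;
    return
        unless defined $name && $name =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return $1;
}

my ($requested) = @ARGV;                    # command-line data is tainted
die "usage: perl -T $0 FILENAME\n" unless defined $requested;

print "input '$requested' tainted: ", (tainted($requested) ? 'yes' : 'no'), "\n";

# 1. The list form of system() never goes through /bin/sh (the slide's point
#    about exec "cat", $foo), but taint mode still refuses a tainted argument,
#    so this call dies; eval turns the fatal error into a printable message.
my $ran = eval { system('/bin/echo', 'processing', $requested); 1 };
print "system() with the tainted value: ", ($ran ? "ran\n" : "refused: $@");

# 2. Launder through the whitelist and try again.
my $safe = untaint_filename($requested);
if (!defined $safe) {
    print "rejected: '$requested' is not a plain filename\n";
    exit 1;
}
print "laundered '$safe' tainted: ", (tainted($safe) ? 'yes' : 'no'), "\n";
system('/bin/echo', 'processing', $safe) == 0 or die "echo failed: $?\n";

# 3. Reading is permitted even with the tainted name (previous slide), but the
#    three-argument open pins the mode, so the value can never be taken as
#    '>file' or 'cmd|'. Writing or unlink still require the laundered copy.
if (open my $fh, '<', $safe) {
    printf "opened '%s' for reading (%d bytes)\n", $safe, -s $fh;
    close $fh;
} else {
    print "could not open '$safe' for reading: $!\n";
}
```

Because -T sits on the #! line, Perl insists it also be given on the command line, which is why the usage line says `perl -T`. The regex is deliberately a whitelist of what a filename may contain rather than a blacklist of bad characters; a blacklist is exactly what -T cannot check for you.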


Complaining in your browser window

· No Carp:

[an error occurred while processing this directive]
Internal Server Error
If you did not expect this error contact our webmaster. This error is due to either a script or server misconfiguration.
[an error occurred while processing this directive]

· With CGI::Carp qw(fatalsToBrowser):

Software error:
syntax error at /usr/local/web/apache/cgi-bin/intranet/people/pruzanov/quicktests/test2.cgi line 15, near "Name:"
Execution of /usr/local/web/apache/cgi-bin/intranet/people/pruzanov/quicktests/test2.cgi aborted due to compilation errors.
For help, please send mail to the webmaster ([email protected]), giving this error message and the time and date of the error.


Getting values into the script: param()

· param() takes the name of a form variable and returns the value of that variable

· Source of a test.cgi script:

#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);

print header;
print start_html(-title => "Testing CGI");
print "Your name is " . param('Y_name') . "<BR>";
print end_html;


Say Hello to World

Source of form_test.html:

<html>
<head> <title>Form Tester</title> </head>
<body>
<br>
<form name="test" action="../cgi-bin/quicktests/test.cgi" method="POST">
Enter Your name: <input type="TEXT" name="Y_name" value="Enter Your name"> <br> <br>
<input type="SUBMIT" name="Send_it" value="Send">
</form>
</body></html>

Output: (screenshot)

Note that we are using POST here. GET, however, will work in this situation just as well.


Using CGI to process an HTML form

· CGI.pm at work: (screenshots)

Here we are typing in some name

At this point we are pressing 'Send'


Self-processing script

· Doing it all at once in one place:

#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);
use CGI::Carp qw(fatalsToBrowser);

print header;
print start_html(-title => "Testing CGI");
if (my $name = param('Y_name')) {
    print "Your name is " . $name . "<BR>";
}
else {
    print start_form(-name => "test", -action => "", -method => "post"),
          textfield(-name => "Y_name", -default => "Enter Your name"),
          submit(-name => "Send_it", -value => "Send"),
          end_form;
}
print end_html;

That is what we see when the script first starts (screenshot)

That is what we see when we pass a name to THE VERY SAME script (screenshot)
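The slides' test.cgi and the self-processing script above print param('Y_name') straight into the page. As an added example (not the slides' code), here is the same self-processing form with the two checks a deployed version needs: the submitted value is validated against a whitelist, which under -T also untaints it, and anything echoed back goes through CGI.pm's escapeHTML() so a submitted name cannot inject markup into the response. It assumes CGI.pm is installed from CPAN (it has not been part of core Perl since 5.22) and uses the object-oriented interface from the earlier slides; the parameter and field names are the slides' own.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;                               # assumption: CGI.pm from CPAN is installed
use CGI::Carp qw(fatalsToBrowser);

# Added example, not the slides' test2.cgi. Same self-processing shape:
# with no Y_name parameter it prints the form, otherwise the greeting.

$ENV{PATH} = '/usr/bin:/bin';          # -T: never leave a tainted PATH around

my $q = CGI->new;
print $q->header(-type => 'text/html', -charset => 'utf-8'),
      $q->start_html(-title => 'Testing CGI');

my $raw = $q->param('Y_name');

if (defined $raw && length $raw) {
    # Whitelist: a letter followed by up to 39 letters, spaces, apostrophes
    # or hyphens. The capture is also what untaints the value under -T.
    if ($raw =~ /\A([A-Za-z][A-Za-z' -]{0,39})\z/) {
        my $name = $1;                 # laundered copy
        print $q->p('Your name is ', $q->strong($q->escapeHTML($name)));
    } else {
        # Show what was rejected, but only in escaped form.
        print $q->p('That does not look like a name: ', $q->escapeHTML($raw));
    }
} else {
    # No -action given: CGI.pm points the form back at this script's own URL.
    print $q->start_form(-name => 'test', -method => 'post'),
          'Enter Your name: ',
          $q->textfield(-name => 'Y_name', -default => 'Enter Your name',
                        -size => 40, -maxlength => 40),
          $q->br,
          $q->submit(-name => 'Send_it', -value => 'Send'),
          $q->end_form;
}
print $q->end_html;
```

CGI.pm's command-line mode lets you exercise this without a web server: `perl -T self_form.cgi` prints the form, and `perl -T self_form.cgi Y_name='Frodo Baggins'` prints the greeting. Note the asymmetry: textfield() HTML-escapes its -default value for you, but a value you print yourself, as the slides' scripts do, is emitted verbatim unless you call escapeHTML() on it.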


HTML code produced by .cgi scripts:

· Output from test2.cgi:

<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US">
<head><title>Testing CGI</title></head>
<body>
<form method="post" action="" enctype="application/x-www-form-urlencoded" name="test">
Enter Your Name:<input type="text" name="Y_name" /><br />
<input type="submit" name="Send_it" value="Send" /><div></div>
</form>
</body></html>

· What we see in a browser: (screenshot)


3.0.1.3 Introduction to CGI – Session 1

· Common Gateway Interface

· CGI.pm usage:

· use POST to change data on a server
· use GET to get the data
· strict and Carp are good for CGI
· monitor your data with -T