Dr. Mark Humphrys

School of Computing. Dublin City University.



How to write a CGI script

A CGI script (or CGI program) is the simplest way to put a program online that remote users can send input to.
CGI is language independent.

The classic example would be a search engine.
A search box in a web page is implemented as a HTML Form in the HTML code for the page.
This passes its input to the remote CGI script for processing.
The CGI script displays its output as another, new web page.





The HTML form

To send input to the CGI script, you embed a HTML Form in your page, using code like this.
Here, the input fieldname is called "q".


<FORM METHOD="GET"
      ACTION="http://computing.dcu.ie/cgi-bin/humphrys/demo/min-cgi-script">
<b> Enter argument: </b> 
<INPUT size=40 name=q VALUE="">
<INPUT TYPE="submit" VALUE="Submit">
<INPUT TYPE="reset" VALUE="Reset">
</FORM>


The CGI script

Unlike PHP scripts, which are in users' normal public_html directories, CGI programs are normally put in a special directory called something like /cgi-bin.
Everything in this directory is treated by the server as a program to be run, not a file to be displayed.

The script will go in something like:
/htdocs/cgi-bin/USER/prog
/cgi-bin/USER/prog
(recall /htdocs)
Your path for where to put the script may vary.

The input comes in as the environment variable QUERY_STRING.
If there is a single argument, QUERY_STRING will be of the form: fieldname=actualargument
So we need to edit it to remove the fieldname= bit at the front.

The CGI script builds a web page dynamically, by outputting HTML tags to stdout. (In fact, the CGI script could output something other than a web page, e.g. an image. It tells the client what is coming using the Content-Type: HTTP header and a MIME type.)

The CGI script can be written in any language. I'll be writing it here in UNIX Shell.


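#!/bin/sh

# HTTP header, then a blank line to end the headers
echo "Content-type: text/html"
echo

echo '<html> <head> <title> CGI script </title> </head> <body>'

# strip the "q=" fieldname from the front of QUERY_STRING
argument=$(echo "$QUERY_STRING" | sed "s|^q=||")

# the input is written into the page unchecked (see Security)
echo "   QUERY_STRING is: <b> $QUERY_STRING </b> <br>"
echo "Actual argument is: <b> $argument     </b> <br>"

echo '</body> </html>'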






Security

I over-simplified above, as you will see if you try it out, and especially if you enter odd characters.

Remember that anyone may send any input whatsoever to your CGI script, including attempts to run commands on your system or attempts to upload spam.

Even echoing in a shell script (as above) may not be safe, since echo recognises some switches and special characters.

The safest thing to do (and what I do in fact on this server, though I don't show it to you) is to do some security pre-processing (I use C++) to check the input character by character, before proceeding with safe and checked input.
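
One way to do such a check in the Shell script itself, as an added example: this is not the C++ pre-processing used on this server, which the page does not show. It validates QUERY_STRING against an allowlist before any use and replaces echo with printf. The function names, the 64-character limit and the allowed character set are assumptions.

```sh
#!/bin/sh
# Added example: allowlist check of QUERY_STRING before it is used anywhere.
# MAX_LEN and the allowed character set are assumptions, not the page's values.
LC_ALL=C; export LC_ALL      # make A-Z, a-z, 0-9 mean exactly the ASCII ranges
MAX_LEN=64

# Print the checked argument and return 0, or print nothing and return 1.
safe_argument() {
    case $1 in
        q=*) arg=${1#q=} ;;      # strip the fieldname only at the very front
        *)   return 1 ;;         # fieldname missing or not first
    esac
    [ -n "$arg" ] || return 1                    # empty argument
    [ "${#arg}" -le "$MAX_LEN" ] || return 1     # over-long argument
    case $arg in
        -*) return 1 ;;                  # would read as a switch to echo or prog
        *[!A-Za-z0-9._+-]*) return 1 ;;  # some character is outside the allowlist
    esac
    # Forms send a space as '+'. Any other special character arrives as %XX
    # and was rejected above, because '%' is not in the allowlist.
    printf '%s' "$arg" | tr '+' ' '
}

# Build the response. printf '%s' treats the data as data: no switches, no escapes.
cgi_response() {
    printf 'Content-type: text/html\n\n'
    printf '<html> <head> <title> CGI script </title> </head> <body>\n'
    if argument=$(safe_argument "$1"); then
        printf 'Actual argument is: <b> %s </b> <br>\n' "$argument"
    else
        printf 'Input rejected. <br>\n'
    fi
    printf '</body> </html>\n'
}

# Act as a CGI program only when the web server has set QUERY_STRING.
if [ -n "${QUERY_STRING+set}" ]; then
    cgi_response "$QUERY_STRING"
fi
```

Anything run after this point, such as prog "$argument" in a wrapper, should be placed in the branch where the check succeeded.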



Putting an existing program online

Say I have an existing program written in C++. I want to put it online.

We could write the CGI script in C++, somehow combining it with our program source code. Or we could keep the Shell script as a wrapper, and make the last line of it:

prog "$argument"
where our C++ program writes HTML tags to stdout.
Or we could just do:
echo "<pre>"
prog "$argument"
echo "</pre>"
where the C++ program just writes its usual output to stdout.
This is what I use to put a Shell CGI wrapper round a Chaos Theory C++ program.






On Internet since 1987.