Netcom CGI Primer
Under Construction
Introduction
This document is intended to provide enough information, rules, and
guidelines to get your CGI script accepted for installation onto your web
site as fast as possible. It assumes a basic working knowledge of CGI
programming.
Examples of good and bad scripts and script fragments are provided in
Perl, but the concepts explained adapt equally well to other languages
such as C or TCL.
The most important thing to remember about the CGI scripts on your site
is that they reside outside your document root. This means that
their working directory is also outside your document root. Therefore,
any files read or written by your script must use pathnames
beneath the directory named by the DOCUMENT_ROOT environment variable.
Rules & Guidelines
The following rules must be observed:
- We will accept scripts written in Perl, C and Tcl. Perl is strongly
preferred.
If you are using C, you must verify that it compiles on at least one Unix
implementation. We cannot accept C source code which has been tested only
on Microsoft Windows, nor can we accept executable programs - C source
must be supplied. You should also be aware that due to the extra complexity of
checking C programs, approval is likely to take significantly longer than
Perl scripts.
- If your CGI will read or write data files on your site, those files
must be within your document root. Your document root directory
is available to your CGI as the environment variable DOCUMENT_ROOT.
Here is a well-behaved Perl script fragment:
$filename = "$ENV{'DOCUMENT_ROOT'}/subdir/file.txt";
open(FP, $filename) or die;
# do some work...
close(FP);
However, this script fragment will not be accepted:
# No good - this file is not within your document root
$filename = "file.txt";
open(FP, $filename) or die;
# do some work...
close(FP);
- The path to all of your CGI scripts when called from an HTML form (or
directly from a Web browser) is /bin/cgi. For example, if your script is
called myscript, you would use a line like the following in your
HTML:
<form method="post" action="/bin/cgi/myscript">
- All external programs must be called via a full pathname. E.g. you should
call /usr/lib/sendmail to send a message, not just sendmail. A list of the correct paths on our system for commonly used programs is
supplied in the next section.
- If your CGI generates HTML output which refers to pages or images within
your website, it must use absolute paths to the page or image. For example,
suppose you have an image called button.gif in a subdirectory called
images/ on your website. This script fragment will produce the
correct HTML:
print '<img src="/images/button.gif">';
but this fragment is wrong:
# this will lead to a broken image icon!
print '<img src="images/button.gif">';
- If you are passing form arguments to external programs, you must
check all of the arguments for special shell
characters and either escape or remove them. Failing to do so is a common
security hole in CGI scripts. The following are considered to be dangerous characters:
& ; ` ' \ " | * ? ~ < > ^ ( ) [ ] { } $ \r \n
(\r and \n are carriage-return and newline, respectively)
- Perl scripts must conform to the Perl5 syntax - scripts which use
Perl4-only constructs (these are rare) cannot be accepted. The most common
problem here is an unescaped '@' character inside a double-quoted string;
this was fine in Perl4, but in Perl5 it must be escaped. E.g.:
$address = "someone\@somewhere.com"; # Fine
$address = "someone@somewhere.com"; # BAD!
If you have access to Perl5 on your local machine, you can (and should) check
your script with the following command:
perl -c -w scriptname
(-c means to check the script for syntax without executing it, and
-w means to warn about dubious syntax which may cause subtle errors)
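The rule above about dangerous characters in form arguments, shown as an added example (it is not part of the original primer). The sub names and the sample form values are assumptions made up for illustration; the character list is the one given in this document.

```perl
#!/usr/local/bin/perl -w
# Added example: filters form values against this primer's dangerous-character list.
use strict;

# & ; ` ' \ " | * ? ~ < > ^ ( ) [ ] { } $ \r \n
my $DANGEROUS = qr/[&;`'\\"|*?~<>^()\[\]{}\$\r\n]/;

# Policy 1: refuse the value outright if any dangerous character is present.
sub is_clean {
    my ($value) = @_;
    return $value !~ $DANGEROUS;
}

# Policy 2: remove every dangerous character.
sub strip_meta {
    my ($value) = @_;
    $value =~ s/$DANGEROUS//g;
    return $value;
}

# Policy 3: backslash-escape them. CR and LF are removed first, because a
# line break inside an argument cannot be escaped in a useful way.
sub escape_meta {
    my ($value) = @_;
    $value =~ s/[\r\n]//g;
    $value =~ s/($DANGEROUS)/\\$1/g;
    return $value;
}

# Constructed sample form values (hypothetical, not from a real request).
my @samples = (
    'Order enquiry 42',
    'Tom & Jerry; "quoted" | piped',
    "first line\r\nsecond line",
    'cost is $5 (approx) [see *notes*]',
);

for my $raw (@samples) {
    (my $shown = $raw) =~ s/\r/\\r/g;   # make CR/LF visible in the output
    $shown =~ s/\n/\\n/g;
    print "raw:      $shown\n";
    print "clean?    ", (is_clean($raw) ? "yes" : "no"), "\n";
    print "stripped: ", strip_meta($raw), "\n";
    print "escaped:  ", escape_meta($raw), "\n\n";
}
```

Where the external program takes the value as an argument, Perl's list form of system (program pathname and each argument as separate list elements) hands the value to the program without a shell parsing it; the filtering above is still worth keeping as a second check.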
Paths to Common Programs
- Perl5 is /usr/local/bin/perl
- Sendmail is /usr/lib/sendmail
- cp is /bin/cp
If you need to run programs other than the above, please contact
submit-cgi@corp.netcom.net.uk to
discuss your requirements.
Useful Perl Modules
In addition to the standard Perl5 module library, we've installed some extra
modules which you may find useful in your CGIs:
- cgi-lib.pl - old & simple CGI parsing routines
- CGI.pm - very powerful & complex object-oriented CGI module
- CGI-Lite.pm - lightweight, but very useful, object-oriented CGI module
- GD.pm - Perl interface to the GD graphics library, allowing GIF images to be generated on-the-fly
- GIFgraph.pm - allows graphs to be drawn and output in GIF format
Documentation for the above modules is available from the CPAN
(Comprehensive Perl Archive Network).
If you have written a CGI which requires modules other than the modules in
the core Perl5 distribution, or in the list above, please contact
submit-cgi@corp.netcom.net.uk to
discuss your requirements.