1 CGI with perl

2 References
Perl tutorials and references:
CGI:
The links below will give you information on creating a webpage, using Perl, CGI scripts and general information about the SCU Engineering Design Center.
For webpage information:
Perl info:
For general help:
SCU Engineering Design Center:

3 CGI Scripts
CGI is a standard interface that sits between the web browser (client) and the web server. When the browser makes a request of the server, all of the request details flow into the server through the input interface of the CGI. When the server responds, its output is channelled back to the browser through the CGI interface. A CGI program generates a web page. If you are writing a CGI that is going to generate an HTML page, you must print the content header before you print anything else:
    print "Content-type:text/html\n\n";

4 Sending back environmental information
You can print out all of the environment variables. Example:
#!/usr/bin/perl
print "Content-type:text/html\n\n";
print "<html><body><pre>\n";        # tags reconstructed; the slide's markup was not preserved
print "Print Environment Variables\n";
# note: this reveals server paths and software versions to anyone who can reach the script
foreach $key (sort(keys %ENV)) {
    print "$key = $ENV{$key}\n";
}
print "</pre></body></html>\n";

5 Some Environment Variables
DOCUMENT_ROOT: The root directory of your server
HTTP_COOKIE: The visitor's cookie, if one is set
HTTP_HOST: The hostname of your server
HTTP_REFERER: The URL of the page that called your script
HTTP_USER_AGENT: The browser type of the visitor
HTTPS: "on" if the script is being called through a secure server
PATH: The system path your server is running under
QUERY_STRING: The part of the request URL after the "?" (the form data of a GET request)
REMOTE_ADDR: The IP address of the visitor
REMOTE_HOST: The hostname of the visitor

6 Some Environment Variables
REMOTE_USER: The visitor's username (for .htaccess-protected pages)
REQUEST_METHOD: GET or POST
REQUEST_URI: The interpreted pathname of the requested document or CGI (relative to the document root)
SCRIPT_FILENAME: The full pathname of the current CGI
SCRIPT_NAME: The interpreted pathname of the current CGI (relative to the document root)
SERVER_ADMIN: The address for your server's webmaster
SERVER_NAME: Your server's fully qualified domain name
SERVER_PORT: The port number your server is listening on
SERVER_SOFTWARE: The server software you're using (such as Apache 1.3)

7 Generating an HTML page
$title = "A Table of Doubles";
$rows  = 10;
print "Content-Type: text/html\n\n";
print header();
print body();

sub header {
    # HTML tags below are reconstructed; the slide's markup was not preserved
    return qq{<html>\n<head>\n<title>$title</title>\n</head>\n};
}

sub body {
    $body = qq{<body>\n<h1>$title</h1>\n<table>\n};
    for $val (1 .. $rows) {
        $body .= qq{<tr><td>Row $val</td>};
        $body .= qq{<td>};
        $body .= $val * 2;
        $body .= qq{</td></tr>\n};
    }
    $body .= qq{</table>\n</body>\n</html>\n};
    return $body;
}

8 Showing a stored HTML file
print "Content-Type: text/html\n\n";
open HTML_FILE, "show.html" or die $!;
while (<HTML_FILE>) {
    print;
}
close HTML_FILE;

9 Showing a stored HTML file after editing
print "Content-Type: text/html\n\n";
open HTML_FILE, "show.htm" or die $!;
while (<HTML_FILE>) {
    # replace the page title; the tag name is assumed, the slide's markup was not preserved
    s/(<title>)(.*?)(<\/title>)/$1Test$3/;
    print;
}
close HTML_FILE;

10 Showing a stored HTML file after editing with data from __DATA__
print "Content-Type: text/html\n\n";
# DATA is a built-in filehandle that reads the lines following __DATA__ in this file
for (<DATA>) {
    next if /^$/;                    # skip blank lines
    print "line: $_\n";
    ($key, $value) = split /,/;
    chomp $value;
    $hyperlink{$key} = $value;
}
open HTML, "show.htm" or die $!;
while (<HTML>) {
    for $key (keys %hyperlink) {
        # wrap each keyword in a link; the anchor tag is assumed, the slide's markup was not preserved
        s/\s$key\s/ <a href="$hyperlink{$key}">$key<\/a> /;
    }
    print;
}
close HTML;
# two underscores, DATA, two underscores; the URLs below are placeholders, the slide's own were not preserved
__DATA__
homesite,http://www.example.com/home
worksite,http://www.example.com/work

11 Processing Form data
Most forms you create will send their data using the POST method. POST is more secure than GET, since the data isn't sent as part of the URL, and you can send more data with POST. Your web server, when sending form data to your CGI, encodes the data being sent. Alphanumeric characters are sent as themselves; spaces are converted to plus signs (+); other characters (tabs, quotes, etc.) are converted to "%HH", a percent sign and two hexadecimal digits representing the ASCII code of the character. This is called URL encoding. Here is a table of some commonly encoded characters:

Normal Character    URL Encoded String
\t (tab)            %09
\n (return)         %0A
/                   %2F
~                   %7E
:                   %3A
;                   %3B
@                   %40
&                   %26

In order to do anything useful with the data, your CGI must decode these.

12 Processing Form Data
Suppose you are using a simple HTML form with the following fields (the form markup was not preserved on the slide):
    Your Name:
    Address:
    Favorite Color:

13 Parsing a Query - Example 1
#!/usr/bin/perl
print "Content-type:text/html\n\n";
# read the POST body; CONTENT_LENGTH tells us how many bytes to expect
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    # Decoding the data
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $FORM{$name} = $value;
}
# HTML tags below are reconstructed; the slide's markup was not preserved
print "<html><body>\n<h1>Form Output</h1>\n";
print "Results from FORM post<br>\n";
foreach $key (keys(%FORM)) {
    # note: the values are echoed back to the browser without HTML escaping
    print "$key = $FORM{$key}<br>\n";
}
print "</body></html>\n";

14 Getting Data from files
Your CGI program may need to access data from a database. Let us assume the data is in a flat text file. You should change the permissions on the file appropriately for the program to read (or write to) the file. In order to write to a data file, you must usually make it world-writable, via the chmod command:
    chmod 766 myfile.dat
In order to just read from a data file, set the permissions as:
    chmod 764 myfile.dat

15 File Locking
For many purposes, simple file operations suffice: a file is opened, read from or written to, and then closed. In single-user applications there is no danger of overwriting data or corrupting a data file. However, when writing multi-user applications, this is not the case. Because we are working with CGI programs, you must also consider the fact that many copies of your script may be running all at once, each trying to get hold of your text file for reading, writing, or updating. To prevent this from happening, you must lock your file while it is open. Locking a file ensures that no other script may tamper with its contents (or even read the file, if it is locked exclusively) while it is locked. To lock a file, use the flock() command. The flock() command takes two parameters: the FILEHANDLE you wish to lock and the type of locking you wish to do. The two versions most commonly used in CGI scripts are
    flock(FILEHANDLE, 2) or die "cannot lock file exclusively: $!";
and
    flock(FILEHANDLE, 8) or die "cannot unlock file: $!";
The lock will be released when your script finishes running, allowing the next CGI to access the file.

16 Reading From and Writing To Files File Locking CGI processes on a Unix web server can run simultaneously, and if two scripts try to open and write the same file at the same time, the file may be erased, and you'll lose all of your data. To prevent this, we use flock(FILEH,2) to exclusively lock the file while we are writing to it. (The 2 means exclusive lock.) The lock will be released when your script finishes running, allowing the next CGI to access the file.

17 Reading From and Writing To Files
File Locking
Since flock may force the CGI to wait for another CGI to finish writing to a file, you should also reset the file pointer, using the seek function:
    seek(FILEH, offset, filePosition);
offset is the number of lines to move the pointer, relative to filePosition, which is one of the following:
    0  beginning of file
    1  current file position
    2  end of file
So, a seek(FILEH,0,2) ensures that you start writing at the very end of the file. If you were reading the file instead of writing to it, you'd want to do a seek(FILEH,0,0) to reset the pointer to the beginning of the file. Note that flock is not supported on all systems (definitely not on Windows).

18 Example
#!/usr/bin/perl
print "Content-type: text/html\n\n";
# %dataFromForm is assumed to have been filled by a form parser such as the one on slide 13
$comments = $dataFromForm{'comments'};
open(LOGFILE, ">>../logfile") || die "$!";
flock(LOGFILE, 2);            # exclusive access lock
print LOGFILE "$comments\n";
flock(LOGFILE, 8);            # release the file
close(LOGFILE);

19 Example
#!/usr/bin/perl
print "Content-type: text/html\n\n";
$myfile    = "friends.txt";
$newfriend = $ENV{'QUERY_STRING'};   # the slide reads QUERY_INFO, which is not a CGI variable
open(MYFILE, "$myfile") || die;
flock(MYFILE, 1);                    # shared (read) lock
while (<MYFILE>) {
    # \Q...\E so that regex metacharacters in the query string are matched literally
    if (m/^\Q$newfriend\E$/) {
        print "You are already on the list!\n";
        exit;
    }
    push(@friends, $_);              # keep the existing entries for the rewrite below
}
close(MYFILE);
# the handling of the list between the two opens was not preserved on the slide and is reconstructed here
push(@friends, "$newfriend\n");
open(MYFILE, "+< $myfile") || die;
flock(MYFILE, 2);                    # exclusive lock
seek(MYFILE, 0, 0);
truncate(MYFILE, 0);
print MYFILE @friends;
close(MYFILE);
print "You are in my list, $newfriend!\n";
exit;
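Slides 15 to 19 take a shared lock to check the list and a separate exclusive lock to rewrite it, which leaves a gap between the check and the write. The following is an added example (not from the slides) that does the same job under one exclusive lock held across both the read and the append, runs under -T, and untaints the name before it touches the file. The query-string field, the file name friends.txt and the accepted-name pattern are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the slides): the "friends list" of slide 19 done
# under a single exclusive lock.  Assumptions: the name arrives as the
# query string (GET) and the list lives in friends.txt next to the script.
use strict;
use warnings;
use Fcntl qw(:flock :seek);

$ENV{PATH} = '/bin:/usr/bin';          # taint mode needs a trusted PATH

# Decode a URL-encoded string: '+' becomes space, %HH becomes the byte.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/eg;
    return $s;
}

# Returns "added", "present" or "invalid".  Holding LOCK_EX for both the
# read and the append removes the window that slide 19 leaves between its
# shared-lock check and its exclusive-lock rewrite.
sub add_friend {
    my ($file, $name) = @_;
    # Untaint: only a capture from a regex match clears the taint flag.
    return 'invalid' unless $name =~ /^([A-Za-z][A-Za-z0-9 .'-]{0,39})$/;
    $name = $1;
    open(my $fh, '+<', $file) or die "cannot open $file: $!";
    flock($fh, LOCK_EX)       or die "cannot lock $file: $!";
    while (my $line = <$fh>) {
        chomp $line;
        if ($line eq $name) { close($fh); return 'present'; }
    }
    # The read loop consumed the file, so the handle is at EOF; seek makes
    # the append position explicit rather than relying on that.
    seek($fh, 0, SEEK_END) or die "cannot seek: $!";
    print $fh "$name\n";
    close($fh) or die "cannot close $file: $!";   # close releases the lock
    return 'added';
}

my $newfriend = url_decode(defined $ENV{QUERY_STRING} ? $ENV{QUERY_STRING} : '');
my $result    = add_friend('friends.txt', $newfriend);

print "Content-type: text/plain\n\n";
if    ($result eq 'added')   { print "You are in my list, $newfriend!\n" }
elsif ($result eq 'present') { print "You are already on the list!\n"    }
else                         { print "That name is not accepted.\n"      }
```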

20 Sending mail
#!/usr/bin/perl
print "Content-type: text/html\n\n";
$to       = $dataFromForm{'to'};       # note: taken straight from the form; see the rules on slide 26
$from     = $dataFromForm{'from'};
$subject  = $dataFromForm{'subject'};
$contents = $dataFromForm{'contents'};
open(MAIL, "|/usr/bin/sendmail -t") || &Errors;
print MAIL "To: $to\n";
# ... the remaining headers (From:, Subject:) and the message body go here
close(MAIL);

sub Errors {
    print "Errors, exiting\n";
    exit;
}

21 CGI.pm
CGI.pm is a Perl module developed specifically for writing CGI code. It performs the tasks of reading user input, creating forms, handling cookies, handling redirection, and more. It is a very useful module written using object-oriented constructs. CGI.pm is part of the standard Perl library (since version 5.004). Some references: CGI.pm homepage:

22 CGI.pm
CGI.pm can be used in a function-oriented mode or an object-oriented mode. It comes with many methods that generate the basic components of an HTML page. Example:
#!/usr/bin/perl
use CGI qw(:standard);
print header();
print start_html();
print "Body goes here";
print br();
print end_html();

23 Example
#!/usr/bin/perl
# this is script.cgi - accepts form input and displays a welcome message
use CGI qw(:all);
# if param() returns a result, it means that the form has been submitted
if (param()) {
    print header(), start_html(), "Hello, " . param('fname'), end_html();
}

24 Example
else {
    # display a form to get the name etc.
    print header();
    print start_html(-title=>'Personal Information');
    print start_form(-method=>'post', -action=>'myscript.cgi');
    # text field
    print "First name: " . textfield(-name=>'fname');
    print br();
    # ...
}

25 Using CGI.pm in object-oriented mode
#!/usr/bin/perl
use CGI;
# create a new CGI object
$regform = new CGI;
if ($regform->param()) {
    print $regform->header(), $regform->start_html(), "Hello, " . $regform->param('fname'), $regform->end_html();
} else {
    print $regform->header();
    print $regform->start_html(-title=>'Personal Information');
    print $regform->start_form(-method=>'post', -action=>'myscript.cgi');
    # ...
}

26 CGI Security
If a CGI program is not carefully constructed, a malicious user may use it for unintended purposes. Some rules:
– Do not execute any command with arguments that come straight from a query string.
– The query string should be checked first for any special characters, if it is to be used as an argument to a command.
– Before passing a visitor's input to a command, use a regular expression to check and ensure that the input looks the way it should.
– Use "taint checking" (the -T switch) before running any system commands or writing to local files.

27 Example
#!/usr/bin/perl
$cameFrom = $ENV{'HTTP_REFERER'};
print "Content-type: text/html\n\n";
# the URL on the slide was not preserved; www.example.com is a placeholder for your own server.
# HTTP_REFERER is supplied by the client, so this check is advisory only.
if ($cameFrom =~ m{^http://www\.example\.com/}) {
    print "The page that started this script is on my server and is ok\n";
    # ...
} else {
    print "Cannot run this script\n";
}

28 Example - Avoiding tainted data
#!/usr/bin/perl -T
# -T switch turns on taint-checking. Prevents you from using
# the visitor's input to modify files, directories etc.
print "Content-type: text/html\n\n";
$file     = $dataFromForm{'filename'};
$comments = $dataFromForm{'comments'};
if ($file =~ m/^(\w+)$/) {            # check that the data sent is ok; $1 holds the untainted copy
    $file = $1;
    print "Ok to open\n";
    # The following would not be possible unless the data had been checked
    open(FILE, ">>$file.txt") || die "..$!\n";
    # Tainted data can be written to an external file without checking it
    print FILE "$comments\n";
    close(FILE);
    # A file can be opened in read mode without taint checking
    open(FILE_READ, "$file.txt") || die "..$!\n";
    close(FILE_READ);
} else {
    print "error with $file\n";
}
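Slides 20 and 26 to 28 cover mailing form data and taint checking. The following is an added example (not from the slides) that puts the two together: it runs under -T, untaints the sender address and subject with capturing regexes so that no newline can reach a mail header, and starts sendmail with the list form of open so no shell sees the arguments. The recipient address, the field names and the sendmail path are assumptions.

```perl
#!/usr/bin/perl -T
# Added example (not from the slides): a feedback-form mailer that runs
# under taint mode and validates every field before it reaches sendmail.
# Assumptions: fields from, subject and contents as on slide 20; the
# recipient is fixed in the script rather than taken from the form.
use strict;
use warnings;
use CGI qw(:standard);

$ENV{PATH} = '/bin:/usr/bin';                    # required before any exec under -T
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};        # other variables perlsec tells you to clear
my $RECIPIENT = 'webmaster@example.com';         # placeholder address

# Returns the untainted value, or undef if it does not match $re.
# Only a capture group from a regex match can clear the taint flag.
sub untaint {
    my ($value, $re) = @_;
    return unless defined $value && $value =~ $re;
    return $1;
}

# A mail header may not contain CR or LF: a newline inside "From:" or
# "Subject:" would let a visitor append headers of their own.
my $from    = untaint(scalar param('from'),    qr/^([\w.+-]+\@[\w-]+(?:\.[\w-]+)+)$/);
my $subject = untaint(scalar param('subject'), qr/^([ -~]{1,100})$/);  # printable ASCII only
my $body    = scalar param('contents');
$body = '' unless defined $body;
$body =~ s/\r\n?/\n/g;                           # normalise line endings
$body = substr($body, 0, 4000);                  # cap the size

print header('text/plain');
unless (defined $from && defined $subject) {
    print "Rejected: invalid sender address or subject.\n";
    exit;
}

# List-form open: no shell is involved, so the arguments are never
# re-parsed.  -oi keeps a lone "." in the body from ending the message.
open(my $mail, '|-', '/usr/bin/sendmail', '-oi', $RECIPIENT)
    or die "cannot run sendmail: $!";
print $mail "To: $RECIPIENT\n";
print $mail "From: $from\n";
print $mail "Subject: $subject\n";
print $mail "\n$body\n";
close($mail) or die "sendmail failed: $!";
print "Message sent.\n";
```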

29 Debugging
A number of problems can happen with your CGI, and the default response of the web server when it encounters an error ("Internal Server Error") is not very useful for figuring out what happened. If you see the code of the actual Perl script instead of the desired output page from your CGI, either you didn't rename the file with the .cgi extension or your web server isn't configured to run CGIs. Consult the help page on running CGI scripts. If you get an Internal Server Error, there is a bug in your script. There are numerous ways to hunt down the bugs; perhaps the easiest is to modify your script and add the following line near the top:
    use CGI::Carp qw(fatalsToBrowser);
This will display error messages that would otherwise go to the server log directly in your browser window.

30 Debugging
You can try running the CGI from the command line in the Unix shell. The following will check the syntax of your script without actually running it:
    perl -c scriptname.cgi
You might also try the -w flag (for "warnings"), to report any unsafe Perl constructs:
    perl -cw scriptname.cgi
This will report any syntax errors in your script, and warn you of improper usage.