240 likes | 348 Views
3.0.1.3 Introduction to CGI – Session 1. Introduction to CGI: HTML elements Sending Data: GET vs POST CGI.pm module Setting up a cgi script. CGI: Common Gateway Interface. NOT THIS CGI !. CGI definition: Don’t get confused with other CGIs – CGI stands for common gateway interface
 
                
                E N D
3.0.1.3 Introduction to CGI – Session 1 • Introduction to CGI: • HTML elements • Sending Data: GET vs POST • CGI.pm module • Setting up a cgi script 3.0.1.3 - Introduction to CGI
CGI: Common Gateway Interface NOT THIS CGI ! CGI definition: Don’t get confused with other CGIs – CGI stands for common gateway interface and is designed to allow Web To do things. The other kind of CGI: computer-generated image (we are going to discuss totally different CGI !!!) 3.0.1.3 - Introduction to CGI
Support of CGI for computer programming languages Scripting Languages other than Perl may be used for CGI: • Unix SH • KSH • CSH • C Alternatives to CGI: • ASP (Microsoft) • PHP • ColdFusion • Java Servlets/JSP • FastCGI • Mod_perl 3.0.1.3 - Introduction to CGI
Where you can see CGI at work Wide range of government, scientific and commercial websites use CGI 3.0.1.3 - Introduction to CGI
HTML stuff URLs HTTP Request Methods • PUT Ask the server to create or replace a resource on the server • DELETE Ask the server to delete a resource on the server • CONNECT Used to allow secure SSL connection to tunnel through HTTP • OPTIONS Ask the server to list the request methods available for resource • TRACE Ask the server to echo back the request headers as it receives them • HEAD Used as GET, but returns only HTTP headers • GET Ask the server for a resource • POST Instructs the server to modify the information on the server 3.0.1.3 - Introduction to CGI
Forms on the Web • Form tags: • <FORM ACTION=“/cgi/register.cgi” METHOD=“POST”> Starts the Form • <INPUT TYPE=“text” NAME=“name” VALUE=“value” Text Field • SIZE=“size”> • <INPUT TYPE=“hidden” NAME=“name” Hidden Field • VALUE=“value”> • <INPUT TYPE=“checkbox” NAME=“name” Checkbox • VALUE=“value”> • <INPUT TYPE=“submit” NAME=“name” Submit Button • VALUE=“value”> 3.0.1.3 - Introduction to CGI
Two examples of using GET and POST <HTML> <HEAD> <TITLE>Testing CGI</TITLE> </HEAD> <BODY> <FORM NAME=“Customer_id” ACTION = “myURL/survey.cgi” METHOD=“POST”> Your Name: <INPUT TYPE=“TEXT” NAME=“f_name”><BR> <INPUT TYPE=“SUBMIT” NAME=“send” VALUE=“Send Info”> <FORM> </BODY> </HTML> <HTML> <HEAD> <TITLE>Testing CGI</TITLE> </HEAD> <BODY> <FORM NAME=“weather_report” ACTION = “myURL/report.cgi” METHOD=“GET”> Weather Report: <INPUT TYPE=“RADIO” NAME=“city” VALUE=“Vancouver”>Vancouver<BR> <INPUT TYPE=“RADIO” NAME=“city” VALUE=“Burnaby”>Burnaby<BR> <INPUT TYPE=“RADIO” NAME=“city” VALUE=“Coquitlam”>Coquitlam<BR> <INPUT TYPE=“SUBMIT” NAME=“send” VALUE=“Get Info”> <FORM> </BODY> </HTML> 3.0.1.3 - Introduction to CGI
GET vs POST • GET: • Most common http request. Used to retrieve information from the server, does not have a body – passes request inside URL • Clicking on hyperlink • typing location into browser URL box • clicking on bookmarks • POST: • Used to submit information which alters data on the server (passes the data through STDIN) • May be used for just retrieving information • Post more secure than GET because it doesn’t pass data inside URL and therefore, users can not modify this data: not true as it is legal to construct URLs and pass information with POST • The resources received via POST cannot be bookmarked or hyperlinked (and this is preferred behaviour) 3.0.1.3 - Introduction to CGI
CGI.pm module: Why Perl? • Why Perl is good for writing CGI applications? • Multiple OS support • Interpreted language – no need to recompile • Great set of features (arguably the best reg. Expressions) • Short development time • May be used for full-scale backend support 3.0.1.3 - Introduction to CGI
Namespace of your script and CGI.pm Use CGI qw(:standard); :cgi Import all CGI-handling methods, such as param(), path_info() and the like. :form Import all fill-out form generating methods, such as textfield(). :html2 Import all methods that generate HTML 2.0 standard elements. :html3 Import all methods that generate HTML 3.0 proposed elements (such as <table>, <super> and <sub>). :netscape Import all methods that generate Netscape-specific HTML extensions. :html Import all HTML-generating shortcuts (i.e. 'html2' + 'html3' + 'netscape')... :standard Import "standard" features, 'html2', 'html3', 'form' and 'cgi'. :all Import all the available methods. For the full list, see the CGI.pm code, where the variable %EXPORT_TAGS is defined.Use CGI; 3.0.1.3 - Introduction to CGI
Ways to generate HTML code: as always, more than one #!/usr/local/bin/perl -wT use strict; print HTML<<; <HTML> <HEAD><TITLE>Test HTML page</TITLE> </HEAD> <BODY> <H1>Some Really Huge Letters</H1> <BR> </BODY> </HTML> HTML Using here printing Or object-oriented CGI: #!/usr/local/bin/perl -wT use strict; use CGI; my $q = new CGI; print $q->header(”text/html”), $q->start_html(“Test HTML page”), $q->h1(“Some Really Huge Letters), $q->br, $q->end_html; 3.0.1.3 - Introduction to CGI
Using CGI.pm: basic syntax • Standard HTML elements • Printing tags without closing tags: • Printing opening and closing tags: • Setting attributes for HTML element: print $q->br; <BR> print $q->p( “This is a paragraph”); print $q->p(“My homepage is”, $q->em($q->server_name)); <P>This is a paragraph</P> <P>My homepage is <EM>localhost</EM></P> print $q->a({-href => “/downloads”}, “Download Area”); <A HREF=“/downloads”>Download Area</A> 3.0.1.3 - Introduction to CGI
Using CGI.pm: basic syntax • Printing Lists: • More complex example: <OL> <LI>First</LI> <LI>Second</LI> <LI>Third</LI> </OL> print $q->ol($q->li( [“First”,”Second”,”Third”] ) ); <TABLE BORDER=“1” WIDTH=“100%”> <TR> <TH BGCOLOR=“#cccccc”>Name</TH> <TH BGCOLOR=“#cccccc”>Occupation</TH> </TR> <TR> <TD>Frodo</TD> <TD>Hobbit</TD> </TR> <TR> <TD>Gandalf</TD> <TD>Wizard</TD> </TR> <TR> <TD>Gollum</TD> <TD>Frodo’s friend</TD> </TR> </TABLE> print $q->table( {-border => 1, -width => “100%” }, $q->Tr( [ $q->th( {-bgolor => “#cccccc” }, [“Name”, “Occupation” ] ), $q->td( [“Frodo”, ”Hobbit”] ), $q->td( [“Gandalf”, “Wizard”] ), $q->td( [“Gollum”, “Frodo’s friend”] ) ] ) ); 3.0.1.3 - Introduction to CGI
CGI syntax allows to do new things easily • Expandability • This will produce the following nonstandard HTTP header: • HTTP/1.0 200 OK • Cost: Three smackers • Annoyance-level: high • Complaints-to: bit bucket • Content-type: text/html print $q->header(-type => 'text/html', -cost => 'Three smackers', -annoyance_level => 'high', -complaints_to => 'bit bucket'); 3.0.1.3 - Introduction to CGI
Form tags in CGI.pm • Syntax for Forms in CGI is different from syntax for other elements • start_form <FORM> • end_form </FORM> • textfield <INPUT TYPE=“TEXT”> • password_field <INPUT TYPE=“PASSWORD”> • filefield <INPUT TYPE=“FILE”> • button <INPUT TYPE=“BUTTON”> • submit <INPUT TYPE=“SUBMIT”> • radio_group <INPUT TYPE=“RADIO”> • textarea <TEXTAREA> … my $q=new CGI; print $q->textfield(-name => ”username”, -default => “Anonymous” ); Generates: <INPUT TYPE=“TEXT” NAME=“username” VALUE=“Ananymous”> 3.0.1.3 - Introduction to CGI
Tainted data • Examples: • Potentially dangerous things: $foo = @ARGV; $bar = $foo; $file = <FOO>; $foo = “Hello”; Tainted (came from outside) Tainted (because $foo is tainted) Tainted (obtained with <> operator) Ok, as we set $foo inside unlink $foo; open(FOO, “$foo”); exec “cat $foo”; exec “cat”, $foo; Insecure Ok as it is read-only access Insecure as it uses sub-shell Ok, as we do not use the shell 3.0.1.3 - Introduction to CGI
Using Carp module: your scripts will leave a suicide note • Using Perl -T option: • -T option instructs Perl to monitor data for potential use in code, modifying something outside the script. Data considered to be tainted: • Command line arguments • File input • Various system calls • Environment variables • Carp module: • Catches fatal calls and shows the messages in the browser • Use CGI::Carp qw( fatalsToBrowser ); 3.0.1.3 - Introduction to CGI
Complaining in your browser window • No Carp: • [an error occurred while processing this directive] • Internal Server Error • If you did not expect this error contact our webmaster. This error is due to either a script or server misconfiguration. • [an error occurred while processing this directive] • With CGI::Carp qw(fatalsToBrowser): • Software error: • syntax error at /usr/local/web/apache/cgi-bin/intranet/people/pruzanov/quicktests/test2.cgi line 15, near "Name:" • Execution of /usr/local/web/apache/cgi-bin/intranet/people/pruzanov/quicktests/test2.cgi aborted due to compilation errors. • For help, please send mail to the webmaster (webmaster@bcgsc.ca), giving this error message and the time and date of the error. 3.0.1.3 - Introduction to CGI
Getting values into script: param() • Source of a test.cgi script: • param() takes an id for variable and returns the value of this variable #!/usr/bin/perl -wT use strict; use CGI qw(:standard); use CGI::Carp qw(fatalsToBrowser); print header; print start_html(-title=>"Testing CGI"); print "Your name is ".param('Y_name')."\<BR\>"; print end_html; 3.0.1.3 - Introduction to CGI
Say Hello to World Source of form_test.html: Output: • <html> • <head> • <title>Form Tester</title> • </head> • <body> • <br> • <form name="test" action="../cgi-bin/quicktests/test.cgi" method="POST"> • Enter Your name: • <input type="TEXT" name="Y_name" value="Enter Your name"> • <br> • <br> • <input type="SUBMIT" name="Send_it" value="Send"> • </form> • </body> • </html> Note that we are using POST here. GET, however, will work in this situation just as well 3.0.1.3 - Introduction to CGI
Using cgi to process HTML form • CGI.pm at work: Here we are typing in some name At this point we are pressing ‘Send’ 3.0.1.3 - Introduction to CGI
Self-processing script That is what we see when the script first starts • Doing it all at once in one place: #!/usr/bin/perl -wT use strict; use CGI qw(:standard); use CGI::Carp qw(fatalsToBrowser); print header; print start_html(-title=>"Testing CGI"); if(my $name = param('Y_name')){ print "Your name is ".$name."\<BR\>"; }else{ print start_form(-name =>"test", -action=>"", -method=>"post"), textfield(-name =>"Y_name", -default=>"Enter Your name"), submit(-name =>"Send_it", -value=>"Send"), end_form; } print end_html; That is what we see when we pass a name to THE VERY SAME script 3.0.1.3 - Introduction to CGI
HTML code produced by .cgi scripts: • Output from test2.cgi: • What we see in a browser: <?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="en-US" xml:lang="en-US"><head> <title>Testing CGI</title> </head> <body> <form method="post" action="" enctype="application/x-www-form-urlencoded" name="test"> Enter Your Name:<input type="text" name="Y_name" /> <br /> <input type="submit" name="Send_it" value="Send" /> <div></div> </form> </body> </html> 3.0.1.3 - Introduction to CGI
3.0.1.3 Introduction to CGI – Session 1 • Common gateway interface • CGI.pm usage: • use POST to change data on a server • use GET to get the data • strict and Carp are good for CGI • monitor your data with -T 3.0.1.3 - Introduction to CGI