How to write a Minimal CGI script


I show you here how to do an absolutely minimal CGI script, and you should be able to figure out lots of further possibilities yourself. This is what works for me - you may have to modify for your setup.

Introduction

A CGI script is the simplest way for a web page to take in some input from a user and then process it. The classic example would be a search engine. A search box embedded in a web page is implemented as a HTML Form embedded in the HTML code for the page. This passes its input to the (remote) CGI script for processing. The CGI script displays its output as another, new web page.




The file   $www/cgi-bin/$user/minimal-cgi-script

(Your path for where to put the script may vary)

The basic idea is that the CGI script builds a web page dynamically, by outputting HTML tags to stdout. The CGI script can be written in any language. I'll be writing it here simply in UNIX Shell.

The input comes in as the environment variable QUERY_STRING. If there is a single argument, QUERY_STRING will be of the form: fieldname=actualargument, so we need to edit it to remove the fieldname= bit at the front. As you will see in the HTML Form shortly, the fieldname here will be called "q": 


#!/bin/sh

echo "Content-type: text/html"
echo

echo '<html> <head> <title> CGI script </title> </head> <body>'

argument=`echo "$QUERY_STRING" | sed "s|q=||"`

echo "   QUERY_STRING is: <b> $QUERY_STRING </b> <br>"
echo "Actual argument is: <b> $argument     </b> <br>"

Sample usage

To call the CGI script, you then embed a HTML Form in your page, using code like this. Here, the single fieldname is called "q", so QUERY_STRING looks like: q=actualargument, and we need to remove q= in the script above. 


<FORM METHOD="GET"
      ACTION="http://computing.dcu.ie/cgi-bin/humphrys/demo/min-cgi-script">
<b> Enter argument: </b> 
<INPUT size=40 name=q VALUE="">
<INPUT TYPE="submit" VALUE="Submit">
<INPUT TYPE="reset" VALUE="Reset">
</FORM>


The user sees:


Enter argument:

Calling a C++ program

Say the program that we want the CGI script to call is written in C++ (or another high-level language). We could re-write the Shell CGI script in C++, somehow combining it with our program source code. Or we could simply keep the Shell script as a wrapper, and make the last line of it: 
prog "$argument"
where our C++ program writes HTML tags to stdout.
Or we could even just do: 
echo "<pre>"
prog "$argument"
echo "</pre>"
where the C++ program just writes its usual output to stdout.
This is what I use to put a Shell CGI wrapper round a Chaos Theory C++ program.

Security

In fact, I have over-simplified for both this and for the C++ Script, as you will see if you run them off my server with bad arguments.

Remember that anyone may send any input whatsoever to your CGI script, including attempts to run commands on your system. Even echoing in a shell script (as above) may not be safe, since echo recognises some switches and special characters.

The safest thing to do (and what I do in fact on this server, though I don't show it to you) is to switch into a HLL to process the input environment character by character before proceeding with safe and checked input.