60
What is the CGI (common gateway interface) and what it does?
It’s an ancient technology?
Are there other alternatives to it? If so, which?
60
What is the CGI (common gateway interface) and what it does?
It’s an ancient technology?
Are there other alternatives to it? If so, which?
60
CGI (acronym for Common Gateway Interface), in Portuguese , Interface Comum de Porta de entrada.
Interface: element that provides a physical or logical link between two systems or parts of a system that could not be connected directly.
Generally, the server HTTP has a directory (folder), which is designated as a collection of documents(files), which can be sent to web browsers connected to this server. For example, if the Web server has the domain name exemplo.com
, and its collection of documents is stored in /usr/local/apache/htdocs
on the local file system, then the web server will respond to a request from http://exemplo.com/index.html
sending the file to the browser /usr/local/apache/htdocs/index.html
.
CGI extends this system, allowing the web server owner to designate a directory within the document collection containing executable scripts (or binary files) instead of pre-written pages, this is known as a directory CGI
. For example, /usr/local/apache/htdocs/cgi-bin
could be designated as a directory CGI
on the web server. If a web browser asks URL that points to a file inside the directory CGI
(for example, http://exemplo.com/cgi-bin/printenv.pl
), instead of simply uploading the file ( /usr/local/apache/htdocs/cgi-bin/printenv.pl
) for the web browser, the server HTTP runs the specified script and passes the script output to the web browser. That is, anything that the script sends the default output is passed to the Web client instead of being shown on the screen in a terminal window.
Reading and decoding data (and/or information fields of a bundle HTTP);
Data processing (storing information in databases,
perform calculations, recover data);
Creation of a web page with the results produced.
Processing of data submitted through forms;
Interface with databases, converting the
transaction of HTML
for SQL
and format in HTML
the answers obtained,
sending the results to the customer;
Convert system data to HTML
and return the result to the
client;
Creation of customized documents;
Manage access counters;
Map processing.
The protocol HTTP, uses various methods of data manipulation and organization. The two most commonly used methods for submitting data forms are the GET and the POST. Both methods transfer data from the browser to the server, the biggest difference between them is the way information is passed to the program CGI
:
GET
CGI called through the GET method
The browser adds a "?" to the URL specified in the attribute ACTION, and the coded values;
http://exemplo.com/cgi-bin/registra.pl?login=guest
The server when receiving one URL with a query-string, calls the program cgi
identified in the first part of the URL (before the '?'
) and save the part after the '?'
in the environment variable QUERY_STRING (to string
of consultations contained in URL after the '?'
) . Suppose the user typed "guest" in the login field, when the button Submit is clicked, the browser sends, to the server, a request of type:
GET /cgi-bin/registra.pl?login='guest' HTTP/1.0
Accept: www/source
Accept: text/html
Accept: image.gif
User-Agent: Lynx/2.4 libwww/2.14
From: [email protected]
The request GET
identifies the document to be sent (cgi-bin/registra.pl). As long as the server is configured to recognize all files in the directory cgi-bin
as being a program cgi
, runs the program instead of sending the document directly to the browser, and puts the string login='guest'
in the environment variable QUERY_STRING.
CGI program capable of managing this information
#! /usr/local/bin/tclsh
/* Diz ao servidor para correr o interpretador tcl localizado no directório /usr/local/bin/ para executar o programa cgi/*
puts "Content-type: text/plain", "\n\n"
set query_string $ENV{'QUERY_STRING'}
set par [split $query_string = ]
set field_name [lindex $par 0]
set command [lindex $par 1]
if {$command == "guest"} {
puts "usr/local/bin/guest"
} elsif {$command == "mgi"} {
puts "usr/ucb/mgi"
} else {
puts "usr/local/bin/outro";
}
exit(0);
(Environment Variables in CGI Scripts)
POST
If using the Post method, the request sent to the server would be of the type:
POST /cgi-bin /registra.pl HTTP/1.0
.
. (informação do cabeçalho)
.
Content-length: 11
login=guest
CGI program capable of managing this information
#! /usr/local/bin/tclsh
set size_of_form_information $env(CONTENT_LENGTH)
set form_info [read stdin $size_of_form_information]
set par [split $form_info = ]
set field_name [lindex $par 0]
set command [lindex $par 1]
puts "Content-type: text/plain", "\n\n"
if {$command == "guest"} {
puts "usr/local/bin/guest"
} elsif {$command == "mgi"} {
puts "usr/ucb/mgi"
} else {
puts "usr/local/bin/outro";
}
exit(0);
The programmer of CGI’s cannot control by which method the program will be called. Thus scripts are usually written to support both methods.
#! /usr/local/bin/tclsh
set request_method $env(REQUEST_METHOD)
if {$request_method =="GET"}{
et form_info $env(QUERY_STRING)
} else {
set size_of_form_information $env(CONTENT_LENGTH)
set form_info [read stdin $size_of_form_information]
}
The data entered in a form is part of the body of the message sent to the server.
While the method GET
passes the information through environment variables , the POST sends the data to the program CGI
through standard input (standard input,stdio. h), as a length string specified in the environment variable CONTENT_LENGTH
;
Make 2 connections to the server, one to contact the server and the other to send the parameters. In other words, if the server receives a request from a form using the POST
, he knows he has to keep "waiting" for the rest of the information.
Advantages/Disadvantages
The advantage of GET
is that allows access to the program CGI with a query without using a form, we are basically passing parameters to a program.
Example: <A HREF="/cgi-bin/program.pl?user=Larry%20Bird&age=35&pass=testing"> Programa CGI </A>
The biggest disadvantage of GET
is the lack of security and the fact that there has to be some care so that the browser or the server does not truncate the information exceeding the number of characters allowed.
The biggest advantage of the method POST
is the size of the query can be unlimited. To get information through the method POST
, the program CGI read from the standard input, for this reason it is not possible to access the CGI without using a form.
Taking into account the speed with which innovations happen, CGI can be considered old, taking into account the creation of the computer can be said to be in middle age.
In 1993, the National Center for Supercomputing Applications (NCSA) team wrote a specification to call command line executables in the www-talk mailing list. However, NCSA does not host the specification.
Other developers have adopted the specification, and it has been a standard for web servers ever since. A group chaired by Ken Coar started in November 1997 a work to obtain the NCSA definition of CGI more formally defined. This work resulted in RFC3875 , which specifies the version CGI 1.1.
Specifically mentioned in RFC are the taxpayers who follow:
Rob Mccool (author of NCSA Httpd Web Server ) John Franks (author of Web Server GN) Ari Luotonen (the developer of CERN httpd web server) Tony Sanders (author of Plexus Web server) George Phillips (Web server maintainer at the University of British Columbia ).
Alternatively you may consider:
PSGI(Perl Web Server Gateway Interface)
Rack (web server interface)
WSGI(Web Server Gateway Interface)
Simple example of a CGI script
<!DOCTYPE html>
<html>
<body>
<form action="add.cgi" method="POST">
Coloque os dois números:<br />
Primeiro número: <input type="text" name="num1" /><br />
Segundo número: <input type="text" name="num2" /><br />
<input type="submit" value="Enviar" />
</form>
</body>
</html>
Add.cgi file
#!/usr/bin/python
import cgi
import cgitb
cgitb.enable()
input_data=cgi.FieldStorage()
print 'Content-Type:text/html' #Envia o tipo HTML
print #deixa uma linha vazia entre o head e body
print '<h1>Resutados</h1>'
try:
num1=int(input_data["num1"].value)
num2=int(input_data["num2"].value)
except:
print '<p>Desculpe não podemos converter os campos em números (integers).</p>'
return 1
sum=num1+num2
print '<p>{0} + {1} = {2}</p>'.format(num1, num2, sum)
Sources: CGI/CGI complete
Whoa, we’re improving the level of responses. Let’s see what will happen in about 5 days to see who takes the bonus :) - however, already take a +1.
+1 for the excellent answer :)
@drmcarvalho with tutors as you difficult gets easy..;)
Very good +1 response, just fixed a few things like unused white line excesses and this script print '<p>{0} + {1} = {2}</p>'.format(num1, num2, sum)'
that had an apostrophe left, I took the opportunity to "aportuguesar" the comments in the code in python
24
CGI(Common Gateway Interface) is a technology that allows generating dynamic pages with interaction between scripts HTTP servers with Gateway Scripts and Programs through parameters. Therefore CGI scripts are the small programs that interpret these parameters and generate a page after processing them.
But the use of CGI is not very safe, bearing in mind that it is necessary to take some security precautions. Just below will be discussed on what safety precautions to take based on some rules of the programs CGI after the explanation of how the CGI works.
Example:
With the CGI, your server can access information that is not readable to the client (e.g. SQL database), and acts as a gateway between both to produce something the client can use. Gateways can be used for a variety of purposes, the most common are ISINDEX manipulation and HTTP form request.
You may be writing these CGI’s through gateways that can be written in any bindings that allow it to run on the system, such as:
CGI programs, or scripts, are executable programs that can be run by itself (which is not a safe way). So there are some safety precautions that need to be implemented when using CGI programs.
The main rules are:
Most systems store CGI scripts in a root directory of the HTTP server, called cgi-bin, which is configured in such a way that only certain trusted users can write to it. This avoids obvious security issues, which arise by allowing remote anonymous users to run anything on the system.
Example:/usr/local/apache/htdocs/cgi-bin
The script can collect its parameters, from the standard input (via keyboard), from environment variables or both.
The script should give as output, one of the three standard header types, as a normal text string. Being the three types:
CONTEXT_TYPE: Content type refers to any type of MIME data that is accepted by the server.
Common types include text/html, text/simple and data/gif.
Since the browser/server cannot deduce this type of file from a file name location or suffix, this title will inform the browser what type of data to expect and how to use it.
Format: type/type
LOCATION: Points to a document somewhere else on the server.
Allows you to redirect requests to documents, based on some criteria submitted by a form or environment variable.
STATUS: It can be used to run a script, without sending a new page to the client. It can also be used to send an error message or other information to the customer.
The script must be executable by the user the server has configured. (There is a special user called "NOBODY" which is the default user for most Web servers. You should make sure that the user "NOBODY" or the user your server is set to work for is allowed to run your scripts and read/write any files that the script can use).
More details of Security in CGI Scripts
Each time a user requests the URL corresponding to their program CGI, the server will run it in real time. A misconception about CGI is that you can send optional command lines and arguments to your program, such as:
command% myprog -qa blorf
CGI uses the command line for other purposes. Gateway uses environment variables to send its parameters to the program.
Example of server environment variables DCC:
#!/bin/sh
# disable filename globbing
set -f
echo "Content-type: text/plain; charset=iso-8859-1"
echo
echo CGI/1.0 test script report:
echo
echo argc is $#. argv is "$*".
echo
echo SERVER_SOFTWARE = $SERVER_SOFTWARE
echo SERVER_NAME = $SERVER_NAME
echo GATEWAY_INTERFACE = $GATEWAY_INTERFACE
echo SERVER_PROTOCOL = $SERVER_PROTOCOL
echo SERVER_PORT = $SERVER_PORT
echo REQUEST_METHOD = $REQUEST_METHOD
echo HTTP_ACCEPT = "$HTTP_ACCEPT"
echo PATH_INFO = "$PATH_INFO"
echo PATH_TRANSLATED = "$PATH_TRANSLATED"
echo SCRIPT_NAME = "$SCRIPT_NAME"
echo QUERY_STRING = "$QUERY_STRING"
echo REMOTE_HOST = $REMOTE_HOST
echo REMOTE_ADDR = $REMOTE_ADDR
echo REMOTE_USER = $REMOTE_USER
echo AUTH_TYPE = $AUTH_TYPE
echo CONTENT_TYPE = $CONTENT_TYPE
echo CONTENT_LENGTH = $CONTENT_LENGTH
Programs CGI can return a large number of document types. They can return an image to the user, an HTML document, or perhaps an audio clip. They may also refer to other documents.
The client needs to know what kind of document he will receive, so that he can present it properly. Soon the program CGI should inform the server what kind of document is being sent.
In order to communicate to the server the type of document that is returning, if it is a full document or a reference to another, CGI requires a small header in the output. This header is a text ASCII, consisting of separate lines or by linefeeds or by Carriage Returns (or both) followed by a blank line.
Example:
Sending an HTML document to the client.
Content-type: text/html
<html>
<head>
<title>saída HTML de um script CGI</title>
</head>
<body>
<h1>Saída de exemplo</h1>
O que você acha <strong>disso?</strong>
</body>
</html>
One reference to another document.
Content-type: text/html
Location: gopher://httprules.foobar.org/0
<html>
<head>
<title>Desculpe...moveu-se</title>
</head>
<body>
<h1>Ir para vez do Gopher</h1>
Agora disponível em
<a href="gopher://httprules.foobar.org/0">uma nova localização</a> no nosso servidor do Gopher.
</body>
</html>
A form can be created within an html page using the FORM tag. A page may contain multiple forms, but forms may not be contained in each other.
<form method="Método GET ou POST" action="A URL">...</form>
Where the ACTION is the URL of the server that will receive the form data (that is, the address of the CGI program responsible for data processing) and METHOD is the way the data will be passed to the CGI program.
A form may contain several components, such as inputs, check boxes and radio.
There are two methods that can be used to access the forms, GET and POST. Depending on the method used, you will receive the data differently.
method="GET"
, your CGI program will receive the data encoded in the environment variable QUERY_STRING.Example:
<form method="GET" action="get-query.cgi">
Login: <input type="text" name="login" />
Senha: <input type="text" name="senha" />
<input type="submit" value="Enviar" />
</form>
get-query.cgi
#include <stdio.h>
#include <stdlib.h>
int main()
{
char *query;
printf("Content-type: text/plain\n\n");
/* METHOD="GET" */
query=getenv("QUERY_STRING");
printf("Os dados recebidos do formulário são:\n\n");
printf("%s\n", query);
return(0);
}
method="POST"
, your CGI program will receive the standard stdin input data. The server will NOT send an EOF at the end of the data. Instead you will have to use the environment variable CONTENT_LENGTH to determine the amount of data to be read from stdin.Example:
<form method="POST" action="post-query.cgi">
Login: <input type="text" name="login" />
Senha: <input type="text" name="senha" />
<input type="submit" value="Enviar" />
</form>
post-query.cgi
#include <stdio.h>
#include <stdlib.h>
int main()
{
char *query;
int length;
printf("Content-type: text/plain\n\n");
/* METHOD="POST" */
length=atoi(getenv("CONTENT_LENGTH"));
query=(char *) malloc(sizeof(char)*(length+1));
if (query!=NULL)
fread(query, length, sizeof(char), stdin);
printf("Os dados recebidos do formulário são:\n\n");
printf("%s\n\n", query);
printf("A variável de ambiente CONTENT_LENGTH tem o valor %d.\n", length);
return(0);
}
How to read an environment variable will depend on the Operating System in which the CGI program will be run and the programming language in which it was written. A C program running on UNIX can use the function char *getenv(const char *name);
that takes the variable name as argument and returns its value in a string.
The CGI was conceived as the culmination of discussions by experts during the early days of the Internet, in 1993 by the NSCA (National Center for Supercomputing Applications) namely between Rob Mccool, John Franks, Ari Luotonen, George Phillips and Tony Sanders. What could make it an ancient technology.
Specification of CGI 1.1: RFC3875
Although the language typically associated with CGI is Perl, CGI is designed to be independent of the language used. Currently technologies such as ASP.NET
, PHP
, Python
and Ruby
continue to use the specification.
Sources:
http://penta.ufrgs.br/edu/forms/cgi.html
https://www.w3.org/CGI/
https://en.wikipedia.org/wiki/Common_Gateway_Interface
https://en.wikipedia.org/wiki/Common_Gateway_Interface
http://homepages.dcc.ufmg.br/~mlbc/cursos/internet/cgi/intro.htm
I liked the answer, the goal is not to compete, but to detail the maximum, such an interesting subject... And you made it... I just think that definition :"Gateways are actually programs", is not correct... I may be wrong, but I don’t think...https://pt.wikipedia.org/wiki/Gateway
There are several definitions for Gateway, my dear friend. The English wikipedia contains truer and cleaner information, I learned this from other more advanced users here: https://en.wikipedia.org/wiki/Gateway
You did it too, your answer is simply great, quite detailed
@Viníciuslima I disagree that in this case the information is truer and cleaner. The term Gateway, worldwide, refers to a node of the network. It is not because it is on the wiki/en that it is correct. But so the text is yours, if you think it is cool... Num muda Naum... Personality is all...I respect... Although it has 2 pages between 1 million, which makes use of the term, I still think incorrect... Like I said, I might be wrong, though...
Excuse me, I removed from the text did not need that...
Hi Vinicius. I gave the bonus for another answer, but I want to make it clear that yours is very good and I voted positive too. I was quite undecided, but I had to decide, and for a few small details I opted for that, but the important thing is that even the bonus not going to yours, it attracted votes for both of them (in fact, I’m glad it was much more than the 50 bonus). Grateful for the good contribution too.
7
CGI is a method for a web page to be dynamically generated by an executable, rather than a static file. Any text the executable sends to the "terminal" will appear on the page. In the early days of the Web, without many security concerns, it was common for dynamic pages to be generated even by shell scripts. Another CGI problem is that each page generation invokes a process, which weighs fast on a server with many accesses.
Browser other questions tagged cgi
You are not signed in. Login or sign up in order to post.
ready to Learn Something new.
– Lollipop
+1. I also want to know, but I don’t want to search on Google. And I corrected
Exitem
– Wallace Maxters