cvsuser 01/09/27 23:40:07
Modified: . perlfaq9.pod
* updated CGI answers:
+ reference the CGI Meta FAQ which contains all relevant pages
with up-to-date URLs
+ added CGI.pm examples to "How do I redirect..." answer
along with discussion about the difference between URLs
and URLpaths in Location headers.
(thanks to Alan Flavell)
+ added general answer about CGI responses that clears up
some misleading information about line endings.
(thanks to Alan Flavell, again :)
Revision Changes Path
1.2 +79 -63 perlfaq/perlfaq9.pod
RCS file: /home/perlcvs/perlfaq/perlfaq9.pod,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -w -r1.1 -r1.2
--- perlfaq9.pod 2001/09/20 03:03:00 1.1
+++ perlfaq9.pod 2001/09/28 06:40:07 1.2
@@ -1,46 +1,67 @@
-perlfaq9 - Networking ($Revision: 1.1 $, $Date: 2001/09/20 03:03:00 $)
+perlfaq9 - Networking ($Revision: 1.2 $, $Date: 2001/09/28 06:40:07 $)
This section deals with questions related to networking, the internet,
and a few on the web.
+=head2 What is the correct form of response from a CGI script?
+(Alan Flavell <firstname.lastname@example.org> answers...)
+The Common Gateway Interface (CGI) specifies a software interface between
+a program ("CGI script") and a web server (HTTPD). It is not specific
+to Perl, and has its own FAQs and tutorials, and usenet group,
+The original CGI specification is at: http://hoohoo.ncsa.uiuc.edu/cgi/
+Current best-practice RFC draft at: http://CGI-Spec.Golux.Com/
+Other relevant documentation listed in: http://www.perl.org/CGI_MetaFAQ.html
+These Perl FAQs very selectively cover some CGI issues. However, Perl
+programmers are strongly advised to use the CGI.pm module, to take care
+of the details for them.
+The similarity between CGI response headers (defined in the CGI
+specification) and HTTP response headers (defined in the HTTP
+specification, RFC2616) is intentional, but can sometimes be confusing.
+The CGI specification defines two kinds of script: the "Parsed Header"
+script, and the "Non Parsed Header" (NPH) script. Check your server
+documentation to see what it supports. "Parsed Header" scripts are
+simpler in various respects. The CGI specification allows any of the
+usual newline representations in the CGI response (it's the server's
+job to create an accurate HTTP response based on it). So "\n" written in
+text mode is technically correct, and recommended. NPH scripts are more
+tricky: they must put out a complete and accurate set of HTTP
+transaction response headers; the HTTP specification calls for records
+to be terminated with carriage-return and line-feed, i.e ASCII \015\012
+written in binary mode.
+Using CGI.pm gives excellent platform independence, including EBCDIC
+systems. CGI.pm selects an appropriate newline representation
+($CGI::CRLF) and sets binmode as appropriate.
=head2 My CGI script runs from the command line but not the browser. (500 Server Error)
-If you can demonstrate that you've read the following FAQs and that
+If you can demonstrate that you've read the FAQs and that
your problem isn't something simple that can be easily answered, you'll
probably receive a courteous and useful reply to your question if you
post it on comp.infosystems.www.authoring.cgi (if it's something to do
-with HTTP, HTML, or the CGI protocols). Questions that appear to be Perl
+with HTTP or the CGI protocols). Questions that appear to be Perl
questions but are really CGI ones that are posted to comp.lang.perl.misc
-may not be so well received.
-The useful FAQs and related documents are:
- CGI FAQ
+are not so well received.
- Web FAQ
+The useful FAQs, related documents, and troubleshooting guides are
+listed in the CGI Meta FAQ:
- WWW Security FAQ
- HTTP Spec
- HTML Spec
- CGI Spec
- CGI Security FAQ
=head2 How can I get better error messages from a CGI program?
Use the CGI::Carp module. It replaces C<warn> and C<die>, plus the
@@ -232,36 +253,38 @@
regexp for breaking any arbitrary URI into components (Appendix B).
=head2 How do I redirect to another page?
+Specify the complete URL of the destination (even if it is on the same
+server). This is one of the two different kinds of CGI "Location:"
+responses which are defined in the CGI specification for a Parsed Headers
+script. The other kind (an absolute URLpath) is resolved internally to
+the server without any HTTP redirection. The CGI specifications do not
+allow relative URLs in either case.
+Use of CGI.pm is strongly recommended. This example shows redirection
+with a complete URL. This redirection is handled by the web browser.
-According to RFC 2616, "Hypertext Transfer Protocol -- HTTP/1.1", the
-preferred method is to send a C<Location:> header instead of a
- Location: http://www.domain.com/newpage
-Note that relative URLs in these headers can cause strange effects
-because of "optimizations" that servers do.
- $url = "http://www.perl.com/CPAN/";
- print "Location: $url\n\n";
-To target a particular frame in a frameset, include the "Window-target:"
-in the header.
- print <<EOF;
- Location: http://www.domain.com/newpage
- Window-target: <FrameName>
-To be correct to the spec, each of those virtual newlines should
-really be physical C<"\015\012"> sequences by the time your message is
-received by the client browser. Except for NPH scripts, though, that
-local newline should get translated by your server into standard form,
-so you shouldn't have a problem here, even if you are stuck on MacOS.
-Everybody else probably won't even notice.
+ use CGI qw/:standard/;
+ my $url = 'http://www.perl.com/CPAN/';
+ print redirect($url);
+This example shows a redirection with an absolute URLpath. This
+redirection is handled by the local web server.
+ my $url = '/CPAN/index.html';
+ print redirect($url);
+But if coded directly, it could be as follows (the final "\n" is
+shown separately, for clarity), using either a complete URL or
+an absolute URLpath.
+ print "Location: $url\n"; # CGI response header
+ print "\n"; # end of headers
=head2 How do I put a password on my web pages?
That depends. You'll need to read the documentation for your web
@@ -281,17 +304,10 @@
->add($username => $password);
=head2 How do I make sure users can't enter values into a form that cause my CGI script to do bad things?
+See the security references listed in the CGI Meta FAQ
-Read the CGI security FAQ, at
-http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html , and the
-Perl/CGI FAQ at
-In brief: use tainting (see L<perlsec>), which makes sure that data
-from outside your script (eg, CGI parameters) are never used in
-C<eval> or C<system> calls. In addition to tainting, never use the
-single-argument form of system() or exec(). Instead, supply the
-command and arguments as a list, which prevents shell globbing.
=head2 How do I parse a mail header?