Safer CGI Scripting
Charles Walker and Larry Bennett
The CGI is the simplest and by far the most common way of providing Web pages with dynamic content. Essentially, the CGI (Common Gateway Interface) is a way for the Web server to invoke a program to generate HTML that gets sent back to the Web browser, rather than simply serving up a static HTML file. Without the CGI and other similar dynamic content schemes, many things would be impossible on the Web -- stock trading and booking of vacations, for example, and just about anything requiring input from users. The Web would still be simply a mechanism for downloading static documents. Figure 1 shows how CGI scripts fit into the picture.
These programs invoked by the Web server are called CGI scripts. The name of the program is sent by the Web browser in the URL, followed by arguments to the CGI script. The Web server sets up the CGI script's environment so that it can access the arguments, then starts the CGI script. The CGI script then runs, does whatever the programmer coded, and writes its output to stdout. The Web server redirects stdout back to the Web browser that sent the request.
With static HTML, the Web server simply sends the requested HTML file back to the user's Web browser, which then interprets the HTML, formats it, and displays it. Take this URL for example:
http://www.trionetworks.com/hypertrak/techwhite.htm
This causes the server www.trionetworks.com to send the content of the file /hypertrak/techwhite.htm back to the Web browser. Look at the following URL for an example of how a CGI script might be invoked:
http://www.trionetworks.com/cgi-bin/hmshow.cgi?func=showlist&rt=all&set=all
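On this Web server, the directory cgi-bin has been configured as a directory of CGI scripts rather than static HTML, so the server runs the program hmshow.cgi and passes it everything after the question mark as its arguments.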
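As an added illustration (not code from the original article and not the source of hmshow.cgi), here is a minimal Python CGI script that follows the flow described above: the server places the text after the question mark in the QUERY_STRING environment variable, and the script writes a header block and HTML to stdout. The allow-list of func values and the layout of the response are assumptions made for the example.

```python
#!/usr/bin/env python3
"""Minimal CGI script: read the query string from the environment, reply on stdout."""
import html
import os
import sys
from urllib.parse import parse_qs

# Hypothetical allow-list for the "func" argument (assumed, not from hmshow.cgi).
ALLOWED_FUNCS = {"showlist"}


def parse_args(query_string):
    """Decode 'a=1&b=2' into a dict, keeping the first value of each name."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def build_response(environ):
    """Return the full CGI response (header, blank line, body) as a string."""
    args = parse_args(environ.get("QUERY_STRING", ""))
    func = args.get("func", "")
    if func not in ALLOWED_FUNCS:
        status, body = "400 Bad Request", "<p>Unknown function.</p>"
    else:
        # Escape every argument before echoing it into HTML.
        rows = "".join(
            f"<li>{html.escape(k)} = {html.escape(v)}</li>"
            for k, v in sorted(args.items())
        )
        status, body = "200 OK", f"<ul>{rows}</ul>"
    # The server reads the header block, then relays the body to the browser.
    return (
        f"Status: {status}\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "\r\n"
        f"<html><body>{body}</body></html>\n"
    )


if __name__ == "__main__":
    # Under a real server QUERY_STRING is set for us; the fallback below is
    # the constructed sample from the URL above, for running from a shell.
    env = dict(os.environ)
    env.setdefault("QUERY_STRING", "func=showlist&rt=all&set=all")
    sys.stdout.write(build_response(env))
```

Run from a shell, it prints the same bytes the Web server would receive on the script's stdout and relay to the browser.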