The CGI.pm module

Using it to retrieve form entries


sugarkane

12:16 am on Mar 1, 2001 (gmt 0)




In many Perl scripts seen around the net, you'll see a whole chunk of hieroglyphics used to decode the variables supplied to a script by the form that called it. This section of the code is one that causes many errors - it's all too easy to make a typo amongst all that lot.

You can simplify things massively by using the CGI.pm module which is supplied as part of the standard Perl distribution. To get, for example, the value of a form field 'email', you'd use:


# these lines should be used once,
# near the top of your script
use strict;
use warnings;
use CGI;
my $query = CGI->new;

# then actually retrieve the value
my $email = $query->param("email");

# a CGI script must send a header before any output
print $query->header('text/plain');
print "$email\n";
exit;


The module takes care of all the decoding, whether the script was called with GET or POST.

CGI.pm is capable of much, much more than this (eg cookies), but this is a great simplifier to get started with.

Brett_Tabke

9:18 am on Mar 25, 2001 (gmt 0)




Anyone know the pros and cons of doing it by hand? I normally don't use cgi.pm and instead do it myself. I've heard there are some security issues to be concerned with. See anything major wrong with this way:


use strict;
use warnings;

my ($buffer, @pairs, $name, $value, %FORM);
my $debug = 0;

# read the POST body; CONTENT_LENGTH is whatever the client sent
read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'} || 0);

# fall back to the query string when there is (almost) no body
if (length($buffer) < 5) {
    $buffer = $ENV{QUERY_STRING} || '';
}

@pairs = split(/&/, $buffer);

foreach my $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value = '' unless defined $value;
    $value =~ tr/+/ /;                                          # '+' is an encoded space
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg; # %XX hex escapes
    $value =~ s/\r//g;                                          # drop carriage returns
    $FORM{$name} = $value;
    print "<br>Form name : <b>$name</b> Value : <b> $value </b>\n" if ($debug > 4);
}

sugarkane

10:48 pm on Mar 25, 2001 (gmt 0)




I've also heard rumours of security issues but not been able to find anything specific. The only one I've come across is with the self_url function, where it's potentially possible to insert some extra html or JS into a page that prints the value of self_url without any sanity checking. Quite how useful / dangerous that could be is open to question.

Are there any sites out there giving details of specific security concerns?

Brett_Tabke

1:41 pm on Mar 29, 2001 (gmt 0)




W3C Web Security FAQ [w3.org]; but nothing on the above.

I think the problem with the above has to do with length and a buffer overrun.

sugarkane

3:14 pm on Mar 29, 2001 (gmt 0)




Hmmm, I'm not sure how it could cause a buffer overflow, as the module itself is written in Perl, and Perl should handle the memory allocation dynamically... now if you're passing CGI values to an external program without checking them, then that could certainly lead to overflows or worse ;)

Examples here [eekim.com]
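An added example, not code from either poster or from CGI.pm: a hardened variant of the hand-rolled decoder in Brett's post that also addresses the length concern raised afterwards. It picks the source by REQUEST_METHOD, validates and caps the client-supplied CONTENT_LENGTH before reading, decodes field names as well as values, and keeps repeated fields as lists. The names MAX_BODY, url_decode and parse_form are chosen here, and the sample request body is constructed.

```perl
use strict;
use warnings;

# Assumed per-application cap on POST body size (not from the thread).
use constant MAX_BODY => 64 * 1024;

# Decode one URL-encoded token: '+' becomes space, %XX becomes a byte.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg;
    return $s;
}

# Parse form input from an environment hash and an input handle.
# Returns { name => [values...] }; dies on a malformed or oversized request.
sub parse_form {
    my ($env, $in) = @_;
    my $method = uc(defined $env->{REQUEST_METHOD} ? $env->{REQUEST_METHOD} : 'GET');
    my $buffer = '';
    if ($method eq 'POST') {
        my $len = defined $env->{CONTENT_LENGTH} ? $env->{CONTENT_LENGTH} : '';
        die "bad CONTENT_LENGTH\n" unless $len =~ /^\d+$/;   # client-supplied, so validate
        die "request body too large\n" if $len > MAX_BODY;   # never read an unbounded amount
        my $got = read($in, $buffer, $len);
        die "short read\n" unless defined $got && $got == $len;
    } else {
        $buffer = defined $env->{QUERY_STRING} ? $env->{QUERY_STRING} : '';
    }
    my %form;
    for my $pair (split /[&;]/, $buffer) {
        next if $pair eq '';
        my ($name, $value) = split /=/, $pair, 2;   # limit 2 keeps '=' inside a value
        $value = '' unless defined $value;
        $value =~ s/\r//g;                           # same CR stripping as the posted code
        push @{ $form{ url_decode($name) } }, url_decode($value);
    }
    return \%form;
}

# Constructed sample POST; the body is served from an in-memory filehandle.
my $body = 'email=a%40example.com&tag=x&tag=y%3D1';
my %fake_env = (REQUEST_METHOD => 'POST', CONTENT_LENGTH => length $body);
open my $fh, '<', \$body or die "open: $!";
my $form = parse_form(\%fake_env, $fh);
for my $name (sort keys %$form) {
    print "$name => ", join(', ', @{ $form->{$name} }), "\n";
}
```

In a real script the handle would be STDIN and the hash %ENV; the in-memory handle here only lets the decoder run offline. The values still need application-specific validation before being passed to anything external, as the last post notes.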