CGI Programming with Perl

Query String Format

When the submit button of a form is clicked,

the form's data is coded into a query string

The query string is sent to the server

• For each widget in the form
  
  
  • The widget name and value are coded as a character string in the form of an assignment statement
  
  
  
  • And included in the query string
  
  
  
  • If the value of a radio button named PoliticalParty is Independent

    PoliticalParty=Independent
    




• For more than one widget in the form, the assignment code are separated by (&) in the querry string

  RadicalTendency=Low&PoliticalParty=Independent
  




• Special Characters in the value of a widget, use the % followed by the special character two-caracter ASCI code, represented as a Hexadecimal,
  
  %21 codes for !



• Blank spaces
  
  
  • The ASCI code for a space is %20
    
    

    RadicalTendency=Low&PoliticalParty=Independent&Hero'sMotto=Die%20and%20Live%20Forever%21
    

  
  
  
  • Some bowsers replace blank with the + sign
    
    

    RadicalTendency=Low&PoliticalParty=Independent&Hero'sMotto=Die+and+Live+Forever%21
    




• The CGI script must change those charactes back to the original values.
  
  

  $query_string =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack("C", hex($1))/eg;
  

  The Perl function pack() takes two parameters. The first parameter indicates the result format, in this case ASCII character. The second parameter specifies the current format of the data.



• The replacing of the + sign back to a space can be accomplished via:

  $name =~ s/[+]/\ $1/g;
  




• Suspicious and suspect characters should also be removed. Text in back quotation in Perl executes Unix commands: `rm *.*`.

  $name =~ s/[;<>\(\)\{\}\*\|'`\&\$!#:"\\]/\ $1/g;
  

  Would remove all suspicious and suspect characters.



• The method attribute of form uses one of two techniques to pass the date to the server
  
  
  1. The default is get
     
     
     • The browser attaches the query string to the URL of the CGI program separated with a ?
     
     
     
     • The server removes the query string and places it in its environment variable QUERY_STRING
     
     
     
     • Some servers place a limit on the length of the URL and truncate any past the limit
     
     
     
     • URL's are easy for network sniffers to find
     
     
     
     • The get method can be used to pass parameters to the server when forms are not involved
  
  
  
  2. The alternative is Post
     
     
     • The query string is passed through standard input to the CGI program
     
     
     
     • The length of the query string is passed through the environment variable CONTENT_LENGTH
     
     
     
     • The post method can only be used to pass parameters to the server when forms are involved