Query String Format
When the submit button of a form is clicked,
the form's data is coded into a query string
The query string is sent to the server
-
For each widget in the form
-
The widget name and value are coded as a character string in the form of an assignment statement
-
And included in the query string
-
For more than one widget in the form, the assignment code are separated by (&) in the querry string
RadicalTendency=Low&PoliticalParty=Independent
-
Special Characters in the value of a widget, use the % followed by the special character two-caracter ASCI code, represented as a Hexadecimal,
%21 codes for !
-
Blank spaces
-
The CGI script must change those charactes back to the original values.
$query_string =~ s/%([\dA-Fa-f][\dA-Fa-f])/pack("C", hex($1))/eg;
The Perl function pack() takes two parameters. The first
parameter indicates the result format, in this case ASCII character. The second
parameter specifies the current format of the data.
-
The replacing of the + sign back to a space can be accomplished via:
$name =~ s/[+]/\ $1/g;
-
Suspicious and suspect characters should also be removed.
Text in back quotation in Perl executes Unix commands: `rm *.*`.
$name =~ s/[;<>\(\)\{\}\*\|'`\&\$!#:"\\]/\ $1/g;
Would remove all suspicious and suspect characters.
-
The method attribute of form uses one of two techniques to pass the date to the server
-
The default is get
-
The browser attaches the query string to the URL of the CGI program separated with a ?
-
The server removes the query string and places it in its environment variable QUERY_STRING
-
Some servers place a limit on the length of the URL and truncate any past the limit
-
URL's are easy for network sniffers to find
-
The get method can be used to pass parameters to the server when forms are not involved
-
The alternative is Post
-
The query string is passed through standard input to the CGI program
-
The length of the query string is passed through the environment variable CONTENT_LENGTH
-
The post method can only be used to pass parameters to the server when forms are involved