cgi-postin - World-Wide Web CGI form data processor.
cgi-postin [ -pTt ] [ -v name ]
The cgi-postin utility processes data generated from a World-Wide Web form. It is a standalone processor that may be run easily from sh, perl, or tcl scripts.

By default, cgi-postin retrieves the form data and emits a short sh(1) script. If this script is evaluated, the shell will create a set of variables, one per form element. The variables will be named after the form element names, and they will be initialized to the associated form element values.

If, for instance, a simple form has two fields called ``name'' and ``address'', cgi-postin will emit the sh(1) commands to create variables called ``name'' and ``address'', and each variable will be initialized to the value given in the form. This can be done by simply saying:

    eval "`cgi-postin`" || exit 1

If an error occurs, cgi-postin emits a complete HTTP document (including a ``Content-type:'' header), and terminates with a non-zero exit status.

The following options are supported.

-p      The variable assignments will use perl(1) syntax. Recommended usage is something similar to:

            eval `cgi-postin -p`;
            exit 1 if $? != 0;

-T      The variable assignments will use tcl(1) syntax. Recommended usage is something similar to:

            eval [exec cgi-postin -T]

-t      Selects ``terse diagnostics'' mode. When an error occurs, a typical Unix error message is emitted rather than an HTTP document.

-v name
        This option almost always should be specified. It is an option only for historical reasons. It is explained below.

The -v option affects how the variables are named. By default, its name argument is used as a prefix on all of the sh(1) variable names. This avoids a serious security problem. Without the prefix, hacked form data could manipulate arbitrary shell environment parameters. (Actually, cgi-postin has some built-in checks to prevent this. Still, always use this option to constrain the namespace that can be scribbled upon.)

When -p (perl mode) or -T (Tcl mode) is specified, the -v option creates an associative array rather than individual (scalar) variables for each form element. The array has the specified name, and the data are stored one form element per array element.

The following table illustrates how this naming scheme works. It shows the variable name that would be associated with a form element called ``query'' for all the various command line invocations.

    command                 variable name
    cgi-postin              $query
    cgi-postin -v CGI       $CGI_query
    cgi-postin -p           $query
    cgi-postin -p -v CGI    $CGI{'query'}
    cgi-postin -T           $query
    cgi-postin -T -v CGI    $CGI(query)
It is dangerous to blindly run a sh(1) ``eval'' command on data provided by the client. This utility takes several precautions to mitigate the danger, and will abort with an error when problems are encountered. The following requirements are enforced:

o  Form element names must be composed of ``safe'' characters (letters, numbers, and underscores).

o  Form element values are quoted to inhibit all side effects in the assignment statement.

o  There are some simple consistency checks on the CGI data stream.
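
The sketch below is an added example, not cgi-postin's source and not code from its author. It shows, in sh(1), how the first two requirements and the -v prefix combine to make the emitted script safe to eval. The function names (sq_quote, emit_assignment, emit_form) are hypothetical, and the name/value pairs are assumed to be URL-decoded already.

```shell
#!/bin/sh
# Added illustration; NOT cgi-postin's source. Inputs are assumed to be
# already URL-decoded name/value pairs. All function names are hypothetical.

# sq_quote VALUE: print VALUE wrapped in single quotes, with each embedded
# single quote rewritten as '\'' so eval sees only a literal string.
sq_quote() {
    sq_q="'" sq_rest=$1 sq_out=
    while :; do
        case $sq_rest in
            *"$sq_q"*)
                sq_out=$sq_out${sq_rest%%"$sq_q"*}$sq_q\\$sq_q$sq_q
                sq_rest=${sq_rest#*"$sq_q"} ;;
            *)  sq_out=$sq_out$sq_rest; break ;;
        esac
    done
    printf "'%s'" "$sq_out"
}

# emit_assignment PREFIX NAME VALUE: print PREFIX_NAME='VALUE', or fail
# if PREFIX or NAME contains anything but letters, digits and underscores.
emit_assignment() {
    case $1 in ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "unsafe variable prefix" >&2; return 1 ;;
    esac
    case $2 in ''|*[!A-Za-z0-9_]*)
        echo "unsafe form element name" >&2; return 1 ;;
    esac
    printf '%s_%s=%s\n' "$1" "$2" "$(sq_quote "$3")"
}

# emit_form PREFIX NAME VALUE [NAME VALUE ...]: buffer every assignment
# and print nothing at all if any single name is rejected.
emit_form() {
    ef_prefix=$1; shift
    ef_out=
    while [ $# -ge 2 ]; do
        ef_line=$(emit_assignment "$ef_prefix" "$1" "$2") || return 1
        ef_out="$ef_out$ef_line
"
        shift 2
    done
    printf '%s' "$ef_out"
}

# Constructed sample input: hostile values and a field named PATH.
script=$(emit_form CGI name "O'Brien" PATH '$(echo injected)') || exit 1
eval "$script"
printf '%s\n' "$CGI_name" "$CGI_PATH"
```

The field named PATH lands in CGI_PATH, so the real PATH is untouched, and the command substitution in its value is stored as literal text rather than executed.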
gn(8), wn(8), httpd(8)
For historical reasons, the -v option is incredibly awkward. In some future release, the behavior when -v is not specified likely will change.

Each form element must have a unique name. Be careful of conflicts, particularly when using ``<INPUT TYPE=checkbox>''.
Chip Rosenthal Unicom Systems Development <chip@unicom.com> https://www.unicom.com/