Programming Forums - View Single Post

mackenga · Mar 22nd, 2007, 5:32 PM

You can do something like:

<A href="cginame?arg=value&arg2=value2">link</A>

which will send a GET request to a Perl CGI script with some options in it. If you were crazy, you could have a CGI that expected to be passed Perl code to run in this way but any user could just tap in the URL of your CGI and pass in some perl of their choice and have your server run it, which is what DaWei was getting at.

The whole idea with CGI is that there's the server side stuff and the client side stuff and the CGIs you provide and what they do with the arguments you pass them allow you to decide what it is possible for the outside world to ask for.

First, understand the divide between the server (trusted) and client (could be any scum and probably will be). Your CGI provides an operation that scum can do outside in the world wide wild west that will cause something to happen in the green and pleasant land of your server. You need to think about the project you're working on and the problem you're trying to solve and figure out what things the browser is going to have to ask the server to do, and how to handle all of those things in a safe way. If your problem seems to require doing a lot of little random snippets of Perl like this instead of a few well defined operations of this kind then you're probably either not thinking about the problem properly, or trying to do something that's just basically inadviseable.

It sounds to me like what you really want to do is probably just use Perl like people use PHP and ASP, with the files on the server looking basically like HTML files with bits of imperative code embedded in them. The difference is that with PHP and ASP, the code is interpreted at the server side and then its output is pumped to the client which is safe (well nothing's safe with ASP but that's another story). This means you never run code that the user might have tampered with and the user doesn't see the code you did run.

Normal Perl CGIs are not done in this style. The idea is that you write a Perl program and that program outputs the (usually HTML most of the time) data that gets shipped to the client by the web server. If you'd like to use Perl in a way that looks and works more like PHP, you might be interested in embperl - google for it and you'll find it. Personally I don't like it - tends to lead to unmaintainable code if you have a lot of it - but a lot of people do and it might suit your purpose.

Hope this helps.

Mar 22nd, 2007, 5:32 PM	#4
mackenga Professional Programmer Join Date: Mar 2005 Location: Glasgow, Scotland Posts: 314 Rep Power: 4	You can do something like: (Toggle Plain Text) <A href="cginame?arg=value&arg2=value2">link</A> <A href="cginame?arg=value&arg2=value2">link</A> which will send a GET request to a Perl CGI script with some options in it. If you were crazy, you could have a CGI that expected to be passed Perl code to run in this way but any user could just tap in the URL of your CGI and pass in some perl of their choice and have your server run it, which is what DaWei was getting at. The whole idea with CGI is that there's the server side stuff and the client side stuff and the CGIs you provide and what they do with the arguments you pass them allow you to decide what it is possible for the outside world to ask for. First, understand the divide between the server (trusted) and client (could be any scum and probably will be). Your CGI provides an operation that scum can do outside in the world wide wild west that will cause something to happen in the green and pleasant land of your server. You need to think about the project you're working on and the problem you're trying to solve and figure out what things the browser is going to have to ask the server to do, and how to handle all of those things in a safe way. If your problem seems to require doing a lot of little random snippets of Perl like this instead of a few well defined operations of this kind then you're probably either not thinking about the problem properly, or trying to do something that's just basically inadviseable. It sounds to me like what you really want to do is probably just use Perl like people use PHP and ASP, with the files on the server looking basically like HTML files with bits of imperative code embedded in them. The difference is that with PHP and ASP, the code is interpreted at the server side and then its output is pumped to the client which is safe (well nothing's safe with ASP but that's another story). This means you never run code that the user might have tampered with and the user doesn't see the code you did run. Normal Perl CGIs are not done in this style. The idea is that you write a Perl program and that program outputs the (usually HTML most of the time) data that gets shipped to the client by the web server. If you'd like to use Perl in a way that looks and works more like PHP, you might be interested in embperl - google for it and you'll find it. Personally I don't like it - tends to lead to unmaintainable code if you have a lot of it - but a lot of people do and it might suit your purpose. Hope this helps. __________________ "I'm not a genius. Why do I have to suffer?"