ch05_01.htm

用perl编写CGI的好书。本书从解释CGI和底层HTTP协议如何工作开始

<?label 5. CGI.pm?><html><head><title>CGI.pm (CGI Programming with Perl)</title><link href="../style/style1.css" type="text/css" rel="stylesheet" />

<meta name="DC.Creator" content="Scott Guelich, Gunther Birznieks and Shishir Gundavaram" /><meta scheme="MIME" content="text/xml" name="DC.Format" /><meta content="en-US" name="DC.Language" /><meta content="O'Reilly & Associates, Inc." name="DC.Publisher" /><meta scheme="ISBN" name="DC.Source" content="1565924193L" /><meta name="DC.Subject.Keyword" content="stuff" /><meta name="DC.Title" content="CGI Programming with Perl" /><meta content="Text.Monograph" name="DC.Type" />

</head><body bgcolor="#ffffff">

<img src="gifs/smbanner.gif" alt="Book Home" usemap="#banner-map" border="0" /><map name="banner-map"><area alt="CGI Programming with Perl" href="index.htm" coords="0,0,466,65" shape="rect" /><area alt="Search this book" href="jobjects/fsearch.htm" coords="467,0,514,18" shape="rect" /></map>

<div class="navbar"><table border="0" width="515"><tr><td width="172" valign="top" align="left"><a href="ch04_03.htm"><img src="../gifs/txtpreva.gif" alt="Previous" border="0" /></a></td><td width="171" valign="top" align="center"><a href="index.htm">CGI Programming with Perl</a></td><td width="172" valign="top" align="right"><a href="ch05_02.htm"><img src="../gifs/txtnexta.gif" alt="Next" border="0" /></a></td></tr></table></div>
<hr align="left" width="515" />



<h1 class="chapter">Chapter 5. CGI.pm</h1>
<div class="htmltoc"><h4 class="tochead">Contents:</h4><p>
<a href="ch05_01.htm">Overview</a><br>
<a href="ch05_02.htm">Handling Input with CGI.pm</a><br>
<a href="ch05_03.htm">Generating Output with CGI.pm</a><br>
<a href="ch05_04.htm">Alternatives for Generating Output</a><br>
<a href="ch05_05.htm">Handling Errors</a><br></p></div>



<p>The<a name="INDEX-936" />
<a name="INDEX-937" />
CGI.pm module has become the standard tool for creating CGI scripts
in Perl. It provides a simple interface for most of the common CGI
tasks. Not only does it easily parse input parameters, but it also
provides a clean interface for outputting headers and a powerful yet
elegant way to output HTML code from your scripts.</p>


<p>We will cover most of the basics here and will revisit CGI.pm later
to look at some of its other features when we discuss other
components of CGI programming. For example, CGI.pm provides a simple
way to read and write to browser cookies, but we will wait to review
that until we get to our discussion about maintaining state, in <a href="ch11_01.htm">Chapter 11, "Maintaining State"</a>.</p>


<p>If after reading this chapter you are interested in more information,
the author of CGI.pm has written an entire book devoted to it:
<em class="citetitle">The Official Guide to Programming with CGI.pm</em> by Lincoln
Stein ( John Wiley &amp; Sons).</p>


<p>Because CGI.pm offers so many methods, we'll organize our
discussion of CGI.pm into three parts: handling input, generating
output, and handling errors. We will look at ways to generate output
both with and without CGI.pm. Here is the structure of our chapter:</p>


<ul><li><p>Handling Input with CGI.pm</p>


<ul>
<li><p><em class="emphasis">Information about the environment</em>. CGI.pm has
methods that provide information that is similar, but somewhat
different from the information available in <tt class="literal">%ENV</tt>.</p></li>
<li><p><em class="emphasis">Form input</em>. CGI.pm automatically parses
parameters passed to you via HTML forms and provides a simple method
for accessing these parameters.</p></li>
<li><p><em class="emphasis">File uploads</em>. CGI.pm allows your CGI script to
handle HTTP file uploads easily and transparently.</p></li></ul></li>

<li><p>Generating Output with CGI.pm</p>


<ul><li><p><em class="emphasis">Generating headers</em>. CGI.pm has methods to help
you output HTTP headers from your CGI script.</p></li>
<li><p><em class="emphasis">Generating HTML</em>. CGI.pm allows you to generate
full HTML documents via corresponding method calls.</p></li></ul></li>

<li><p>Alternatives for Generating Output</p>


<ul><li><p><em class="emphasis">Quoted HTML and here documents.</em> We will compare
alternative strategies for outputting HTML.</p></li></ul></li>

<li><p>Handling Errors</p>


<ul><li><p><em class="emphasis">Trapping die.</em> The standard way to handle errors
with Perl, <tt class="function">die</tt>, does not work cleanly with CGI.</p></li>

<li><p><em class="emphasis">CGI::Carp.</em> The CGI::Carp module distributed with
CGI.pm makes it easy to trap <tt class="function">die</tt> and other error
conditions that may kill your script.</p></li>
<li><p><em class="emphasis">Custom solutions.</em> If you want more control when
displaying errors to your users, you may want to create a custom
subroutine or module.</p></li></ul></li></ul>

<p>Let's start with a general overview of CGI.pm.</p>










<div class="sect1"><a name="ch05-92399" />
<h2 class="sect1">5.1. Overview</h2>


<p>CGI.pm requires Perl 5.003_07 or higher and has been included with
the standard Perl distribution since 5.004. You can check which
version of Perl you are running with the
<a name="INDEX-938" /><em class="emphasis">-v</em> option:</p>


<blockquote><pre class="code">$ perl -v

This is perl, version 5.005

Copyright 1987-1997, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5.0 source kit.</pre></blockquote>


<p>You can verify whether CGI.pm is installed and which version by doing
this:</p>


<blockquote><pre class="code">$ perl -MCGI -e 'print "CGI.pm version $CGI::VERSION\n";'
CGI.pm version 2.56</pre></blockquote>


<p>If you get something like the following, then you do not have CGI.pm
installed, and you will have to download and install it. <a href="appb_01.htm">Appendix B, "Perl Modules"</a>, explains how to do this.</p>


<blockquote><pre class="code">
Can't locate CGI.pm in @INC (@INC contains:  /usr/lib/perl5/i386-linux/5.005 /usr/
lib/perl5 /usr/lib/perl5/site_perl/i386-linux /usr/lib/perl5/site_perl .).
BEGIN failed--compilation aborted.</pre></blockquote>


<p>New <a name="INDEX-939" />versions of CGI.pm are released
regularly, and most releases include bug fixes.<a href="#FOOTNOTE-6">[6]</a> We therefore
recommend that you install the latest version and monitor new
releases (you can find a version history at the bottom of the
<em class="filename">cgi_docs.html</em> file distributed with CGI.pm).
This chapter discusses features introduced as late as 2.47.</p><blockquote>

<a name="FOOTNOTE-6" /><p>[6]These
are not necessarily bugs in CGI.pm; CGI.pm strives to maintain
compatibility with new servers and browsers that sometimes include
buggy, or at least nonstandard, code.</p>

</blockquote>


<a name="ch05-33739" /><div class="sect2">
<h3 class="sect2">5.1.1. Denial of Service Attacks</h3>


<p>Before we get started, you should make a minor change to your copy of
CGI.pm. CGI.pm handles HTTP
<a name="INDEX-940" /> <a name="INDEX-941" />
<a name="INDEX-942" />file uploads and
automatically saves the contents of these uploads to temporary files.
This is a very convenient feature, and we'll talk about this
later. However, file uploads are enabled by default in CGI.pm, and it
does not impose any limitations on the size of files it will accept.
Thus, it is possible for someone to upload multiple large files to
your web server and fill up your disk.</p>


<p>Clearly, the vast majority of your CGI scripts do not accept file
uploads. Thus, you should disable this feature and enable it only in
those scripts where you wish to use it. You may also wish to limit
the size of <a name="INDEX-943" />POST requests, which includes file uploads
as well as standard forms submitted via the POST method.</p>


<p>To make these changes, locate CGI.pm in your Perl libraries and then
search for text that looks like the following:</p>


<blockquote><pre class="code"># Set this to a positive value to limit the size of a POSTing
# to a certain number of bytes:
$POST_MAX = -1;

# Change this to 1 to disable uploads entirely:
$DISABLE_UPLOADS = 0;</pre></blockquote>


<p>Set <tt class="literal">$DISABLE_UPLOADS</tt> to 1. You may wish to set
<tt class="literal">$POST_MAX</tt> to a reasonable upper bound as well,
such as 100KB. POST requests that are not file uploads are processed
in memory, so restricting the size of POST requests avoids someone
submitting multiple large POST requests that quickly use up available
memory on your server. The result looks like this:</p>


<blockquote><pre class="code"># Set this to a positive value to limit the size of a POSTing
# to a certain number of bytes:
$POST_MAX = 102_400;  # 100 KB

# Change this to 1 to disable uploads entirely:
$DISABLE_UPLOADS = 1;</pre></blockquote>


<p>If you then want to enable uploads and/or allow a greater size for
POST requests, you can override these values in your script by
setting <tt class="literal">$CGI::DISABLE_UPLOADS</tt> and
<tt class="literal">$CGI::POST_MAX</tt> after you use the CGI.pm module,
but before you create a CGI.pm object. We will look at how to receive
file uploads later in this chapter.</p>


<p>You may need special permission to update your CGI.pm file. If your
system administrator for some reason will not make these changes,
then you must disable file uploads and limit POST requests on a
script by script basis. Your <a name="INDEX-944" />scripts should begin like this:</p>


<blockquote><pre class="code">#!/usr/bin/perl -wT

use strict;