CGI programs are usually written in languages such as C/C++, Perl, and PHP. CGI scripts written in Perl or PHP can be executed regardless of the kind of server, but a program written in C/C++ needs an executable built for the server's platform unless you compile the program yourself. Various kinds of CGI are used when web sites are constructed. Thus, identify the kind of server you are using as follows:

    $ uname -a
    SunOS sun 5.5.1 Generic_103640-14 ...
    (SunOS 5.5.1 = Solaris 2.5.1)

    $ uname -a
    FreeBSD freebsd.nobreak.com 2.2.8-STABLE ...
    (FreeBSD 2.2.8)

The most widely used operating systems are Solaris, FreeBSD, and GNU/Linux. For products that depend on the system platform, use the files built for the platform of your server.
CGIWrap is a program that sits between the web server and CGI so that a user's CGI runs not with the web server's uid/gid but with the user's uid/gid. Since Unix systems are basically multi-user environments, they use the concepts of uid (User ID) and gid (Group ID) to limit the range of privileges among users.
Isn't it a big problem if anyone can modify the important files of the system? Because the web servers, which pump your home pages onto the Internet, are also operated with specific uid/gid, the called CGI is executed not by your uid but by the web server's uid. For example, suppose there is a phone directory CGI named 'phone.cgi'. This CGI is implemented to add the contents to the phone.txt file once it receives names and phone numbers.
If the web server runs as nobody/nobody, and your uid/gid is nobreak/power, which one is going to be the owner of the phone.txt file that is created when the CGI is executed? When CGIWrap is not used, the owner is nobody/nobody, the web server's uid/gid. Then you are not able to modify or delete the phone.txt file from the shell, are you?
This is the very reason why CGIWrap was developed. If CGIWrap is used, phone.cgi is executed with the user's privileges, and phone.txt is created as nobreak/power. However, in order for CGIWrap to be used, the CGI must be located in a specified directory. There are also cumbersome matters, such as permissions being limited, when CGIWrap is used. Link as follows when using CGIWrap:

    http://domain name/cgi-bin/cgiwrap/userID/CGI file
    /cgi-bin/cgiwrap/nobreak/phone.cgi

Note that you must place the CGI in the specified location (public_html/cgi-bin) for CGIWrap to find it. Since the location may vary depending on the system, refer to the service guide of the pertinent ISP.
You do not have to use CGIWrap in order to execute CGI with your uid/gid. Adjust the CGI permission to 6755 as follows:

    $ chmod 6755 phone.cgi
    $ ls -al
    -rwsr-sr-x 1 nobreak power 148526 Jan 4 04:12 phone.cgi

The 6755 permission means 'execution + set-uid + set-gid'. The set-uid/set-gid bit signifies that, when the file is executed, the uid/gid of the file itself is used instead of the privilege of the calling process. Thus, since the owner of the file is nobreak/power, the CGI is executed as nobreak/power even when the web server (nobody/nobody) is calling it. And phone.txt is also created as nobreak/power. In this case, link to it like an ordinary HTML file.
NOTE: This method does not apply to Perl or shell scripts. It only applies to programs that are written in C/C++ and thus can be executed independently. This is because a script written in Perl (perlphone.cgi) is actually executed as 'perl perlphone.cgi', so perlphone.cgi is interpreted only as a source file. The set-uid bit assigned to source files has no meaning. It is perl itself whose bits have a meaning.
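The following audit is an added example, not part of the original page: it walks a CGI directory and reports every file carrying the set-uid/set-gid bits described above, separating compiled programs from interpreted scripts, where the NOTE says the bit has no meaning. The function names and the "#!" test for scripts are assumptions made for this example.

```python
import os
import stat

def classify_cgi(mode, head):
    """Return a finding for one file from its st_mode and first two bytes, else None."""
    bits = [name for flag, name in ((stat.S_ISUID, "set-uid"), (stat.S_ISGID, "set-gid"))
            if mode & flag]
    if not stat.S_ISREG(mode) or not bits:
        return None
    label = "+".join(bits)
    if head.startswith(b"#!"):
        # Script run through an interpreter: per the NOTE above the bit means nothing here.
        return label + " on interpreted script: bit has no effect"
    # Compiled program: every caller, including the web server, runs it as the file's identity.
    return label + " on executable: runs with the file's identity, not the caller's"

def audit_cgi_dir(path):
    """Walk path; map each set-uid/set-gid regular file to its finding and owner."""
    findings = {}
    for root, _dirs, files in os.walk(path):
        for fname in files:
            full = os.path.join(root, fname)
            st = os.lstat(full)                      # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            try:
                with open(full, "rb") as fh:
                    head = fh.read(2)
            except OSError:
                head = b""                           # unreadable: treat as non-script
            finding = classify_cgi(st.st_mode, head)
            if finding:
                findings[os.path.relpath(full, path)] = "%s (uid=%d gid=%d)" % (
                    finding, st.st_uid, st.st_gid)
    return findings

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, finding in sorted(audit_cgi_dir(target).items()):
        print(name, "->", finding)
```

Run it against public_html/cgi-bin: every "on executable" line is a program that any caller, the web server included, runs as the listed owner.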
The biggest difference between general application programs and CGI programs is that information is not maintained between requests. Cookies are a system that stores information in clients (browsers) and retransmits the stored information to servers when a specific URL is requested. When you go to post on a bulletin board again, the mechanism that automatically displays your name and e-mail address is a function of cookies. The shopping carts of shopping malls also use it.
A cookie was developed to overcome the limitations of the Web. In case of the HTTP protocol, the protocol used for communications, only one-way information is considered since it is focused on hypertext that travels around the information links. And it is designed to be non-connection-oriented so that it can travel around fast while reducing traffic.
Accordingly, unlike telnet and ftp, there is no need for initialization work for connections between server and client. And servers are connected whenever there is a connection request. Although this may not seem to be efficient, it cuts off traffic very efficiently on the Web. Suppose a network accommodates 10 bytes, and a connection is 1 byte. Then, only up to 10 people will be able to use the Internet if the Web is operated by telnet. But actually, since the Web uses resources only when it transmits/receives information, more people can use the Internet at the same time.
But in this case, the link between the new connection and the previous connection gets lost. Thus, a cookie has been devised as a means to store needed past information.
SSI stands for "Server Side Include". In a sense, it is similar to CGI in that it is non-static processed data. SSI refers to the Web servers' preprocessing an agreed symbol on a document before a requested HTML document is transmitted.
Suppose there are 100 documents in a company's home page, and there is the link of "Product, Download, Contact" on top of all the documents. If "Product" needs to be modified to "Products", should all the 100 documents be modified? In general, they should. However, if SSI is used, the change can be made simply.
Write "Product, ...." in the file of 'titlelink.html'. And then, include the following line in all the documents:
The web server interprets HTML documents before transmission, inserts the contents of titlelink.html, and then delivers the result. Thus, the 100 documents get modified instantly. '<!--#......-->' is not a comment. It is an SSI agreed symbol.
The following is an example that shows how to display today's date, the name of the current document, and the last-modified date.
Today is <!--#config timefmt="%m/%d %Y"--><!--#echo var="DATE_LOCAL"-->, This document, <!--#echo var="DOCUMENT_NAME" -->, was last modified at <!--#config timefmt="%m/%d %Y(%H:%M:%S)"--><!--#echo var="LAST_MODIFIED"-->.
It will appear as follows:
Today is 07/06 2008, This document, newbies.qsp, was last modified at 07/22 2001(00:00:00).
The output of CGI programs and of system commands can also be included.

    <!--#include virtual="/cgi-bin/CrazyWWWBoard.cgi?db=test"-->
    <!--#exec cmd="/bin/ls /home"-->

SSI documents usually have the extension of .shtml. Make a file like test.shtml and check to see if it supports SSI. SSI is useful and convenient for the management of the Web sites.
NOTE: The above example works precisely with the NCSA and Apache web servers. Its operation may vary to some extent with other servers.
Uploaded files are transmitted to the server side using the 'multipart/form-data' encoding. The following is an example of HTML tagging.
In case it is specified as 'multipart/form-data' as below, the data arriving on standard input (stdin), shown as follows, should be interpreted using the boundary separator string, which can be taken from the environment variable 'CONTENT_TYPE'.

    Environment variable: CONTENT_TYPE
    multipart/form-data; boundary=---------------------------16079141025132

    STDIN
    -----------------------------16079141025132
    Content-Disposition: form-data; name="filename"

    index.html
    -----------------------------16079141025132
    Content-Disposition: form-data; name="binary"; filename="X:\public_html\index.html"
    Content-Type: text/html

    Data Here
    -----------------------------16079141025132--

NOTE: Each section is separated by adding "--" before the boundary character string acquired from the environment variable. The end of the data is marked by the boundary that has "--" both before and after it.
Each variable received by stdin can be interpreted in the order of '--boundary' -> variable name -> CR + LF -> variable value, and with regard to the variable values, special characters (Hangul and control characters) are transmitted without transformation unlike in the URL encoding method.
When the files to be uploaded are not registered in Mimetype, the 'Content-Type: Mimetype' line is not displayed.
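As an added example (not code from the original page), the parser below splits a multipart/form-data body on the boundary taken from CONTENT_TYPE and reduces the client-supplied filename, which in the request above carries a full client-side path, to a bare name before it is used on the server. The function names, the allow-list of filename characters and the sample request (constructed to mirror the one shown above) are assumptions of this example.

```python
import re

def safe_filename(client_name):
    """Reduce a client-supplied filename to a bare name safe to store under an upload dir."""
    base = re.split(r"[\\/]", client_name)[-1]        # drop "X:\dir\" or "../dir/" prefixes
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).lstrip(".")  # allow-list, no dot-files
    if not base:
        raise ValueError("unusable filename: %r" % client_name)
    return base

def parse_multipart(content_type, body):
    """Parse a multipart/form-data request body (bytes) using the CONTENT_TYPE boundary."""
    m = re.match(r'multipart/form-data;\s*boundary="?([^";]+)"?', content_type, re.I)
    if not m:
        raise ValueError("CONTENT_TYPE is not multipart/form-data with a boundary")
    delim = b"\r\n--" + m.group(1).encode("ascii")    # each delimiter is "--" + boundary
    parts, closed = [], False
    for chunk in (b"\r\n" + body).split(delim)[1:]:   # [0] is the (empty) preamble
        if chunk.startswith(b"--"):                   # boundary + "--" ends the body
            closed = True
            break
        head, sep, value = chunk.partition(b"\r\n\r\n")  # headers, blank line, raw value
        name = re.search(r'\bname="([^"]*)"', head.decode("latin-1"))
        fname = re.search(r'\bfilename="([^"]*)"', head.decode("latin-1"))
        if not chunk.startswith(b"\r\n") or not sep or not name:
            raise ValueError("malformed part")
        parts.append({
            "name": name.group(1),
            "client_filename": fname.group(1) if fname else None,
            "filename": safe_filename(fname.group(1)) if fname else None,
            "value": value,                           # raw bytes, not URL-decoded
        })
    if not closed:
        raise ValueError("closing boundary missing (truncated upload?)")
    return parts

# Constructed sample modelled on the request shown above.
BOUNDARY = "-" * 27 + "16079141025132"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = (
    "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="filename"\r\n\r\n'
    "index.html\r\n--" + BOUNDARY + "\r\n"
    'Content-Disposition: form-data; name="binary"; filename="X:\\public_html\\index.html"\r\n'
    "Content-Type: text/html\r\n\r\nData Here\r\n--" + BOUNDARY + "--\r\n"
).encode("latin-1")

if __name__ == "__main__":
    for part in parse_multipart(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(part)
```

In a real CGI the body would be read from stdin up to CONTENT_LENGTH bytes; the stored name should always be the reduced `filename`, never `client_filename`.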