CGI Tutorials

Processing Forms and Sending Mail

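Most forms you create will send their data using the POST method. POST is more secure than GET in one respect: the data isn’t sent as part of the URL, so it doesn’t end up in browser history, bookmarks, or server access logs. (It still crosses the network unencrypted unless the form is submitted over HTTPS.) You can also send more data with POST. Also, your browser, web server, or proxy server may cache GET queries, but posted data is resent each time.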

Your web browser, when sending form data, encodes the data being sent. Alphanumeric characters are sent as themselves; spaces are converted to plus signs (+); other characters — like tabs, quotes, etc. — are converted to “%HH” — a percent sign and two hexadecimal digits representing the ASCII code of the character. This is called URL encoding.

In order to do anything useful with the data, your program must decode these. Fortunately the CGI.pm module does this work for you. You access the decoded form values the same way you did with GET:

$value = param('fieldname');

So you already know how to process forms! You can try it now by changing your getform.html form to method="POST" (rather than method="GET"). You’ll see that it works identically whether you use GET or POST. Even though the data is sent differently, CGI.pm handles it for you automatically.

The Old Way of Decoding Form Data
Before CGI.pm was bundled with Perl, CGI programmers had to write their own form-parsing code. If you read some older CGI books (including the first edition of this book), or if you’re debugging old code, you’ll probably encounter the old way of decoding form data. Here’s what it looks like:

read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
@pairs = split(/&/, $buffer);
foreach $pair (@pairs) {
    ($name, $value) = split(/=/, $pair);
    $value =~ tr/+/ /;
    $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
    $FORM{$name} = $value;
}

This code block reads the posted form data from standard input, loops through the fieldname=value fields in the form, and uses the pack function to do URL-decoding. Then it stores each fieldname/value pair in a hash called %FORM.

This code is deprecated and should be avoided; use CGI.pm instead. If you want to upgrade an old program that uses the above code block, you can replace it with this:

my %FORM;
foreach my $field (param()) {
    $FORM{$field} = param($field);
}

Or you could use the Vars function:

use CGI qw(:standard Vars);
my %FORM = Vars();

Either method will replace the old form-parsing code, although keep in mind that this will not work if your form has multiple fields with the same name. We’ll look at how to handle those in the next chapter.
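
The caveat above about repeated field names, along with two other differences between the old decoder and CGI.pm, shown on one constructed request body. This is an added example, not code from the tutorial; it assumes CGI.pm 4.08 or later (for multi_param), and the sample body and the old_decode wrapper are made up for illustration.

```perl
#!/usr/bin/perl
# Added example (not from the tutorial): old decoder vs. CGI.pm on one body.
use strict;
use warnings;
use CGI;    # assumption: CGI.pm 4.08+ from CPAN, which provides multi_param

# Constructed sample body: a repeated field, a URL-encoded field name,
# and a value with a raw "=" (possible in a hand-built request).
my $body = 'color=red&color=blue&user%5Fname=Al+Smith&note=a=b';

# The old decoder shown earlier, wrapped in a sub and made strict-clean.
sub old_decode {
    my ($buffer) = @_;
    my %FORM;
    foreach my $pair (split /&/, $buffer) {
        # No split limit beyond the two variables: text after a second "=" is dropped.
        my ($name, $value) = split /=/, $pair;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        # The field name is never decoded, and a repeated name overwrites.
        $FORM{$name} = $value;
    }
    return %FORM;
}

my %old   = old_decode($body);
my $q     = CGI->new($body);    # CGI.pm parsing the same string
my %vars  = $q->Vars;           # repeated values are joined with "\0"
my @names = $q->param;          # no arguments: returns the field names

print "old decoder keys : ", join(', ', sort keys %old), "\n";
print "CGI.pm names     : ", join(', ', sort @names), "\n";
print "old color        : $old{color}\n";
print "param('color')   : ", scalar $q->param('color'), "\n";
print "multi_param      : ", join(', ', $q->multi_param('color')), "\n";
print "Vars() color     : ", join(', ', split /\0/, $vars{color}), "\n";
print "old note         : $old{note}\n";
print "CGI.pm note      : ", scalar $q->param('note'), "\n";
```

In scalar context param('color') returns only the first value, which is why the %FORM loop above loses repeated fields.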

Guestbook Form
One of the first CGI programs you’re likely to want to add to your website is a guestbook program, so let’s start writing one. First create your HTML form. The actual fields can be up to you, but a bare minimum might look like this:


Your Name:

Email Address:

Comments:






Source code: http://www.cgi101.com/book/ch4/guestbook1.html
(Stylistically it’s better NOT to include a “reset” button on forms like this. It’s unlikely the visitor will want to erase what they’ve typed, and more likely they’ll accidentally hit “reset” instead of “send”, which can be an aggravating experience. They may not bother to re-fill the form in such cases.)

Now you need to create post.cgi. This is nearly identical to the get.cgi from last chapter, so you may just want to copy that program and make changes:

Program 4-1: post.cgi – Form Processing Program Using POST

——————————————————————————–

#!/usr/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;

print header;
print start_html("Thank You");
print h2("Thank You");

my %form;
foreach my $p (param()) {
    $form{$p} = param($p);
    # Field names and values come from the visitor, so HTML-escape them
    # before writing them into the page.
    print escapeHTML("$p = $form{$p}"), "<br>\n";
}
print end_html;


CGI Environment Variables

Environment variables are a series of hidden values that the web server sends to every CGI program you run. Your program can parse them and use the data they send. Environment variables are stored in a hash named %ENV:

Key               Value
DOCUMENT_ROOT     The root directory of your server
HTTP_COOKIE       The visitor’s cookie, if one is set
HTTP_HOST         The hostname of the page being attempted
HTTP_REFERER      The URL of the page that called your program
HTTP_USER_AGENT   The browser type of the visitor
HTTPS             “on” if the program is being called through a secure server
PATH              The system path your server is running under
QUERY_STRING      The query string (see GET, below)
REMOTE_ADDR       The IP address of the visitor
REMOTE_HOST       The hostname of the visitor (if your server has reverse-name-lookups on; otherwise this is the IP address again)
REMOTE_PORT       The port the visitor is connected to on the web server
REMOTE_USER       The visitor’s username (for .htaccess-protected pages)
REQUEST_METHOD    GET or POST
REQUEST_URI       The interpreted pathname of the requested document or CGI (relative to the document root)
SCRIPT_FILENAME   The full pathname of the current CGI
SCRIPT_NAME       The interpreted pathname of the current CGI (relative to the document root)
SERVER_ADMIN      The email address for your server’s webmaster
SERVER_NAME       Your server’s fully qualified domain name (e.g. www.cgi101.com)
SERVER_PORT       The port number your server is listening on
SERVER_SOFTWARE   The server software you’re using (e.g. Apache 1.3)

Some servers set other environment variables as well; check your server documentation for more information. Notice that some environment variables give information about your server, and will never change (such as SERVER_NAME and SERVER_ADMIN), while others give information about the visitor, and will be different every time someone accesses the program.

Not all environment variables get set. REMOTE_USER is only set for pages in a directory or subdirectory that’s password-protected via a .htaccess file. (See Chapter 20 to learn how to password protect a directory.) And even then, REMOTE_USER will be the username as it appears in the .htaccess file; it’s not the person’s email address. There is no reliable way to get a person’s email address, short of asking them for it with a web form.

You can print the environment variables the same way you would any hash value:

print "Caller = $ENV{HTTP_REFERER}\n";

Let’s try printing some environment variables. Start a new file named env.cgi:

Program 3-1: env.cgi – Print Environment Variables Program

——————————————————————————–

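#!/usr/bin/perl -wT
use strict;
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);

print header;
print start_html("Environment");

foreach my $key (sort(keys(%ENV))) {
    # Several of these values are taken from the visitor's request,
    # so HTML-escape each line before printing it.
    print escapeHTML("$key = $ENV{$key}"), "<br>\n";
}

print end_html;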

——————————————————————————–
Source code: http://www.cgi101.com/book/ch3/env-cgi.html
Working example: http://www.cgi101.com/book/ch3/env.cgi
Save the file, chmod 755 env.cgi, then try it in your web browser. Compare the environment variables displayed with the list on the previous page. Notice which values show information about your server and CGI program, and which ones give away information about you (such as your browser type, computer operating system, and IP address).

Let’s look at several ways to use some of this data.

Referring Page
When you click on a hyperlink on a web page, you’re being referred to another page. The web server for the receiving page keeps track of the referring page, and you can access the URL for that page via the HTTP_REFERER environment variable. Here’s an example:

Program 3-2: refer.cgi – HTTP Referer Program

——————————————————————————–

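#!/usr/bin/perl -wT
use CGI qw(:standard);
use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
use strict;

print header;
print start_html("Referring Page");

# HTTP_REFERER is taken from the visitor's request and may be missing,
# so default it to an empty string and HTML-escape it before output.
my $referer = escapeHTML($ENV{HTTP_REFERER} || '');
print "Welcome, I see you've just come from $referer!<p>\n";

print end_html;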

