Reviewed by Donald Bryson

By Jeffry Dwight, Michael Erwin and Robert Niles
779 pages. 20 pages of contents; Appendix; 32 pages of index
ISBN 0-789 7-1139-7, paperback $49.99

Here's a Web page of source code, programs, and examples from the book .

Available at a discount from Amazon.com on this page

Technical Level: computing -- professional, subject -- experienced
Information: concepts: good; practice: good
Readability: textbook: good; reference: good
Summary: A general overview of the theory, tools, and techniques of CGI (Common Gateway Interface). There is a survey of the various tools available for Windows, UNIX, and Apple.

Publisher:
Que Corporation
201 W. 103rd Street, Indianapolis, Indiana 46290
http://www.mcp.com/que

REVIEW

I have a confession, while I've programmed on UNIX systems for years and even designed a Web site, CGI has been a dark art best left to the mystical Internet Illumina ti. However, the winds of change are blowing. SCO (Santa Cruz Operation) is telling commercial developers to move our programs to a Web-based user interface. While that's good sound marketing advice, it's like telling Sir Lancelot to grab a gun because the blacksmith just invented the musket. It's obvious advice that's usually resisted at first.

Well, I'm resisting no longer. I've decided to no longer grope in the dark ages of terminal emulators and curses routines. I'm jumping onto the Webtop with both feet and Using CGI is a good book to ease the landing. It has answered most of my questions and left me with an excitement to learn more. It explains general principles, shows possibilities, defines terms, and cautions against those special problems associated with CGI.

So, what did I learn about CGI? It's not so dark and mysterious. CGI works because it is a very simple interface. CGI gets its input from both environment variables and standard input. It then writes output to standard output. That sounds like an exercise from the first chapter of an introductory C programming book. Using CGI breaks this process down to ten basic steps:

1. Your browser decodes the first part of the URL and contacts the server.
2. Your browser supplies the remainder of the URL to the server.
3. The server translates the URL into a path and file name.
4. The server realizes that the URL points to a program instead of a static file.
5. The server prepares the environment and launches the CGI program.
6. The CGI program reads the environment variables and STDIN.
7. Next, the CGI writes the proper MIME headers to STDOUT for the forthcoming content.
8. Then the CGI sends the rest of its output to STDOUT and terminates.
9. The server notices that the CGI program has finished and closes the connection to your browser.
10. Your browser displays the output from the script.

Of course, step eight could include other processing by the CGI. For instance, it may write a log file to disk, or invoke an external program, like sendmail, to deliver an email message.

The authors treat the subjects of security, testing, and error handling exceptionally well. They strongly exhort us to always validate input. Why? With a compiled CGI program (for instance, C, C++, assembler), crackers can overflow input buffers in order to push machine instructions into the instruction space. Even a simple shell script can be coiled into an asp if you don't validate its input. Consider a script that prompts the user for a file name to cat the file. Wouldn't it ruin your day when someone enters:

file.txt;rm -rf /

The book also contains several good examples of someone gaining unauthorized access to sensitive files by typing full path names instead of the relative file name the programmer expected. There is a big difference between someone typing ``products.txt'' and ``/etc/pa sswd''. The authors also remind us that PostScript is a full-featured programming language that can be maliciously misused. For instance, the PostScript operators ``deletefile'' and ``renamefile'' are obvious problems. You should always use a helper application that doesn't allow potentially harmful operations, like GNU Ghostscript 2.6.1 (or a later version).

Testing is discussed in an experienced manner with sound programming advice. For example, ``play dumb'' when testing your own code. Forget how the program should be used and enter the ridiculous. Eventually, someone will do that and you should be the first to see what happens.

My favorite quote, which now hangs in my office, is on error handling:

How you detect errors in your code can be a good reflection about how you approach life: The foolishly bold simply ignore error checking, on the assumption that things can't possibly go wrong. The optimistic may check for errors, but figure that the odds of them actual ly happening are small enough to not require much effort or explanation. The pessimistic -- though no fun at parties -- often write the best code, not only checking for errors, but also individually identifying each for easy tracking. When you're programming CGI scripts, the worse your outlook is, the better your code will be.

Strong Points

• The writing is clear, concise, and entertaining.
• The book has a sharp focus. With the exception of the unnecessary chapter on video, everything relates to the subject.
• The book is full of links to useful sites.

Weak Point

• Although, various contributors to this book compare the various languages and operating systems, a good overview comparison is missing.

Do you need a good introduction to CGI? This book is for you.

Abridged Table of Contents:

Introduction to the Second Edition

I: CGI Fundamentals

• Cha pter 1: Introducing CGI
• CGI and the World Wide Web
• Beyond HTML with CGI
• How CGI Works
• Where CGI Scripts Live
• CGI Server Requirements
• The Future of CGI Scripting
• Chapter 2: Choosing Your CGI Tools
• Interpreted Scripting Languages
• Compiled Languages
• Modern Interpreted Scripting Languages
• Picking the Best Languages for Your Environment

II CGI Application Development

• Chapter 3: Designing CGI Applications
• CGI Script Structure
• Planning Your Script
• Standard CGI Environment Variables
• CGI Script Portability
• CGI Libraries
• CGI Limitations
• Chapter 4: Understanding Basic CGI Elements
• CGI Behind the Scenes
• Environment Variables: Information for the Taking
• Dealing with URL-Encoded Information
• Use Your Header
• Returning Outp ut to the Users
• Chapter 5: Using HTML and CGI as a User Interface
• Integrating CGI into Your HTML Pages
• Creating the Marketing Questionnaire
• The Good, the Bad, and the Ugly

III CGI Programming Examples and Server Configuration

• Chapter 6: Examples of Simple CGI Scripts
• E-Mail Gateways
• Feedback or Comment Scripts
• A Visitor Guest Book Script
• Page-Hit Counters
• Web-Based Bulletin-Board Systems
• Web-Based Games
• News Gateways, HyperNews, and WWWNNTP
• A Simple Guestbook Script Using C
• Chapter 7: Scripts for Form Processing
• Secure Form Transactions
• Configuring CGI with the NCSA Server
• Configuring the CERN HTTP Server for CGI
• Configuring Netscape for CGI
• Configuring CGI for Windows for NT or Windows 95
• Order Processing via Mail
• Managing Web Site Subscrip tions
• Using .htacess
• Creating the Registration Script
• Setting Up the Registration Page
• Creating a More Complex Guestbook
• Analyzing SGB1's Strengths and Weaknesses
• Creating a Separate Entry Form
• Collecting a Separate Entry Form
• Reversing the Display Order
• Adding Navigational Aids
• Making the Guestbook Configurable
• Configuring MacOS Web Servers for CGI
• Chapter 8: Modifying CGI Scripts
• Installing and Modifying a Guestbook CGI Script
• Defining System Variables
• Setting Guestbook Script Options
• E-Mail Notification
• Guestbook CGI Log File
• Adding E-Mail Address Linking
• Entries Separation Styles
• Handling URL Auto-Redirection
• Visitor's HTML Entry Order
• Sending an E-Mail Thank You
• To Allow or Not to Allow HTML Tags
• Handling Line Breaks
• Final Version of Guestbook
• Converting a Guestbook CGI to a Friend's Web Site List
• Modifying Compiled Page-Hit Counters
• Modifying Flexible Page-Hit Counters
• Chapter 9: How to Handle Custom Image Maps
• How an Image Map Functions
• Web Server Image Map Configurations
• Downloading an Image Map CGI Program
• NCSA Image Map Configuration
• Apache Image Map Configurations
• CERN and W3C Image Map Configurations
• Netscape Image Map Configurations
• Apple Internet Server Maps
• Client-Side Image Maps
• Image Map Tools
• Generating Images in Real Time
• Introducing GIFLib
• Introducing FLY
• Chapter 10: Using MIME with CGI
• What is MIME?
• How MIME Became Part of the HTTP Specifications
• How MIME is Used on the Web
• Understanding MIME Content Types
• Mapping MIME Types to Brow ser Helper Applications
• Configuring a Server to Recognize MIME Types
• Security Considerations with MIME
• Content Negotiation Based on MIME

IV CGI Search Engines

• Chapter 11: Indexing a Web Site
• A Brief Introduction to Searching
• Simple Searches
• Concept-Based Searching
• Search Functions as Part of Your Site
• Simple Search Engines for Smaller Sites
• ICE
• SWISH, the Simple Web Indexing System for Humans
• Hukilau 2
• GLIMPSE, Briefly
• An Overview of Search Engines for Business Sites
• Chapter 12: Using WAIS with CGI
• What is WAIS?
• Why Use WAIS?
• Creating and Using a WAIS Database
• WAIS Web Gateways(Scripts)
• freeWAIS
• For More Information
• Chapter 13: Custom Database Query Scripts
• Fundamental Design and Security Issues
• Why Build a Web/RDBMS Interface?
• Limitations of HTTP in a Database Context
• Security Issues
• A Simple Working Example in Perl
• Back-End Databases
• Problem Solving
• The Future of Web/Database Interfaces
• Chapter 14: Web Database Tools
• Available Database
• Database Tools
• Additional Resources on the Web
• Chapter 15: Robots and Web Crawlers
• Definition of Robots and Web Crawlers
• Introduction to robots.txt
• Considerations with robots.txt
• Where to Obtain Robots
• Server Performance Considerations
• IP Bandwidth Considerations
• Robot Etiquette
• Interfacing with Other Web Crawlers
• Chapter 16: Using Server-Side Includes
• Introducing SSI
• SSI Specifications
• Configuring SSI
• Using SSI in HTML
• Server Performance Considera tions
• Security Considerations

V Interactive HTML Documents

• Chapter 17: Generating HTML Documents in Real Time
• Static HTML
• Real-Time HTML
• Near Real-Time HTML
• Server Performance Considerations
• Chapter 17: Person-to-Person Interaction
• The Next Step with CGI
• WWW Interactive Talk
• HTML-Based Chat Systems
• Introducing HTTP Cookies
• A Simple Shopping Cart
• Chapter 19: Using Web-Based Video Cameras
• Hardware Requirements
• Examples of Web-Based Video Cameras
• Movies vs. Still Images
• Image Formats: GIF vs. JPEG
• Capturing Movies
• Windows Implementations
• Server Performance Considerations
• HTML for Web Cams
• Java and Web Cams
• Chapter 20: Server-Side Java and JavaScript
• Running Java as a Server-Side Application
• Server Side versus Client Side
• Accessing a Database Using Java as a CGI
• Jeeves
• Server-Side JavaScript
• LiveWire
• Using JavaScript with LiveWire
• Chapter 21: Scripting with ActiveX
• ActiveX Defined
• VBScript and ActiveX
• JScript and ActiveX
• Performance Considerations
• Security Concerns

VI CGI Tips and Techniques

• Chapter 21: Tips and Techniques for Perl
• Perl CGI Examples
• Perl Security Concerns
• Obtaining the Latest Version of Perl 5
• Flavors of Perl
• Common Perl CGI Libraries
• Chapter 23: Tips and Techniques for Using WinCGI with Visual Basic
• What You Should Already Know
• The Windows Common Gateway Interface
• Creating a CGI Application Using VB
• Data Access CGI Programming
• Security Concerns and Restric ting Access to Your CGI Scripts
• Obtaining the Latest Version of Visual Basic
• Server Performance Issues
• Alternatives to Server-Based CGI: Microsoft's VBScript and JavaScript
• Chapter 24: Tips and Techniques for C and C++
• Reading the Input
• Parsing the Input
• Writing the Input
• Putting it All Together
• Helpful Libraries
• Chapter 25: Tips and Techniques for Java
• Introduction to Java
• The Java Development Environment
• Java and JavaScript
• Issues and Tradeoffs Related to Java
• Links Related to this Chapter
• Chapter 26: Tips and Techniques for AppleScript
• Introducing AppleScript
• Using AppleScript
• AppleScript and CGI
• Preparing to Write CGI
• Creating Text-Only AppleScript CGI
• Other AppleScript CGI Issues
• CGI Alternatives
• Links Related to This Chapter
• Chapter 27: Using PHP/FI
• How PHP/FI Works
• A Simple Guestbook
• A Phonebook Using mSQL and PHP/FI
• Exploring Other PHP/FI Examples

VII Polishing CGI Scripts

• Chapter 28: Testing and Debugging CGI Scripts
• Create a Lab to Isolate Your Tests
• Improving Reproducibility with Isolation
• Preserving Reputation and Safety
• Trying to Hide on the Web
• Creating an Isolated Environment
• Easing Out of Isolation
• Expecting the Unexpected
• Incorrect Output
• Testing Your Script
• Types of Testing
• Single-User Testing
• Multiuser Testing
• Automated Testing
• Testing Strategies
• Shot-Gun Testing
• Methodical Testing
• Code-Path Testing
• Creating Non-Production Data
• Documentation of Testing
• H and Documentation
• Automatic Documentation
• Debugging Your Script
• The Trouble with Debugging
• The Error Log
• A Debugging Flag
• Running from Outside the Server
• Testing the Impact of Your Script on the Server
• Busy Looping
• Easing Impact
• Chapter 29: Error Handling in CGI
• The Two Sides of Error Handling
• Error Detection
• Unrealistic Assumptions
• Positive Assumptions
• Negative Assumptions
• Error Reporting
• Error Appearance and the Importance of Consistency
• Simple Rejection
• Details
• Administrative Contacts and Help Pointers
• Navigational Aids
• Common Errors to Check
• User Error
• System Errors
• Your Own Errors
• A Philosophy of Error Handling
• Chapter 30: Understanding CGI Security Issues
• Scripts vs. Programs
• Trust No One
• Two Roads to Trouble
• Don't Trust Form Data
• Where Bad Data Comes From
• Fighting Bad Form Data
• Don't Trust Path Data
• Everything Seems Okay, But ...
• Handling File Names
• In with the Good, Out with the Bad
• Handling HTML
• Handling External Processes
• Inside Attacks
• Using Others' CGI Scripts

VIII Learning from the Pros

• Chapter 31: Expert Examples
• This Ever-Changing URL in Which We Live
• Programming Tutorials and Sample Code
• CGI and SSI Freeware and Shareware
• Fun Stuff: Examples of Doing it Right
• Indexing
• Connecting SQL Databases
• Spiders, Worms, Crawlers, and Robots
• CGI Interactive Games
• A Brief Case Study: CalWeb
• A Brief Case Study: Internet Concepts, LLC
• A Brief Case Study: R eal-Time Internet Services

Appendixes:

• A: What's on the Web Site?
• B: Commonly Used MIME Media Types
• C: Glossary of CGI-Related Terminology

( Return to the top of this review. )