How to Construct My Memento (Cont.)

  1. Calling a CGI Script (Perl) (Cont.)
    CGI security concerns
    PHP (Hypertext Preprocessor) is an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. In an HTML document, PHP script is enclosed within special PHP tags. Because PHP is embedded within tags, the author can jump between HTML and PHP (similar to ASP and Cold Fusion).
    Unlike PHP, the blue-colored wrapper code on the previous slide is the same for every CGI script; it never has to change. To use PHP, programmers must first learn PHP scripting, which is a whole new language.
    That fixed wrapper is the beauty of CGI: we can concentrate on the database application and the Web processing instead of learning a new language.
    However, the major drawback of CGI is security. A CGI script that builds a command line from Web input and passes it to system() hands that input to the shell, where metacharacters such as ';' or '|' are interpreted as further commands. To avoid this kind of attack, the Web input is sent to the external programs via files instead of command-line arguments. For example, the CGI Perl script ListItems.pl uses the following four statements:
      open    ( my $fh, '>', 'p1' )      or die "cannot create p1: $!";      # create/truncate the hand-off file
      syswrite( $fh, $FORM{keyword}, 32 ) or die "cannot write p1: $!";       # store at most 32 bytes of the keyword
      close   ( $fh )                    or die "cannot close p1: $!";
      system  ( '/usr/bin/java', 'ListItems' ) == 0 or die "ListItems failed: $?";  # no Web input on the command line
    
    They perform the following two tasks:
    1. The Web input $FORM{keyword} is written to a file named p1 (at most 32 bytes of it).
    2. The JDBC class ListItems is then run to list the memento items whose messages contain the keyword. ListItems reads the keyword from the file p1, so nothing typed into the form ever reaches the shell or appears on a command line. Note that p1 is a fixed name in the script's working directory: two requests served at the same time share it, so each can overwrite the other's keyword before ListItems reads it.
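    To make the difference concrete, here is an added example; it is not part of the original slides or of the Memento code. It contrasts a CGI call that interpolates the keyword into a shell command with the file-based hand-off that ListItems.pl uses. Since /usr/bin/java and the ListItems class are not available here, /bin/echo and /bin/cat stand in for the external program (an assumption of the example), the keyword is a constructed attacker input rather than real form data, and a per-request temporary file replaces the fixed file p1.

```perl
#!/usr/bin/perl
# Added example (not from the original slides or the Memento code).
use strict;
use warnings;
use File::Temp qw(tempfile);

# Constructed attacker input for the "keyword" form field (not real form data).
my $keyword = 'beach; echo INJECTED';

# 1. Vulnerable pattern: the Web input is interpolated into one command string.
#    Perl sees the ';' and hands the whole string to /bin/sh, which runs the
#    attacker's second command. /bin/echo stands in for "/usr/bin/java ListItems".
sub call_unsafe {
    my ($kw) = @_;
    my $out = `/bin/echo $kw`;    # same shell pass-through as system("/bin/echo $kw")
    return $out;                  # contains the output of both commands
}

# 2. The slide's approach: the keyword never appears on a command line; it is
#    written to a file that the external program reads. A per-request temp file
#    (UNLINK => 1 removes it at exit) replaces the fixed "p1", so concurrent
#    requests cannot overwrite each other's keyword.
sub call_via_file {
    my ($kw) = @_;
    my ($fh, $path) = tempfile('keyword-XXXXXX', TMPDIR => 1, UNLINK => 1);
    print {$fh} $kw or die "cannot write $path: $!";
    close $fh       or die "cannot close $path: $!";

    # List-form open('-|', PROGRAM, ARGS...): Perl fork()s and exec()s the program
    # directly, so no shell ever parses $kw. The only argument is the path we
    # generated ourselves; /bin/cat stands in for a ListItems that reads the file.
    open(my $ph, '-|', '/bin/cat', $path) or die "cannot run /bin/cat: $!";
    my $out = do { local $/; <$ph> };   # slurp everything the program wrote
    close $ph;
    return $out;                        # the keyword comes back as plain data
}

print "unsafe  : ", call_unsafe($keyword);          # the injected command ran
print "via file: ", call_via_file($keyword), "\n";  # the keyword is treated as text only
```

    Run it with `perl example.pl`. The list-form call system('/usr/bin/java', 'ListItems', $FORM{keyword}) would also bypass the shell, but the file hand-off has one further advantage that matters for a shared lab machine: command-line arguments are visible to every local user through ps, whereas the contents of the file are not.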