Implementing CGI

John Franks ([email protected])
Wed, 5 Jan 1994 13:56:56 -0600 (CST)


I am still confused about (at least) one implementation issue for a
CGI compliant server, namely, when to put something on the command
line that invokes the script.

According to the spec this should be done only for ISINDEX items.
Looking at the source of imagemap, I see that it assumes the query is
in argv[1], but it is normally not an ISINDEX item. The suggested way
to tell if something is an ISINDEX item is to see if there are +'s in
the QUERY, or to see that there are no ='s in the QUERY. But what
happens if an ISINDEX query never contains an =, or if a form returns
a value containing '+'.

The spec also says that if a server decides a QUERY cannot be put on
the command line for security reasons it should be put in QUERY_STRING
untouched and the command line should be empty. Presumably a good
CGI program expecting an ISINDEX should then go to QUERY_STRING if
there are no args, but I haven't seen examples of this.

Here is what I would like to see the spec mean (and I think this is
consistent with what it says, just not with current practice). The
QUERY_STRING should be parsed and put on the command line *only* if
it contains a '+' (and it is deemed safe). Presumably the only reason
to use the command line at all is so the server can do some parsing
for simple scripts. This achieves that. If an ISINDEX script sees
no args it should know that there is just one arg and it is in
QUERY_STRING. A form processing script for which a value containing
a '+' is returned would get stuff on the command line, but would ignore
it.

John Franks Dept of Math. Northwestern University
[email protected]