CGI.pm - a Perl5 CGI Library

Version 2.18, 3/30/96, L. Stein

Warning: Version 2.18 requires the SelfLoader module. This module is part of the standard Perl 5.002 distribution, but can be used with older versions of Perl as well. If you don't want to use SelfLoader, you can disable this requirement easily. Read CGI.pm and the SelfLoader for an explanation of how the SelfLoader improves loading speed, a list of places where you can obtain it, and how to modify CGI.pm so that you can work without it.

Abstract

This perl 5 library uses objects to create Web fill-out forms on the fly and to parse their contents. It is similar to cgi-lib.pl in some respects. It provides a simple interface for parsing and interpreting query strings passed to CGI scripts. However, it also offers a rich set of functions for creating fill-out forms. Instead of remembering the syntax for HTML form elements, you just make a series of perl function calls. An important fringe benefit of this is that the value of the previous query is used to initialize the form, so that the state of the form is preserved from invocation to invocation.

Everything is done through a ``CGI'' object. When you create one of these objects it examines the environment for a query string, parses it, and stores the results. You can then ask the CGI object to return or modify the query values. CGI objects handle POST and GET methods correctly, and correctly distinguish between scripts called from <ISINDEX> documents and form-based documents. In fact you can debug your script from the command line without worrying about setting up environment variables.

A script to create a fill-out form that remembers its state each time it's invoked is very easy to write with CGI.pm:

use CGI;
$query = new CGI;
print $query->header;

print $query->startform;
print "What's your name? ",$query->textfield('name');

print "<P>What's the combination? ",
        $query->checkbox_group(-name=>'words',
                               -values=>['eenie','meenie','minie','moe']);

print "<P>What's your favorite color? ",
        $query->popup_menu(-name=>'color',
                           -values=>['red','green','blue','chartreuse']);

print "<P>",$query->submit;
print $query->endform;

print "<HR>\n";
if ($query->param) {
    print "Your name is <EM>",$query->param('name'),"</EM>\n";
    print "<P>The keywords are: <EM>",join(", ",$query->param('words')),"</EM>\n";
    print "<P>Your favorite color is <EM>",$query->param('color'),"</EM>\n";
}

Select this link to try the script
More scripting examples

Creating a new CGI query object

Saving the state of the form

CGI Functions that Take Multiple Arguments

Creating the HTTP header

HTML shortcuts

Creating forms

Debugging

HTTP session variables

Support for Netscape frames

Support for JavaScript

Advanced techniques

CGI.pm and the SelfLoader module

Using the File Upload Feature

Using CGI.pm on non-Unix Platforms

Future prospects

Distribution information

What's new in version 2.18?

Creating a new CGI object

The most basic use of CGI.pm is to get at the query parameters submitted to your script. To create a new CGI object that contains the parameters passed to your script, put the following at the top of your perl CGI programs:

    use CGI;
    $query = new CGI

In the object-oriented world of Perl 5, this code calls the new() method of the CGI class and stores a new CGI object into the variable named $query. The new() method does all the dirty work of parsing the script parameters and environment variables and stores its results in the new object. You'll now make method calls with this object to get at the parameters, generate form elements, and do other useful things.

An alternative form of the new() method allows you to read script parameters from a previously-opened file handle:

    $query = new CGI(FILEHANDLE)

The filehandle can contain a URL-encoded query string, or can be a series of newline delimited TAG=VALUE pairs. This is compatible with the save() method. This lets you save the state of a form to a file and reload it later!. See advanced techniques for more information.

Fetching A List Of Keywords From The Query

    @keywords = $query->keywords

If the script was invoked as the result of an <ISINDEX> search, the parsed keywords can be obtained with the keywords() method. This method will return the keywords as a perl array.

Fetching The Names Of All The Parameters Passed To Your Script

    @names = $query->param

If the script was invoked with a parameter list (e.g. "name1=value1&name2=value2&name3=value3"), the param() method will return the parameter names as a list. For backwards compatability, this method will work even if the script was invoked as an <ISINDEX> script: in this case there will be a single parameter name returned named 'keywords'.

Fetching The Value(s) Of A Named Parameter

   @values = $query->param('foo');
             -or-
   $value = $query->param('foo');

Pass the param() method a single argument to fetch the value of the named parameter. If the parameter is multivalued (e.g. from multiple selections in a scrolling list), you can ask to receive an array. Otherwise the method will return a single value.

As of version 1.50 of this library, the array of parameter names returned will be in the same order in which the browser sent them. Although this is not guaranteed to be identical to the order in which the parameters were defined in the fill-out form, this is usually the case.

Setting The Value(s) Of A Named Parameter

   $query->param('foo','an','array','of','values');
                   -or-
   $query->param(-name=>'foo',-values=>['an','array','of','values']);

This sets the value for the named parameter 'foo' to one or more values. These values will be used to initialize form elements, if you so desire. Note that this is the one way to forcibly change the value of a form field after it has previously been set.

The second example shows an alternative "named parameter" style of function call that is accepted by most of the CGI methods. See Calling CGI functions that Take Multiple Arguments for an explanation of this style.

Deleting a Named Parameter Entirely

   $query->delete('foo');

This deletes a named parameter entirely. This is useful when you want to reset the value of the parameter so that it isn't passed down between invocations of the script.

Importing parameters into a namespace

   $query->import_names('R');
   print "Your name is $R::name\n"
   print "Your favorite colors are @R::colors\n";

This imports all parameters into the given name space. For example, if there were parameters named 'foo1', 'foo2' and 'foo3', after executing $query->import('R'), the variables @R::foo1, $R::foo1, @R::foo2, $R::foo2, etc. would conveniently spring into existence. Since CGI has no way of knowing whether you expect a multi- or single-valued parameter, it creates two variables for each parameter. One is an array, and contains all the values, and the other is a scalar containing the first member of the array. Use whichever one is appropriate. For keyword (a+b+c+d) lists, the variable @R::keywords will be created.

If you don't specify a name space, this method assumes namespace "Q".

Warning: do not import into namespace 'main'. This represents a major security risk, as evil people could then use this feature to redefine central variables such as @INC. CGI.pm will exit with an error if you try to do this.

Note: this method used to be called import() (and CGI.pm still recognizes this method call). However the official method name has been changed to import_names() for compatability with the CGI:: modules.

Table of contents

Saving the Current State of a Form

Saving the State to a File

   $query->save(FILEHANDLE)

This writes the current query out to the file handle of your choice. The file handle must already be open and be writable, but other than that it can point to a file, a socket, a pipe, or whatever. The contents of the form are written out as TAG=VALUE pairs, which can be reloaded with the new() method at some later time. See advanced techniques for more information.

Saving the State in a Self-Referencing URL

   $my_url=$query->self_url

This call returns a URL that, when selected, reinvokes this script with all its state information intact. This is most useful when you want to jump around within a script-generated document using internal anchors, but don't want to disrupt the current contents of the form(s). See advanced techniques for an example.

If you'd like to get the URL without the entire query string appended to it, use the url() method:

   $my_self=$query->url

Table of contents

Calling CGI Functions that Take Multiple Arguments

In versions of CGI.pm prior to 2.0, it could get difficult to remember the proper order of arguments in CGI function calls that accepted five or six different arguments. As of 2.0, there's a better way to pass arguments to the various CGI functions. In this style, you pass a series of name=>argument pairs, like this:

   $field = $query->radio_group(-name=>'OS',
                                -values=>[Unix,Windows,Macintosh],
                                -default=>'Unix');

The advantages of this style are that you don't have to remember the exact order of the arguments, and if you leave out a parameter, iit will usually default to some reasonable value. If you provide a parameter that the method doesn't recognize, it will usually do something useful with it, such as incorporating it into the HTML tag as an attribute. For example if Netscape decides next week to add a new JUSTIFICATION parameter to the text field tags, you can start using the feature without waiting for a new version of CGI.pm:

   $field = $query->textfield(-name=>'State',
                              -default=>'gaseous',
                              -justification=>'RIGHT');

This will result in an HTML tag that looks like this:

   <INPUT TYPE="textfield" NAME="State" VALUE="gaseous"
          JUSTIFICATION="RIGHT">

Parameter names are case insensitive: you can use -name, or -Name or -NAME. You don't have to use the hyphen if you don't want to. After creating a CGI object, call the use_named_parameters() method with a nonzero value. This will tell CGI.pm that you intend to use named parameters exclusively:

   $query = new CGI;
   $query->use_named_parameters(1);
   $field = $query->radio_group('name'=>'OS',
                                'values'=>['Unix','Windows','Macintosh'],
                                'default'=>'Unix');

Actually, CGI.pm only looks for a hyphen in the first parameter. So you can leave it off subsequent parameters if you like. Something to be wary of is the potential that a string constant like "values" will collide with a keyword (and in fact it does!) While Perl usually figures out when you're referring to a function and when you're referring to a string, you probably should put quotation marks around all string constants just to play it safe.

Table of contents

Creating the HTTP Header

Creating the Standard Header for a Virtual Document

   print $query->header('image/gif');

This prints out the required HTTP Content-type: header and the requisite blank line beneath it. If no parameter is specified, it will default to 'text/html'.

An extended form of this method allows you to specify a status code and a message to pass back to the browser:

   print $query->header(-type=>'image/gif',
                        -status=>'204 No Response');

This presents the browser with a status code of 204 (No response). Properly-behaved browsers will take no action, simply remaining on the current page. (This is appropriate for a script that does some processing but doesn't need to display any results, or for a script called when a user clicks on an empty part of a clickable image map.)

You can add any number of HTTP headers, including ones that aren't implemented, using named parameters:

   print $query->header(-type=>'image/gif',
                        -status=>'402 Payment Required',
                        -Cost=>'$0.02');

Magic cookies

Netscape 1.1 and higher supports a "magic cookie" HTTP header. This cookie is a piece of text that the browser sends to the server during each request to your script. Your script can set the cookie to whatever you like the first time it gets called, and retrieve it on later invocations. This allows you to track a particular browser; you can even store parameters in the cookie if you want to.

To set a browser cookie, call header with the -cookie parameter:

   print $query->header(-cookie=>'chocolate chip #3');

Later you can retrieve it using the cookie() method. The idiom for creating a cookie if it doesn't already exist looks like this:

   $cookie = $query->cookie();
   if (!$cookie) {
      $cookie = generate_some_random_cookie();
   }
   print $query->header(-cookie=>$cookie);

This technique will not work with non-Netscape browsers. You should also be warned that certain servers, such as Apache 1.0 and the Netscape servers, will attempt to generate magic cookies for you. You should be alert for any adverse interaction between your script and the server.

Creating the Header for a Redirection Request

   print $query->redirect('http://somewhere.else/in/the/world');

This generates a redirection request for the remote browser. It will immediately go to the indicated URL. You should exit soon after this. Nothing else will be displayed.

You can add your own headers to this as in the header() method.

You should always use absolute or full URLs in redirection requests. Relative URLs will not work correctly.

Table of contents

HTML Shortcuts

Creating an HTML Header

   named parameter style
   print $query->start_html(-title=>'Secrets of the Pyramids',
                            -author=>'fred@capricorn.org',
                            -base=>'true',
                            -BGCOLOR=>'blue');

   old style
   print $query->start_html('Secrets of the Pyramids',
                            'fred@capricorn.org','true');

This will return a canned HTML header and the opening <BODY> tag. All parameters are optional:

The title (-title)
The author's e-mail address (will create a <LINK REV="MADE"> tag if present (-author)
A true flag if you want to include a <BASE> tag in the header (-base). This helps resolve relative addresses to absolute ones when the document is moved, but makes the document hierarchy non-portable. Use with care!

A -xbase parameter, if you want to include a <BASE> tag that points to some external location. Example:

      print $query->start_html(-title=>'Secrets of the Pyramids',
                               -xbase=>'http://www.nile.eg/pyramid.html');

A -script parameter to define Netscape JavaScript functions to incorporate into the HTML page. This is the preferred way to define a library of JavaScript functions that will be called from elsewhere within the page. CGI.pm will attempt to format the JavaScript code in such a way that non-Netscape browsers won't try to display the JavaScript code. Unfortunately some browsers get confused nevertheless. Here's an example of how to create a JavaScript library and incorporating it into the HTML code header:

      $query = new CGI;
      print $query->header;
      
      $JSCRIPT=<<END;
      // Ask a silly question
      function riddle_me_this() {
         var r = prompt("What walks on four legs in the morning, " +
                       "two legs in the afternoon, " +
                       "and three legs in the evening?");
         response(r);
      }
      // Get a silly answer
      function response(answer) {
         if (answer == "man")
            alert("Right you are!");
         else
            alert("Wrong!  Guess again.");
      }
      END
      
      print $query->start_html(-title=>'The Riddle of the Sphinx',
                               -script=>$JSCRIPT);

-onLoad and -onUnload parameters to register JavaScript event handlers to be executed when the page generated by your script is opened and closed respectively. Example:
```
      print $query->start_html(-title=>'The Riddle of the Sphinx',
                                  -script=>$JSCRIPT,
                                  -onLoad=>'riddle_me_this()');
      
```
See JavaScripting for more details.
Any additional attributes you want to incorporate into the <BODY> tag (as many as you like). This is a good way to incorporate other Netscape extensions, such as background color and wallpaper pattern. (The example above sets the page background to a vibrant blue.)

Ending an HTML Document

  print $query->end_html

This ends an HTML document by printing the </BODY></HTML> tags.

Table of contents

Creating Forms

General note 1. The various form-creating methods all return strings to the caller. These strings will contain the HTML code that will create the requested form element. You are responsible for actually printing out these strings. It's set up this way so that you can place formatting tags around the form elements.

General note 2. The default values that you specify for the forms are only used the first time the script is invoked. If there are already values present in the query string, they are used, even if blank.

If you want to change the value of a field from its previous value, you have two choices:

call the param() method to set it.
use the -override (alias -force) parameter. (This is a new feature in 2.15) This forces the default value to be used, regardless of the previous value of the field:
```
       print $query->textfield(-name=>'favorite_color',
                               -default=>'red',
			       -override=>1);
       
```

If you want to reset all fields to their defaults, you can:

Create a special defaults button using the defaults() method.
Create a hypertext link that calls your script without any parameters.

General note 3. You can put multiple forms on the same page if you wish. However, be warned that it isn't always easy to preserve state information for more than one form at a time. See advanced techniques for some hints.

General note 4. By popular demand, the text and labels that you provide for form elements are escaped according to HTML rules. This means that you can safely use "<CLICK ME>" as the label for a button. However, this behavior may interfere with your ability to incorporate special HTML character sequences, such as Á (Á) into your fields. If you wish to turn of automatic escaping, call the autoEscape() method with a false value immediately after creating the CGI object:

     $query = new CGI;
     $query->autoEscape(undef);

You can turn autoescaping back on at any time with $query->autoEscape('yes')

Form Elements

Opening a form

Text entry fields

Big text entry fields

Popup menus

Individual checkboxes

Radio button groups

Submission buttons

Reset buttons

Reset to defaults button

Up to table of contents

Creating An Isindex Tag

   print $query->isindex($action);

isindex() without any arguments returns an <ISINDEX> tag that designates your script as the URL to call. If you want the browser to call a different URL to handle the search, pass isindex() the URL you want to be called.

Starting And Ending A Form

   print $query->startform($method,$action,$encoding);
     ...various form stuff...
   print $query->endform;

startform() will return a <FORM> tag with the optional method, action and form encoding that you specify. endform() returns a </FORM> tag.

The form encoding is a new feature introduced in version 1.57 in order to support the "file upload" feature of Netscape 2.0. The form encoding tells the browser how to package up the contents of the form in order to transmit it across the Internet. There are two types of encoding that you can specify:

application/x-www-form-urlencoded: This is the type of encoding used by all browsers prior to Netscape 2.0. It is compatible with many CGI scripts and is suitable for short fields containing text data. For your convenience, CGI.pm stores the name of this encoding type in $CGI::URL_ENCODED.
multipart/form-data: This is the newer type of encoding introduced by Netscape 2.0. It is suitable for forms that contain very large fields or that are intended for transferring binary data. Most importantly, it enables the "file upload" feature of Netscape 2.0 forms. For your convenience, CGI.pm stores the name of this encoding type in $CGI::MULTIPART
Forms that use this type of encoding are not easily interpreted by CGI scripts unless they use CGI.pm or another library that knows how to handle them. Unless you are using the file upload feature, there's no particular reason to use this type of encoding.

For compatability, the startform() method uses the older form of encoding by default. If you want to use the newer form of encoding by default, you can call start_multipart_form() instead of startform().

If you plan to make use of the JavaScript features of Netscape 2.0, you can provide startform() with the optional -name and/or -onSubmit parameters. -name has no effect on the display of the form, but can be used to give the form an identifier so that it can be manipulated by JavaScript functions. Provide the -onSubmit parameter in order to register some JavaScript code to be performed just before the form is submitted. This is useful for checking the validity of a form before submitting it. Your JavaScript code should return a value of "true" to let Netscape know that it can go ahead and submit the form, and "false" to abort the submission.

Starting a Form that Uses the Netscape 2.0 "File Upload" Feature

   print $query->start_multipart_form($method,$action,$encoding);
     ...various form stuff...
   print $query->endform;

This has exactly the same usage as startform(), but it specifies form encoding type multipart/form-data as the default.

Creating A Text Field

  Named parameter style
  print $query->textfield(-name=>'field_name',
	                    -default=>'starting value',
	                    -size=>50,
	                    -maxlength=>80);

   Old style
  print $query->textfield('foo','starting value',50,80);

textfield() will return a text input field.

The first parameter (-name) is the required name for the field.
The optional second parameter (-default) is the starting value for the field contents.
The optional third parameter (-size) is the size of the field in characters.
The optional fourth parameter (-maxlength) is the maximum number of characters the field will accomodate.

As with all these methods, the field will be initialized with its previous contents from earlier invocations of the script. If you want to force in the new value, overriding the existing one, see Generate note 2.

When the form is processed, the value of the text field can be retrieved with:

      $value = $query->param('foo');

JavaScripting: You can also provide -onChange, -onFocus, -onBlur and -onSelect parameters to register JavaScript event handlers.

Creating A Big Text Field

   Named parameter style
   print $query->textarea(-name=>'foo',
	 		  -default=>'starting value',
	                  -rows=>10,
	                  -columns=>50);

   Old style
   print $query->textarea('foo','starting value',10,50);

textarea() is just like textfield(), but it allows you to specify rows and columns for a multiline text entry box. You can provide a starting value for the field, which can be long and contain multiple lines.

JavaScripting: Like textfield(), you can provide -onChange, -onFocus, -onBlur and -onSelect parameters to register JavaScript event handlers.

Creating A Password Field

   Named parameter style
   print $query->password_field(-name=>'secret',
				-value=>'starting value',
				-size=>50,
				-maxlength=>80);

   Old style
   print $query->password_field('secret','starting value',50,80);

password_field() is identical to textfield(), except that its contents will be starred out on the web page.

Creating a File Upload Field

    Named parameters style
    print $query->filefield(-name=>'uploaded_file',
	                    -default=>'starting value',
	                    -size=>50,
	 		    -maxlength=>80);

    Old style
    print $query->filefield('uploaded_file','starting value',50,80);

filefield() will return a form field that prompts the user to upload a file.

The first parameter (-name) is the required name for the field.
The optional second parameter (-default) is the starting value for the file name. This field is currently ignored by Netscape 2.0, but there's always hope!
The optional third parameter (-size) is the size of the field in characters.
The optional fourth parameter (-maxlength) is the maximum number of characters the field will accomodate.

filefield() will return a file upload field for use with Netscape 2.0 browsers. Netscape will prompt the remote user to select a file to transmit over the Internet to the server. Other browsers currently ignore this field.

In order to take full advantage of the file upload facility you must use the new multipart form encoding scheme. You can do this either by calling startform() and specify an encoding type of $CGI::MULTIPART or by using the new start_multipart_form() method. If you don't use multipart encoding, then you'll be able to retreive the name of the file selected by the remote user, but you won't be able to access its contents.

When the form is processed, you can retrieve the entered filename by calling param().

       $filename = $query->param('uploaded_file');

where "uploaded_file" is whatever you named the file upload field. Under Netscape 2.0beta1 the filename that gets returned is the full local filename on the remote user's machine. If the remote user is on a Unix machine, the filename will follow Unix conventions:

	/path/to/the/file

On an MS-DOS/Windows machine, the filename will follow DOS conventions:

	C:\PATH\TO\THE\FILE.MSW

On a Macintosh machine, the filename will follow Mac conventions:

	HD 40:Desktop Folder:Sort Through:Reminders

Netscape 2.0beta2 changes this behavior and only returns the name of the file itself. Who knows what the behavior of the release browser will be?

The filename returned is also a file handle. You can read the contents of the file using standard Perl file reading calls:

	# Read a text file and print it out
	while (<$filename>) {
	   print;
        }

        # Copy a binary file to somewhere safe
        open (OUTFILE,">>/usr/local/web/users/feedback");
	while ($bytesread=read($filename,$buffer,1024)) {
	   print OUTFILE $buffer;
        }

You can have several file upload fields in the same form, and even give them the same name if you like (in the latter case param() will return a list of file names).

When processing an uploaded file, CGI.pm creates a temporary file on your hard disk and passes you a file handle to that file. After you are finished with the file handle, CGI.pm unlinks (deletes) the temporary file. If you need to you can access the temporary file directly. Its name is stored inside the CGI object's "private" data, and you can access it by passing the file name to the tmpFileName() method:

       $filename = $query->param('uploaded_file');
       $tmpfilename = $query->tmpFileName($filename);

JavaScripting: Like textfield(), filefield() accepts -onChange, -onFocus, -onBlur and -onSelect parameters to register JavaScript event handlers. Caveats and potential problems in the file upload feature.

Creating A Popup Menu

  Named parameter style
  print $query->popup_menu(-name=>'menu_name',
			    -values=>['eenie','meenie','minie'],
	                    -default=>'meenie',
	                    -labels=>{'eenie'=>'one','meenie'=>'two',
                                      'minie'=>'three'});
  
  Old style
  print $query->popup_menu('menu_name',
                              ['eenie','meenie','minie'],'meenie',
                              {'eenie'=>'one','meenie'=>'two','minie'=>'three'});

popup_menu() creates a menu.

The required first argument (-name) is the menu's name.
The required second argument (-values) is an array reference containing the list of menu items in the menu. You can pass the method an anonymous array, as shown in the example, or a reference to a named array, such as \@foo
The optional third parameter (-default) is the name of the default menu choice. If not specified, the first item will be the default. The value of the previous choice will be maintained across queries.
The optional fourth parameter (-labels) allows you to pass a reference to an associative array containing user-visible labels for one or more of the menu items. You can use this when you want the user to see one menu string, but have the browser return your program a different one. If you don't specify this, the value string will be used instead ("eenie", "meenie" and "minie" in this example).

When the form is processed, the selected value of the popup menu can be retrieved using:

     $popup_menu_value = $query->param('menu_name');

JavaScripting: You can provide

-onChange,
-onFocus, and -onBlur

parameters to register JavaScript event handlers.

Creating A Scrolling List

   Named parameter style
   print $query->scrolling_list(-name=>'list_name',
                                -values=>['eenie','meenie','minie','moe'],
                                -default=>['eenie','moe'],
	                        -size=>5,
	                        -multiple=>'true',
                                -labels=>\%labels);

   Old style
   print $query->scrolling_list('list_name',
                                ['eenie','meenie','minie','moe'],
                                ['eenie','moe'],5,'true',
                                \%labels);

scrolling_list() creates a scrolling list.

The first and second arguments (-name, -values)are the list name and values, respectively. As in the popup menu, the second argument should be an array reference.
The optional third argument (-default)can be either a reference to a list containing the values to be selected by default, or can be a single value to select. If this argument is missing or undefined, then nothing is selected when the list first appears.
The optional fourth argument (-size) is the display size of the list.
The optional fifth argument (-multiple) can be set to true to allow multiple simultaneous selections.
The option sixth argument (-labels) can be used to assign user-visible labels to the list items different from the ones used for the values as above. In this example we assume that an associative array %labels has already been created.

When this form is processed, all selected list items will be returned as a list under the parameter name 'list_name'. The values of the selected items can be retrieved with:

     @selected = $query->param('list_name');

JavaScripting: You can provide -onChange, -onFocus, and -onBlur parameters to register JavaScript event handlers.

Creating A Group Of Related Checkboxes

   Named parameter style
   print $query->checkbox_group(-name=>'group_name',
                                -values=>['eenie','meenie','minie','moe'],
                                -default=>['eenie','moe'],
	                        -linebreak=>'true',
	                        -labels=>\%labels);

   Old Style
   print $query->checkbox_group('group_name',
                                ['eenie','meenie','minie','moe'],
                                ['eenie','moe'],'true',\%labels);

   HTML3 Browsers Only
   print $query->checkbox_group(-name=>'group_name',
                                -values=>['eenie','meenie','minie','moe'],
                                -rows=>2,-columns=>2);

checkbox_group() creates a list of checkboxes that are related by the same name.

The first and second arguments (-name, -values) are the checkbox name and values, respectively. As in the popup menu, the second argument should be an array reference. These values are used for the user-readable labels printed next to the checkboxes as well as for the values passed to your script in the query string.
The optional third argument (-default) can be either a reference to a list containing the values to be checked by default, or can be a single value to checked. If this argument is missing or undefined, then nothing is selected when the list first appears.
The optional fourth argument (-linebreak) can be set to true to place line breaks between the checkboxes so that they appear as a vertical list. Otherwise, they will be strung together on a horizontal line. When the form is procesed, all checked boxes will be returned as a list under the parameter name 'group_name'. The values of the "on" checkboxes can be retrieved with:
The optional fifth argument (-labels) is a reference to an associative array of checkbox labels. This allows you to use different strings for the user-visible button labels and the values sent to your script. In this example we assume that an associative array %labels has previously been created.
The optional parameter -nolabels can be used to suppress the printing of labels next to the button. This is useful if you want to capture the button elements individually and use them inside labeled HTML3 tables.
Browsers that understand HTML3 tables (such as Netscape) can take advantage of the optional parameters -rows, and -columns. These parameters cause checkbox_group() to return an HTML3 compatible table containing the checkbox group formatted with the specified number of rows and columns. You can provide just the -columns parameter if you wish; checkbox_group will calculate the correct number of rows for you.
To include row and column headings in the returned table, you can use the -rowheaders and -colheaders parameters. Both of these accept a pointer to an array of headings to use. The headings are just decorative. They don't reorganize the interpetation of the checkboxes -- they're still a single named unit.
When viewed with browsers that don't understand HTML3 tables, the -rows and -columns parameters will leave you with a group of buttons that may be awkwardly formatted but still useable. However, if you add row and/or column headings, the resulting text will be very hard to read.

When the form is processed, the list of checked buttons in the group can be retrieved like this:

     @turned_on = $query->param('group_name');

This function actually returns an array of button elements. You can capture the array and do interesting things with it, such as incorporating it into your own tables or lists. The -nolabels option is also useful in this regard:

       @h = $query->checkbox_group(-name=>'choice',
                                    -value=>['fee','fie','foe'],
                                    -nolabels=>1);
       create_nice_table(@h);

JavaScripting: You can provide an -onClick parameter to register some JavaScript code to be performed every time the user clicks on any of the buttons in the group.

Creating A Standalone Checkbox

   Named parameter list
   print $query->checkbox(-name=>'checkbox_name',
			   -checked=>'checked',
		           -value=>'TURNED ON',
		           -label=>'Turn me on');

   Old style
   print $query->checkbox('checkbox_name',1,'TURNED ON','Turn me on');

checkbox() is used to create an isolated checkbox that isn't logically related to any others.

The first parameter (-nameis the required name for the checkbox. It will also be used for the user-readable label printed next to the checkbox.
The optional second parameter (-checkedspecifies that the checkbox is turned on by default. Aliases for this parameter are -selected and -on.
The optional third parameter (-valuespecifies the value of the checkbox when it is checked. If not provided, the word "on" is assumed.
The optional fourth parameter (-labelassigns a user-visible label to the button. If not provided, the checkbox's name will be used.

The value of the checkbox can be retrieved using:

     $turned_on = $query->param('checkbox_name');

JavaScripting: You can provide an -onClick parameter to register some JavaScript code to be performed every time the user clicks on the button.

Creating A Radio Button Group

   Named parameter style
   print $query->radio_group(-name=>'group_name',
			     -values=>['eenie','meenie','minie'],
                             -default=>'meenie',
			     -linebreak=>'true',
			     -labels=>\%labels);

   Old style
   print $query->radio_group('group_name',['eenie','meenie','minie'],
                                          'meenie','true',\%labels);

   HTML3-compatible browsers only
   print $query->radio_group(-name=>'group_name',
                                -values=>['eenie','meenie','minie','moe'],
	                        -rows=2,-columns=>2);

radio_group() creates a set of logically-related radio buttons. Turning one member of the group on turns the others off.

The first argument (-nameis the name of the group and is required.
The second argument (-valuesis the list of values for the radio buttons. The values and the labels that appear on the page are identical. Pass an array reference in the second argument, either using an anonymous array, as shown, or by referencing a named array as in \@foo.
The optional third parameter (-defaultis the value of the default button to turn on. If not specified, the first item will be the default. Specify some nonexistent value, such as "-" if you don't want any button to be turned on.
The optional fourth parameter (-linebreakcan be set to 'true' to put line breaks between the buttons, creating a vertical list.
The optional fifth parameter (-labelsspecifies an associative array containing labels to be printed next to each the button. If not provided the button value will be used instead. This example assumes that the associative array %labels has already been defined.
The optional parameter -nolabels can be used to suppress the printing of labels next to the button. This is useful if you want to capture the button elements individually and use them inside labeled HTML3 tables.
Browsers that understand HTML3 tables (such as Netscape) can take advantage of the optional parameters -rows, and -columns. These parameters cause radio_group() to return an HTML3 compatible table containing the radio cluster formatted with the specified number of rows and columns. You can provide just the -columns parameter if you wish; radio_group will calculate the correct number of rows for you.
To include row and column headings in the returned table, you can use the -rowheader and -colheader parameters. Both of these accept a pointer to an array of headings to use. The headings are just decorative. They don't reorganize the interpetation of the radio buttons -- they're still a single named unit.
When viewed with browsers that don't understand HTML3 tables, the -rows and -columns parameters will leave you with a group of buttons that may be awkwardly formatted but still useable. However, if you add row and/or column headings, the resulting text will be very hard to read.

When the form is processed, the selected radio button can be retrieved using:

       $which_radio_button = $query->param('group_name');

This function actually returns an array of button elements. You can capture the array and do interesting things with it, such as incorporating it into your own tables or lists The -nolabels option is useful in this regard.:

       @h = $query->radio_group(-name=>'choice',
                                 -value=>['fee','fie','foe'],
                                 -nolabels=>1);
       create_nice_table(@h);

JavaScripting: You can provide an -onClick parameter to register some JavaScript code to be performed every time the user clicks on any of the buttons in the group.

Creating A Submit Button

   Named parameter style
   print $query->submit(-name=>'button_name',
		        -value=>'value');

  Old style
  print $query->submit('button_name','value');

submit() will create the query submission button. Every form should have one of these.

The first argument (-nameis optional. You can give the button a name if you have several submission buttons in your form and you want to distinguish between them.
The second argument (-valueis also optional. This gives the button a value that will be passed to your script in the query string, and will also appear as the user-visible label. You can figure out which button was pressed by using different values for each one:

    $which_one = $query->param('button_name');

JavaScripting: You can provide an -onClick parameter to register some JavaScript code to be performed every time the user clicks on the button. You can't prevent a form from being submitted, however. You must provide an -onSubmit handler to the form itself to do that.

Creating A Reset Button

  print $query->reset

reset() creates the "reset" button. It undoes whatever changes the user has recently made to the form, but does not necessarily reset the form all the way to the defaults. See defaults() for that. It takes the optional label for the button ("Reset" by default). JavaScripting: You can provide an -onClick parameter to register some JavaScript code to be performed every time the user clicks on the button.

Creating A Defaults Button

  print $query->defaults('button_label')

defaults() creates "reset to defaults" button. It takes the optional label for the button ("Defaults" by default). When the user presses this button, the form will automagically be cleared entirely and set to the defaults you specify in your script, just as it was the first time it was called.

Creating A Hidden Field

   Named parameter style
   print $query->hidden(-name=>'hidden_name',
                        -default=>['value1','value2'...]);

   Old style
   print $query->hidden('hidden_name','value1','value2'...);

hidden() produces a text field that can't be seen by the user. It is useful for passing state variable information from one invocation of the script to the next.

The first argument (-name) is required and specifies the name of this field.
The second and subsequent arguments specify the value for the hidden field. This is a quick and dirty way of passing perl arrays through forms. If you use the named parameter style, you must provide the parameter -default and an array reference here.

As of version 2.0 I have changed the behavior of hidden fields once again. Read this if you use hidden fields.

Hidden fields used to behave differently from all other fields: the provided default values always overrode the "sticky" values. This was the behavior people seemed to expect, however it turns out to make it harder to write state-maintaining forms such as shopping cart programs. Therefore I have made the behavior consistent with other fields.

Just like all the other form elements, the value of a hidden field is "sticky". If you want to replace a hidden field with some other values after the script has been called once you'll have to do it manually before writing out the form element:

     $query->param('hidden_name','new','values','here');
     print $query->hidden('hidden_name');

Fetch the value of a hidden field this way:

    $hidden_value = $query->param('hidden_name');
            -or (for values created with arrays)-
    @hidden_values = $query->param('hidden_name');

Creating a Clickable Image Button

   Named parameter style
   print $query->image_button(-name=>'button_name',
                              -src=>'/images/NYNY.gif',
                              -align=>'MIDDLE');	

   Old style
   print $query->image_button('button_name','/source/URL','MIDDLE');

image_button() produces an inline image that acts as a submission button. When selected, the form is submitted and the clicked (x,y) coordinates are submitted as well.

The first argument(-name is required and specifies the name of this field.
The second argument (-srcspecifies the URL of the image to display. It must be one of the types supported by inline images (e.g. GIF), but can be any local or remote URL.
The third argument (-alignis anything you might want to use in the ALIGN attribute, such as TOP, BOTTOM, LEFT, RIGHT or MIDDLE. This field is optional.

When the image is clicked, the results are passed to your script in two parameters named "button_name.x" and "button_name.y", where "button_name" is the name of the image button.

    $x = $query->param('button_name.x');
    $y = $query->param('button_name.y');

JavaScripting: You can provide an -onClick parameter to register some JavaScript code to be performed every time the user clicks on the button.

Creating a JavaScript Button

   Named parameter style
   print $query->button(-name=>'button1',
                           -value=>'Click Me',
                           -onClick=>'doButton(this)');	

   Old style
   print $query->image_button('button1','Click Me','doButton(this)');

button() creates a JavaScript button. When the button is pressed, the JavaScript code pointed to by the -onClick parameter is executed. This only works with Netscape 2.0 and higher. Other browsers do not recognize JavaScript and probably won't even display the button.

The first argument(-name is required and specifies the name of this field.
The second argument (-value gives the button a value, and will be used as the user-visible label on the button.
The third argument (-onClick is any valid JavaScript code. It's usually a call to a JavaScript function defined somewhere else (see the start_html() method), but can be any JavaScript you like. Multiple lines are allowed, but you must be careful not to include any double quotes in the JavaScript text.

See JavaScripting for more information.

Controlling HTML Autoescaping

By default, if you use a special HTML character such as >, < or & as the label or value of a button, it will be escaped using the appropriate HTML escape sequence (e.g. >). This lets you use anything at all for the text of a form field without worrying about breaking the HTML document. However, it may also interfere with your ability to use special characters, such as Á as default contents of fields. You can turn this feature on and off with the method autoEscape().

Use

    $query->autoEscape(undef);

to turn automatic HTML escaping off, and

    $query->autoEscape('true');

to turn it back on.

Debugging

If you are running the script from the command line or in the perl debugger, you can pass the script a list of keywords or parameter=value pairs on the command line or from standard input (you don't have to worry about tricking your script into reading from environment variables). You can pass keywords like this:

   my_script.pl keyword1 keyword2 keyword3

or this:

   my_script.pl keyword1+keyword2+keyword3

or this:

   my_script.pl name1=value1 name2=value2

or this:

   my_script.pl name1=value1&name2=value2

or even by sending newline-delimited parameters to standard input:

   % my_script.pl
   first_name=fred
   last_name=flintstone
   occupation='granite miner'
   ^D

When debugging, you can use quotation marks and the backslash character to escape spaces and other funny characters in exactly the way you would in the shell (which isn't surprising since CGI.pm uses "shellwords.pl" internally). This lets you do this sort of thing:

    my_script.pl "'name 1'='I am a long value'" "'name 2'=two\ words"

Table of contents

Dumping Out All The Name/Value Pairs

The dump() method produces a string consisting of all the query's name/value pairs formatted nicely as a nested list. This is useful for debugging purposes:

   print $query->dump

Produces something that looks like this:

   <UL>
   <LI>name1
       <UL>
       <LI>value1
       <LI>value2
       </UL>
   <LI>name2
       <UL>
       <LI>value1
       </UL>
   </UL>

You can achieve the same effect by incorporating the CGI object directly into a string, as in:

   print "<H2>Current Contents:</H2>\n$query\n";

HTTP Session Variables

Some of the more useful environment variables can be fetched through this interface. The methods are as follows:

accept(): Return a list of MIME types that the remote browser accepts. If you give this method a single argument corresponding to a MIME type, as in $query->accept('text/html'), it will return a floating point value corresponding to the browser's preference for this type from 0.0 (don't want) to 1.0. Glob types (e.g. text/*) in the browser's accept list are handled correctly.
auth_type(): Return the authorization type, if protection is active. Example "Basic".
cookie(): Returns the "magic cookie" maintained by Netscape 1.1 and higher. In conjunction with the header()-cookie parameter, this can be used to keep track of a particular browser. This will not work with non-Netscape browsers.
path_info(): Returns additional path information from the script URL. E.G. fetching /cgi-bin/your_script/additional/stuff will result in $query->path_info() returning "/additional/stuff"
path_translated(): As per path_info() but returns the additional path information translated into a physical path, e.g. "/usr/local/etc/httpd/htdocs/additional/stuff".
referer(): Return the URL of the page the browser was viewing prior to fetching your script. Not available for all browsers.
remote_addr(): Return the dotted IP address of the remote host.
remote_ident(): Return the identity-checking information from the remote host. Only available if the remote host has the identd daemon turned on.
remote_host(): Returns either the remote host name or IP address. if the former is unavailable.
remote_user(): Return the name given by the remote user during password authorization.
request_method(): Return the HTTP method used to request your script's URL, usually one of GET, POST, or HEAD.
script_name(): Return the script name as a partial URL, for self-refering scripts.
server_name(): Return the name of the WWW server the script is running under.
server_port(): Return the communications port the server is using.
user_agent(): Returns the identity of the remote user's browser software, e.g. "Mozilla/1.1N (Macintosh; I; 68K)"
user_name(): Attempts to obtain the remote user's name, using a variety of environment variables. This only works with older browsers such as Mosaic. Netscape does not reliably report the user name!

Table of contents

Support for Netscape Frames

CGI.pm contains support for Netscape frames, a new feature in version 2.0 and higher. Frames are supported in two ways:

You can direct the output of a script into a new window or into a preexisting named frame by providing the name of the frame as a -target argument in the header method. For example, the following code will pop up a new Netscape window and display the script's output:
```
      $query = new CGI;
      print $query->header(-target=>'_blank');
      
```
You can provide the name of a new or preexisting frame in the startform() and start_multipart_form() methods using the -target parameter. When the form is submitted, the output will be redirected to the indicated frame:
```
      print $query->start_form(-target=>'result_frame');
      
```

Using frames effectively can be tricky. To create a proper frameset in which the query and response are displayed side-by-side requires you to divide the script into three functional sections. The first section should create the <frameset> declaration and exit. The second section is responsible for creating the query form and directing it into the one frame. The third section is responsible for creating the response and directing it into a different frame.

The examples directory contains a script called popup.cgi that demonstrates a simple popup window. frameset.cgi provides a skeleton script for creating side-by-side query/result frame sets.

Support for JavaScript

Netscape versions 2.0 and higher incorporate an interpreted language called JavaScript. It isn't the same as Java, and certainly isn't at all the same as Perl, which is a great pity. JavaScript allows you to programatically change the contents of fill-out forms, create new windows, and pop up dialog box from within Netscape itself. From the point of view of CGI scripting, JavaScript is quite useful for validating fill-out forms prior to submitting them.

You'll need to know JavaScript in order to use it. The Netscape JavaScript manual contains a good tutorial and reference guide to the JavaScript programming language.

The usual way to use JavaScript is to define a set of functions in a <SCRIPT> block inside the HTML header and then to register event handlers in the various elements of the page. Events include such things as the mouse passing over a form element, a button being clicked, the contents of a text field changing, or a form being submitted. When an event occurs that involves an element that has registered an event handler, its associated JavaScript code gets called.

The elements that can register event handlers include the <BODY> of an HTML document, hypertext links, all the various elements of a fill-out form, and the form itself. There are a large number of events, and each applies only to the elements for which it is relevant:

onLoad

The browser is loading the current document. Valid in:

The HTML <BODY> section only.

onUnload

The browser is closing the current page or frame. Valid for:

The HTML <BODY> section only.

onSubmit

The user has pressed the submit button of a form. This event happens just before the form is submitted, and your function can return a value of false in order to abort the submission. Valid for:

Forms only.

onClick

The mouse has clicked on an item in a fill-out form. Valid for:

Buttons (including submit, reset, and image buttons)
Checkboxes
Radio buttons

onChange

The user has changed the contents of a field. Valid for:

Text fields
Text areas
Password fields
File fields
Popup Menus
Scrolling lists

onFocus

The user has selected a field to work with. Valid for:

Text fields
Text areas
Password fields
File fields
Popup Menus
Scrolling lists

onBlur

The user has deselected a field (gone to work somewhere else). Valid for:

Text fields
Text areas
Password fields
File fields
Popup Menus
Scrolling lists

onSelect

The user has changed the part of a text field that is selected. Valid for:

Text fields
Text areas
Password fields
File fields

In order to register a JavaScript event handler with an HTML element, just use the event name as a parameter when you call the corresponding CGI method. For example, to have your validateAge() JavaScript code executed every time the textfield named "age" changes, generate the field like this:

   print $q->textfield(-name=>'age',-onChange=>"validateAge(this)");

This example assumes that you've already declared the validateAge() function by incorporating it into a <SCRIPT> block. The CGI.pm start_html() method provides a convenient way to create this section.

Similarly, you can create a form that checks itself over for consistency and alerts the user if some essential value is missing by creating it this way:

   print $q->startform(-onSubmit=>"validateMe(this)");

See the javascript.cgi script for a demonstration of how this all works.

Table of contents

Advanced Techniques

A Script that Saves Some Information to a File and Restores It

This script will save its state to a file of the user's choosing when the "save" button is pressed, and will restore its state when the "restore" button is pressed. Notice that it's very important to check the file name for shell metacharacters so that the script doesn't inadvertently open up a command or overwrite someone's file. For this to work, the script's current directory must be writable by "nobody".

#!/usr/local/bin/perl

use CGI;
$query = new CGI;

print $query->header;
print $query->start_html("Save and Restore Example");
print "<H1>Save and Restore Example</H1>\n";

# Here's where we take action on the previous request
&save_parameters($query)              if $query->param('action') eq 'save';
$query = &restore_parameters($query)  if $query->param('action') eq 'restore';

# Here's where we create the form
print $query->startform;
print "Popup 1: ",$query->popup_menu('popup1',['eenie','meenie','minie']),"\n";
print "Popup 2: ",$query->popup_menu('popup2',['et','lux','perpetua']),"\n";
print "<P>";
print "Save/restore state from file: ",$query->textfield('savefile','state.sav'),"\n";
print "<P>";
print $query->submit('action','save'),$query->submit('action','restore');
print $query->submit('action','usual query');
print $query->endform;

# Here we print out a bit at the end
print $query->end_html;

sub save_parameters {
    local($query) = @_;
    local($filename) = &clean_name($query->param('savefile'));
    if (open(FILE,">$filename")) {
	$query->save(FILE);
	close FILE;
	print "<STRONG>State has been saved to file $filename</STRONG>\n";
    } else {
	print "<STRONG>Error:</STRONG> couldn't write to file $filename: $!\n";
    }
}

sub restore_parameters {
    local($query) = @_;
    local($filename) = &clean_name($query->param('savefile'));
    if (open(FILE,$filename)) {
	$query = new CGI(FILE);  # Throw out the old query, replace it with a new one
	close FILE;
	print "<STRONG>State has been restored from file $filename</STRONG>\n";
    } else {
	print "<STRONG>Error:</STRONG> couldn't restore file $filename: $!\n";
    }
    return $query;
}


# Very important subroutine -- get rid of all the naughty
# metacharacters from the file name. If there are, we
# complain bitterly and die.
sub clean_name {
   local($name) = @_;
   unless ($name=~/^[\w\.-]+$/) {
      print "<STRONG>$name has naughty characters.  Only ";
      print "alphanumerics are allowed.  You can't use absolute names.</STRONG>";
      die "Attempt to use naughty characters";
   }
   return $name;
}

A Script that Uses Self-Referencing URLs to Jump to Internal Links

(Without losing form information).

Many people have experienced problems with internal links on pages that have forms. Jumping around within the document causes the state of the form to be reset. A partial solution is to use the self_url() method to generate a link that preserves state information. This script illustrates how this works.

#!/usr/local/bin/perl

use CGI;
$query = new CGI;

# We generate a regular HTML file containing a very long list
# and a popup menu that does nothing except to show that we
# don't lose the state information.
print $query->header;
print $query->start_html("Internal Links Example");
print "<H1>Internal Links Example</H1>\n";

print "<A NAME=\"start\"></A>\n"; # an anchor point at the top

# pick a default starting value;
$query->param('amenu','FOO1') unless $query->param('amenu');

print $query->startform;
print $query->popup_menu('amenu',[('FOO1'..'FOO9')]);
print $query->submit,$query->endform;

# We create a long boring list for the purposes of illustration.
$myself = $query->self_url;
print "<OL>\n";
for (1..100) {
    print qq{<LI>List item #$_<A HREF="$myself#start">Jump to top</A>\n};
}
print "</OL>\n";

print $query->end_html;

Multiple forms on the same page

There's no particular trick to this. Just remember to close one form before you open another one. You can reuse the same query object or create a new one. Either technique works.

There is, however, a problem with maintaining the states of multiple forms. Because the browser only sends your script the parameters from the form in which the submit button was pressed, the state of all the other forms will be lost. One way to get around this, suggested in this example, is to use hidden fields to pass as much information as possible regardless of which form the user submits.

#!/usr/local/bin/perl
use CGI;

$query=new CGI;
print $query->header;
print $query->start_html('Multiple forms');
print "<H1>Multiple forms</H1>\n";

# form 1
print "<HR>\n";
print $query->startform;
print $query->textfield('text1'),$query->submit('submit1');
print $query->hidden('text2');  # pass information from the other form
print $query->endform;
print "<HR>\n";

# form 2
print $query->startform;
print $query->textfield('text2'),$query->submit('submit2');
print $query->hidden('text1');  # pass information from the other form
print $query->endform;
print "<HR>\n";
print $query->end_html;

CGI.pm and the Self Loader

In the past one problem with CGI.pm was that, being a bloated everything-but-the-kitchen sink module, it took a long time to load. The long loading time was due to the many functions it defined, most of which never got used in a particular session anyway. As of version 2.17, CGI.pm uses the SelfLoader module to load functions only on demand. This improves loading speed considerably.

When CGI.pm is first loaded, it only compiles the core new(), param(), keywords() and import() functions that are used by almost every CGI program. This cuts the loading time by a factor of half. If you use any of the other functions, the appropriate section of the code will be loaded and compiled.

For people who only want to read in and parse the CGI variables, this is a big win. For everyone else, there's more or less of a gain in load speed depending on how many functions you call on.

Unfortunately there are problems with the self loader. For one thing, it is not yet part of the standard Macintosh and Windows NT distributions, and the Unix variants of the self loader are not known to work with these versions of perl. For another, it is incompatible with the useful -T (taint checking) switch. Fortunately it is easy to modify CGI.pm so that you don't have to use the self loader. You just have to comment out two lines:

Find the line at the top of the file that reads:
```
use SelfLoader;
```
Comment it out.
Find the line midway into the file that reads:
```
__DATA__
```
Comment it out.

The SelfLoader can be found in the standard Perl 5.002 distribution. You can also obtain it separately and use it with 5.001. Use archie or a webcrawler to find a CPAN perl archive site near you, or consult this partial list:

Look in the Autoloader directory.

As an aside, I've noticed that the new perl debugger perl5db.pl that comes with the 5.002 distribution does not work very well with the SelfLoader. It produces spurious warning messages and occasionally causes Perl to core dump. I prefer the older version of perl5db.pl that comes with Perl 5.001.

Using the File Upload Feature

First of all, because the file upload feature is so new, this code is has not been tested as much as I'd like. A complicating factor is that the various versions of Netscape on the Macintosh, Unix and Windows platforms don't all seem to implement file uploading in exactly the same way. I've tried to make CGI.pm work with all versions on all platforms, but I keep getting reports from people of instances that break the file upload feature. (Currently the only unresolved problem is a report that uploads of large binary files are aborted when SSL is in use. If you can reproduce this problem and have some idea what's happening I'd like to know about it.)

The main technical challenge of handling file uploads is that it potentially involves sending more data to the CGI script than the script can hold in main memory. For this reason CGI.pm creates temporary files in either the /usr/tmp or the /tmp directory. These temporary files have names like CGItemp125421, and should be deleted automatically.

Frequent Problems

You can't retrieve the name of the uploaded file using the param() method

Most likely the remote user isn't using version 2.0 (or higher) of Netscape. Alternatively she just isn't filling in the form completely.

You can read the name of the uploaded file, but can't retrieve the data

First check that you've told CGI.pm to use the new multipart/form-data scheme. If it still isn't working, there may be a problem with the temporary files that CGI.pm needs to create in order to read in the (potentially very large) uploaded files. Internally, CGI.pm tries to create temporary files with names similar to CGITemp123456 in a temporary directory. To find a suitable directory it first looks for /usr/tmp and then for /tmp. If it can't find either of these directories, it tries for the current directory, which is usually the same directory that the script resides in.

If you're on a non-Unix system you may need to modify CGI.pm to point at a suitable temporary directory. This directory must be writable by the user ID under which the server runs (usually "nobody") and must have sufficient capacity to handle large file uploads. Open up CGI.pm, and find the line:

      package TempFile;
      foreach ('/usr/tmp','/tmp') {
         do {$TMPDIRECTORY = $_; last} if -w $_;
      }

Modify the foreach() line to contain a series of one or more directories to store temporary files in.

When you press the "back" button, the same page is loaded, not the previous one.

Netscape 2.0's history list gets confused when processing multipart forms. If the script generates different pages for the form and the results, hitting the "back" button doesn't always return you to the previous page; instead Netscape reloads the current page. This happens even if you don't use an upload file field in your form.

The workaround for this is to use additional path information to trick Netscape into thinking that the form and the response have different URLs. I recommend giving each form a sequence number and bumping the sequence up by one each time the form is accessed:

   my($s) = $query->path_info=~/(\d+)/; # get sequence
   $s++;                                #bump it up
   # Trick Netscape into thinking it's loading a new script:
   print $q->start_multipart_form(-action=>$q->script_name . '/$s');

You can't find the temporary file that CGI.pm creates

You're encouraged to copy the data into your own file by reading from the file handle that CGI.pm provides you with. In the future there may be no temporary file at all, just a pipe. However, for now, if you really want to get at the temp file, you can retrieve its path using the tmpFileName() method. Be sure to move the temporary file elsewhere in the file system if you don't want it to be automatically deleted when CGI.pm exits.

Using CGI.pm on non-Unix Platforms

Windows NT

The NT port of perl has an annoying habit of transforming newline (\n) sequences into carriage-return/newline (\r\n) sequences both on input and output. This confuses certain servers, such as the Netscape Communications Server. To make things work correctly, find the following line in CGI.pm

   $needs_binmode = 0;

and change it to

   $needs_binmode = 1;

CGI.pm works well with WebSite, the EMWACS server and Purveyor. CGI.pm must be put in the perl5 library directory, and all CGI scripts that use it should be placed in cgi-bin directory. You also need to associate the .pl suffix with perl5 using the NT file manager.

WebSite uses a slightly different cgi-bin directory structure than the standard. For this server, place the scripts in the cgi-shl directory.

The Netscape Communications Server has terrible problems with Perl scripts because it doesn't use the standard NT file extension associations. Netscape's recommendation of placing perl.exe in cgi-bin is a terrible mistake because it opens up a huge secure hole. Don't do it! It's also a mistake to place .bat files in cgi-bin because of another security hole in the server. You're safest running Visual Basic or C programs in cgi-bin if you use the Netscape Server.

VMS

Set $needs_binmode to 1 as described above.

Macintosh

Christian Huldt reports that at least the basic features of CGI.pm work correctly with MacPerl version 5.0.6r1 and the WebStar and MacHTTP servers. The following changes have to be made:

Replace $CRLF="\r\n" with $CRLF="\015\012". This has to do with MacPerl's rather liberal interpretation of the meaning of the \r and \n escapes! (NOTE: This has already been done for you in version 2.18).
Use '-value' instead of -value in the parameter lists.

Future Prospects for this Library

This library is a precursor to the full featured CGI, URL, and HTML modules being developed as part of the Perl CGI developer's effort. Although those modules supersede much of the functionality of this one, I am continuing to maintain and improve this library in order to maintain compatability with CGI scripts that rely on it and to satisfy people who are looking for an easy-to-use introduction to the world of CGI scripting.

The current version of CGI.pm can be found at:

  
http://www-genome.wi.mit.edu/ftp/pub/software/WWW/

You are encouraged to look at these other Web-related modules:

HTML.pm: A module that simplifies the creation of HTML documents programatically.
CGI::Base,CGI::Form,CGI::MiniSrv,CGI::Request and CGI::URI::URL: Modules for parsing script input, manipulating URLs, creating forms and even launching a miniature Web server.
libwww-perl: Modules for fetching Web resources from within Perl, writing Web robots, and much more.

You might also be interested in two packages for creating graphics on the fly:

GD.html: A module for creating GIF images on the fly, using Tom Boutell's gd graphics library.
qd.pl: A library for creating Macintosh PICT files on the fly (which can be converted to GIF or JPEG using NetPBM).

For a collection of CGI scripts of various levels of complexity, see the companion pages for my book How to Set Up and Maintain a World Wide Web Site

Distribution Information:

This code is copyright 1995, 1996 by Lincoln Stein and the Whitehead Institute for Biomedical Research. It may be used and modified freely, but I do request that this copyright notice remain attached to the file. You may modify this module as you wish, but if you redistribute a modified version, please attach a note listing the modifications you have made.

Bug Reports

Address bug reports and comments to:
lstein@genome.wi.mit.edu

Up to table of contents

Revision History

Version 2.18

Fixed a bug that corrects a hang that occurs on some platforms when processing file uploads. Unfortunately this disables the check for bad Netscape uploads.
Fixed bizarre problem involving the inability to process uploaded files that begin with a non alphabetic character in the file name.
Fixed a bug in the hidden fields involving the -override directive being ignored when scalar defaults were passed.
Added documentation on how to disable the SelfLoader features.

Version 2.17

Added support for the SelfLoader module.
Added oodles of JavaScript support routines.
Fixed bad bug in query_string() method that caused some parameters to be silently dropped.
Robustified file upload code to handle premature termination by the client.
Exported temporary file names on file upload.
Removed spurious "uninitialized variable" warnings that appeared when running under 5.002.
Added the Carp.pm library to the standard distribution.
Fixed a number of errors in this documentation, and probably added a few more.
Checkbox_group() and radio_group() now return the buttons as arrays, so that you can incorporate the individual buttons into specialized tables.
Added the '-nolabels' option to checkbox_group() and radio_group(). Probably should be added to all the other HTML-generating routines.
Added the url() method to recover the URL without the entire query string appended.
Added request_method() to list of environment variables available.
Would you believe it? Fixed hidden fields again!

Version 2.16

Fixed hidden fields yet again.
Fixed subtle problems in the file upload method that caused intermittent failures (thanks to Keven Hendrick for this one).
Made file upload more robust in the face of bizarre behavior by the Macintosh and Windows Netscape clients.
Moved the POD documentation to the bottom of the module at the request of Stephen Dahmen.
Added the -xbase parameter to the start_html() method, also at the request of Stephen Dahmen.
Added JavaScript form buttons at Stephen's request. I'm not sure how to use this Netscape extension correctly, however, so for now the form() method is in the module as an undocumented feature. Use at your own risk!

Version 2.15

Added the -override parameter to all field-generating methods.
Documented the user_name() and remote_user() methods.
Fixed bugs that prevented empty strings from being recognized as valid textfield contents.
Documented the use of framesets and added a frameset example.

Version 2.14

This was an internal experimental version that was never released.

Version 2.13

Fixed a bug that interfered with the value "0" being entered into text fields.

Version 2.01

Added -rows and -columns to the radio and checkbox groups. No doubt this will cause much grief because it seems to promise a level of meta-organization that it doesn't actually provide.
Fixed a bug in the redirect() method -- it was not truly HTTP/1.0 compliant.

Version 2.0

The changes seemed to touch every line of code, so I decided to bump up the major version number.

Support for named parameter style method calls. This turns out to be a big win for extending CGI.pm when Netscape adds new HTML "features".
Changed behavior of hidden fields back to the correct "sticky" behavior. This is going to break some programs, but it is for the best in the long run.
Netscape 2.0b2 broke the file upload feature. CGI.pm now handles both 2.0b1 and 2.0b2-style uploading. It will probably break again in 2.0b3.
There were still problems with library being unable to distinguish between a form being loaded for the first time, and a subsequent loading with all fields blank. We now forcibly create a default name for the Submit button (if not provided) so that there's always at least one parameter.
More workarounds to prevent annoying spurious warning messages when run under the -w switch. -w is seriously broken in perl 5.001!

Version 1.57

Support for the Netscape 2.0 "File upload" field.
The handling of defaults for selected items in scrolling lists and multiple checkboxes is now consistent.

Version 1.56

Created true "pod" documentation for the module.
Cleaned up the code to avoid many of the spurious "use of uninitialized variable" warnings when running with the -w switch.
Added the autoEscape() method.
Added string interpolation of the CGI object.
Added the ability to pass additional parameters to the <BODY> tag.
Added the ability to specify the status code in the HTTP header.

Bug fixes in version 1.55

Every time self_url() was called, the parameter list would grow. This was a bad "feature".
Documented the fact that you can pass "-" to radio_group() in order to prevent any button from being highlighted by default.

Bug fixes in version 1.54

The user_agent() method is now documented;
A potential security hole in import() is now plugged.
Changed name of import() to import_names() for compatability with CGI:: modules.

Bug fixes in version 1.53

Fixed several typos in the code that were causing the following subroutines to fail in some circumstances
1. checkbox()
2. hidden()
No features added

New features added in version 1.52

Added backslashing, quotation marks, and other shell-style escape sequences to the parameters passed in during debugging off-line.
Changed the way that the hidden() method works so that the default value always overrides the current one.
Improved the handling of sticky values in forms. It's now less likely that sticky values will get stuck.
If you call server_name(), script_name() and several other methods when running offline, the methods now create "dummy" values to work with.

Bugs fixed in version 1.51

param() when called without arguments was returning an array of length 1 even when there were no parameters to be had. Bad bug! Bad!
The HTML code generated would break if input fields contained the forbidden characters ">< or &. You can now use these characters freely.

New features added in version 1.50

import() method allows all the parameters to be imported into a namespace in one fell swoop.
Parameters are now returned in the same order in which they were defined.

Bugs fixed in version 1.45

delete() method didn't work correctly. This is now fixed.
reset() method didn't allow you to set the name of the button. Fixed.

Bugs fixed in version 1.44

self_url() didn't include the path information. This is now fixed.

New features added in version 1.43

Added the delete() method.

New features added in version 1.42

The image_button() method to create clickable images.
A few bug fixes involving forms embedded in <PRE> blocks.

New features added in version 1.4

New header shortcut methods
- redirect() to create HTTP redirection messages.
- start_html() to create the HTML title, complete with the recommended <LINK> tag that no one ever remembers to include.
- end_html() for completeness' sake.
A new save() method that allows you to write out the state of an script to a file or pipe.
An improved version of the new() method that allows you to restore the state of a script from a file or pipe. With (2) this gives you dump and restore capabilities! (Wow, you can put a "121,931 customers served" banner at the bottom of your pages!)
A self_url() method that allows you to create state-maintaining hypertext links. In addition to allowing you to maintain the state of your scripts between invocations, this lets you work around a problem that some browsers have when jumping to internal links in a document that contains a form -- the form information gets lost.
The user-visible labels in checkboxes, radio buttons, popup menus and scrolling lists have now been decoupled from the values sent to your CGI script. Your script can know a checkbox by the name of "cb1" while the user knows it by a more descriptive name. I've also added some parameters that were missing from the text fields, such as MAXLENGTH.
A whole bunch of methods have been added to get at environment variables involved in user verification and other obscure features.

Bug fixes

The problems with the hidden fields have (I hope at last) been fixed.
You can create multiple query objects and they will all be initialized correctly. This simplifies the creation of multiple forms on one page.
The URL unescaping code works correctly now.

Table of Contents

Lincoln D. Stein, lstein@genome.wi.mit.edu
Whitehead Institute/MIT Center for Genome Research

Last modified: Tue Apr 2 23:54:50 EST 1996

	Netmar.com
	Contact Netmar
	Order Webhosting
	Linux control panel