CGI Use at K-State
Common Gateway Interface (CGI) programs are a powerful tool for publishing
information on the World Wide Web.
However, they also have some important considerations and limitations
that must be understood before they can be used.
What is a CGI Program?
Consider how a normal non-CGI document is displayed using the Web.
- A user runs a Web browser, typically Netscape Navigator.
The user selects a Uniform Resource Locator (URL), either by entering it
directly or by clicking on a link in an already-displayed
- The Web browser uses the network to connect to a server,
typically a HyperText Transfer Protocol (HTTP) server.
The client Web browser sends the URL to the server.
- The server reads the requested document from disk and sends the
contents to the client.
- The client receives the data, formats it, and displays it for the user.
After reading the document, the user typically selects a link on that
page and the process repeats with step 1.
The difference for a CGI program is in step 3.
If the URL designates a CGI program, the server will
run the program and send the program's output back to the client.
Typically, the program's output is HTML.
From a user's viewpoint there is no difference:
the user selected a URL and it was displayed on the screen.
From the server's viewpoint the different is potentially massive:
reading a file is entirely different from running a program.
Why is running a program a potential problem?
There are several problems with CGI scripts.
Some are inherent in the technology, and some are imposed by K-State policies.
Some problems are:
- CGI development is difficult.
A CGI program is a program, and programming is more difficult
than composing documents with HTML.
The development enviroment is also problematic.
Error messages, for example, are by default routed to the server's error log and
are not available to the author.
- Hostile scripts could crash the entire HTTP server.
CGI scripts run as a separate process from the HTTP server,
which isolates the server from most script errors.
However, operating system errors do exist, and scripts that crash entire Unix
systems are routinely distributed on Network News.
- CGI scripts are a potential security exposure.
Scripts that are written without a paranoid attention to security holes
could cause the K-State HTTP server to be compromised.
Resource-intensive scripts could cause performance problems.
A poorly designed or implemented CGI script could cause performance
The HTTP server runs on a computer with limited processing power and memory.
CGI programs that are not aware and accomodative of these limitations
would impact the normal operation of the HTTP server, as well as any other
services on that computer.
The extreme example of this is
a CGI program that has an infinite loop.
There is no way for the Web browser to cancel a looping CGI script.
As the author, there is no way for you to cancel it either.
CGI programs run on CNS's HTTP server, which also manages other
tasks, and general users are not
allowed to log on to this server.
- Recreational uses.
Most requests for CGI access are to allow non-essential decorations
such as server-push animations
and "hit" counters.
CNS does not have the resources to support these uses.
For these reasons, CNS does not allow user-written CGI programs to be run
without additional authorization.
What CGI programs can I run?
Several CGI programs are installed already.
For a list, see
Common Gateway Interface (CGI) Programs.
The gist is that if you want to accept data on HTML forms and
send it as e-mail, this is easy to do.
If you need more specialized tasks, more work is needed.
Problems notwithstanding, I really need to use a CGI script!
In support of the missions of K-State,
CNS can provide support for CGI scripts in several ways:
- Programming support.
If your task is sufficiently useful to other K-State departments,
CNS could work with you to develop the CGI program.
Understand, of course, that programming resources are limited also.
- A test machine.
On an individual basis, we can provide access to a computer with a HTTP
server that does allow CGI access.
This can be used for testing, not production.
To discuss your CGI needs, contact
Are there any alternatives?
things that now require a CGI program.
However, these currently are not ubiqutous enough to rely on.
- Your own HTTP server.
If you can't live with the CGI limitations, you can always purchase
and maintain your own HTTP server.
Then if a CGI program crashes it, it is your problem!