Skip to the content

Kansas State University

CGI Use at K-State

Common Gateway Interface (CGI) programs are a powerful tool for publishing information on the World Wide Web. However, they also have some important considerations and limitations that must be understood before they can be used.

What is a CGI Program?

Consider how a normal non-CGI document is displayed using the Web.

  1. A user runs a Web browser, typically Netscape Navigator. The user selects a Uniform Resource Locator (URL), either by entering it directly or by clicking on a link in an already-displayed document.
  2. The Web browser uses the network to connect to a server, typically a HyperText Transfer Protocol (HTTP) server. The client Web browser sends the URL to the server.
  3. The server reads the requested document from disk and sends the contents to the client.
  4. The client receives the data, formats it, and displays it for the user. After reading the document, the user typically selects a link on that page and the process repeats with step 1.

The difference for a CGI program is in step 3. If the URL designates a CGI program, the server will run the program and send the program's output back to the client. Typically, the program's output is HTML.

From a user's viewpoint there is no difference: the user selected a URL and it was displayed on the screen. From the server's viewpoint the different is potentially massive: reading a file is entirely different from running a program.

Why is running a program a potential problem?

There are several problems with CGI scripts. Some are inherent in the technology, and some are imposed by K-State policies. Some problems are:

  • CGI development is difficult. A CGI program is a program, and programming is more difficult than composing documents with HTML. The development enviroment is also problematic. Error messages, for example, are by default routed to the server's error log and are not available to the author.
  • Hostile scripts could crash the entire HTTP server. CGI scripts run as a separate process from the HTTP server, which isolates the server from most script errors. However, operating system errors do exist, and scripts that crash entire Unix systems are routinely distributed on Network News.
  • CGI scripts are a potential security exposure. Scripts that are written without a paranoid attention to security holes could cause the K-State HTTP server to be compromised.
  • Resource-intensive scripts could cause performance problems. A poorly designed or implemented CGI script could cause performance problems. The HTTP server runs on a computer with limited processing power and memory. CGI programs that are not aware and accomodative of these limitations would impact the normal operation of the HTTP server, as well as any other services on that computer.

    The extreme example of this is a CGI program that has an infinite loop. There is no way for the Web browser to cancel a looping CGI script. As the author, there is no way for you to cancel it either. CGI programs run on CNS's HTTP server, which also manages other tasks, and general users are not allowed to log on to this server.

  • Recreational uses. Most requests for CGI access are to allow non-essential decorations such as server-push animations and "hit" counters. CNS does not have the resources to support these uses.
For these reasons, CNS does not allow user-written CGI programs to be run without additional authorization.

What CGI programs can I run?

Several CGI programs are installed already. For a list, see Common Gateway Interface (CGI) Programs.

The gist is that if you want to accept data on HTML forms and send it as e-mail, this is easy to do. If you need more specialized tasks, more work is needed.

Problems notwithstanding, I really need to use a CGI script!

In support of the missions of K-State, CNS can provide support for CGI scripts in several ways:

  • Programming support. If your task is sufficiently useful to other K-State departments, CNS could work with you to develop the CGI program. Understand, of course, that programming resources are limited also.
  • A test machine. On an individual basis, we can provide access to a computer with a HTTP server that does allow CGI access. This can be used for testing, not production.

To discuss your CGI needs, contact

Are there any alternatives?

  • Java and Javascript. At some point, Java and Javascript will be able to do some of the things that now require a CGI program. However, these currently are not ubiqutous enough to rely on.
  • Your own HTTP server. If you can't live with the CGI limitations, you can always purchase and maintain your own HTTP server. Then if a CGI program crashes it, it is your problem!