Massyn has asked for the wisdom of the Perl Monks concerning the following question:

#!/fellow/monks.pl

use cgi or die is a common statement made around the monastery. The use of "unweb" in CGI applications has been rejected in most discussions.

I started my perl, and basically my CGI programming days on Redhat 4.2, after following the tutorials on CGI101. The tutorials on CGI101 however never used cgi.pm for any CGI work, but rather used procedures like unweb to do the job.

In a way my personal programming style developed over the years to hard code as much as possible. I understand (to some extent) why cgi.pm has to be used.

My question really is to what extent do I have to convert my applications to utilise cgi.pm? I looked at it and saw that my unweb function could be converted to use cgi.pm fairly easily, so that bit's cool, but what about the other procedures available in cgi.pm? Should I use print "<h1>Hello</h1>"; or should I use the cgi.pm function to do it? I really do not want to go and change entire applications, however, I do want to make the necessary changes to ensure that all security areas are covered.

Thank you wise monks!!

#!/massyn.pl The early worm gets caught by the bird.

Re: To CGI or not CGI, that is the question
by tachyon (Chancellor) on Mar 12, 2003 at 11:01 UTC

    I wrote CGI::Simple because I don't want/like the html output stuff and found the guts of CGI.pm to be somewhat convoluted. Same interfaces, full cgi-lib.pl support (which CGI.pm does not have), solid use of cgi_error() plus some different security related defaults and (IMHO) better docs. See CGI::Simple vs CGI.pm - Is twice as fast good enough?

    I almost invariably use templates for HTML myself.

    cheers

    tachyon

    s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print

Re: To CGI or not CGI, that is the question
by davorg (Chancellor) on Mar 12, 2003 at 11:06 UTC

    I've never heard of "unweb". I don't remember anything of that name in CGI101. I assume that it's one of the broken CGI parsers that are common in scripts written by people who learnt CGI programming by copying Matt Wright's scripts.

    It's clear that the CGI parameter parsing in CGI.pm is far superior to that found in most (if not all) of these parsers. See Use CGI or die; for the details on that. What is less clear is whether or not you should use the HTML shortcut functions in CGI programs.

    Whilst there are advantages to using the HTML shortcuts ("sticky" form inputs and XHTML compliance are two that spring to mind immediately) personally I don't use them very often. I would remove the presentation layer from the CGI program completely and use a templating system (like the Template Toolkit).

    --
    <http://www.dave.org.uk>

    "The first rule of Perl club is you do not talk about Perl club."
    -- Chip Salzenberg

Re: To CGI or not CGI, that is the question
by derby (Abbot) on Mar 12, 2003 at 12:52 UTC
Re: To CGI or not CGI, that is the question
by tadman (Prior) on Mar 12, 2003 at 12:38 UTC
    There is no question about if one should use CGI or not. You should. The real question is if you will.

    Just one look through the site you reference is enough to make me run in fear. Here's a snippet of code in what is supposed to be an educational example:
        #!/usr/bin/perl
        print "Content-type:text/html\n\n";

        # parse the form data.
        read(STDIN, $buffer, $ENV{'CONTENT_LENGTH'});
        @pairs = split(/&/, $buffer);
        foreach $pair (@pairs) {
            ($name, $value) = split(/=/, $pair);
            $value =~ tr/+/ /;
            $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
            $FORM{$name} = $value;
        }

        # where is the mail program?
        $mailprog = '/usr/sbin/sendmail';

        # change this to your own email address
        $recipient = 'nullbox@cgi101.com';

        # this opens an output stream and pipes it directly to the
        # sendmail program. If sendmail can't be found, abort nicely
        # by calling the dienice subroutine (see below)
        open (MAIL, "|$mailprog -t") or dienice("Can't access $mailprog!\n");

        # ... (Continues)
    No warnings? No strict? This is not educational, this is a bad B-movie!

    In short, if you were to use CGI, you would save yourself a lot of heartache because the CGI routines it implements work, and work well. In fact, after a little effort to figure out how to use them, it's so easy.

    Don't get scared about CGI.pm, just invest in a good book, like the Lincoln Stein one, and spend a few hours reading about it. It will save you from a world of hurt!

      It's worth pointing out that the author of that site has written a followup called CGI201 which teaches a far higher level of Perl programming. She's also talking about a new edition of CGI101 which will cover things like CGI.pm, strict and warnings.

      --
      <http://www.dave.org.uk>

      "The first rule of Perl club is you do not talk about Perl club."
      -- Chip Salzenberg
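
As an added illustration (not code from any poster in this thread), the script below feeds one constructed form body to the parsing loop from the quoted CGI101 snippet and to CGI.pm, showing that the loop leaves field names undecoded and keeps only the last value of a repeated field. The sample body and the `handrolled` helper name are assumptions made for the example; it goes slightly beyond the parser comparison by ending with a hand-written `print` whose request value is escaped first.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;    # not in core since Perl 5.22; install from CPAN there

# Constructed sample body: a repeated field, an encoded field name, markup.
my $body = 'topic=perl&topic=cgi&e%2Dmail=a%40example.org&note=%3Cb%3Ehi%3C%2Fb%3E';

# The parsing loop from the quoted CGI101 snippet (helper name is this example's own).
sub handrolled {
    my ($buffer) = @_;
    my %FORM;
    foreach my $pair (split /&/, $buffer) {
        my ($name, $value) = split /=/, $pair;
        $value =~ tr/+/ /;
        $value =~ s/%([a-fA-F0-9][a-fA-F0-9])/pack("C", hex($1))/eg;
        $FORM{$name} = $value;    # name is never decoded; repeats overwrite
    }
    return \%FORM;
}

# The same input through CGI.pm, with conservative request limits.
$CGI::POST_MAX        = 64 * 1024;   # cap on POST body size for real requests
$CGI::DISABLE_UPLOADS = 1;           # this form takes no file uploads
my $q = CGI->new($body);             # a string stands in for the request here
if (my $err = $q->cgi_error) {       # set when CGI.pm rejects a request
    print $q->header(-status => $err), "Request rejected\n";
    exit 0;
}
# multi_param exists in newer CGI.pm; fall back to list-context param.
my @topics = $q->can('multi_param') ? $q->multi_param('topic')
                                    : $q->param('topic');
my $email = $q->param('e-mail');
my $note  = $q->param('note');

my $old = handrolled($body);
print "hand-rolled topic : $old->{topic}\n";
print "hand-rolled e-mail: ", $old->{'e-mail'} // '(missing)', "\n";
print "CGI.pm topics     : @topics\n";
print "CGI.pm e-mail     : $email\n";

# Hand-written HTML is fine as long as request values are escaped first.
print "<h1>", $q->escapeHTML($note), "</h1>\n";
```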