The Common Gateway Interface
Björn Andersson, 25.04.1997
The purpose of this document is to give a brief introduction
to and an easy-to-understand overview of the Common Gateway
Interface. Links for further and more detailed information is
Normal HTTP documents are static; a text file that doesn't change.
It is not unusual however that dynamic information is desired. CGI is the
answer to this as it lets a program be executed in real-time to
produce output. 
CGI provides an interface between the HTTP server and a program or
script. Together the HTTP server and the CGI script are responsible
for servicing a client request by sending back responses .
Flow of Data to Gateway Programs
This Figure illustrates the flow of data when a user accesses a CGI
program. The solid line shows the data flow using HTTP and CGI. HTTP
transfers data from the client to the HTTP server, and back again.
The CGI mechanisms control the flow of data from the server to the
gateway program (shown as the prism) and back again. These are called
gateway programs because they generally act as gateways between the
World Wide Web and server-side resources such as databases, feedback
forms, clickable imagemaps, and so on. 
Here follows the broad steps of the CGI process, simplified for
A few points mentioned above might be unclear, but will be better
described in the following section.
- Your browser decodes the first part of the URL and contacts the
- Your browser supplies the remainder of the URL to the server.
- The server translates the URL into a path and file name.
- The server realizes that the URL points to a program instead of
a static file.
- The server prepares the environment and launches the script.
- The script executes and reads the environment variables and
- The script sends the proper server directives to "standard out" for
the forthcoming content.
- The scripts sends the rest of its output to "standard out" and
- The server notices that the script has finished and closes the
connection to your browser.
- Your browser displays the output from the script.
General Principles of Generating a CGI Document
Input is often generated through HTML forms, but this is not a
must. A good overview of forms can be found here
. A CGI script or program is not restricted to any certain
language, but the most common language tends to Perl.
There are three ways of passing data to a CGI script :
- Through environment variables
There is a whole bunch of CGI environment
variables  available to the script. The most essential one is
QUERY_STRING. This variable contains the query
string that is sent to the script by appending a question
mark to the URL. E.g.
http://somewhere.foo.bar/myscript?aquery. In this example
myscript is the CGI script and
query string. A query can also be done with the aid of the HTTP
- As command-line arguments
This is provided through the query string (see above) or the HTTP
<ISINDEX> directive. Multiple arguments are separated by a plus
in the url.
- As standard input
This is used when the browser sends data to the HTTP server using the
There are two ways a information can be passed from the CGI script to
the http server :
- Data written to standard output
The data that is written to the standard output should be of the
- Server directives, such as MIME headers e.g.
- A blank line
- Data passed to the browser
- The name of the CGI program
These are script names beginning with
nph-. This is quite
unusual (?) and not discussed here.
A Simple Sample CGI Script
# First a server directive; the MIME type
echo Content-type: text/html
# Then the blank line
# After this comes the data passed to the browser
echo "<HTML><HEAD><TITLE>CGI Test</TITLE></HEAD>"
echo argc is $#. argv is "$*".
echo SERVER_SOFTWARE = $SERVER_SOFTWARE
echo QUERY_STRING = "$QUERY_STRING"
Since a CGI program is executable, it is basically the equivalent of
letting the world run a program on your system, which isn't the safest
thing to do. Therefore, there are some security precautions that need
to be implemented when it comes to using CGI programs. An innocent
looking statement in your script might have disastrous
consequences. Because it is very easy to write insecure scripts system
administrators do not let the average user execute CGI scripts.
Good documentation on CGI security is available on the Internet. For
instance checkout "CGI Security
Tutorial" . Another useful source might be an application, called
, that tests the security your CGI program .
All of the following links has a rating in the scale of one to five
stars. (Don't trust the stars, this assignment made
me do them ;-). Check out the links for your self!)
 NCSA, CGI - Common Gateway Interface
- <URL:http://hoohoo.ncsa.uiuc.edu/cgi/intro.html> (****)
-  D.R.T. Robinson, Common Gateway Interface v1.1 Internet Draft, 15.02.1996
- <URL:http://www.ast.cam.ac.uk/~drtr/cgi-spec.html> (***)
-  Introduction to the Common Gateway Interface
-  Michael Van Bisbrouk, CGI Security Tutorial, 16.04.1996
- <URL:http://www.csclub.uwaterloo.ca/u/mlvanbie/cgisec/> (*****)
-  Urgent Security Announcement
- <URL:http://www.perl.com/perl/news/latro-announce.html> (**)
-  Jeffry Dwight, Using CGI, 1996
-  Ian Graham, Introduction to HTTP and CGI, Instructional and
- <URL:ftp://ftp.hprc.utoronto.ca/pub/www/Documents/HTML/cgi.ps.gz> (****)
-  NCSA, CGI Environment Variables
- <URL:http://hoohoo.ncsa.uiuc.edu/cgi/env.html> (***)
-  NSCA, Mosaic for X version 2.0 Fill-Out Form Support
As an addition to the references the following links might be
- Link collections
- News groups
Page updated: 10.05.1997