The Common Gateway Interface

Björn Andersson, 25.04.1997

The purpose of this document is to give a brief introduction to and an easy-to-understand overview of the Common Gateway Interface. Links for further and more detailed information is provided.


Normal HTTP documents are static; a text file that doesn't change. It is not unusual however that dynamic information is desired. CGI is the answer to this as it lets a program be executed in real-time to produce output. [1] CGI provides an interface between the HTTP server and a program or script. Together the HTTP server and the CGI script are responsible for servicing a client request by sending back responses [2].

Flow of Data to Gateway Programs

This Figure illustrates the flow of data when a user accesses a CGI program. The solid line shows the data flow using HTTP and CGI. HTTP transfers data from the client to the HTTP server, and back again. The CGI mechanisms control the flow of data from the server to the gateway program (shown as the prism) and back again. These are called gateway programs because they generally act as gateways between the World Wide Web and server-side resources such as databases, feedback forms, clickable imagemaps, and so on. [3]

Here follows the broad steps of the CGI process, simplified for clarity: [6]

  1. Your browser decodes the first part of the URL and contacts the server.
  2. Your browser supplies the remainder of the URL to the server.
  3. The server translates the URL into a path and file name.
  4. The server realizes that the URL points to a program instead of a static file.
  5. The server prepares the environment and launches the script.
  6. The script executes and reads the environment variables and "standard in".
  7. The script sends the proper server directives to "standard out" for the forthcoming content.
  8. The scripts sends the rest of its output to "standard out" and terminates.
  9. The server notices that the script has finished and closes the connection to your browser.
  10. Your browser displays the output from the script.
A few points mentioned above might be unclear, but will be better described in the following section.

General Principles of Generating a CGI Document

CGI Input

Input is often generated through HTML forms, but this is not a must. A good overview of forms can be found here [9]. A CGI script or program is not restricted to any certain language, but the most common language tends to Perl.

There are three ways of passing data to a CGI script [8]:

  1. Through environment variables
    There is a whole bunch of CGI environment variables [8] available to the script. The most essential one is perhaps QUERY_STRING. This variable contains the query string that is sent to the script by appending a question mark to the URL. E.g. In this example myscript is the CGI script and aquery the query string. A query can also be done with the aid of the HTTP GET method.
  2. As command-line arguments
    This is provided through the query string (see above) or the HTTP <ISINDEX> directive. Multiple arguments are separated by a plus in the url.
  3. As standard input
    This is used when the browser sends data to the HTTP server using the HTTP POST method.

CGI Output

There are two ways a information can be passed from the CGI script to the http server [7]:
  1. Data written to standard output
    The data that is written to the standard output should be of the following format:
  2. The name of the CGI program
    These are script names beginning with nph-. This is quite unusual (?) and not discussed here.

A Simple Sample CGI Script

# First a server directive; the MIME type
echo Content-type: text/html
# Then the blank line
# After this comes the data passed to the browser
echo "<BODY><PRE>"
echo argc is $#. argv is "$*".
echo "</PRE></BODY></HTML>"


Since a CGI program is executable, it is basically the equivalent of letting the world run a program on your system, which isn't the safest thing to do. Therefore, there are some security precautions that need to be implemented when it comes to using CGI programs. An innocent looking statement in your script might have disastrous consequences. Because it is very easy to write insecure scripts system administrators do not let the average user execute CGI scripts.

Good documentation on CGI security is available on the Internet. For instance checkout "CGI Security Tutorial" [4]. Another useful source might be an application, called Latro , that tests the security your CGI program [5].

All of the following links has a rating in the scale of one to five stars. (Don't trust the stars, this assignment made me do them ;-). Check out the links for your self!)


[1] NCSA, CGI - Common Gateway Interface
<URL:> (****)
[2] D.R.T. Robinson, Common Gateway Interface v1.1 Internet Draft, 15.02.1996
<URL:> (***)
[3] Introduction to the Common Gateway Interface
< URL:> (****)
[4] Michael Van Bisbrouk, CGI Security Tutorial, 16.04.1996
<URL:> (*****)
[5] Urgent Security Announcement
<URL:> (**)
[6] Jeffry Dwight, Using CGI, 1996
<URL:> (*****)
[7] Ian Graham, Introduction to HTTP and CGI, Instructional and Research Computing
<URL:> (****)
[8] NCSA, CGI Environment Variables
<URL:> (***)
[9] NSCA, Mosaic for X version 2.0 Fill-Out Form Support


As an addition to the references the following links might be helpfull.
Björn Andersson, <>
Page updated: 10.05.1997