cgiparse Manual

cgiparse handles QUERY_STRING environment variable parsing for CGI scripts. It comes with W3C httpd distributions 2.15 and newer.

If the QUERY_STRING environment variable is not set, it reads CONTENT_LENGTH characters from its standard input.

Security fix

In reply to DFN-CERT#34784, you should apply this diff to the latest (3.0) version of WWW/Daemon/CGIParse.c:

296c296,297
< 	    printf("QUERY_STRING='%s'; export QUERY_STRING\n", query_string) ;
---
> 	    printf("QUERY_STRING=%s; export QUERY_STRING\n"
> 		   , sh_escape(query_string)) ;

Command Line Options

Main Options

cgiparse -keywords

Parse QUERY_STRING as search keywords. Keywords are decoded and written to standard output, one per line.

cgiparse -form

Parse QUERY_STRING as form request. Outputs a string which, when eval'ed by Bourne shell, will set shell variables beginning with FORM_ appended with field name. Field values are the contents of the variables.

cgiparse -value fieldname

Parse QUERY_STRING as form request. Prints only the value of field fieldname.

cgiparse -read

Just read CONTENT_LENGTH characters from stdin and write them to stdout.

cgiparse -init

If QUERY_STRING is not defined, read stdin and output a string that when eval'd by Bourne shell it will set QUERY_STRING to its correct value. This can be used when the same script is used with both GET and POST method. Typical use in the beginning of Bourne shell script:

        eval `cgiparse -init`

After this command the QUERY_STRING environment variable will be set regardless of whether GET or POST method was used. Therefore cgiparse may be called multiple times in the same script (otherwise with POST it could only be called once because after that the stdin would be already read, and the next cgiparse would hang).

Modifier Options

-sep separator

Specify the string used to separate multiple values. With

-value default is newline
-form default is ", "

-prefix prefix

Only with -form. Specify the prefix to use when making up environment variable names. Default is "FORM_".

-count

With

-keywords outputs the number of keywords
-form outputs the number of unique fields (multiple values are counted as one)
-value fieldname gives the number of values of field fieldname (no such field is zero, one field gives 1, one multiple 2, etc).

-number , e.g. -2

With

-keywords gives n'th keyword
-form gives all the values of n'th field
-value fieldname gives n'th of the multiple values of field fieldname (first value is number 1).

-quiet

Suppress all error messages. (Non-zero exit status still indicates error.)

All options have one-character equivalents: -k -f -v -r -i -s -p -c -q

Exit Statuses

0 Success
1 Illegal command line
2 Environment variables not set correctly
3 Failed to get requested information (no such field, QUERY_STRING contains keywords when form field values requested, etc).

Examples

Note: In real life, of course, QUERY_STRING is already set by the server.

Here $ is the Bourne shell prompt.

Keyword Search

    $ QUERY_STRING="is+2%2B2+really+four%3F"
    $ export QUERY_STRING
    $ cgiparse -keywords
    is
    2+2
    really
    four?
    $

Parsing All Form Fields

    $ QUERY_STRING="name1=value1&name2=Second+value%3F+That%27s right%21"
    $ export QUERY_STRING
    $ cgiparse -form

    FORM_name1='value1'; FORM_name2='Second value? That'\''s right!'

    $ eval `cgiparse -form`
    $ set
    ...
    FORM_name1=value1
    FORM_name2=Second value? That's right!
    ...
    $

Extracting Only One Field Value

    QUERY_STRING as in previous example.
    $ cgiparse -value name1
    value1
    $ cgiparse -value name2
    Second value? That's right!
    $

[email protected], July 1995