for a perl cgi script, what is the difference (technically) between these two?
#!/usr/bin/perl
use CGI;
$cgi = new CGI;
print $cgi->header(),
$cgi->start_html(),
$cgi->pre($cgi->param()),
$cgi->end_html();
and
#!/usr/bin/perl
use CGI;
$cgi = new CGI;
print $cgi->header(),
$cgi->start_html(),
$cgi->pre($ENV{'QUERY_STRING'}),
$cgi->end_html();
The param method on the CGI object returns a list of all query parameters, including GET and POST parameters. Unless you pass in an argument, in which case it looks for a parameter with that name and returns the value.
The QUERY_STRING environment variable contains the unparsed query string.
This would have been pretty obvious if you had tried the code in question.
Here is the documentation for param.
Per the source of CGI.pm
#### Method: param
# Returns the value(s)of a named parameter.
# If invoked in a list context, returns the
# entire list. Otherwise returns the first
# member of the list.
# If name is not provided, return a list of all
# the known parameters names available.
# If more than one argument is provided, the
# second and subsequent arguments are used to
# set the value of the parameter.
QUERY_STRING is set by the web server it is simply the query string from the uri: you can read more about it here
Assume an HTTP request like this:
GET my.cgi?foo=bar&baz=buz
When run under a webserver with a conventional CGI interface, the environment variable QUERY_STRING will be foo=bar&baz=buz. The environment variable will not be URL-unescaped. Printing it with $cgi->pre(...) will simply enclose the env var with <pre></pre> tags (or a single <pre /> tag if the value is or is coerced to an empty string.
$cgi->param(), on the other hand, and assuming a list context with no arguments, will return a list of URL-unescaped CGI parameter names, in this case foo and bar.
(Note that $cgi->pre(...) does not HTML-escape its argument, so $ENV{QUERY_STRING} might just jeopardize your cgi with a little cross-site scripting injection.)