views:

263

answers:

3

for a perl cgi script, what is the difference (technically) between these two?

#!/usr/bin/perl 
use CGI; 
$cgi = new CGI; 
print $cgi->header(),
$cgi->start_html(),
$cgi->pre($cgi->param()), 
$cgi->end_html();

and

#!/usr/bin/perl 
use CGI; 
$cgi = new CGI; 
print $cgi->header(),
$cgi->start_html(), 
$cgi->pre($ENV{'QUERY_STRING'}), 
$cgi->end_html();
+1  A: 

The param method on the CGI object returns a list of all query parameters, including GET and POST parameters. Unless you pass in an argument, in which case it looks for a parameter with that name and returns the value.

The QUERY_STRING environment variable contains the unparsed query string.

This would have been pretty obvious if you had tried the code in question.

Here is the documentation for param.

friedo
A: 

Per the source of CGI.pm

#### Method: param
# Returns the value(s)of a named parameter.
# If invoked in a list context, returns the
# entire list.  Otherwise returns the first
# member of the list.
# If name is not provided, return a list of all
# the known parameters names available.
# If more than one argument is provided, the
# second and subsequent arguments are used to
# set the value of the parameter.

QUERY_STRING is set by the web server it is simply the query string from the uri: you can read more about it here

Evan Carroll
+3  A: 

Assume an HTTP request like this:

GET my.cgi?foo=bar&baz=buz

When run under a webserver with a conventional CGI interface, the environment variable QUERY_STRING will be foo=bar&baz=buz. The environment variable will not be URL-unescaped. Printing it with $cgi->pre(...) will simply enclose the env var with <pre></pre> tags (or a single <pre /> tag if the value is or is coerced to an empty string.

$cgi->param(), on the other hand, and assuming a list context with no arguments, will return a list of URL-unescaped CGI parameter names, in this case foo and bar.

(Note that $cgi->pre(...) does not HTML-escape its argument, so $ENV{QUERY_STRING} might just jeopardize your cgi with a little cross-site scripting injection.)

pilcrow
really nice explaination, thx!
CatholicEvangelist