|Each time the Web server
executes a CGI script, it creates a number of environment
variables to pass information to the CGI script. Theses
variables inform the CGI script how the script is being
invoked as well as provide information about the server
and the Web browser being used by the client. Depending
on how the CGI script is invoked, some environment
variables may not be available in some cases.
Environment variables supplied to CGI scripts are
always all uppercase. When they are being accessed by a C
Program or Perl Script, or whichever language
you are using, be sure to use all uppercase
This section discusses the environment variables
available to CGI scripts. By accessing these variables,
CGI scripts can obtain certain information, such as
the browser used to invoke the script. After the
following discussion about environment variables, you
learn how to access these variables from a Perl script,
as well as a C program via CGI.
Some Web servers can be configured to authenticate users.
If the server has authenticated a user, the
authentication type used to validate the user is stored
in the AUTH_TYPE variable. The authentication type is
determined b y examining the Authorization Header the Web
server might receive with an HTTP request.
Sometimes CGI scripts are invoked with additional
information. This information is typically input for the
CGI program. The length of this additional information is
specified by the number of bytes taken up by the
additional information in this variable. If a CGI script
is called with the PUT or POST method, CONTENT_LENGTH
is used to determine the length of the input.
MIME content types are used to label various types of
objects (HTML files, Microsoft Word files, GIF
files, etc.). The MIME content type for data being
submitted to a CGI script is stored in CONTENT_TYPE. For
example, if data is submitted to a CGI script using the
GET method, this variable will contain the
value application/x-www-form-urlencoded. This is because
responses to the form are encoded according to URL
The CGI specification revision number stored in the
GATEWAY_INTERFACE environment variable. The format
of this variable is CGI/revision. By
examining this variable, a CGI script can determine the
version of CGI that the Web server is using.
Various Web clients can handle different MIME types.
These MIME types are described in the HTTP_ACCEPT
variable. MIME types accepted by the Web client calling
the CGI script will be a list separated by commas. This
list takes the format type/subtype, type/subtype. For
example, if the Web client supports the two image
formats GIF and JPEG, the HTTP_ACCEPT list will contain
the two items image/gif, image/jpeg.
By looking at this value, the Web browser used by the
client can be determined. For example, if Netscape
2.0 beta 4 is being used by the client, the
HTTP_USER_AGENT variable will contain the value
Mozilla/2.0b4 (WinNT; I). The general format of this
variable is software/version library/version.
The PATH_INFO variable is usually used to pass various
options to a CGI program. These options follow the
script's URL. Clients may access CGI scripts with
additional information after the URL of the CGI script.
PATH_INFO will always contain the string that was used to
call the CGI script after the name of the CGI script. For
example, PATH_INFO will have the value
/These/Are/The/Arguments if the CGI script
FunWithNT.EXE is called with the following URL :
In the event the CGI script needs to know the absolute
path name of itself, the CGI script can obtain this
information from PATH_TRANSLATED. For example, if the CGI
script being invoked is HelloNTWorld.EXE, all CGI scripts
are stored in H:\www\http\ns-home\root\cgi-bin, and the
CGI script is accessed with the URL
PATH_TRANSLATED will contain the value the value
H:\www\http\ns-home\root\cgi-bin\HelloNTWorld.EXE. If the
CGI program needs to save or access any temporary files
in its home directory, it can use PATH_TRANSLATED to
determine its absolute location by examining this
You may have noticed that when you submit some forms,
there is a string of characters after a question
mark, followed by the URL name of the script being
called. This string of characters is referred to as
the query string and contains everything after the
question mark. When a CGI script is called with the GET
method, QUERY_STRING typically contains variables and
their values as entered by the person who filled in the
form. QUERY_STRING is sometimes used by various
search engines to examine the input when a form is
submitted for a keyword search. For example, if a
CGI applications is executed using the URL,
QUERY_STRING will contain the string
The IP address of the client that called the CGI program
is stored in the REMOTE_ADDR environment variable. Due
to security reasons, the value of this variable
should never be used for user authentication purposes.
It's not very hard to trick your Web server into
believing a client is connecting to your Web server
from a different IP address.
If the Web server can do a DNS lookup of the client's IP
address and finds the alias of the IP address, the
REMOTE_HOST variable will contain the alias name of the
client's IP address. Some Web server allow DNS lookups to
be turned on or off. If you will be using this variable
to find the IP address alias of clients, be sure the DNS
lookup option is turned on. The Web server can find the
IP address aliases of most clients, but it might not be
capable of getting the aliases of some clients. In
such an event, the REMOTE_HOST variable will not be
assigned the client's DNS alias value, it will just
contain the client's IP address. This value should never
be used for user authentication purposes.
If the Web server being used supports RFC
931 identification, this variable will contain the
user name retrieved from the server. Unfortunately, this
value cannot be trusted when transmitting sensitive data.
Typically a Web server obtains this value by
contacting the client that initialized the HTTP request
and speaking with the client's authentication server.
Some Web server support user authentication. If a user is
authenticated, the CGI script can find out the username
of the person browsing the Web site by looking at the
value of the REMOTE_USER environment variable. The
REMOTE_USER CGI variable is available only if the user
has been authenticated using an authentication mechanism.
A client can call a CGI script in a number o f ways. The
method used by the client to call the CGI script i
s in the REQUEST_METHOD variable. This variable can have
a value like HEAD, POST, GET, or PUT. CGI scripts use the
value of this variable to find where to obtain data
passed to the CGI script.
All files on a Web server are usually referenced relative
to its document root directory. SCRIPT_NAME contains the
virtual path name of the script called relative to
the document root directory. For example, if the document
root directory is c:\www\http\ns-home\root,
all CGI scripts are stored in
c:\www\http\ns-home\root\cgi-bin\ and the CGI script
HelloNTWorld.EXE is called, the SCRIPT_NAME variable will
contain the value \cgi-bin\HelloNTWorld.EXE. The
advantage of this variable is that is allows the
CGI script to refer to itself. This is handy if
somewhere in the output, the script's URL needs to
be made into a hypertext link.
The domain name of the Web server that invoked the CGI
script is stored in this variable. This domain name can
either be an IP address or DNS alias.
Typically, Web servers listen to HTTP requests on port
80. However, a Web server can listen to any port that's
not in use by another application. A CGI program can find
out the port the Web server is serving HTTP requests by
looking at the value of the SERVER_PORT environment
variable. When displaying self-referencing hypertext
links at runtime by examining the contents of
SERVER_NAME, be sure to append the port number of the Web
server (typically port 80) by concatenating it with
the value of SERVER_PORT.
Web servers speak the HyperText Transport Protocol
(HTTP). The version of HTTP the Web server is using can
be determined by examining the SERVER_PROTOCOL
environment variable. The SERVER_PROTOCOL variable
contains the name and revision data of the protocol being
used. This information is in the format
protocol/revision. For example, if the server speaks HTTP
1.0, this variable will have the value HTTP/1.0.
The name of the Web server that invoked the CGI script is
stored in the SERVER_SOFTWARE environment variable. This
environment variable is in the format name/version. If a
CGI script is designed to make use of various special
capabilities of a Web server, the CGI script can
determine the Web server being used by examining this
variable before those special capabilities are used.