Re: CGI/1.1 draft

Rob McCool (robm@ncsa.uiuc.edu)
Thu, 17 Mar 1994 15:28:30 --100


/*
* Re: CGI/1.1 draft by George Phillips (Tel (604)-822-4230)
* written on Mar 16, 1:23pm.
*
* >I don't agree. I think that with dummy inputs available in forms, we can
* >finally move away from using PATH_INFO to convey state information to
* >scripts and go back to using them for their intended purpose: To allow
* >scripts to access the server's virtual->physical translation and access
* >authorization for auxiliary files. If you're using filenames in PATH_INFO
* >then you don't have to escape the information, and if you have it as dummy
* >inputs in a form then your data is already escaped anyway.
*
* I agree that PATH_INFO is not the right place for user input, but
* PATH_INFO is something generated by the script for use by the script.
* The server shouldn't be touching it. It shouldn't even have any
* idea if % or some other escaping is done on the information there.
* As long as there are no bad characters in it, it just doesn't matter.

But it does touch it... it has to make PATH_TRANSLATED.

* I certainly don't agree with your idea of the intended purpose of
* CGI scripts. I use them all the time for dynamically translating
* data into browser-understandable formats (like HTML). Input
* forms and searches are just one possible use.
*/

I didn't say anything about the purpose of CGI scripts. I said something
about the intended purpose of PATH_INFO. I use CGI for much more than forms
too, and in the future these other uses will become very important. I just
don't think that having binary data in PATH_INFO is either a good idea or
a necessary action.

--Rob
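
Why a server has to interpret PATH_INFO in order to produce PATH_TRANSLATED, as an added example that is not part of the original message or of any server's code. The document root, the function name translate_path_info and the rejection policy for non-text bytes and ".." segments are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed document root for the illustration; not from the original message.
DOCUMENT_ROOT = "/srv/www/htdocs"


def translate_path_info(raw_path_info, document_root=DOCUMENT_ROOT):
    """Map the extra path after a script name to (PATH_INFO, PATH_TRANSLATED).

    Raises ValueError when the value cannot be treated as a file path.
    """
    if not raw_path_info:
        return "", None  # no extra path, so PATH_TRANSLATED is not set
    if not raw_path_info.startswith("/"):
        raise ValueError("extra path must begin with '/'")

    # The server cannot leave the value opaque: mapping it to a file means
    # undoing %-escapes (exactly once) and reading the result as a path.
    raw = unquote_to_bytes(raw_path_info)
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("escaped bytes are not text") from None
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in decoded):
        raise ValueError("control character in path")

    # Refuse parent-directory segments instead of normalising them away,
    # so the translated path can never leave the document root.
    if ".." in decoded.split("/"):
        raise ValueError("'..' segment in path")

    relative = posixpath.normpath(decoded).lstrip("/")  # collapses // and /./
    return decoded, posixpath.join(document_root, relative)


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("/docs/my%20file.txt", "/a//b/./c.html",
                   "/%2e%2e/etc/passwd", "/state/%00%ff%fe"):
        try:
            print(sample, "->", translate_path_info(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```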