CGI with Linux Shell Script
Yes, you didn’t read wrong! CGI with Shell Script! Ok, I admit that it is unlikely that anyone is willing to write a WEB application using Linux Shell Script, but I thought the idea was interesting - a little bit crazy - but interesting.
Ok, here we go… To start, you need to know where the CGI directory is located on your HTTP server. I’m using the Apache 2 HTTP server running under Ubuntu and the CGI directory is /usr/lib/cgi-bin.
A CGI is an executable file (a program, therefore) that “spits” to the standard output code that the browser “understands”.
So, here is how a Hello World CGI written in Linux Shell Script would look:
    #!/bin/sh
    echo Content-type: text/html
    echo
    echo 'Hello, cruel world!'
Type the code above and save it to a file named helloworld.sh. After that, give the file execution permission:
    chmod +x helloworld.sh
The first line of the code identifies the interpreter to be used in the execution of the script (/bin/sh, in this case).
The second line is mandatory and identifies the content type (text/html, in this case).
Though the third line doesn’t have any content, it is mandatory in all CGI programs. Following the Content-type, we need two line-breaks (\n). Don’t ask me why…
The last line of our script just prints out the string that we want shown in the browser.
To test, open the page on the browser:
Piece of cake, isn’t it? Now, let’s create an application accessing a MySQL database.
Using your favorite MySQL tool, create a database named “agenda”:
    CREATE DATABASE `agenda` DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
Create the table named “contact” as follows:
    CREATE TABLE `contact` (
      `name` VARCHAR( 40 ) NOT NULL,
      `address` VARCHAR( 255 ) NULL,
      `phone` VARCHAR( 40 ) NULL,
      `email` VARCHAR( 255 ) NULL,
      UNIQUE ( `name` )
    ) ENGINE = MYISAM ;
Insert some data in the table “contact”:
    INSERT INTO contact VALUES ('Andre Vasconcelos', 'Third Av, lote 644-A', '555-5555', 'contato@alovasconcelos.net');
    INSERT INTO contact VALUES ('Peter Frampton', 'Central Av.', '123-1234', 'breakingalltherules@frampton.com');
    INSERT INTO contact VALUES ('Mathias Wondracek', 'Central Av, 1001', '654-3210', 'wondracek@grimm.com');
    INSERT INTO contact VALUES ('Rogerio Etsuo', 'Evergreen Terrace, S/N', '654-3210', 'etsuo@springfield.com');
    INSERT INTO contact VALUES ('Pierre Freire', 'Neverland, S/N', '523-1595', 'pierre@byte.com.br');
Now, create a directory for our application in your CGI directory (you’ll need the root password for this).
    sudo mkdir /usr/lib/cgi-bin/agenda
    sudo chmod 777 /usr/lib/cgi-bin/agenda
So, using CGI Shell Script, you’ll create a page that asks for the name to be looked up in our database. To do this, type the code below and save it in a file named askname.sh in the agenda directory you just created (/usr/lib/cgi-bin/agenda).
    #!/bin/sh
    echo Content-type: text/html
    echo
    echo '<form action="http://localhost/cgi-bin/agenda/search.sh" method="get">'
    echo ' <input name="search_name" type="text" />'
    echo ' <input type="submit" value="Search" />'
    echo '</form>'
The first three lines of the script are nothing new - we’ve seen them in helloworld. The rest of the script builds an HTML form with an input for the name to be looked up and a button to submit the form. Note that the method used to submit the form is GET. That’s not the best option, I know, but the goal here is to simplify.
Once the file is created, give it execution permission:
chmod +x /usr/lib/cgi-bin/agenda/askname.sh
Now, type the code below and save it in a file named search.sh in the same directory mentioned above (/usr/lib/cgi-bin/agenda).
    #!/bin/sh
    echo Content-type: text/html
    echo
    search_name=`echo "$QUERY_STRING" | sed -n 's/^.*search_name=\([^&]*\).*$/\1/p' | sed "s/%20/ /g"`
    command="select name,address,phone,email from contact where name = '$search_name'"
    mysql -u root -p123456 -D agenda -e "$command" -H
    echo
    echo '<form action="http://localhost/cgi-bin/agenda/askname.sh">'
    echo ' <input type="submit" value="Back" />'
    echo '</form>'
Don’t forget to give the file search.sh execution permission:
chmod +x /usr/lib/cgi-bin/agenda/search.sh
The fourth line in this script reads the value of a variable received from an HTML form. This part of the script wasn’t made by me - I found it ready to use on the WEB. What’s important for us about this instruction is that the content of the variable search_name received from the HTML form will be assigned to a local variable named search_name.
Pay attention! There can be no spaces between the variable name, the equal sign, and the content.
Now the cool part of the script: the search in the database. On the fifth line of the script the SQL command is being built. Note the use of the variable search_name in the SQL command, starting with a $.
The sixth line of the script sends the query to the database using the MySQL Monitor. The options used were:
-u root
to identify the user
-p123456
the user’s password (root in this case)
-D agenda
to select the database (agenda in this case)
-e "$command"
to execute the SQL command built in the fifth line
-H
to show the result as a HTML table
Our application is ready! A simple search on a database, made using CGI, written in Shell Script.
Just put the following URL on your browser and test it:
http://localhost/cgi-bin/agenda/askname.sh
Once more: This was just an interesting joke, not a practical application. Just from the point of view of security (not considering performance, practicality, etc.), some basic rules were violated here:
- given total permission (777) on the directory of the application;
- user and password of the database, human readable in the script;
- HTML form sent by GET method;
- no treatment for SQL injection.
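
One way to address the second and last items in search.sh, as an added example that is not part of the original post: the name is checked against an allow-list before it is placed in the SQL string, and the credentials move to an option file read through mysql's --defaults-extra-file. The path /etc/agenda/client.cnf and the function names get_param, safe_name and main are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the author's code): allow-list the search_name parameter
# before it reaches the SQL string built in search.sh.
LC_ALL=C; export LC_ALL

# Print the raw (still URL-encoded) value of parameter $2 in query string $1.
get_param() {
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Decode only '+' and %20 (both mean space), then accept the value only if it
# is 1-40 characters (the VARCHAR(40) column) of letters, digits, space, '.', '-'.
# Any other %XX escape leaves a '%' behind and is rejected, as are quotes.
# Prints the decoded name and returns 0, or prints nothing and returns 1.
safe_name() {
    decoded=$(printf '%s' "$1" | sed -e 's/+/ /g' -e 's/%20/ /g')
    case $decoded in
        ''|*[!A-Za-z0-9" ".-]*) return 1 ;;
    esac
    [ "${#decoded}" -le 40 ] || return 1
    printf '%s' "$decoded"
}

# CGI entry point. /etc/agenda/client.cnf is a hypothetical option file
# holding [client] user= and password= for a low-privilege account.
main() {
    echo 'Content-type: text/html'
    echo
    if name=$(safe_name "$(get_param "$QUERY_STRING" search_name)"); then
        mysql --defaults-extra-file=/etc/agenda/client.cnf -D agenda -H \
            -e "select name,address,phone,email from contact where name = '$name'"
    else
        echo '<p>Invalid name.</p>'
    fi
}

# Run only when started by the web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    main
fi
```

The allow-list is deliberately narrow, so a legitimate name containing an apostrophe is refused rather than escaped; the error branch also never echoes the submitted value back into the page.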
