处理由CGI C中的html表单发送的POST数据 [英] Handling POST data sent by html form in CGI C
问题描述
所以,正如我几天前所说,我正在尝试在Apache服务器上使用CGI-C创建登录脚本。
So, as I said a few days ago, I'm trying to make a login script using CGI-C on a Apache server.
我的表单正在提交Test.cgi的两个变量:使用POST方法的用户名和密码(仅限2到40个字符)。
My form is submitting two variables to Test.cgi: username and password (pattern 2 to 40 characters only) using the POST method.
这是我到目前为止的代码:
here is my code so far:
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
char *lengthy;
int figures;
char somelimit[512];
lengthy = getenv("CONTENT_LENGTH");
figures = atoi(lengthy);
fgets(somelimit, figures, stdin);
printf("Content-type: text/html\n\n");
printf("%s\n", somelimit);
return 0;
}
Q.如何从标准输入中提取用户名和密码值?我在上述情况下获得的正常回报是username = xyz& password = xyz12我该如何处理?
Q. How do I extract username and password values from stdin? A normal return I'm getting in the above case is "username=xyz&password=xyz12" how do I process this?
我想限制我从中读取的内容CONTENT_LENGTH标头,如果格式错误的CONTENT-LENGTH标头。
Q.I want to limit what I read from CONTENT_LENGTH header, in-case of a malformed CONTENT-LENGTH header.
此标头返回的是哪种类型的数据?我知道它应该返回一个Decimal no of Octets。有效值为0或更多。我想把1带到X,其中X是上限,考虑到我有两个变量,用户名/密码,每个都以html形式限制为40个字符。
what type of Data is this header returning? I know it is supposed to return a "Decimal no of Octets". Valid values are 0 or more. I want to take 1 to X, where X is the upper limit, considering I have two variables, username/password, both limited to 40 characters each in html form.
我尝试了int []和char [],而不是指针。为什么我不能直接用以下内容转换它:
I tried int[] and char[], instead of the pointer. Why can't I convert it directly with something like:
int some[1024];
some = atoi(gentenv("CONTENT_LENGTH"));
为什么atoi被认为不安全?
why is atoi considered unsafe?
Q.如何仅将stdin仅包含US-ASCII字符,以避免格式错误的消息体。
Q. How do I take only the stdin to contain only US-ASCII characters, to avoid malformed message-body.
我是C新手,所以请放心吧:)
PS:请不要推荐任何框架/网络服务器等。
I'm a C Newbie, so please go easy :) PS: Please don't recommend any frameworks/web-servers, etc.
编辑:我刚才意识到也许我问了太多问题。对于那个很抱歉。我将修复这篇文章,使其具有凝聚力和良好的界限。请待命。
I just realized that perhaps I asked too many questions. Sorry about that. I'm going to fix this post to make it cohesive and well bounded. Please stand by.
Edit2:这是最后一个问题,不再需要编辑。我会接受一个答案,至少回答上述3个问题中的2个问题。
This is the final question, no more edits. I will accept an answer which at least answers 2 out of 3 questions above.
推荐答案
这里发生了很多事情,还有很多问题。
A lot of things going on here, and a lot of questions.
首先,我建议您在输出其余信息之前不输出HTTP标头。这种方式更符合逻辑,并允许您输出重定向标头,而不是程序中的某些内容需要它。
First, I recommend that you not output your HTTP header until you're about to output the rest. It's more logical that way, and allows you to output a Redirect header instead if something in your program requires it.
其次,使用 strtoul()而不是 atoi(),因为后者没有错误检查。
Second, use strtoul() instead of atoi(), since the latter has no error-checking.
你只需要一个缓冲区,而不是两个;我建议你根据内容长度动态分配它。使用 malloc(),不要忘记检查返回值。不要试图预测内容长度的上限。
You only need one buffer, not two; and I recommend you allocate it dynamically based off the content length. Use malloc() and don't forget to check the return value. Do NOT try to anticipate the upper bounds of your content length.
您必须解码参数字符串以获取任何值。您使用它们取决于您自己,但处理用户名和密码是一个完全独立的主题,可能需要数天才能完成。但足以说明,永远不要在文件中以纯文本形式存储密码。
You'll have to decode the argument string to get any values out. What you do with them is up to you, but handling user names and passwords is a wholly separate topic that could take days to cover. But suffice it to say, never EVER store a password in plain text in a file.
CONTENT_LENGTH 是 stdin 传递的文本。该文本包括内容的字节数。在对您有用之前,您必须将文本转换为整数类型,可能是 size_t 。这就是你的 atoi()函数正在做的事情(再次,你应该用替换strtoul())
CONTENT_LENGTH is text passed by stdin. That text includes the number of bytes of content. You will have to convert the text to an integer type, probably size_t, before it is useful to you. That's what your atoi() function is doing (which, again, you should replace with strtoul())
使用HTTPS。
提前停止发出 Content-type 标题。然后,如果您决定需要重定向,则可以发出 Redirect 标头。
Stop emitting your Content-type header prematurely. Then, if you decide you need to redirect, you can emit a Redirect header instead.
getenv()返回指向无法更改的静态文本块的指针。如果复制指针,则无法更改字符串中的文本。如果将字符串复制到新数组,则可以更改字符串中的文本;但是,我想不出你为什么要那样做的原因。
getenv() returns a pointer to a static text block that you cannot change. If you copy the pointer, you cannot change the text in the string. If you copy the string to a new array, you would be able to change the text in the string; however, I cannot think of a reason why you'd want to do that.
在你当前的代码中,你没有从堆中分配任何内存,因此你不需要调用 free()。但是,我建议您重新考虑设计的这一方面。
In your current code, you do not allocate any memory off the heap so you do not need to call free(). However, I recommend you rethink this aspect of your design.
这篇关于处理由CGI C中的html表单发送的POST数据的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
