.ig >>
<STYLE TYPE="text/css">
<!--
        A:link{text-decoration:none}
        A:visited{text-decoration:none}
        A:active{text-decoration:none}
        OL,UL,P,BODY,TD,TR,TH,FORM { font-family: arial,helvetica,sans-serif;; font-size:small; color: #333333; }

        H1 { font-size: x-large; font-family: arial,helvetica,sans-serif; }
        H2 { font-size: large; font-family: arial,helvetica,sans-serif; }
        H3 { font-size: medium; font-family: arial,helvetica,sans-serif; }
        H4 { font-size: small; font-family: arial,helvetica,sans-serif; }
-->
</STYLE>
<title>ploticus: direct cgi mode</title>
<body bgcolor=D0D0EE vlink=0000FF>
<br>
<br>
<center>
<table cellpadding=2 bgcolor=FFFFFF width=550><tr>
<td>
  <table cellpadding=2 width=550><tr>
  <td><br><h2>Direct CGI mode</h2></td>
  <td align=right>
  <small>
  <a href="../doc/welcome.html"><img src="../doc/ploticus.gif" border=0></a><br>
  Version 2.40 Jan'08
  <td></tr></table>
</td></tr>
<td>
<br>
<br>
.>>

.TH Direct_CGI_mode PL "15-JAN-2008   PL ploticus.sourceforge.net"


.LP
.ig >>
<a href="pl.1.html">
.>>
\0pl
.ig >>
</a>
.>>
may be invoked from within an HTML \fC<img>\fR tag as a CGI program to create plots on the fly.
Direct CGI mode can produce PNG, JPEG, and other web browser displayable formats.
This is one of several possible ways to implement 
.ig >>
<a href="dynamic.html">
.>>
\0just-in-time charting.
.ig >>
</a>
.>>

.ig >>
<br><br><br>
.>>
.SH Security concerns
.LP

Please be sure you understand the various
.ig >>
<a href="#security">
.>>
\0CGI-related security concerns discussed below
.ig >>
</a>
.>>
that come into play when using ploticus in direct CGI mode.
.LP
In particular, note that
.ig >>
<a href="prefabs.html">
.>>
\0prefabs
.ig >>
</a>
.>>
are unsafe in direct CGI mode (and in any other situation
where unknown/untrusted users can directly or indirectly set or manipulate prefab parameters).

.ig >>
<br><br><br>
.>>

.SH Quick start
.LP
Briefly, here's what you need to do to use ploticus in direct CGI mode:
.LP
1. be sure you understand the
.ig >>
<a href="#security">
.>>
\0CGI-related security concerns
.ig >>
</a>
.>>
.LP
2. copy your pl executable to your cgi-bin (or perhaps create a soft link)
.LP
3. using a text editor, create a ploticus config file in your cgi-bin.  This allows ploticus to get its bearings and find things (discussed below)
.LP
4. check file and directory permissions - be sure that your web server (which typically runs as a UID of \fCnobody\fR) can
access your pl executable, config file, data file, and script file 
.LP
5. place an <IMG> construct into your HTML page that uses an appropriate URL (discussed below)
.LP
6. point your web browser to the HTML page.. this will cause pl to be executed and
if everything's working you will see the graphic result
.LP
7. If you're not getting the desired results, add the \fC-debug\fR option in your invoking URL, like this:
\fC/cgi-bin/pl&cgi=1&-debug&-gif \fR..  This causes error messages to be logged to \fC/tmp/plcgi_err\fR
and debug output to \fC/tmp/plcgi_diag\fR .
.LP
8. See the other
.ig >>
<a href="#troubleshooting">
.>>
\0troubleshooting tips below
.ig >>
</a>
.>>

.ig >>
<br><br><br>
.>>

.SH Config file
Because CGI programs are invoked in a generic, bare-bones environment, you must provide
some basic information so that ploticus can get its bearings and find necessary files.
This is done by creating a \fCconfig file\fR (not the same thing as a \fCscript file\fR).
It can be created using a text editor.
It must be located in your cgi-bin and named similarly to your \fBpl\fR executable.. eg. if your
pl executable is named \fCpl\fR or \fCpl.exe\fR your config file must be named \fCpl.cnf\fR.
.LP
Here's an example of a minimal config file for ploticus in CGI mode:
.nf
	projectroot: /home/steve/proj1
.fi
.LP
\fBprojectroot\fR specifies a directory where ploticus will execute and do its work.
It must be a directory accessible by your local web server.
Data file names and script file names should be expressed relative to \fBprojectroot\fR.
If you're using your own ploticus script it must reside within the \fBprojectroot\fR 
directory or one of its subdirectories.  
.LP
Don't set PLOTICUS_PREFABS here!  See 
.ig >>
<a href="#security">
.>>
\0security concerns, below.
.ig >>
</a>
.>>
.LP
There are many other optional things that can be done as well ...
.ig >>
<a href="config.html">
.>>
\0more about config files.
.ig >>
</a>
.>>

.ig >>
<br><br><br>
.>>

.SH URLs
In direct CGI mode you invoke ploticus using a URL instead of command line.
Fortunately the two methods are similar, varying only in argument delimitation syntax.
Here are two examples:
.LP
.LP
\fBExample command:\fR \fCpl scat1.pl  -png  TITLE="Usage report"  -scale 0.8\fR
.br
\fBURL equivalent:\fR \fC<img src="/cgi-bin/pl?cgi=1&scat1.pl&-png&TITLE=Usage%20report&-scale&0.8">\fR


.ig >>
<br><br>
.>>

.LP
\fBHere are the rules for URLs:\fR
.LP 
1. the first part of the URL locates your cgi-bin, eg.
\fChttp://abc.com/cgi-bin\fR or just \fC/cgi-bin\fR (relative)
and the program to execute (\fCpl\fR) .. of course this part is dependent on local configuration.
A question mark (\fC?\fR) must follow the program name.  This is all standard CGI practice.
.LP
2. The first argument after the question mark should be \fCcgi=1\fR.
This helps make it clear to \fCpl\fR that it is operating as a CGI program.
.LP
3. Next come all the other pl arguments and parameters.
Just about any set of 
.ig >>
<a href="pl.1.html#options">
.>>
\0ploticus command line arguments
.ig >>
</a>
.>>
can be used, in the usual order.
Each argument is delimited using an ampersand (\fC&\fR).
Some command line arguments, such as 
\fC-scale 0.8\fR are really two arguments, and must
be treated as such for URL purposes (see examples above).
Arguments that need to be quoted when used on the command line should \fBnot\fR be quoted in URL usage.
Standard URL encoding may be used to represent problematic characters such as spaces (\fC%20\fR), ampersands (\fC%26\fR), etc.
Arguments are truncated to a length of 250 chars each.
.LP
Note: any settings that apply to all your invocations can be conveniently made in your 
.ig >>
<a href="config.html">
.>>
\0config file
.ig >>
</a>
.>>
using the \fCoption:\fR or \fCvarvalue:\fR directives.  This also gets them out of the public eye.


.ig >>
<br><br><br>
.>>
.SH Notes
.LP
\fBpl\fR senses that it is running as a CGI program automatically if it finds the environment variable 
QUERY_STRING (set by your web server), and there are no conventional command line arguments present.
Command arguments are extracted from QUERY_STRING environment variable.
Providing the \fCcgi=1\fR dummy argument helps in cases where there are no other CGI user arguments.
.LP
Default output format will be PNG, JPEG, or GIF depending on the pl build.
An appropriate HTTP \fCContent-type\fR header is generated (based on output format type) and written to standard output.  
.LP
HTTP POST method is not supported.
.LP
You can only generate one image per invocation in direct CGI mode.
.LP
Clickmaps generally cannot be done in direct CGI mode, since the map and the image content require
two separate streams.
.LP
Command line options that are inappropriate in direct CGI mode, such as 
\fC-diagfile\fR, \fC-errfile\fR, \fC-viewer\fR, and \fC-o\fR, are automatically disabled.
.LP
I noticed some flakiness with SVG in direct CGI mode.

.ig >>
<a name=troubleshooting></a>
.>>
.ig >>
<br><br><br>
.>>

.SH Troubleshooting
Getting direct CGI mode to work can be tricky... and certain details depend on your 
local web server configuration.  Ploticus direct CGI mode should work on any server
that supports the CGI standard (almost all do).
.LP
The first thing to try is to use the \fB-debug\fR option in your invoking URL, like this:
\fChttp://abc.com/cgi-bin/pl&cgi=1&-debug&-gif\fR..
This will cause error messages to be logged to \fC/tmp/plcgi_err\fR
and additional diagnostic output to be logged to \fC/tmp/plcgi_diag\fR .

.ig >>
<br><br>
.>>

.LP
\fBThings to check:\fR
.IP \(bu
Be sure that at least one of the above files exists.  
If not, then pl probably was never invoked by your web server.. indicating an incorrect URL, or
a problem where your web server is not able to get or execute \fBpl\fR.
Try invoking pl (or better yet, some other program in your cgi-bin) directly 
by typing a URL into your web browser.  Your local webmaster or sysadmin team can help.
For example, on some installations the web server can't access any file located outside of the web tree.
(Note: Win32 uses \fCc:\\temp\fR.  Also,
if you specified a different temp directory in your ploticus config file, diagnostic
files may be placed there, if pl was able to read your config file).

.ig >>
<br><br>
.>>

.IP \(bu
File permissions are important.
On Unix systems, be sure that your pl executable file mode is readable & executable by world
(use command \fCchmod 755 pl\fR) so that your web server (which typically executes as a
generic UID such as \fCnobody\fR) can get and execute pl.
Be sure that all other necessary files and directories
(your config file, data file, and script file)
If you're using symbolic links, file permissions generally must be set on the actual file, not the link.

.ig >>
<br><br>
.>>
.IP \(bu
Another thing to try is to simulate CGI invocation from the command line.
To do this, \fCcd\fR to your cgi bin, deploy a new term window, and in the new window
manually set the QUERY_STRING environment variable,
eg:
.br
\fCexport QUERY_STRING="scat1.pl&-scale&0.8"\fR
.br
Then, in the new window, invoke pl by hand, with no command line arguments, similarly to this:
.br
\fC/data/htdocs/cgi-bin/pl > out\fR
.br
Any error messages should be visible on screen.  
(The output file will generally not be displayable because it contains a mime-type header.)

.ig >>
<br><br>
.>>
.IP \(bu
If you built ploticus with both GIF and PNG enabled, and want your CGI to generate PNG, 
you may need to place \fCplpng\fR into your cgi-bin and execute it instead of \fCpl\fR.


.ig >>
<a name=security></a>
.>>
.ig >>
<br><br><br>
.>>

.SH CGI security
.LP
.ig >>
<a href="prefabs.html">
.>>
\0Prefabs
.ig >>
</a>
.>>
are unsafe in 
.ig >>
<a href="cgi.html">
.>>
\0direct CGI mode
.ig >>
</a>
.>>
and in any other situation
where unknown/untrusted users can directly or indirectly set or manipulate prefab parameters.
.LP
When operating in direct cgi mode and similar situations 
script writers should be sure that prefabs are disabled.  In version 2.32 and later prefabs should
be automatically disabled in direct cgi mode.
Do not set the \fCPLOTICUS_PREFABS\fR environment variable in the config file.
Prefabs may also be disabled by simply renaming the \fCprefabs\fR directory to some other name, or removing it.
.LP
You should be fully familiar with CGI security issues and how
they relate to your platform and project,
before putting pl into
service as a CGI program.  
Some things to keep in mind:
.IP \(bu
Anyone can easily view your HTML, including your invocation of CGI programs.
It is also very easy for users to submit modified CGI invocations (especially altered
arguments).
.ig >>
<br><br>
.>>
.IP \(bu
Avoid building filenames from user-supplied values such as CGI user variables.
Where there's no alternative, proper measures including the following should be
used to guard against hacks on the file name:
.nf
\0 #if @DATAFILE inlike /*,.*,*..*
\0   #exit
\0 #endif
.fi
.ig >>
<br><br>
.>>
.IP \(bu
Avoid using \fC#shell\fR in your scripts that will run in direct CGI mode.
.ig >>
<br><br>
.>>
.IP \(bu
If you build a shell command using CGI user variables and execute it using the
.ig >>
<a href="plshellsql.html">
.>>
\0#shell
.ig >>
</a>
.>>
directive, embedded metacharacters that could be used to carry out malicious activity should
automatically be screened out from the shell command.  The developer should verify that
this is working as expected.
.ig >>
<br><br>
.>>
.IP \(bu
It is possible that undiscovered security holes exist with ploticus in direct CGI mode.
If you will lose sleep over this, consider one of the other methods for
.ig >>
<a href="dynamic.html">
.>>
\0just-in-time charting.
.ig >>
</a>
.>>

.ig >>
<br><br><br>
.>>
.SH Using ploticus CGI with ASP/VBS
This is discussed here:
.ig >>
<a href="http://groups.yahoo.com/group/ploticus/message/1358">
.>>
\0ploticus newsgroup message# 1358
.ig >>
</a>
.>>



.ig >>
<br>
<br>
</td></tr>
<td align=right>
<a href="../doc/welcome.html">
<img src="../doc/ploticus.gif" border=0></a><br><small>data display engine &nbsp; <br>
<a href="../doc/Copyright.html">Copyright Steve Grubb</a>
<br>
<br>
<center>
<img src="../gallery/all.gif"> 
</center>
</td></tr>
</table>
<br>
<center>
Ploticus is hosted at http://ploticus.sourceforge.net <br>
<img src="http://sourceforge.net/sflogo.php?group_id=38453" width="88" height="31" border="0" alt="SourceForge Logo">
</center>
.>>
