panix.user.html FAQ
CGI Scripts
Environment Variables
Environment variables (EVs) are information passed by the Web server
to CGI scripts. (They can also be referenced in Server Side Include
(SSI) HTML documents so that the server will fill them in as it parses
the document.)
Data may also be passed to CGIs via STDIN, but that route is
basically used for form data during a POST request. EVs can be used
to obtain information which has been passed during a GET, or to obtain other
information about the server, the browser, the user, etc.
EVs are set by the server just prior to launching the CGI process,
so the CGI doesn't have to do anything to declare them; it just needs
to refer to them to be able to exploit their values. Depending on which
language/scripting system you have written your CGI in, the format
in which the CGI obtains the individual EV may vary, but not by much.
For example, an EV called REMOTE_ADDR would be referenced as:
- Perl script:
- $ENV{"REMOTE_ADDR"}
- shell script:
- $REMOTE_ADDR
- C program:
- getenv("REMOTE_ADDR")
- Server Side Include:
- <!--#echo var="REMOTE_ADDR" -->
The following is a short list of some "core" variables
and others that you're likely to see:
- SERVER_NAME:
- HTTP_HOST:
- Hostname of the computer running the Web server.
- SERVER_SOFTWARE:
- The Web serving program; on Panix, it's Apache.
- SERVER_PORT:
- Port number on server to which request was sent;
usually 80.
- SERVER_PROTOCOL:
- Name and revision of request, usually "HTTP/1.0".
- GATEWAY_INTERFACE:
- The CGI version number, expressed as "CGI/N.N".
- SCRIPT_FILENAME:
- SCRIPT_NAME:
- SCRIPT_URI:
- SCRIPT_URL:
- Name and/or location of the CGI script, with varying degrees of detail.
- REQUEST_METHOD:
- Was request a GET, POST, HEAD, etc.? Depending on
result, may have to look for additional info from requester in
different places.
- QUERY_STRING:
- Information which followed the ? in the URL referring
to this CGI script;
e.g., in "http://www.foo.com/bar.cgi?cmd=baz", the QUERY_STRING is
"cmd=baz".
Always set, but is frequently blank (especially if the CGI was called
via a POST request). Most usefully passed during a GET request.
- CONTENT_LENGTH:
- If this is a POST request, the length of the
additional information being passed from server to CGI via STDIN.
- PATH_INFO:
- Additional information which might have appeared in the URL after
the CGI name;
e.g., in "http://www.foo.com/bar.cgi/baz/", the PATH_INFO is "/baz/".
- HTTP_USER_AGENT:
- Requester's browser type. Usually starts off as "Mozilla/N.N",
but may then state "(compatible; ...)". This indicates Netscape
Navigator version N.N, or a browser compatible with that version,
e.g., "(compatible; MSIE 4.0)". User's platform type (Mac, Windows,
X11, Linux, or whatever) is likely also listed.
On the other hand, if the request comes from a robot or a proxy, none
of this sort of information may be there.
- HTTP_REFERER:
- URL which pointed to the script.
Note that some browsers may be configured not to pass this information
or to pass garbage.
Additionally, if a user directly enters a URL, the referer information
might be the (unrelated) page she was looking at, or might not be passed
at all. In other words, this variable is not always reliable.
- HTTP_FROM:
- An e-mail address for the person "visiting" your script.
Due to privacy concerns, browsers rarely, if ever, pass this information.
- REMOTE_ADDR:
- The IP number of the machine making the request.
- REMOTE_HOST:
- The hostname of the machine making the request.
If unknown, set equal to REMOTE_ADDR.
- REMOTE_USER:
- The ID of the person accessing the CGI, if the CGI is in an
htpasswd-protected directory.
There are, of course, many more EVs.
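How a C CGI might read the variables above defensively, as an added example that is not part of the original FAQ or Panix's own code: values derived from the URL or the request headers (QUERY_STRING, PATH_INFO, CONTENT_LENGTH, HTTP_*) are chosen by the requester, so they are length-checked and parsed strictly before use. The function names and the 64 KB MAX_BODY limit are assumptions made for this example.

```c
/* Added example: defensive reads of CGI environment variables. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY 65536L /* assumed cap on POST body size for this script */

/* 1 if the client chooses the value (URL parts and HTTP_* request headers). */
int ev_is_client_supplied(const char *name)
{
    return strncmp(name, "HTTP_", 5) == 0 || strcmp(name, "QUERY_STRING") == 0 ||
           strcmp(name, "PATH_INFO") == 0 || strcmp(name, "CONTENT_LENGTH") == 0;
}

/* Copy an EV value into a fixed buffer. Returns -1 if it is unset or does
   not fit (no silent truncation), 0 on success. */
int ev_copy(const char *value, char *dst, size_t dstlen)
{
    if (value == NULL || strlen(value) >= dstlen) return -1;
    memcpy(dst, value, strlen(value) + 1);
    return 0;
}

/* Bytes of request body to read from STDIN: 0 unless the method is POST,
   -1 if CONTENT_LENGTH is missing, not a plain decimal, or above MAX_BODY. */
long cgi_body_length(const char *method, const char *content_length)
{
    char *end;
    long n;
    if (method == NULL || strcmp(method, "POST") != 0) return 0;
    if (content_length == NULL || content_length[0] < '0' || content_length[0] > '9')
        return -1; /* rejects empty strings, signs and leading whitespace */
    errno = 0;
    n = strtol(content_length, &end, 10);
    if (errno != 0 || *end != '\0' || n > MAX_BODY) return -1;
    return n;
}

int main(void)
{
    char query[256];
    long n = cgi_body_length(getenv("REQUEST_METHOD"), getenv("CONTENT_LENGTH"));
    printf("Content-Type: text/plain\r\n\r\n");
    printf("body bytes to read: %ld\n", n);
    printf("query accepted: %s\n",
           ev_copy(getenv("QUERY_STRING"), query, sizeof query) == 0 ? "yes" : "no");
    printf("HTTP_REFERER client-supplied: %d\n", ev_is_client_supplied("HTTP_REFERER"));
    return 0;
}
```

A script that gets -1 from `cgi_body_length` should refuse the request rather than read STDIN with a guessed size.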
As noted by Carl Oppedahl:
"The thing you must not forget is that anybody who wants to can
make any newly defined environment variable come into existence.
The server can offer it to the client, and the client can store it
and give it to the next server. You can see this with all the talk of
'cookies' in the www.*.cgi group. Thank goodness EV's aren't executable
or we would have another kind of computer virus on our hands!"
Carl's business Web site, Oppedahl & Larson, contains a useful discussion
of environment variables, including a list of all those that his
site has detected.
For other information, you may also want to visit the
NCSA CGI environment variable tutorial page.
Last modified: Tuesday, 23-Feb-1999 20:30:49 EST
RBS