<?label 6.2. Server Side Includes?><html><head><title>Server Side Includes (CGI Programming with Perl)</title><link href="../style/style1.css" type="text/css" rel="stylesheet" /><meta name="DC.Creator" content="Scott Guelich, Gunther Birznieks and Shishir Gundavaram" /><meta scheme="MIME" content="text/xml" name="DC.Format" /><meta content="en-US" name="DC.Language" /><meta content="O'Reilly & Associates, Inc." name="DC.Publisher" /><meta scheme="ISBN" name="DC.Source" content="1565924193L" /><meta name="DC.Subject.Keyword" content="stuff" /><meta name="DC.Title" content="CGI Programming with Perl" /><meta content="Text.Monograph" name="DC.Type" /></head><body bgcolor="#ffffff"><img src="gifs/smbanner.gif" alt="Book Home" usemap="#banner-map" border="0" /><map name="banner-map"><area alt="CGI Programming with Perl" href="index.htm" coords="0,0,466,65" shape="rect" /><area alt="Search this book" href="jobjects/fsearch.htm" coords="467,0,514,18" shape="rect" /></map><div class="navbar"><table border="0" width="515"><tr><td width="172" valign="top" align="left"><a href="ch06_01.htm"><img src="../gifs/txtpreva.gif" alt="Previous" border="0" /></a></td><td width="171" valign="top" align="center"><a href="index.htm">CGI Programming with Perl</a></td><td width="172" valign="top" align="right"><a href="ch06_03.htm"><img src="../gifs/txtnexta.gif" alt="Next" border="0" /></a></td></tr></table></div><hr align="left" width="515" /><h2 class="sect1">6.2. Server Side Includes</h2><p>Many times we want to create a web page that contains very littledynamic information. It seems like a lot of work to go through thetrouble of writing a full-fledged application in order to display asingle piece of <a name="INDEX-1241" />dynamic information such as the currentdate and time, file modification time, or the user's IPaddress, in an otherwise static document. Fortunately, there is atool included with most web servers called <em class="firstterm">Server SideIncludes</em><a name="INDEX-1242" />, or <em class="firstterm">SSI</em>.</p><p>SSI allows us to embed special directives in our HTML documents toexecute other programs or insert various pieces of data such asenvironment variables and file statistics. While SSI has technicallynothing to do with CGI, it is an important tool for incorporatingdynamic information, as well as output from CGI programs, intootherwise static documents, and you should definitely be aware of itsabilities and limitations because in some cases it can provide asimpler and more efficient solution than a CGI script.</p><p>For example, say you want to have a web page display the<a name="INDEX-1243" /> <a name="INDEX-1,244" />last date it was modified. You couldcreate a CGI script to display the file and use Perl's<tt class="literal">-M</tt><a name="INDEX-1245" /><a name="INDEX-1246" /> operator to determine the age of thefile. However, it's much simpler to enable SSI and include thefollowing line:</p><blockquote><pre class="code">Last modified: &lt;!--#echo var="LAST_MODIFIED" --&gt;</pre></blockquote><p>The terms within the HTML comment are an SSI command. When thebrowser requests this document from a web server, the server parsesit and returns the result (see <a href="ch06_02.htm#ch06-69027">Figure 6-1</a>). In thiscase, it replaces the SSI command with a timestamp reflecting thelast time this document was modified. The server does notautomatically parse all files looking for SSI directives, but onlydocuments that are associated with SSI. We will look at how toconfigure this in the next section.</p><a name="ch06-2-fm2xml" /><blockquote><h4 class="objtitle">NOTE</h4><p>Note that <a name="INDEX-1247" /> <a name="INDEX-1,248" /><a name="INDEX-1249" /><a name="INDEX-1250" />SSI cannot parse CGI output; it onlyparses otherwise static HTML files. The new architecture in Apache2.0 should eventually support SSI parsing of CGI output if the CGIoutputs a particular <em class="emphasis">Content-type</em> header. Otherweb servers do not support this.</p></blockquote><p>Because the SSI engine is compiled into the web server, it is manytimes more efficient than a CGI script. However,<a name="INDEX-1251" /><a name="INDEX-1252" />SSIcommands are limited and can only handle basic tasks; in one sensethis simplicity is good because SSI is very easy to learn. HTMLdesigners with no programming experience can easily add SSI commandsto their documents. Later in this chapter we'll see how othertemplate solutions provide more powerful alternatives aimed atdevelopers.</p><a name="ch06-69027" /><div class="figure"><img width="460" src="figs/cgi2.0601.gif" height="267" alt="Figure 6-1" /></div><h4 class="objtitle">Figure 6-1. Server side includes</h4><a name="ch06-14723" /><div class="sect2"><h3 class="sect2">6.2.1. Configuration</h3><p>The <a name="INDEX-1253" /> <a name="INDEX-1,254" />server must know which files toparse for SSI commands. We'll see how to configure the Apacheweb server in this section. If you are using another web server, itshould be equally easy to configure; refer to its documentation.</p><p>You have the following options with SSI:</p><ul><li><p>You may configure the web server to only recognize SSI documents in aparticular directory or directories or throughout the entire site.</p></li><li><p>You can configure the web server to parse all HTML documents for SSIcommands or just documents with a particular extension (typically<em class="filename">.shtml </em><a name="INDEX-1255" />).</p></li><li><p>You can set whether SSI commands have the ability to execute externalprograms in order to generate their output. This can be useful, butit can also be a security risk.</p></li></ul><p>To enable SSI for a particular directory or<a name="INDEX-1256" />directories, add<tt class="literal">Includes</tt> as an option in each directory. If youwish to enable SSI throughout your <a name="INDEX-1257" />web site for all files ending in<em class="filename">.shtml</em>, then add the following to<em class="filename">httpd.conf</em> (or <em class="filename">access.conf</em>if used):</p><blockquote><pre class="code">&lt;Location /&gt;...Options     IncludesAddHandler  server-parsed .shtml...	&lt;/Location&gt;</pre></blockquote><p>Note that your configuration files probably have other lines betweenthe &lt;Location /&gt; and &lt;/Location&gt; tags as well as otherentries for <tt class="literal">Options</tt>; you can leave these as theyare.</p><p>You are not restricted to using the <em class="firstterm">.shtml</em>extension; you can have the<a name="INDEX-1258" />serverparse all HTML documents with this directive:</p><blockquote><pre class="code">AddHandler server-parsed .html</pre></blockquote><p>However, you should do this only if all of your pages are dynamicbecause parsing each HTML document increases the amount of work theweb server must do and reduces performance.</p><p>You should also add the following lines to<em class="filename">httpd.conf</em><a name="INDEX-1259" /><a name="INDEX-1260" /> <a name="INDEX-1,261" /> outside any<tt class="literal">Location</tt> or <tt class="literal">Directory</tt> tags (or<em class="filename">srm.conf,</em> if used):</p><blockquote><pre class="code">DirectoryIndex   index.html index.shtmlAddType          text/html     .shtml</pre></blockquote><p>The <tt class="literal">DirectoryIndex</tt> directive tells the server thatif the URL refers to a directory and that directory contains<em class="filename">index.shtml</em>, then it should display it if<em class="filename">index.html</em> is not found. The<tt class="literal">AddType</tt> server directive tells the server that themedia type of parsed files is HTML instead of the default, which istypically plain text.</p><p>We'll look at the syntax of SSI commands in a moment, but oneparticular <a name="INDEX-1262" /> <a name="INDEX-1,263" />SSI command,<tt class="command">exec</tt>, allows you to execute<a name="INDEX-1264" /><a name="INDEX-1265" /><a name="INDEX-1266" /><a name="INDEX-1267" />externalapplications and include the output in your document. You may notwish to enable thisfor<a name="INDEX-1268" /> security reasons;you may not wish to give HTML authors the same level of trust in thisregard that you give to CGI developers. Also, if you do enable<tt class="command">exec</tt> and you have a CGI script on your site thatcreates static HTML files from users' input (as some popularguestbook and message board CGI scripts do), make sure that SSI isnot enabled for files created by this CGI script. If someone usingthis CGI script enters the following and SSI tags are not removed bythe CGI application, then their malicious command will be executedthe first time their comment is read:</p><blockquote><pre class="code">&lt;!--#exec cmd="/bin/rm -rf *" --&gt;</pre></blockquote><p>This would remove all the files from all the directories the servercan write to. The following could be just as disastrous on a Windowsserver:</p><blockquote><pre class="code">&lt;!--#exec cmd="del /f /s /q c:\" --&gt;</pre></blockquote><p>Most CGI scripts that generate files such as this create them with a<em class="filename">.html</em> extension, so you would not want to enable<tt class="command">exec</tt> and configure the web server to parse all<em class="filename">.html</em> files. Note that this is not as much of aconcern if CGI scripts are not allowed to generate<em class="filename">.html</em> files.</p><p>To enable <a name="INDEX-1269" />SSI without enabling the<tt class="literal">exec</tt> tag, use the following option instead of<tt class="literal">Includes</tt>:</p><blockquote><pre class="code">Options     IncludesNoExec</pre></blockquote><p>Older versions of Apache and other web <a name="INDEX-1270" />servers actuallyrequired that the CGI script execution also be enabled in order touse the <tt class="command">exec</tt> command:</p><blockquote><pre class="code">Options     Includes ExecCGI</pre></blockquote><p>As you'll recall from <a href="ch01_01.htm">Chapter 1, "Getting Started "</a>, there aregood reasons to restrict CGI scripts to particular directories.Previously you had to choose between enabling CGI script executionand disallowing the <tt class="command">exec</tt> command. Fortunately,this restriction has been lifted: you can now<a name="INDEX-1271" /> <a name="INDEX-1,272" />enable the<tt class="command">exec</tt> command while disallowing <a name="INDEX-1273" /> <a name="INDEX-1,274" />CGI execution.</p></div><a name="ch06-3-fm2xml" /><div class="sect2"><h3 class="sect2">6.2.2. Format</h3><p>Now let's see what <a name="INDEX-1275" /><a name="INDEX-1276" /><a name="INDEX-1277" />SSI can do for us. All SSI directiveshave the following syntax:</p><blockquote><pre class="code">&lt;!--#element attribute="value" attribute="value" ... --&gt;</pre></blockquote><p><a href="ch06_02.htm#ch06-63191">Table 6-1</a> lists the available SSI commands. Inthis chapter, we will discuss each of these directives in detail.</p><a name="ch06-63191" /><h4 class="objtitle">Table 6-1. Server Side Include Commands </h4><table border="1"><tr><th><p>Element</p></th><th><p><a name="INDEX-1278" />Attribute</p></th><th><p>Description</p></th></tr><tr><td><p><tt class="command">echo</tt><a name="INDEX-1279" /></p></td><td><p><tt class="command">var</tt></p></td><td><p>Displays the value of environment variables, special SSI variablesand any user-defined variables.</p></td></tr><tr><td><p><tt class="command">include</tt><a name="INDEX-1280" /></p></td><td /><td><p>Inserts the contents of a particular file into the current document</p></td></tr><tr><td /><td><p><tt class="command">file</tt></p></td><td><p>Path of the file relative to the current directory, you cannot use anabsolute path or reference files outside the document root; the filecontents are included directly into the page with no additionalprocessing.</p></td></tr><tr><td /><td><p><tt class="command">virtual</tt></p></td><td><p>Virtual path (URL) relative to the document root; the serverinterprets the path just as if it were another HTTP request, so youcan use this attribute to insert the results of a CGI program oranother SSI document.</p></td></tr><tr><td><p><tt class="command">fsize</tt><a name="INDEX-1281" /></p></td><td /><td><p>Inserts the size of a file.</p></td></tr><tr><td /><td><p><tt class="command">file</tt></p></td><td><p>Path of the file relative to the current directory.</p></td></tr><tr><td /><td><p><tt class="command">virtual</tt></p></td><td><p>Virtual path (URL) relative to the document root.</p></td></tr><tr><td><p><tt class="command">flastmod</tt><a name="INDEX-1282" /></p></td><td><p><tt class="command">file</tt></p></td><td><p>Inserts the last modification date and time for a specified file.</p></td></tr><tr><td><p><tt class="command">exec</tt><a name="INDEX-1283" /></p></td><td /><td><p>Executes external programs and inserts the output in current document(unless SSI has been configured with<tt class="literal">IncludesNoExec</tt>).</p></td></tr><tr><td /><td><p><tt class="command">cmd</tt></p></td><td><p>Path to any executable application relative to the current directory.</p></td></tr><tr><td /><td><p><tt class="command">cgi</tt></p></td><td><p>Virtual path to a CGI program; however, you<em class="emphasis">cannot</em> pass a query string -- if you want topass a query string, use <tt class="literal">#include</tt><tt class="literal">virtual="..."</tt> instead.</p></td></tr><tr><td>