This tutorial is brought to you courtesy of PerlMonks, an online community of Perl programmers and aficionados. It was originally authored by Archbishop Ovid as a way of giving back to the community, and is now collaboratively maintained.
One of the things people frequently go to PerlMonks looking for is a good online CGI tutorial. This course was written to fulfill that need. If you are interested in CGI programming and you know a little Perl, you probably know that there are a lot of Perl/CGI tutorials out there. Unfortunately, they tend to have various problems:
If you ever have a question about anything in this tutorial, please consider asking on PerlMonks. In particular, see the FAQ I want to ask a question of the Perl Monks; where do I start? Further information is found in Understanding and Using PerlMonks.
If you're looking for a deeper, more comprehensive tutorial, we recommend the book CGI Programming with Perl, 2nd Ed., from O'Reilly.
There are certain basic things which help to maximize the impact of this course:
First and foremost, every lesson in this course discusses security at least once, because security is the single biggest failure of most online CGI courses. You will encounter "Security Checkpoints" throughout this course to help reinforce these concepts. On the original page each "Security Checkpoint" paragraph is marked with an icon in the margin; it signifies that you should pay special attention to the content of that paragraph.
Perhaps you are just going to run these scripts on your own box and have nothing important there. Who cares if someone breaks in? This is just a toy for you, right? Wrong. Someone breaking into your box can use it to stage attacks on other sites. One individual we know didn't lock down his box "because it was just a toy" and discovered that not only had someone broken in, they were doing a lot of bad stuff there. He wrote the following in an e-mail:
A friend found I had been running the server for a few months, and asked what kind of security I was using. I chuckled and told him there was no need, since the computer had no valuable information on it.
He gave me a funny look, and he started port-scanning my machine. As you would expect, just about everything was open. As we looked further and further into it, things started looking bad. There was evidence that someone else had been in my system.
The clincher came when we found a SQL server database of news groups on my server. Chances are I was used to spam these news groups.
Indeed, it could have been much worse. Remember those huge distributed denial-of-service attacks on Yahoo! and other large web sites? The attackers needed to break into other people's machines to install programs that would allow them to stage these assaults. Poor security on CGI scripts can be just the opening they need.
More details on this will follow, including some explicit details of simple exploits. Some people may object that this is a "hacker handbook", but the truth is, hackers are already out there and they're going to learn anyway. Better you know what you're up against than to wonder what they can do to you.
This course assumes that you already have some basic knowledge of Perl. You don't need to be an expert, but you should at least be fairly comfortable writing simple programs. For resources on learning Perl, check out the Getting Started with Perl tutorials on PerlMonks.
You should know basic HTML. There's no point in trying to learn CGI without knowing basic HTML. Webmonkey's web basics tutorials should bring you up to speed fairly quickly.
If you are going to get serious about CGI programming, you had better learn how to deconstruct an HTTP/1.1 header. You need to understand MIME types and what the different HTTP request methods are. However, the emphasis in this course is on learning fast, so it will skip Why It Works (when practical) and focus on How It Works. This is how most programmers learn anyway. But make no mistake: sooner or later you should learn what's going on under the hood. The first time a browser sends you malformed headers, you'll be glad you did (or wish you had).
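The header deconstruction the paragraph above asks for, as an added example that is not part of the original PerlMonks course: a small Perl parser for the head of an HTTP/1.1 request, with the rejection rules (a three-part request line, token field names, no obsolete line folding, a single Content-Length, a Host header for HTTP/1.1) that buggy or hostile clients trip, followed by the mapping from the parsed head to the CGI meta-variables a script actually reads from %ENV. The function names and the sample requests are constructed for this example; the SCRIPT_NAME mapping assumes the whole path names the script, which a real server decides from its own configuration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Parse the head of an HTTP/1.1 request (request line plus header fields).
# Returns a hashref on success, or (undef, $reason) so the caller can answer 400.
sub parse_request_head {
    my ($raw) = @_;

    # The head ends at the first empty line; anything after it is the body.
    my ($head) = split /\r?\n\r?\n/, $raw, 2;
    return (undef, 'empty request') unless defined $head && length $head;
    my @lines = split /\r?\n/, $head;
    return (undef, 'empty request') unless @lines;

    # Request line: exactly three space-separated parts, e.g. "GET /x HTTP/1.1".
    my @parts = split / /, shift @lines;
    return (undef, 'malformed request line') unless @parts == 3;
    my ($method, $target, $version) = @parts;
    return (undef, "unknown method '$method'")
        unless $method =~ /^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS)$/;
    return (undef, 'request target must be an absolute path or *')
        unless $target eq '*' || $target =~ m{^/\S*$};
    return (undef, "unsupported protocol version '$version'")
        unless $version =~ m{^HTTP/1\.[01]$};

    my %headers;
    for my $line (@lines) {
        # Obsolete line folding (a continuation line starting with whitespace)
        # is forbidden by RFC 7230 and a classic way to confuse naive parsers.
        return (undef, 'obsolete header folding not allowed') if $line =~ /^[ \t]/;
        # field-name is an RFC 7230 token; whitespace around the value is trimmed.
        my ($name, $value) = $line =~ /^([!#\$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*?)[ \t]*$/
            or return (undef, "malformed header line '$line'");
        $name = lc $name;    # field names are case-insensitive
        if (exists $headers{$name}) {
            # Two Content-Length fields is the request-smuggling setup: refuse it.
            return (undef, 'duplicate Content-Length header') if $name eq 'content-length';
            $headers{$name} .= ", $value";    # other repeated fields form a list
        } else {
            $headers{$name} = $value;
        }
    }
    return (undef, 'HTTP/1.1 requires a Host header')
        if $version eq 'HTTP/1.1' && !exists $headers{host};
    return (undef, 'Content-Length must be a non-negative integer')
        if exists $headers{'content-length'} && $headers{'content-length'} !~ /^\d+$/;

    return { method => $method, target => $target, version => $version, headers => \%headers };
}

# What the CGI script actually sees: the web server translates the parsed head
# into the meta-variables of RFC 3875, so the script inherits the server's
# parsing and reads %ENV instead of the raw request.
sub cgi_environment {
    my ($req) = @_;
    my ($path, $query) = split /\?/, $req->{target}, 2;
    my %env = (
        REQUEST_METHOD  => $req->{method},
        SERVER_PROTOCOL => $req->{version},
        SCRIPT_NAME     => $path,    # assumption: the whole path maps to the script
        QUERY_STRING    => defined $query ? $query : '',
    );
    for my $name (keys %{ $req->{headers} }) {
        my $value = $req->{headers}{$name};
        if    ($name eq 'content-type')   { $env{CONTENT_TYPE}   = $value }
        elsif ($name eq 'content-length') { $env{CONTENT_LENGTH} = $value }
        else {
            (my $var = uc $name) =~ tr/-/_/;    # User-Agent -> HTTP_USER_AGENT
            $env{"HTTP_$var"} = $value;
        }
    }
    return \%env;
}

# Constructed sample requests: one well-formed, three malformed in ways a CGI
# author will eventually see from a buggy or hostile client.
my %samples = (
    'well-formed'         => "GET /cgi-bin/hello.pl?name=monk HTTP/1.1\r\nHost: example.org\r\nUser-Agent: test/1.0\r\nAccept: text/html, */*\r\n\r\n",
    'no Host header'      => "GET /cgi-bin/hello.pl HTTP/1.1\r\n\r\n",
    'folded header'       => "GET / HTTP/1.1\r\nHost: example.org\r\nX-Note: one\r\n two\r\n\r\n",
    'two Content-Lengths' => "POST /cgi-bin/hello.pl HTTP/1.1\r\nHost: example.org\r\nContent-Length: 5\r\nContent-Length: 50\r\n\r\nhello",
);

for my $label (sort keys %samples) {
    my ($req, $err) = parse_request_head($samples{$label});
    if (!$req) {
        print "$label: rejected ($err)\n";
        next;
    }
    my $env = cgi_environment($req);
    print "$label: accepted\n";
    print "  $_=$env->{$_}\n" for sort keys %$env;
}
```

Run it with `perl` and compare the accepted request's REQUEST_METHOD, QUERY_STRING and HTTP_* variables with what your own server puts in %ENV. In a real deployment the web server performs this parsing before your script runs; the point of writing it once by hand is to know which inputs a careful server rejects and which ones it passes straight through to you.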
This course has been designed to be platform neutral to the extent possible. When differences between operating environments (e.g. Windows, Linux, Mac, etc.) are significant, these are pointed out. When non-standard Perl modules are used, this will be noted. You will definitely need to know how to install modules.
A Perl/CGI web programming course could easily be ten times this size; this one just covers the high points. Advanced topics are touched on only briefly, if at all. Enjoy!
First Lesson: What is CGI?