Direct CGI mode

Version 2.42 May2013

pl may be invoked from within an HTML <img> tag as a CGI program to create plots on the fly. Direct CGI mode can produce PNG, JPEG, and other web browser displayable formats. This is one of several possible ways to implement just-in-time charting.

Security concerns

Please be sure you understand the various CGI-related security concerns discussed below that come into play when using ploticus in direct CGI mode.

In particular, note that prefabs are unsafe in direct CGI mode (and in any other situation where unknown/untrusted users can directly or indirectly set or manipulate prefab parameters).

Quick start

Briefly, here's what you need to do to use ploticus in direct CGI mode:

1. be sure you understand the CGI-related security concerns

2. copy your pl executable to your cgi-bin (or perhaps create a soft link)

3. using a text editor, create a ploticus config file in your cgi-bin. This allows ploticus to get its bearings and find things (discussed below)

4. check file and directory permissions - be sure that your web server (which typically runs as a UID of nobody) can access your pl executable, config file, data file, and script file

5. place an <IMG> construct into your HTML page that uses an appropriate URL (discussed below)

6. point your web browser to the HTML page.. this will cause pl to be executed and if everything's working you will see the graphic result

7. If you're not getting the desired results, add the -debug option in your invoking URL, like this: /cgi-bin/pl&cgi=1&-debug&-gif .. This causes error messages to be logged to /tmp/plcgi_err and debug output to /tmp/plcgi_diag .

8. See the other troubleshooting tips below

Config file

Because CGI programs are invoked in a generic, bare-bones environment, you must provide some basic information so that ploticus can get its bearings and find necessary files. This is done by creating a config file (not the same thing as a script file). It can be created using a text editor. It must be located in your cgi-bin and named similarly to your pl executable.. eg. if your pl executable is named pl or pl.exe your config file must be named pl.cnf.

Here's an example of a minimal config file for ploticus in CGI mode:

	projectroot: /home/steve/proj1

projectroot specifies a directory where ploticus will execute and do its work. It must be a directory accessible by your local web server. Data file names and script file names should be expressed relative to projectroot. If you're using your own ploticus script it must reside within the projectroot directory or one of its subdirectories.

Don't set PLOTICUS_PREFABS here! See security concerns, below.

There are many other optional things that can be done as well ... more about config files.


In direct CGI mode you invoke ploticus using a URL instead of command line. Fortunately the two methods are similar, varying only in argument delimitation syntax. Here are two examples:

Example command: pl -png TITLE="Usage report" -scale 0.8
URL equivalent: <img src="/cgi-bin/pl?cgi=1&">

Here are the rules for URLs:

1. the first part of the URL locates your cgi-bin, eg. or just /cgi-bin (relative) and the program to execute (pl) .. of course this part is dependent on local configuration. A question mark (?) must follow the program name. This is all standard CGI practice.

2. The first argument after the question mark should be cgi=1. This helps make it clear to pl that it is operating as a CGI program.

3. Next come all the other pl arguments and parameters. Just about any set of ploticus command line arguments can be used, in the usual order. Each argument is delimited using an ampersand (&). Some command line arguments, such as -scale 0.8 are really two arguments, and must be treated as such for URL purposes (see examples above). Arguments that need to be quoted when used on the command line should not be quoted in URL usage. Standard URL encoding may be used to represent problematic characters such as spaces (%20), ampersands (%26), etc. Arguments are truncated to a length of 250 chars each.

Note: any settings that apply to all your invocations can be conveniently made in your config file using the option: or varvalue: directives. This also gets them out of the public eye.


pl senses that it is running as a CGI program automatically if it finds the environment variable QUERY_STRING (set by your web server), and there are no conventional command line arguments present. Command arguments are extracted from QUERY_STRING environment variable. Providing the cgi=1 dummy argument helps in cases where there are no other CGI user arguments.

Default output format will be PNG, JPEG, or GIF depending on the pl build. An appropriate HTTP Content-type header is generated (based on output format type) and written to standard output.

HTTP POST method is not supported.

You can only generate one image per invocation in direct CGI mode.

Clickmaps generally cannot be done in direct CGI mode, since the map and the image content require two separate streams.

Command line options that are inappropriate in direct CGI mode, such as -diagfile, -errfile, -viewer, and -o, are automatically disabled.

I noticed some flakiness with SVG in direct CGI mode.


Getting direct CGI mode to work can be tricky... and certain details depend on your local web server configuration. Ploticus direct CGI mode should work on any server that supports the CGI standard (almost all do).

The first thing to try is to use the -debug option in your invoking URL, like this: This will cause error messages to be logged to /tmp/plcgi_err and additional diagnostic output to be logged to /tmp/plcgi_diag .

Things to check:

    Be sure that at least one of the above files exists. If not, then pl probably was never invoked by your web server.. indicating an incorrect URL, or a problem where your web server is not able to get or execute pl. Try invoking pl (or better yet, some other program in your cgi-bin) directly by typing a URL into your web browser. Your local webmaster or sysadmin team can help. For example, on some installations the web server can't access any file located outside of the web tree. (Note: Win32 uses c:\\temp. Also, if you specified a different temp directory in your ploticus config file, diagnostic files may be placed there, if pl was able to read your config file).

    File permissions are important. On Unix systems, be sure that your pl executable file mode is readable & executable by world (use command chmod 755 pl) so that your web server (which typically executes as a generic UID such as nobody) can get and execute pl. Be sure that all other necessary files and directories (your config file, data file, and script file) If you're using symbolic links, file permissions generally must be set on the actual file, not the link.

    Another thing to try is to simulate CGI invocation from the command line. To do this, cd to your cgi bin, deploy a new term window, and in the new window manually set the QUERY_STRING environment variable, eg:
    export QUERY_STRING=""
    Then, in the new window, invoke pl by hand, with no command line arguments, similarly to this:
    /data/htdocs/cgi-bin/pl > out
    Any error messages should be visible on screen. (The output file will generally not be displayable because it contains a mime-type header.)

    If you built ploticus with both GIF and PNG enabled, and want your CGI to generate PNG, you may need to place plpng into your cgi-bin and execute it instead of pl.

CGI security

Prefabs are unsafe in direct CGI mode and in any other situation where unknown/untrusted users can directly or indirectly set or manipulate prefab parameters.

When operating in direct cgi mode and similar situations script writers should be sure that prefabs are disabled. In version 2.32 and later prefabs should be automatically disabled in direct cgi mode. Do not set the PLOTICUS_PREFABS environment variable in the config file. Prefabs may also be disabled by simply renaming the prefabs directory to some other name, or removing it.

You should be fully familiar with CGI security issues and how they relate to your platform and project, before putting pl into service as a CGI program. Some things to keep in mind:

    Anyone can easily view your HTML, including your invocation of CGI programs. It is also very easy for users to submit modified CGI invocations (especially altered arguments).

    Avoid building filenames from user-supplied values such as CGI user variables. Where there's no alternative, proper measures including the following should be used to guard against hacks on the file name:
     #if @DATAFILE inlike /*,.*,*..*

    Avoid using #shell in your scripts that will run in direct CGI mode.

    If you build a shell command using CGI user variables and execute it using the #shell directive, ploticus has a feature where it automatically removes embedded metacharacters that could be used to carry out malicious activity. The developer should verify that this is working as expected.

    It is possible that undiscovered security holes exist with ploticus in direct CGI mode. If you will lose sleep over this, consider one of the other methods for just-in-time charting.

Using ploticus CGI with ASP/VBS

This is discussed here: ploticus newsgroup message# 1358

data display engine  
Copyright Steve Grubb

Ploticus is hosted at   Get ploticus data display engine at Fast, secure and Free Open Source software downloads