glog

a CGI script for personal or group Weblogging
by David M. Chess, http://www.davidchess.com/
covering the version of 1999/11/18 or so

----------------------------------------------
What is glog?

glog is a CGI script that allows you (and anyone else that you give
the posting password to) to maintain a Weblog.

----------------------------------------------
What's a Weblog?

A Weblog is a list of links, generally with some commentary on each
one, generally in reverse chronological order (newest first). Weblogs
are a way for one person (or group) to let the rest of the world see
what Web pages have attracted their attention lately. As of late 1999,
Weblogs are Hot; everyone's got one!

----------------------------------------------
How does glog work?

You take glog.cgi, tailor a few variables near the top to make it do
what you want it to do, and put it onto your Web server. Then when you
go to "http://your.host.name/some/path/glog.cgi" or whatever with your
browser, you'll get a form that lets you enter your name, an optional
link to your homepage, the posting password, the URL that you want to
add to the Weblog, text for the link, and text for the paragraph
describing it. You enter all that, press "post", and it updates an
HTML file on the Web server. When you or anyone else load that HTML
file in a browser, they get to see all the links that you've entered;
that's your Weblog.

You can probably try glog out for yourself, from the glog page at
"http://www.davidchess.com/toys/glog.html".

----------------------------------------------
Is glog secure?

Pretty much. Passwords are stored in the CGI script itself, so as
long as your Web server doesn't have any bugs that allow reading the
text of CGI scripts, the passwords are safe. You should choose good
passwords, of course. All form input is via the POST method, so
there's no danger of passwords being exposed via Referer: headers or
anything like that.
If you choose to store your name and homepage and password in a
cookie, then the password will be available to anyone who can read
your cookie file, so watch out for that.

glog doesn't use any strings from the input form to construct
filenames or anything like that, so that sort of common CGI security
hole shouldn't exist. And since this is Perl there won't be any
buffer-overflow bugs. *8)

You should only turn off "$scrub_text" if you're the only one adding
to the log, or if you have very strong trust in the other people who
know the posting password. With $scrub_text set to zero, anyone with
the posting password can add arbitrary HTML to your Weblog page, and
that means they can do just about anything, including just messing up
the whole page, adding annoying JavaScript popups or exploits for
browser bugs, and so on. So be careful with that.

If you use glog for group logging, and give the posting password to
some trusted friends, those friends will be able to trivially forge
entries under each other's names, since glog does no authentication
beyond the password. Either only give the password to people that you
trust not to do that, or just realize that you can't tell who really
added any given entry.

Unless you really trust all the holders of the posting password not
to get into silly fights, keep the deletion/admin password to
yourself. Most kingdoms should have only one king.

----------------------------------------------
Sounds good! What do I need in order to use it?

You need a Web server that you can put a Perl 5 CGI script onto. You
also need to be able to create two files (the database file and the
HTML Weblog) that both you and the Web server can read and write.
Then of course you need a browser that supports forms to use the
form. That's about all!

And you need the CGI script itself, of course. You probably got a
copy along with this file; if not, try
"http://www.davidchess.com/toys/glog-cgi.txt".
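
What the $scrub_text setting changes for an entry typed by someone who holds the posting password, as an added Perl example (not code from glog.cgi): it applies the conversion this document describes for $scrub_text (ampersand, less-than and greater-than turned into entities, a blank line starting a new paragraph) and prints the resulting HTML with the setting on and off. The names scrub() and to_paragraphs() and the sample entry are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added illustration, not code from glog.cgi. scrub() and to_paragraphs()
# are hypothetical names; the sample entry below is constructed.
use strict;
use warnings;

# Escape the three characters the glog documentation lists for $scrub_text.
# The ampersand must be handled first, otherwise the "&" introduced by
# "&lt;" and "&gt;" would itself be escaped a second time.
sub scrub {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    return $text;
}

# A blank line in the entry starts a new paragraph.
sub to_paragraphs {
    my ($text) = @_;
    $text =~ s/\r\n?/\n/g;    # normalise line endings sent by the form
    my @paras = grep { /\S/ } split /\n[ \t]*\n/, $text;
    return join "\n", map { "<p>$_</p>" } @paras;
}

# Constructed entry: ordinary text, then markup of the kind the
# "Is glog secure?" section warns about.
my $entry = "Nice article on R&D budgets.\n\n"
          . "<script>alert('popup')</script><b>unclosed bold";

# Render the same entry with the setting on (1) and off (0).
for my $scrub_text (1, 0) {
    my $body = $scrub_text ? scrub($entry) : $entry;
    print "--- \$scrub_text = $scrub_text ---\n", to_paragraphs($body), "\n";
}
```

With the setting on, the second paragraph reaches the page as inert text; with it off, the script element and the unclosed bold tag become part of the Weblog page for every reader.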

----------------------------------------------
How do I install it?

Modify glog.cgi as necessary (see below). Then put it onto the
appropriate place on your Web server. Create zero-length versions of
the database and Weblog files with appropriate permissions. Then
you're all set! Load up the entry form in your browser, submit your
first entry, and there you are. Advertise your new Weblog heavily,
and become rich and famous.

----------------------------------------------
What modifications will I need to make to glog.cgi?

This is the gory detail. There are a bunch of variables near the
start of glog.cgi that you *must* fill in, and some that you can
optionally fill in. Then there are two routines that you can mess
with to tailor the look of the Weblog page itself.

The required variables:

$logurl must be set to the full URL of the Weblog page. For instance,
"http://www.example.com/~xyz/weblog.html".

$cgiurl must be set to the full URL of the CGI script itself. For
instance, "http://www.example.com/~xyz/cgi-local/glog.cgi".

$password must be set to the posting password. I won't give a
for-instance, because someone might use it!

$logfile must be set to the name of the file in the local filesystem
that corresponds to $logurl; the Weblog. For instance,
"/u/xyz/www/weblog.html". Note that the Web server must be able to
read and write this file, so set the permissions accordingly.

$itmfile must be set to the name of the file glog will use for the
database of entries. You can use any filename you want, for instance
"/u/xyz/weblog.dat", as long as the Web server can read and write
that file.

Optional variables:

$logtitle should be set to the name of your Weblog; it's used in
various places in the HTML that glog generates. The default is the
boring "Web log". You could set this to, for instance, "Reptile Club
Weblog".

$logtoken should be set to some short and reasonably unique string;
it will be used as the name of the cookie, if any, that glog sets.
The default is "glog".
You could set it to, for instance, "iguanas".

$pass2 should be set to another password, one that will be required
to do anything but just post. If it's not set, anyone who knows the
posting password will also be able to delete and so on.

$maxtext is the maximum amount of text that can be entered into the
description field; trying to submit an entry with more text than this
will get an error message. If you don't like the default, you can
change it.

$maxlink is used when someone adding a new entry doesn't give any
text for the link. In that case, the URL itself is used as link text,
but if the URL is longer than $maxlink, only the start and end of the
URL, with dots in the middle, is used (as in
"http://www.example.com/news/.../11/12/x.html").

$scrub_text controls whether or not posters can use HTML markup and
special symbols in entries. If $scrub_text is set to 1 (the default),
all ampersands in entered text are converted to "&amp;", less-than
signs to "&lt;", and greater-than signs to "&gt;", so it's not
possible to use any HTML markup (new paragraphs can be created by
just leaving a blank line). If you change this to zero, posters can
enter arbitrary HTML. Do this only if you are the only one posting,
and/or you have great trust in everyone who knows the posting
password.

$bgcolor, $textcolor, $errorcolor, $linkcolor and $vlinkcolor are
used in generating various HTML pages, and you can fiddle with them
to change the colors of those pages. Their values should be valid
HTML color strings, like "red", "white", or "#ff33cc".

Oh, and of course you need to make sure that the very first line
points to the right Perl interpreter!

----------------------------------------------
What about them routines to tailor the look of the Web log page?

Oh, yeah. I think I'll just send you to the comments in the code for
this one, since you'll be altering the code anyway.
Basically what you do is replace the body of custom_log_template()
with a copy of the body of default_log_template(), replace the body
of custom_entry_template() with a copy of the body of
default_entry_template(), and then mess with custom_log_template()
and custom_entry_template() until the generated HTML looks the way
you want. Read the code and the existing template routines to see how
to use the special symbols &body; &from; &via; and so on.

And while you're in there, you can read the implementation comments
to find out all about how the database works, how deletion works, and
so on.

----------------------------------------------
How *does* deletion work?

Oh, all right. To delete an item from the Web log, use "view source"
to find out its item number (it's in an HTML comment right above the
item itself), then go to the input form, fill in the item number in
the obvious place, and the admin password if you have one set, and
press "delete". The Web log will be generated without that item.
(Note that the item is still in the database, it's just marked
"deleted". We could have an "undelete" function if we wanted to, but
I haven't coded it.)

----------------------------------------------
Do I have to make the database and Web log world-writable?

That depends on how your Web server is set up. You need to do
whatever's necessary to allow the server to read and write those two
files. On some systems, that may mean making them world r/w, or r/w
by "nobody", or by some particular group. If you can use cgiwrap
(talk to your host admin if you don't know), you may only have to
make them r/w to yourself. That's about all I know.

----------------------------------------------
What's all this about cookies?

Oh, right.
If you check the "Save in a cookie for later" box when you post, glog
will set a cookie (assuming your browser is accepting cookies and so
on) so that next time you go to the input form, the name and
homepage-URL and posting-password fields will be already filled in.
This can be very handy! Of course it can also be dangerous, in that
it causes the posting password (in an only-slightly-obfuscated form)
to be stored on your machine. If you don't want that to happen, don't
check that box.

----------------------------------------------
I can't make glog work!

Sure you can! Give it another try. If it still doesn't work, send
your problems to me at glog@davidchess.com and I'll see if I can
help.

----------------------------------------------
It would be better if...

Suggestions are very welcome; send them to glog@davidchess.com.

----------------------------------------------
Do you have a Weblog?

Well, only sort of. As of this writing, I have a combination Weblog,
diary, and journal at "http://www.davidchess.com/words/log.html". But
it's not maintained by glog! The glog-maintained Weblog that I
sometimes stick things into is the glog Demo Weblog, probably
available from "http://www.davidchess.com/toys/glog.html".

----------------------------------------------
Is that all?

Yep!

----------------------------------------------
David M. Chess, chess@theogeny.com, 1999/11/18