CGI::Lite - Process and decode WWW forms and cookies


    use CGI::Lite ();

    my $cgi = CGI::Lite->new ();

    $cgi->set_directory ('/some/dir') or die "Directory cannot be set.\n";
    $cgi->add_mime_type ('text/csv');

    my $cookies = $cgi->parse_cookies;
    my $form    = $cgi->parse_new_form_data;

    my $status  = $cgi->is_error;
    if ($status) {
        my $message = $cgi->get_error_message;
        die $message;


This module can be used to decode form data, query strings, file uploads and cookies in a very simple manner.

It has only one dependency and is therefore relatively fast to instantiate. This makes it well suited to a non-persistent CGI scenario.


Here are the methods used to process the forms and cookies:


The constructor takes no arguments and returns a new CGI::Lite object.


This handles the following types of requests: GET, HEAD and POST. By default, CGI::Lite uses the environment variable REQUEST_METHOD to determine the manner in which the query/form information should be decoded. However, it may also be passed a valid request method as a scalar string to force CGI::Lite to decode the information in a specific manner.

        my $params = $cgi->parse_form_data ('GET');

For multipart/form-data, uploaded files are stored in the user selected directory (see set_directory). If timestamp mode is on (see add_timestamp), the files are named in the following format:


where the filename is specified in the "Content-disposition" header. NOTE:, the browser URL encodes the name of the file. This module makes no effort to decode the information for security reasons. However, this can be achieved by creating a subroutine and then using the filter_filename method.

Returns either a hash or a reference to the hash, which contains all of the key/value pairs. For fields that contain file information, the value contains either the path to the file, or the filehandle (see the set_file_type method).


As for parse_form_data, but clears the CGI object state before processing the request. This is useful in persistent applications (e.g. FCGI), where the CGI object is reused for multiple requests. e.g.

    my $CGI = CGI::Lite->new ();
    while (FCGI::accept > 0)
        my $query = $CGI->parse_new_form_data ();
        # process query


Decodes and parses cookies passed by the browser. This method works in much the same manner as parse_form_data. As these two data sources are treated the same internally, users who wish to extract form and cookie data separately might find it easiest to call parse_cookies first and then parse_new_form_data in order to retrieve two distinct hashes (or hashrefs).


This method is used to check for any potential errors after calling either parse_form_data or parse_cookies.

    my $form = $cgi->parse_form_data ();
    my $went_wrong = $cgi->is_error ();

Returns 0 if there is no error, 1 otherwise.


If an error occurs when parsing form/query information or cookies, this method may be used to retrieve the error message. Remember, the presence of any errors can be checked by calling the is_error method.

    my $msg = $cgi->get_error_message ();

Returns the error message as a plain text string.


This method is used to set the platform on which the web server is running. CGI::Lite uses this information to translate end-of-line (EOL) characters for uploaded files (see the add_mime_type and remove_mime_type methods) so that they are accounted for properly on that platform.

    $cgi->set_platform ($platform);

$platform can be any of (case insensitive):

    Unix                                  EOL: \012      = \n
    Windows, Windows95, DOS, NT, PC       EOL: \015\012  = \r\n
    Mac or Macintosh                      EOL: \015      = \r

"Unix" is the default.

Returns undef.


To set a specific limit on the total size of the request (in bytes) call this method with that size as the sole argument. A size of zero effectively disables POST requests. To specify an unlimited size (the default) use an argument of -1.

    my $size_limit = $cgi->set_size_limit (10_000_000);

Returns the new value if provided, otherwise the existing value.


To prevent any file uploads simply call this method with an argument of 1. To enable them again, use an argument of zero.

    my $deny_uploads = $cgi->deny_uploads (1);

Returns the new value if provided, otherwise the existing value.


It is generally considered a mistake to send an HTTP request with multiple cookies of the same name. However, the RFC is somewhat vague regarding how servers are expected to handle such an eventuality. CGI::Lite has always allowed such multiple values and returned them as an arrayref to be entirely consistent with the same treatment of form/query data.

To override the default behaviour this method may be called with a single integer argument before the call to parse_cookies. An argument of 1 means that the first cookie value will be used and the others discarded. An argument of 2 means that the last cookie value will be used and the others discarded. An argument of 3 means that an arrayref will be returned as usual but an error raised to indicate the situation. An argument of 0 (or any other value) sets it back to the default.

    $cgi->force_unique_cookies (1);

Note that if there is already an item of data in the CGI::Lite object which matches the name of a cookie then the subsequent parse_cookies call will treat the new cookie value as another data item and the resulting behaviour will be affected by this method. This is another reason to call parse_cookies before parse_form_data.

Returns the new value if provided, otherwise the existing value.


Used to set the directory where the uploaded files will be stored (only applies to the multipart/form-data encoding scheme).

    my $tmpdir = '/some/dir';
    $cgi->set_directory ($tmpdir) or
        die "Directory $tmpdir cannot be used.\n";

This function should be called before parse_form_data, or else the directory defaults to "/tmp". If the application cannot write to the directory for whatever reason, an error status is returned.

Returns 0 on error, 1 otherwise.



All uploaded files that are opened as a result of calling set_file_type with the "handle" argument can be closed in one shot by calling this method which takes no arguments and returns undef.


By default, EOL characters are translated for all uploaded files with specific MIME types (i.e. text/plain, text/html, etc.). This method can be used to add to the list of MIME types. For example, if you want CGI::Lite to translate EOL characters for uploaded files of application/mac-binhex40, then you would do this:

    $cgi->add_mime_type ('application/mac-binhex40');

Returns 1 if this MIME type is newly added, 0 otherwise.


This method is the converse of add_mime_type. It allows for the removal of a particular MIME type. For example, if you do not want CGI::Lite to translate EOL characters for uploaded files of type text/html, then you would do this:

    $cgi->remove_mime_type ('text/html');

Returns 1 if this MIME type is newly deleted, 0 otherwise.


Returns the list of the MIME types for which EOL translation is performed.

    my @mimelist = $cgi->get_mime_types ();


Returns the MIME type of uploaded data. Takes the field name as a scalar argument. This previously undocumented function was named print_mime_type prior to version 3.0.

    my $this_type = $cgi->get_upload_type ($field);

Returns the MIME type as a scalar string if single valued, an arrayref if multi-valued or undef if the argument does not exist or has no type.


The names of uploaded files are returned by default when the parse_form_data method is called . But if this method is passed the string "handle" as its argument beforehand then the handles to the files are returned instead. However, the name of each handle still corresponds to the filename.

    # $fh has been set to one of 'handle' or 'file'
    $cgi->set_file_type ($fh);

This function should be called before any call to parse_form_data, or else it will have no effect.


By default, a timestamp is added to the front of uploaded files. However, there is the option of completely turning off timestamp mode (value 0), or adding a timestamp only for existing files (value 2).

    $cgi->add_timestamp ($tsflag);      
    # where $tsflag takes one of these values
    #       0 = no timestamp
    #       1 = timestamp all files (default)
    #       2 = timestamp only if file exists


This method is used to change the manner in which uploaded files are named. For example, if you want uploaded filenames to be all upper case, you can use the following code:

    $cgi->filter_filename (\&make_uppercase);

    # ...

    sub make_uppercase
        my $file = shift;

        $file =~ tr/a-z/A-Z/;
        return $file;

This method is perhaps best used to sanitise filenames for a specific O/S or filesystem e.g. by removing spaces or leading hyphens, etc.


This method allows fine-grained control of the buffer size used internally when dealing with multipart form data. However, the actual buffer size that the algorithm uses can be up to 3x the value specified as the argument. This ensures that boundary strings are not "split" between multiple reads. So, take this into consideration when setting the buffer size.

    my $size = $cgi->set_buffer_size (4096);

The buffer size may not be set below 256 bytes nor above the total amount of multipart form data. The default value is 1024 bytes.

Returns the buffer size.


Returns either a reference to an array or an array itself consisting of the form fields/cookies in the order they were parsed.

    my $keys = $cgi->get_ordered_keys;
    my @keys = $cgi->get_ordered_keys;

Displays all the key/value pairs (either form data or cookie information) in an ordered fashion to standard output. It is mainly useful for debugging. There are no arguments and no return values.


This is a method to wrap a long string into one that is separated by EOL characters (see set_platform) at fixed lengths. The two arguments to be passed to this method are the string and the length at which the line separator is to be added.

    my $new_string = $cgi->wrap_textarea ($string, $length);

Returns the modified string.


The values returned by the parsing methods in this module for multiple fields with the same name are given as array references. This utility method exists to convert either a scalar value or an array reference into a list thus removing the need for the user to determine whether the returned value for any field is a reference or a scalar.

    @all_values = $cgi->get_multiple_values ($reference);

It is only provided as a convenience to the user and is not used internally by the module itself.

Returns a list consisting of the multiple values.


Certain characters have special significance within HTML. These characters are: <, >, &, ", # and %. To display these "special" characters, they can be escaped using the following notation "&#NNN;" where NNN is their ASCII code. This utility method does just that.

    $escaped_string = $cgi->browser_escape ($string);

Returns the escaped string.


This method will URL-encode a string passed as its argument. It may be used to encode any data to be passed as a query string to a CGI application, for example.

    $encoded_string = $cgi->url_encode ($string);

Returns the URL-encoded string.


This method is used to URL-decode a string.

    $decoded_string = $cgi->url_decode ($string);

Returns the URL-decoded string.


This method checks for the existence of dangerous meta-characters.

    $status = $cgi->is_dangerous ($string);

Returns 1 if such characters are found, 0 otherwise.


The following methods and subroutines are deprecated. Please do not use them in new code and consider excising them from old code. They will be removed in a future release.

    $cgi->return_error ('error 1', 'error 2', 'error 3');

You can use this method to print errors to standard output (ie. as part of the HTTP response) and exit. This method is deprecated as of version 3.0. The same functionality can be achieved with:

    print ('error 1', 'error 2', 'error 3');
    exit 1;

This method is deprecated as of version 3.0. It runs contrary to the principles of structured programming and has really nothing to do with CGI form or cookie handling. It is retained here for backwards compatibility but will be removed entirely in later versions.

    %form = ('name'   => 'alan wells',
             'sport'  => 'track and field',
             'events' => '100m');

    $cgi->create_variables (\%hash);

This converts a hash ref into scalars named for its keys and this example will create three scalar variables: $name, $sport and $events.


The following methods and subroutines were deprecated in the 2.x branch and have now been removed entirely from the module.


The use of this subroutine had been strongly discouraged for more than a decade (See and for an advisory by Ronald F. Guilmette.) It has been removed as of version 3.0.

Use print_data instead.

Use print_data instead.

Compatibility note: in 2.x and older versions the following were to be used as subroutines rather than methods:


They will still work as such and are still exported by default. Users are encouraged to migrate to the new method calls instead as both the export and subroutine interface will be retired in future. Non-method use currently triggers a warning.


This module maintained backwards compatibility with versions of Perl back to 5.002 for a very long time. Such stability is a welcome attribute but it restricts the code by disallowing access to features introduced into the language since 1996.

With this in mind, there are two maintained branches of this module going forwards. The 2.x branch will retain the backwards compatibility but will not have any new features introduced. Changes to this legacy branch will be bug fixes only. The new 3.x branch will be the main release and will require a more modern perl (5.6.0 is now the bare minimum). The 3.x branch has new features and has removed some of the legacy code including some methods which had been deprecated for more than a decade. The attention of users wishing to upgrade from 2.x to 3.x is drawn to the "DEPRECATED METHODS" and "OBSOLETE METHODS/SUBROUTINES" sections of this document.

Requests for new features in the 3.x branch should be made via the request tracker at


If you're looking for more comprehensive CGI modules, you can either use the CGI::* modules or

CGI::Lite::Request uses some similar method names to thus allowing easy transition between the two. It uses CGI::Lite as a dependency.

CGI::Simple, CGI::Minimal and CGI::Thin are alternative lightweight CGI implementations.



Maintenance of this module as of May 2014 has been taken over by Pete Houston <>.


The author (Shishir) thanks the following for finding bugs and offering suggestions:

Eric D. Friedman
Thomas Winzig
Len Charest
Achim Bohnet
John E. Townsend
Andrew McRae
Dennis Grant
Scott Neufeld
Raul Almquist
and many others!

The present maintainer wishes to thank the previous maintainers: Smylers, Andreas, Ben and Shishir.


Copyright (c) 1995, 1996, 1997 by Shishir Gundavaram. All Rights Reserved.

Changes in versions 2.03 onwards are copyright 2014, 2015, 2017, 2018, 2021 by Pete Houston.

Permission to use, copy, and distribute is hereby granted, providing that the above copyright notice and this permission appear in all copies and in supporting documentation.


This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.