note on hw grades:
	stars is a good thing
	stars - is a good thing, just not as good (design flaw, incorrectness)
	if you didn't make stars, you still get credit
	if you are late, you can't make stars, but you can get credit
	infer:  if you didn't make stars, you might as well have been late

start thinking about final projects
	email me with your ideas
	you don't HAVE to do part-U, even if we agree on a project
	you don't HAVE to have ok on a project in order to do it,
	but i can tell you what isn't going to be an A, or what is too ambitious

congratulations, you probably can cgi in gawk on unix right now,
	which is very fast if you think about it

vim processes?

cookies (spec)

input type=image (image)

multipart file enc (upfile, upfile2)

general character conversion (unsafe)

dense forms:  raq/reb sim
meta-tag refresh:  warner
plotting:  pp
rewriting the interface:  mebay

safety:
	attacks on server:

	don't let people see the source of your scripts
	don't translate more characters than you need to
	use two different clean functions if textarea vs. text
	enclose user data in '' when composing shell commands
	ask yourself if there is an attack on shell commands by inserting:
		; " ' >> & echo << >& | \ 
		there is almost always an attack with \ and '
		so don't translate them!
	don't make your cgi directory public-writeable!
	your cgi must be a+x, but the directory does not have to be
	if you must, create a temp or tmp subdir with a+w permissions
	it is better to create the tempfiles you will need in advance
	don't let them write too much data to your file system

	runaway cgi:

	make sure you use kernighan syntax: ((getline < foo) > 0)
		if the file might not exist (getline returns -1, which counts as true in a bare test, so the loop never ends)
	it is sometimes necessary to write a kill-apache-script daemon
	it is reasonable to put hard limits in loops so requests can't saturate
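
added example, not part of the original notes: gawk code applying the rules under "attacks on server" and "runaway cgi" above (translate only the characters you need, never translate \ and ', enclose user data in '', test getline against 0, cap the loop). the names clean and run, the whitelist of allowed characters, MAXLINES and the sample value are assumptions; strtonum is gawk-specific.

```awk
# added example, not from the original notes; clean(), run(), the whitelist,
# MAXLINES and the sample value are assumptions made for illustration
BEGIN {
    MAXLINES = 100                           # hard limit on lines read back
    raw = "o%27brien%3B+echo+x%5C+%41"       # constructed form value
    safe = clean(raw)
    print "cleaned: " safe
    print "lines read: " run(safe)
}

# translate only what is needed: '+' and %XX escapes that decode to a
# whitelisted character; %27 (') and %5C (\) are never translated
function clean(s,    out, hex, c) {
    gsub(/\+/, " ", s)
    out = ""
    while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
        hex = substr(s, RSTART + 1, 2)
        c = sprintf("%c", strtonum("0x" hex))
        if (c !~ /^[A-Za-z0-9 ._,@-]$/)
            c = "%" toupper(hex)             # leave it encoded
        out = out substr(s, 1, RSTART - 1) c
        s = substr(s, RSTART + 3)
    }
    out = out s
    gsub(/[^A-Za-z0-9 ._,@%-]/, "", out)     # drop metacharacters sent unencoded
    return out
}

# enclose the cleaned value in '' when composing the shell command, test
# getline against 0 (it returns -1 on error), and cap the loop
function run(arg,    cmd, line, n) {
    cmd = "printf '%s\\n' '" arg "'"
    n = 0
    while ((cmd | getline line) > 0 && n < MAXLINES) {
        n++
        print "shell saw: " line
    }
    close(cmd)
    return n
}
```

the final gsub in clean matters because a request can carry a raw ' or \ that was never percent-encoded; only whitelisted characters and % ever reach the quoted shell argument.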

	multi-user access:

	use lockfile
		but make sure you can release your locks
	use append-only files for transaction logging
		then read this file to see who wrote first (2-stage request-commit)
	use a serialized service, such as requesting commitment thru another cgi

	ideas:

	use cgi to control CLIENT IP address access/times/session id's/passwords
	use cgi to log accesses
	use cgi to hide file names (serve the file thru cgi/decode-URL, not raw URL)
	use cgi on an exposed machine to request data behind firewall

	remember:

	cgi is essentially a "come in and let my machine work for you" proposition
	denial of service now includes cpu attack, file system attacks
		(attack /tmp or available-bytes), vm attack, i/o attack
	
	but cgi is powerful because your program runs in its proper environment, 
		and you get to script the client's browser in a non-invasive way