CGI, SSI, ASP and PHP: The Common Gateway Interface. E-Commerce, Prof. Sheizaf Rafaeli.


CGI


How CGI Works

Recall discussion of clients vs. servers

The Common Gateway Interface (CGI)

– is an agreement between HTTP server implementors about how to integrate such gateway scripts and programs

CGI programs are scripts written for the http server (httpd)

The specs for CGI (1.1 and 1.2) are at http://www.w3.org/hypertext/WWW/CGI/


Normal HTML vs. CGI

With Normal HTML, your browser receives HTML, and decodes it for presentation. Your browser also sends regular URL (pointer requests).

With CGI, your browser sends

– PUT or GET

– something else, not regular URL,

– call for a program


How CGI scripts work (2)

Your browser decodes the first part of the URL and contacts the server.

Your browser supplies the remainder of the URL to the server.

The server translates the URL into a path and file name.

The server realizes that the URL points to a program instead of a static file.


How CGI scripts work (3)

The server prepares the environment and launches the script.

The script executes and reads the environment variables and STDIN.

The script sends the proper MIME headers to STDOUT for the forthcoming content.

The script sends the rest of its output to STDOUT and terminates.


How CGI scripts work (4)

Non-parsed Header (nph) scripts can bypass the server, sending stuff directly back to the browser

The server notices that the script has finished and closes the connection to your browser. NOTE: stateless, connectionless

Your browser displays the output from the script.
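
The script's side of the steps above, as an added Python example (not from the original slides, which use Perl): it reads the environment and STDIN, then returns MIME headers, a blank line and the content. The `user` field comes from the deck's form example; the body size cap and the response wording are assumptions.

```python
import html
from urllib.parse import parse_qs

MAX_BODY = 64 * 1024  # assumed cap on POST bodies; not from the slides


def build_response(status, text):
    # MIME headers go to STDOUT first, then a blank line, then the content.
    head = "Status: %s\r\nContent-Type: text/html; charset=utf-8\r\n\r\n" % status
    return (head + "<html><body><p>%s</p></body></html>\n" % text).encode("utf-8")


def handle_cgi_request(environ, stdin):
    """Return the complete CGI response as bytes.

    environ: variables the server prepared before launching the script.
    stdin:   binary stream carrying the POST body, if there is one.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    if method == "GET":
        # GET form data arrives in the QUERY_STRING environment variable.
        raw = environ.get("QUERY_STRING", "")
    elif method == "POST":
        # POST form data arrives on STDIN. Read exactly CONTENT_LENGTH bytes
        # and refuse malformed or oversized values instead of trusting them.
        try:
            length = int(environ.get("CONTENT_LENGTH") or "0")
            if length < 0:
                raise ValueError(length)
        except ValueError:
            return build_response("400 Bad Request", "Bad Content-Length")
        if length > MAX_BODY:
            return build_response("413 Payload Too Large", "Body too large")
        raw = stdin.read(length).decode("utf-8", errors="replace")
    else:
        return build_response("405 Method Not Allowed", "Unsupported method")

    fields = parse_qs(raw, keep_blank_values=True)
    user = fields.get("user", ["(none)"])[0]
    # The value came from the client: escape it before echoing it as HTML.
    return build_response("200 OK", "Hello, " + html.escape(user))


if __name__ == "__main__":
    import os
    import sys
    sys.stdout.buffer.write(handle_cgi_request(os.environ, sys.stdin.buffer))
```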


Where CGI scripts live

CGI programs can reside anywhere, provided the location is recognized by the http server

"Anywhere" means on same machine or other, same directories or other

Best if set apart from document structure

Usually should be better protected, for fame, security, property reasons


Programming Languages in CGI

Perl and C, C++ are the most common

Visual Basic and Java rapidly catching up

Many others used too

ASP, PHP, SSI

Tension (choice) between compiled vs. interpreted

Dimensions:

– Portability,

– Ease of learning, debugging

– Speed, efficiency


CGI vs. API and server specific technologies

API is emerging as one alternative to CGI

Less portable (not "common")

"Behind" the server (httpd)

API more efficient, less compliant

Examples: Netscape ONE, Microsoft WindowsDNA, Oracle and others


Calling a CGI script

CGI scripts can be invoked in a variety of ways. They can be called from

– The <FORM> tag
» <FORM METHOD=POST ACTION="/cgi-bin/myprogram.cgi">

– The anchor <A> tag
» <A HREF="/cgi-bin/clicked.pl">Click Here</A>

– The image <IMG> tag
» <IMG SRC="/cgi-bin/cgi-image">

– As server side includes
» <!--#exec cgi="/cgi-bin/include-me.cgi" -->


ASP, SSI and PHP alternatives

SSI (Server Side Includes): SSI lets you embed a number of special 'commands' into the HTML itself. When the server reads an SSI document, it looks for these commands and performs the necessary action.

PHP is a server-side scripting language. Like ASP, PHP script is processed by the Web server. After the server plays with the PHP code, it returns plain old HTML back to the browser.


SSI and PHP alternatives

PHP HTML Embedding

SGML style: <? code ?>

XML style: <?php code ?>

ASP style: <% code %>

Javascript style: <script language="php">code</script>

<HTML><HEAD><TITLE>Search results for "<?php print htmlspecialchars($query); ?>"</TITLE></HEAD><BODY>


The simplest (and available) Server-Side include

The basic format for the server-side include is as follows:

– <!--#command tag1="value1" tag2="value2" -->

Possible SSI commands: config, echo, include, exec, fsize, flastmod

<!--#echo var="DATE_LOCAL" -->

<!--#fsize file="try.env.html" -->

<!--#exec cmd="/bin/date" -->

Depends on server configuration

BEWARE!!!

<!--#exec cmd="/bin/rm -rf /" -->
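
One way to review documents for the directives this slide warns about, as an added Python example (not from the original slides): it parses the `<!--#command tag="value" -->` format and flags every `exec`, plus any `include file` whose path leaves the document's directory. The sample page is constructed from directives shown in the deck, and the `../private/notes.txt` path is made up for illustration.

```python
import re

# Directive format from the slide: <!--#command tag1="value1" tag2="value2" -->
DIRECTIVE = re.compile(r"<!--#(\w+)\s*(.*?)\s*-->", re.DOTALL)
ATTRIBUTE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def parse_ssi(document):
    """Return a list of (command, {tag: value}) for each SSI directive."""
    found = []
    for match in DIRECTIVE.finditer(document):
        command = match.group(1).lower()
        attrs = {k.lower(): v for k, v in ATTRIBUTE.findall(match.group(2))}
        found.append((command, attrs))
    return found


def audit_ssi(document):
    """Flag directives that run programs or read files outside the page's directory."""
    findings = []
    for command, attrs in parse_ssi(document):
        if command == "exec":
            kind = "cmd" if "cmd" in attrs else "cgi"
            findings.append(("exec", "runs %s: %s" % (kind, attrs.get(kind, "?"))))
        elif command == "include":
            target = attrs.get("file", "")
            if target.startswith("/") or ".." in target.split("/"):
                findings.append(("include", "path leaves the document directory: " + target))
    return findings


# Constructed sample page reusing directives shown on the slides.
SAMPLE = """<HTML><BODY>
<!--#echo var="DATE_LOCAL" -->
<!--#fsize file="try.env.html" -->
<!--#exec cmd="/bin/date" -->
<!--#exec cgi="/cgi-bin/include-me.cgi" -->
<!--#include file="../private/notes.txt" -->
</BODY></HTML>"""

if __name__ == "__main__":
    for command, reason in audit_ssi(SAMPLE):
        print(command, "-", reason)
```

Whether `exec` runs at all depends on server configuration, as the slide says; on Apache httpd, for example, `Options IncludesNOEXEC` permits includes while disabling `#exec`.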


SSI example

<HTML><BODY>
hello<BR><!--#echo var="DOCUMENT_NAME"-->
<BR>This file is pretty big! it is<!--#config sizefmt="bytes"--><!--#fsize file="ssi.html"-->bytes
<BR>or, in short<!--#config sizefmt="abbrev"--><!--#fsize file="ssi.html"-->bytes
<BR><!--#include file="lastminuteSSI.txt"-->
</BODY></HTML>

Rendered output:

hello
ssi.html
This file is pretty big! it is 326 bytes
or, in short 1k bytes
hello again!

http://www-personal.umich.edu/~sheizaf/ssi.html


Some ASP examples

Hello world (see next slide)

Greeting, Session and Time
http://elab-nt1.bus.umich.edu/sheizaf/Session_variables.asp

Environment Variables
http://elab-nt1.bus.umich.edu/sheizaf/aspenvironment.asp (see slide)

Database Example
http://elab-nt1.bus.umich.edu/sheizaf/ASPDatabase.asp


Hello, ASP World!

My first script was created 7/24/00


The Form

The <FORM> tag is used to define the HTML to be used for user input

Most HTML calls CGI using forms

The tag's attributes specify

– the program's name and location either locally or as a full URL

– the type of encoding being used,

– what method is being used to transfer the data

<FORM ACTION="url" METHOD=[POST|GET] ENCTYPE="...">


Elements in a form

see http://www.umich.edu/~cisdept/Grad/CIS742/cgi.forms.html

Each <INPUT> tag identifies TYPE of area, has a NAME, and could have a VALUE.

Types include:

– text, checkbox, password

– reset and submit

– Textarea and Select are special cases

For example:

– <INPUT TYPE="text" NAME="user" VALUE="Donald" SIZE=30>


Elements in a form (2)

Text areas are invoked using:

– <TEXTAREA NAME="yourwords" ROWS=10 COLS=50>

Selection menus are invoked using

<SELECT NAME="Toppings" SIZE=4 MULTIPLE>
<OPTION SELECTED>Cinnamon
<OPTION>Cocoa
<OPTION>Nutmeg
<OPTION>Cloves
<OPTION>Allspice
<OPTION>Shaved Dark Chocolate
<OPTION>Paprika
</SELECT>


Environment Variables available to the CGI program

Remember that this is sessionless or "connectionless"

But various pieces of information are available about:

– the browser (type, what it can view, the remote host name etc)

– the server (name and version, the port it's running on, and so on)

– and the CGI program itself (the program name and where it's located).

The server provides all of this information to the CGI program through environment variables.


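A simple environment variables program

ENVIRONMENT.PL:

#!/usr/local/bin/perl
# Escape HTML metacharacters: several variables hold client-supplied text.
sub esc { my ($s) = @_; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; return $s; }

print "Content-type: text/html\n\n";    # MIME header, then a blank line
print "<html> <head>\n";
print "<title>CGI Environment</title>\n";
print "</head>\n";
print "<body>\n";
print "<h1>CGI Environment</h1>\n";
# One line per variable the server placed in the script's environment.
foreach my $env_var (keys %ENV) {
    print "<B>", esc($env_var), "</B> = ", esc($ENV{$env_var}), "<BR>\n";
}
print "</body> </html>\n";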


A simple environment variables program (2)

Try running directly

– http://cis519.bus.umich.edu/cgi-bin/environment.pl

And try submitting from a form:

– http://www.umich.edu/~cisdept/Grad/CIS742/try.env.html


The FORM HTML

<HTML> <BODY>
<H3>Here is a post button</H3>
<FORM ACTION="http://cobb.bus.umich.edu:443/cgi-bin/cis742/environment.pl" METHOD=POST>
<INPUT TYPE="submit" NAME="action" VALUE="POST the command to get environment variables">
</FORM>
<P><H3>And here is a Get button</H3>
<FORM ACTION="http://cobb.bus.umich.edu:443/cgi-bin/cis742/environment.pl" METHOD=GET>
<INPUT TYPE="submit" NAME="action" Value="GET environment variables">
</FORM>
</BODY> </HTML>


CGI and Security

Secure the machine (telnet and other access)

Secure the Web-server (daemon)

Secure the location of the cgi scripts (write and read access)

Then:

Your program should do what you want and nothing more.

Don't give client more information than it needs to know.

Don't trust the client to give you the proper information.

Minimize potential damage if break-in does occur
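
The rules above applied to an environment page like environment.pl, as an added Python example (not from the original slides): it shows only an allowlisted set of variables and escapes every value before output. The allowlist, the length cap and the sample environment are assumptions made for illustration.

```python
import html

# Assumed allowlist: only variables this page has a reason to show.
SAFE_VARS = ("REQUEST_METHOD", "QUERY_STRING", "SERVER_NAME", "SERVER_PORT",
             "SCRIPT_NAME", "REMOTE_ADDR", "HTTP_USER_AGENT")
MAX_SHOWN = 200  # assumed display cap per value


def render_environment(environ):
    """Build the CGI response for an environment page, listing only
    allowlisted variables with each value length-capped and HTML-escaped."""
    rows = []
    for name in SAFE_VARS:
        if name in environ:
            value = str(environ[name])[:MAX_SHOWN]
            rows.append("<B>%s</B> = %s<BR>" % (name, html.escape(value)))
    body = ("<html><head><title>CGI Environment</title></head>\n"
            "<body><h1>CGI Environment</h1>\n%s\n</body></html>\n" % "\n".join(rows))
    return "Content-type: text/html\n\n" + body


# Constructed request environment: a User-Agent header carrying markup, plus
# two variables the server process holds that no visitor needs to see.
SAMPLE_ENV = {
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "action=GET+environment+variables",
    "SERVER_NAME": "www.example.test",
    "HTTP_USER_AGENT": "<script>alert(1)</script>",
    "DB_PASSWORD": "constructed-secret",
    "PATH": "/usr/local/bin:/usr/bin",
}

if __name__ == "__main__":
    import os
    print(render_environment(os.environ), end="")
```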


CGI and Security (2)

Generally, compiled preferable over interpreted

Beware of buffer flow (pointer after-effect)

Encrypting incoming and / or outgoing messages:

– SSL

– SHTTP


CGI and Security

hopefully…


CGI and client side processing


"Packaged" CGI scripts (1)

There are thousands of scripts available

Try, for instance:

– http://www.scriptsearch.com

– http://bignosebird.com

– http://www.tucows.com

CGI programming libraries are important for:

– parsing

– output


"Packaged" CGI scripts (2) "ready made"

Like other providers, the UofM denies most users access to CGI directories

However, like many providers, UofM allows use of "prepackaged" applications. These include:

– Finger, HtMail (forms-to-email), Imagemap, Swishgate, Counter, Survey, Guestbook (and loggate)

See http://www.umich.edu/~websvcs/umweb/wwwcgi.html


"Hosted", remotely hosted CGI services

Often as simple as cutting and pasting some html into your pages. Sometimes require registration. Ranging from quizzes, "quote of the day" programs, to advanced affiliate programs and advertising systems.

See, e.g., at:

– http://www.hostedscripts.com

– http://www.remotelyhosted.com