SAN 285 - Client Server Systems - CGI Programming in Perl

Dynamic Content Methods Compared

There are many ways to create dynamic content for a web server, and CGI programming is just one of them. Each of these methods has their own advantages and disadvantages. A developer needs to choose the method that best suits their needs, and skills.

Dynamic content methods can be divided into two main categories, server side programming, and client side programing. (Though a given web site may use a mix of these methods even on a single page). With server side programming, the programs that generate the content execute on the web server itself, with client side programming, the programs are downloaded to the web browser, and execute on the client computer.

Advantages of Server Side Programming:

Server side programming does not generally depend on browser versions or browser plug-ins.
Server side programs can more easily interact with databases since the server side program can be located on the same network as the database server.
Server side programs can be faster to start up since only the output needs to be downloaded to the browser instead of the entire program.

Disadvantages of Server Side Programming:

Server side programs can use more resources on the web server than client side programs do.
Server side programs have less access to resources such as files and data on the client platform than client side programs sometimes have.
The user interface for server side programs is limited to what is available in HTML such as forms and buttons. Sometimes a mix of client side programs and server side programs are used to overcome this limitation.

Advantages of Client Side Programming:

Client side programs can have more sophisticated user interfaces, and can take better advantage of graphics.
Client side programs take advantage of the CPU power on the client platforms, and may scale better as use grows.

Disadvantages of Client Side Programming:

Client side programs have more portability problems between different web browsers and between different versions of the same web browser. A program may behave differently between different clients running the same version of a browser if a user has disabled or restricted options such as Java Script, Active X, or Java.
Client side programs may pose security risks to the client platform (Particularly ActiveX), and are often disabled. And because client side programs can be modified by malicious users, input to the server from client side programs can not be trusted 100%.

Summary of Common Dynamic Content Methods
Method	Client or Server Side	Portability	Highlights:	Security
Java Applets	Client side execution	Good. Supported in Netscape and IE. Standards still evolving, but well accepted.	Java Applets are Java code written using the "applet" class library. Java applets can use Java class libraries that allow for complex user interfaces and good code reuse. Commonly used by software vendors to create portable user interfaces for networking equipment, or to control server based software. (For example: Veritas, EMC, Netscape iPlanet, etc Learning curve can be high. Used more often for complex interfaces and programs than for short programs.	The "applet" class library enhances security by running applications in a "sandbox", isolating them from direct access to the client system's resources. Security is good in theory, but bugs in different Java VM implementations have led to exploits.
Java Script	Client side execution	Fair. Supported in modern versions of both Netscape and IE. Seems to be more subject to browser specific problems than Java.	Java Script, in spite of it's name, has very little relationship with Java. Their syntaxes are similar, and both are object oriented. The biggest thing they have in common is the word Java in their names. Commonly used in conjunction with server side processing to improve user interfaces or to add some zest to otherwise static content.	Security is good in theory, since Java Script is prevented from accessing local client resources, but bugs in different browsers have led to exploits.
Active X	Client side executions.	Poor. Natively supported only in IE, though plug-ins for some versions of Netscape running on some platforms (but not for Unix) are available.	Active X was Microsoft's original answer to Java and Java Script. Active X can be used to replicate MS-Windows interfaces. Active X can also have full access to local client resources. This allows for powerful web based applications, but can be a major security problem.	Poor. Active X security is poor from both a theoretical and de-facto point of view. Active X's ability to access local resources can be limited, but the same behavior that makes users click on executable email attachments makes them likely to click "OK" when encountering unknown ActiveX applications. The nature of ActiveX also has allowed for more security related bugs even when using supposedly safe ActiveX features. ActiveX code has placed an "active" part in many security exploits and email viruses.
ASP	Server side execution.	Poor. natively supported only in the MS IIS web server. A plug in from ChilliSoft allows for ASP execution on other web server platforms.	ASP is a powerful server side technology well supported by Microsoft. The technology can have a steep learning curve, which makes it more commonly used for large scale or complex applications. However, it's integration with other Microsoft products and APIs makes for an easier transition for many experienced Windows developers. ASP applications can be written in Visual C++ or Visual Basic.	Good. Creates no greater risk to client side of the connection than standard HTML. Server side security is dependant on the quality of code written by the developers and on the configurations done by the web master/administrator. Flaws in default IIS configurations and in ASP utilities have resulted in server security breaches.
Lotus Notes/Domino	Server Side Execution	Fair. Notes/Domino web applications can only run on Domino web servers. However, Domino is available on a wide variety of platforms, including NT, Unix, and OS/400.	Lotus /IBM have expanded the capabilities of Notes/Domino over the years. It was originally a conventional 2 tier client server technology. The client software is Lotus Notes, and the server side back end software is called Domino. Domino is now a web enabled server, and server side programs can be written that work within either a Notes client or web browser client. It's integration with Domino can make for rapid software development and powerful group collaboration tools.	Good. Security is dependant on the quality of code written by developers and on the configurations done by the web master/administrator.
PHP	Server side execution	Good. Supported as a plug in for all major (and most minor) web servers.	PHP most commonly competes with CGI in developer mind share. Both are open standards, supported on a variety of platforms. Some server side execution methods take the approach of embedding HTML inside of programs. PHP however takes the approach of embedding PHP code into HTML. This approach can make it easier to use PHP for adding dynamic content to mostly static pages, but PHP is also suited for more complex applications. One strong point of PHP is its ability to easily interact with back end databases. It also can have high performance	Good. Security is dependant on the quality of code written by developers and on the configurations done by the web master/administrator.
Java Servelets	Server side execution	Good. Supported in a variety of web servers, and supported with several application server frameworks. These include IBM's Web Sphere, BEA Web Logic, and Netscape/iPlanet application server.	Java coding for Servelets is just a different flavor of Java coding than coding for Java Applets. Java Servelets are not instances of the applet class, so they are not limited by the sandbox/security features of an applet. They have full access to the resources of the server as any other server side process does. Java application server frameworks provide libraries of code that allow for easier development using standard interfaces. These libraries typically include pre-coded objects such as data base interfaces, shopping carts, and catalogs.	Good. Application security dependant on the the quality of code written by developers and on the configurations done by the web master/administrator.
CGI Bin	Server side execution	Excellent Supported natively in all major web servers (and most minor ones) on all major platforms.	CGI Programming can be done using a wide variety of languages, which helps give it one of the lowest learning curves of the different dynamic content methods. Developers can typically use any language that they are familiar with, though some are better suited to CGI than others. Because of it's popularity and wide support, expertise, example code, and freely available code libraries are widely available.	Very poor to Good. Security is dependant on the quality of code written by developers and on the configurations done by the web master/administrator. If standard security practices are followed, security can be very good, but if they are not followed, security can be very poor.

Next

Previous

Overview