|Dynamic Content Methods Compared|
There are many ways to create dynamic content for a web server, and CGI programming is just one of them. Each of these methods has its own advantages and disadvantages. A developer needs to choose the method that best suits their needs and skills.
Dynamic content methods can be divided into two main categories: server side programming and client side programming (though a given web site may use a mix of these methods, even on a single page). With server side programming, the programs that generate the content execute on the web server itself. With client side programming, the programs are downloaded to the web browser and execute on the client computer.
|Summary of Common Dynamic Content Methods|
|Method||Client or Server Side||Portability||Highlights:||Security|
|Java Applets||Client side execution||Good. Supported in Netscape and IE.
Standards still evolving, but well accepted.
|Java Applets are Java code written using the "applet" class library. Java applets can use Java class libraries that allow for complex user interfaces and good code reuse.
Commonly used by software vendors to create portable user interfaces for networking equipment, or to control server based software (for example: Veritas, EMC, Netscape iPlanet, etc.).
Learning curve can be high. Used more often for complex interfaces and programs than for short programs.
|The "applet" class library enhances security by running applications in a "sandbox", isolating them from direct access to the client system's resources.
Security is good in theory, but bugs in different Java VM implementations have led to exploits.
|JavaScript||Client side execution||Fair.
Supported in modern versions of both Netscape and IE.
Seems to be more subject to browser specific problems than Java.
|JavaScript, in spite of its name, has very little relationship with Java. Their syntaxes are similar, and both are object oriented. The biggest thing they have in common is the word Java in
Commonly used in conjunction with server side processing to improve user interfaces or to add some zest to otherwise static content.
|Security is good in theory, since JavaScript is prevented from accessing local client resources, but bugs in different browsers have led to exploits.|
|ActiveX||Client side execution.||Poor.
Natively supported only in IE, though plug-ins for some versions of Netscape running on some platforms (but not for Unix) are available.
|ActiveX was Microsoft's original answer to Java and
ActiveX can be used to replicate MS-Windows interfaces. ActiveX can also have full access to local client resources. This allows for powerful web based applications, but can be a major security problem.
|ActiveX security is poor from both a theoretical and de facto point of view.
ActiveX's ability to access local resources can be limited, but the same behavior that makes users click on executable email attachments makes them likely to click "OK" when encountering unknown ActiveX applications.
The nature of ActiveX has also allowed for more security related bugs, even when using supposedly safe ActiveX features.
ActiveX code has played an "active" part in many security exploits and email viruses.
|ASP||Server side execution.||Poor. Natively supported only in the MS IIS web server. A plug-in from ChilliSoft allows for ASP execution on other web server platforms.||ASP is a powerful server side technology well supported by Microsoft. The technology can have a steep learning curve, which makes it more commonly used for large scale or complex applications. However, its integration with other Microsoft products and APIs makes for an easier transition for many experienced Windows developers.
ASP applications can be written in Visual C++ or Visual Basic.
|Creates no greater risk to the client side of the connection than standard HTML.
Server side security is dependent on the quality of code written by the developers and on the configurations done by the web master/administrator.
Flaws in default IIS configurations and in ASP utilities have resulted in server security breaches.
|Lotus Notes/Domino||Server side execution||Fair. Notes/Domino web applications can only run on Domino web servers. However, Domino is available on a wide variety of platforms, including NT, Unix, and OS/400.||Lotus/IBM have expanded the capabilities of Notes/Domino over the years. It was originally a conventional 2 tier client server technology. The client software is Lotus Notes, and the server side back end software is called Domino.
Domino is now a web enabled server, and server side programs can be written that work within either a Notes client or web browser client.
Its integration with Domino can make for rapid software development and powerful group collaboration tools.
|Good. Security is dependent on the quality of code written by developers and on the configurations done by the web
|PHP||Server side execution||Good.
Supported as a plug-in for all major (and most minor) web servers.
|PHP most commonly competes with CGI in developer mind share. Both are open standards, supported on a variety of platforms.
Some server side execution methods take the approach of embedding HTML inside of programs. PHP, however, takes the approach of embedding PHP code into HTML.
This approach can make it easier to use PHP for adding dynamic content to mostly static pages, but PHP is also suited for more complex applications.
One strong point of PHP is its ability to easily interact with back end databases. It can also have high performance.
|Security is dependent on the quality of code written by developers and on the configurations done by the web master/administrator.
|Java Servlets||Server side execution||Good.
Supported in a variety of web servers, and supported with several application server frameworks.
These include IBM's WebSphere, BEA WebLogic, and Netscape/iPlanet application server.
|Java coding for Servlets is just a different flavor of Java coding than coding for Java Applets. Java Servlets are not instances of the applet class, so they are not limited by the sandbox/security features of an applet.
They have full access to the resources of the server, as any other server side process does.
Java application server frameworks provide libraries of code that allow for easier development using standard interfaces. These libraries typically include pre-coded objects such as database interfaces, shopping carts, and catalogs.
|Application security is dependent on the quality of code written by developers and on the configurations done by the web master/administrator.
|CGI Bin||Server side execution||Excellent.
Supported natively in all major web servers (and most minor ones) on all major platforms.
|CGI programming can be done using a wide variety of languages, which helps give it one of the lowest learning curves of the different dynamic content methods. Developers can typically use any language that they are familiar with, though some are better suited to CGI than others.
Because of its popularity and wide support, expertise, example code, and free code libraries are widely available.
|Very poor to Good.
Security is dependent on the quality of code written by developers and on the configurations done by the web master/administrator.
If standard security practices are followed, security can be very good, but if they are not followed, security can be very poor.
Copyright 2001 - Andy Welter