1 CGICGI Common Gateway Interface Server-side Programming Lecture

Rich Internet Applications An RIA is a web application that provides the client with the features and functionality of desktop applications Requires transferring the processing from the server to the client Javascript is one enabling technology for a RIA

RIAs in the Internet client-server model Client (browser) Web server Client does all the processing (eg play videos as they come in) Data (eg multimedia) stay on the server HTTP request for resource Server sends code but keeps data

Some technologies that support RIA development Javascript (and associated ECMA dialects) Adobe Flash  Flash player and IDE Java Applets and Java Webstart (see later) AJAX  Asynchronous JavaScript and XML

Server-Side Programming Lots of programs/applications designed to run on the machines on which they are installed How can a remote client request access to these?

CGI programming CGI => Common Gateway Interface  A protocol for interfacing local applications with a web server Sequence of steps  Client sends URL request  Program runs at the server side  Output is collected and sent back to the client  Often the output is an HTML “built” by the server

CGI using HTML and C language Why do we need CGI?  To read the information on the forms (HTML)  To build a customised HTML response to users To understand the concept lets use C at first... CGI is completely independent of the language and OS CGI is implemented in (almost) all webservers

CGI programs can be written in any language supported by the server. This includes compiled programming languages, such as C and C++; interpreted languages, such as Perl, Python, Ruby, and languages, such as Java, that lie somewhere in between.

Hello World! #include using namespace std; int main(void) { cout << "Content-Type: text/html;charset=us-ascii\n\n"; /** Print the HTML response page to STDOUT. **/ cout \n"; cout CGI Output \n"; cout \n" ; cout Hello, world. \n"; cout << "this is my first CGI" << "\n"; cout \n"; return 0; } Compile, then place the executable inside cgi-bin directory of xitami Test using a browser, URL:

How to submit data using forms GET GET   Web server has a special directory called cgi-bin  Two variables: var1=1 var2=4 Special characters are encoded  ~ %7E  ~ would be encoded as %7E (% followed by ASCII code)

GET So variables from the forms go on URL The environment variable is:  $QUERY_STRING Most browsers limit the size of URLs (256 chars, some more, e.g., IE is 2083 chars) POST When you have too much data, use POST instead...

HTML Multiply example – the HTML file get <form method=" get " action=" Number 1: Number 2:

Multiply example Action=" multiply is an executable under:/var/www/cgi-bin/ with x permissions for all! Variables in URL:  After submission, URL becomes: 

Example SERVER-SIDE: Response CLIENT-SIDE

Multiply example – the C file #include #include //for Windows operating system – Sleep() int main(void) { char *data; long m,n; printf("%s%c%c\n","Content-Type:text/html;charset=iso ",13,10); printf(" Multiplication results \n"); data = getenv("QUERY_STRING");//here it is your data!!! if(data == NULL) printf(" Error!"); else if(sscanf(data,"m=%ld&n=%ld",&m,&n)!=2)//check for 2 inputs printf(" Error! Invalid data."); else printf(" %ld * %ld = %ld.",m,n,m*n); //Sleep(1000); // uncomment that to see who runs the process... return 0; } //from (July2010)

sscanf() Recall the sscanf() function in C On success, the function returns the number of items successfully read. This count can match the expected number of readings or fewer, even zero, if a matching failure happens. In the case of an input failure before any data could be successfully read, EOF is returned. int sscanf ( const char * str, const char * format,...); Read formatted data from string

char * getenv ( const char * name ); Get environment string Retrieves a C string containing the value of the environment variable whose name is specified as argument. If the requested variable is not part of the environment list, the function returns a NULL pointer. The string pointed by the pointer returned by this function shall not be modified by the program. The same memory location may be used in subsequent calls to getenv, overwriting the previous content. getenv() getenv() function in C

char * fgets ( char * str, int num, FILE * stream ); Get string from stream Reads characters from stream and stores them as a C string into str until (num-1) characters have been read or either a newline or a the End-of-File is reached, whichever comes first. A newline character makes fgets stop reading, but it is considered a valid character and therefore it is included in the string copied to str. A null character is automatically appended in str after the characters read to signal the end of the C string. fgets() fgets() function in C

POST (GET was originally used only to get data from server) data is passed via standard input stream (stdin) the length (in bytes) of the data passed via $CONTENT_LENGTH. If the program reads more than the length, ...unpredictable behaviour may happen!

Multiply example – the HTML file post <form method=" post " action=" Number 1: Number 2:

Multiply with POST – C file...#define MAXLEN 80 int main(void) { char *lenstr; char input[MAXLEN]; long m,n, len; printf("%s%c%c\n","Content-Type:text/html;charset=iso ",13,10); lenstr = getenv("CONTENT_LENGTH"); if(lenstr == NULL || sscanf(lenstr,"%ld",&len)!=1 || len > MAXLEN) printf(" There was an error in the content sent to Apache."); else { fgets(input, len+1, stdin); printf(" Form received by Apache. "); printf("The form contains %ld bytes. ",len); printf(" Apache received this: %s ",input); if(sscanf(input,"m=%ld&n=%ld",&m,&n)!=2) printf(" An error occurred, both variables must be numeric."); else printf(" %ld * %ld = %ld. ",m,n,m*n); } return 0; } //adapted from (July2010)

Self-generating form in C #include int main(void) { char *data; long m,n; printf("%s%c%c\n","Content-Type:text/html;charset=iso ",13,10); printf(" Multiplicand 1: Multiplicand 2: "); printf(" Multiplication results "); data = getenv("QUERY_STRING"); if(data == NULL) printf(" Error! Error in passing data from form to script."); else if(sscanf(data,"m=%ld&n=%ld",&m,&n)!=2) printf(" Error! Invalid data. Data must be numeric."); else printf(" The product of %ld and %ld is %ld.",m,n,m*n); return 0; }

Self-generating form in C #include int main(void) { char *data; long m,n; static int flag=0; printf("%s%c%c\n","Content-Type:text/html;charset=utf-8",13,10); getmultiply2_utf8 printf(" Multiplicand 1: Multiplicand 2: "); printf(" Multiplication results "); getenv data = getenv("QUERY_STRING"); if(data == NULL) { if( !flag ){ printf(" nothing to compute yet."); } else { printf(" Error! Error in passing data from form to script."); } sscanf } else if(sscanf(data,"m=%ld&n=%ld",&m,&n)!=2) { printf(" Error! Invalid data. Data must be numeric."); } else { printf(" The product of %ld and %ld is %ld.",m,n,m*n); flag = 1; } return 0; }

Handling Special Characters decode void decode(char *src, char *last, char *dest){ for(; src != last; src++, dest++) if(*src == '+') *dest = ' '; else if(*src == '%') { int code; if(sscanf(src+1, "%2x", &code) != 1) code = '?'; *dest = code; src +=2; } else *dest = *src; *dest = '\n'; *++dest = '\0'; }

Problems with CGI Each a time request is made, a new process is spawned on the server This can quickly overwhelm sites that get a large number of hits One solution is to install libraries directly callable by the web server mod_perl mod_python

CGI can be inefficient... The executable is loaded in the server's memory every time it is called Multiple copies API would be more efficient...  Bad idea to do that using C/C++  Unstable environment (crash the entire server) Apache offers modules with Perl and Python APIs Scripting languages such as ASP and PHP

Security problems with CGI Program is running in your server... Suppose you want the user to run:  system "whois $username" ; But what if the user actually sends:  "john; rm -rf "  system "whois john; rm -rf " ; The administrator: “Oh dear!Where are all my files?” In Linux For Windows,

Extra Windows

Sample Result

Server-side programming Better to use a language specially designed for server-side programming See PHP programming next...

References