

SERVER-SIDE SCRIPTING

USNA SI110

LT BRIAN KIEHL, LEAHY 103 | 410.293.0938

KIEHL@USNA.EDU


Server-side Scripts

Previous lessons have focused on client-side scripts
    Programs embedded in the page’s HTML code

Can also execute scripts on the server: server-side scripts
    Programs that the web server runs in response to something done by a web client (browser)

Common server-side languages and extensions
    Perl Common Gateway Interface (CGI) – .pl, .cgi
    PHP – .php
    Active Server Pages (ASP) – .asp
    ASP.NET – .aspx
    JavaServer Pages (JSP) – .jsp
    ColdFusion – .cfm


Client-side Execution

Client requests a page containing JavaScript code
    GET ex0.html HTTP/1.1

Server returns an HTML file containing embedded JavaScript

    <html><body>
    <script type="text/javascript">
    var iter = 0;
    while (iter < 1000) {
        document.write("G O N A V Y ! ");
        iter = iter + 1;
    }
    </script>
    </body></html>

Client renders the page
    Includes executing the embedded JavaScript


Server-side Execution

Client requests a page containing JavaScript code
    GET ex0.jsx? HTTP/1.1

Server executes the JavaScript code and generates the HTML content

Client receives HTML and renders it


Sending Data with Forms

Two mechanisms for sending arguments to server-side scripts: GET and POST

GET provides inputs to the server as part of the URL
    Simpler

POST provides inputs to the server “behind the scenes”


Using the GET Method

Example URL: http://.../f2c.jsx?fahrenheit=78

URL for script ends with “?”
    Designates the start of the querystring

Querystring consists of name=value pairs
    name=value pairs are parameters the server-side script will use as inputs
    Multiple name=value pairs separated by “&”
        arg1=value1&arg2=value2

Specify the action and method attributes in the form element
    action specifies the script to use
    method specifies either GET or POST
        <form name="myForm" action="http://.../f2c.jsx" method="get">


Input Validation & Sanitization

Server-side scripts execute on the remote server
    Uses server resources
    Can cause problems for a server administrator
        Performance
        Security

Validation and sanitization help ensure valid input is supplied to a program

Validation: checks if the input meets a set of criteria

Sanitization: modifies the input to ensure that it is valid


Validation Checks

Testing for the
    Length
    Format
    Range
    Allowable characters

Example: program expects positive integer input
    Validate that any string input consists only of the digits 0 through 9


Input Sanitization

Attempt to parse a valid value from the provided input

Strip the invalid content from the input

Re-format the input

Escape characters so they cannot be interpreted as code

Use a default value


Validation & Sanitization Example

Assume a script that writes “GO NAVY!” a user-specified number of times
    gonavy.jsx?n=800

What if the user wants to print “GO NAVY” 100,000,000 times?
What if multiple users want to do so?


Validation & Sanitization Example (cont.)

For performance reasons, we may want to limit users to N=5000

Validate the user input
    A number
        If not a number, set to a default value of 100
    Less than 0
        If < 0, set value to 0
    Greater than (or equal to) 5000
        If > 5000, set value to 5000
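As an added example (not from the SI110 slides), the querystring parsing from the GET slide and the validation and sanitization rules from the last two slides, applied to the n parameter of gonavy.jsx in server-side JavaScript; parseQueryString, safeDecode, isIntegerString, sanitizeCount, escapeHtml and gonavy are hypothetical helpers written for this example, not course code.

```javascript
// Added example, not from the SI110 slides: sanitizing gonavy.jsx?n=...
// per the slide's rules (not a number -> 100; n < 0 -> 0; n > 5000 -> 5000).
// parseQueryString, safeDecode, escapeHtml and gonavy are hypothetical helpers.
const DEFAULT_N = 100;
const MAX_N = 5000;

// Percent-decode one querystring piece; malformed input like "%E0" is returned as-is.
function safeDecode(s) {
  try { return decodeURIComponent(s.replace(/\+/g, " ")); } catch (e) { return s; }
}

// Split the part of the URL after "?" into name=value pairs separated by "&".
function parseQueryString(url) {
  const params = {};
  const q = url.indexOf("?");
  if (q === -1) return params;
  for (const pair of url.slice(q + 1).split("&")) {
    if (pair === "") continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? "" : pair.slice(eq + 1);
    params[safeDecode(name)] = safeDecode(value);
  }
  return params;
}
// Validation check: digits 0-9 only (a leading "-" is allowed so the "< 0" rule applies).
function isIntegerString(s) {
  return /^-?[0-9]+$/.test(s);
}
// Sanitization: parse a valid value, otherwise fall back to the default or the limits.
function sanitizeCount(raw) {
  if (typeof raw !== "string" || !isIntegerString(raw)) return DEFAULT_N;
  const n = parseInt(raw, 10);
  if (n < 0) return 0;
  if (n > MAX_N) return MAX_N;
  return n;
}
// Escape characters so they cannot be interpreted as HTML when echoed back.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
// Server-side handler: generate the HTML the client will receive.
function gonavy(url) {
  const raw = parseQueryString(url).n;
  const n = sanitizeCount(raw);
  return "<html><body><p>Requested n=" + escapeHtml(raw === undefined ? "" : raw) +
    ", printing " + n + " times</p>" + "GO NAVY! ".repeat(n) + "</body></html>";
}
```

A request such as gonavy.jsx?n=100000000 is clamped to 5000 before any HTML is generated, and the raw value is escaped before being echoed into the page.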
