Week 1 T&L Activities:

Aim and purpose

To enable learners to understand and use web server scripting and to investigate the common issues surrounding its use.

Unit introduction

When designing and building websites, a key issue for developers is the amount of control they can exert over how tasks are carried out. Client-side scripting embedded in web pages can give additional functionality but, because the code is executed after the page has been loaded, there is little control and this approach can lead to hacking vulnerabilities and errors.

Web server scripting is code written ‘server-side’ and executed before the page is loaded. This means that complex tasks can be created and programming is generally more secure. The skills and knowledge developed in this unit are particularly valuable because security and reliability are common issues for businesses.

The types of operation that can be influenced include handling files on the server, security systems such as password protection, and accessing databases. Server scripting can be used for example to gather statistics about the website, including how many visitors have viewed each page. Data such as this can be used to generate revenue from people wishing to advertise on a popular website.

Another function that web server scripting can relate to is the use of environmental arguments. The user’s computer system is scanned to obtain their screen resolution, browser type and other information. Each web page in a website can be made several times to suit a variety of environments. The user is then automatically redirected to the page which best suits their environment. This facility can enhance user enjoyment but has ethical implications if used inappropriately.

Learners will understand the principles of server-side web scripting and be able to create functionality using a web server script. Learners should also understand the security and ethical issues surrounding this area of IT.

Learning outcomes

On completion of this unit a learner should:

1 Understand the principles of web server scripting

2 Be able to use web server scripting

3 Understand the issues affecting web server scripting.

Web server scripting languages:

server-side versus client-side;

What is server-side, and what is client side? 

Server-side scripting is a method where a website's server processes or responds to user requests. An example of such a process is the login of your favourite social media site: you enter your details into a form within a webpage, which is then sent to the server so that it can verify that your credentials are correct. Server-side scripts provide an interface to users and are used to limit access to the code and to potential database connections.

Client-side scripting is a method where the processing of scripts is done on the computer of the user who is accessing the website. For example, you are about to purchase an item on Amazon and are required to log in to your account. The form you are presented with requests your email address as part of the login, and you mistakenly miss out the @ sign from your email. Scripts that were loaded as part of the webpage on the user's computer run a check to see if all the required symbols are present; if not, a little message is displayed on the screen. No processing has happened on the server at this point; this is purely client-side. When the user clicks submit, the script could stop the details being sent until the issue is resolved; once it is, the details would be sent to the server.

 

Why should we do it on the client side?

The purpose of using client-side scripts, in this instance, is to remove the potential load on the server's resources (RAM, CPU) from processing simple operations and then responding to the users; this can also eat into the bandwidth allocation that the server has with an ISP.

web server scripting languages

ASP: - Active Server Pages. Classic ASP was introduced in 1998 as Microsoft's first server-side scripting language; pages have the file extension .asp and are normally written in VBScript. In 2002 a successor to Classic ASP was released, named ASP.NET; its pages have the extension .aspx and are normally written in C# (C sharp).

For further examples to play with, refer to W3Schools, ASP W3Schools

JSP,

PHP: - a recursive acronym for PHP: Hypertext Preprocessor. It is a widely used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

PHP was written in the C programming language by Rasmus Lerdorf in 1994 for use in monitoring his online resume and related personal information. For this reason, PHP originally stood for "Personal Home Page". Lerdorf combined PHP with his own Form Interpreter, releasing the combination publicly as PHP/FI (generally referred to as PHP 2.0) on June 8, 1995. Two programmers, Zeev Suraski and Andi Gutmans, rebuilt PHP's core, releasing the updated result as PHP/FI 2 in 1997. The acronym was formally changed to PHP: HyperText Preprocessor, at this time. Source: http://www.nusphere.com/php/php_history.htm

Cold Fusion,

Perl: - a general-purpose programming language originally developed for text manipulation and now used for a wide range of tasks including system administration, web development, network programming and  GUI development, it was released to usenet's alt.comp.sources in 1987. Perl is licensed under its Artistic License, or the GNU General Public License (GPL).

# Prints the message using two different delimiters.
print "Hello, world!\n";
print qq=Did you say "Hello?"\n=;

 

Ruby on Rails: - a server-side web application framework written in Ruby under the MIT License. Rails is a model–view–controller (MVC) framework, providing default structures for a database, a web service, and web pages. It encourages and facilitates the use of web standards such as JSON or XML for data transfer, and HTML, CSS and JavaScript for display and user interfacing. David Heinemeier Hansson extracted Ruby on Rails from his work on the project management tool Basecamp at the web application company also called Basecamp. He first released Rails as open source in July 2004.

$ echo "hello, world"
hello, world

 

Django: - a free and open source web application framework, written in Python. A web framework is a set of components that help users to develop websites faster and more easily. It was created in the fall of 2003, when the web programmers at the Lawrence Journal-World newspaper, Adrian Holovaty and Simon Willison, began using Python to build applications. It was released publicly under a BSD license (a family of permissive free software licenses, imposing minimal restrictions on the use and redistribution of covered software) in July 2005. The framework was named after guitarist Django Reinhardt.

Create an information booklet on the different types of server-side scripting platforms that are available. In this booklet you should look to include examples where possible. Within your booklet, add a section that discusses the strengths of using one over the other, in terms of usability and function.

Functionality:

functions

shopping cart,

reserve order,

manage user profile,

web content management,

upload files,

website analysis

 

Coding Time

Create a simple, or use a template webpage and include the below statement in the body area of the code. Note you are also able to just add the below code on its own without the HTML elements.

REMEMBER - as we are dealing with PHP files here we MUST save these as .php files

<?php
// Everything between the quotes is sent to the browser, HTML tags included
echo 'Welcome to my website
<br/>
<strong>This is my first PHP page.</strong>';
?>

Things to note here are the new tags that you will not have covered in the prior units. These are the

<?php 

and 

?>

These will contain our server-side scripts.

 

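Let's look now at the use of variables

<?php
// Store the values in variables
$name = "James";
$surname = "Farrington";

// Double quotes are needed so that PHP replaces $name and $surname with their values
echo "Welcome to my website my name is $name $surname i hope you like my site";
?>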

The code above allows us to use and create variables that we then call in our echo statement that we display to the user on the webpage

 

Remember that, as with the JavaScript rules around naming conventions, you cannot use a number to start a variable name, so $1name would not be allowed.

 

 


Files that support this week

English:

Assessment:

Traffic Lights - Learners use green, amber and red traffic lights to indicate levels of understanding and to attract support from peers and the teacher.



Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.
Learning Outcomes:

P1 explain the principles of web server scripting

M1 compare server-side and client-side scripting

D1 evaluate the combined use of client and web server scripting


Awarding Organisation Criteria:

1 Understand the principles of web server scripting


Maths:
Stretch and Challenge:
E&D / BV
Homework / Extension:
ILT
Week 2 T&L Activities:

Features:

To understand the advantages of web server scripts we must understand how this was done previously. Server-side processing used to be undertaken by executable programs that had been created in languages like C and Perl. These programs would be run, returning their results using a protocol created by NCSA (National Center for Supercomputing Applications) called CGI (Common Gateway Interface), which was located between the web browser and the executables. These CGI programs had a number of disadvantages that caused issues, such as platform dependency problems, crashing due to poorly written code, and a number of separate processes being required.

However, newer scripting services have now resolved a number of these issues and have enabled a large amount of functionality to be provided to users. 

Advantages eg interpreted scripts as alternative to compiled code, run as lower overhead code inside web server plugins, hide web server interface inside economical APIs;

  • Scripts are interpreted, so they are processed line by line into machine code, which in turn reduces the processing overhead.
  • A web developer creating scripts does not need to know or understand the web server interface; most of it is now hidden in small APIs (Application Programming Interfaces).
  • Scripts can be run directly from the web server without the operating system being required to call a program to execute the operation.
  • Content can be live and can access data from databases.

Disadvantages eg increased complexity, reduced performance, code is interpreted not compiled

As with most positives, there are inevitably negatives:

  • Tools for debugging are limited to non-existent.
  • Server scripts can be harder to create and develop.
  • To test any scripts, all files are required to be uploaded to the server for testing as on a local area the files will not provide the expected output.

Accessibility: 

Accessibility is an area that must always be taken into serious consideration. In web development, users of our web pages may have disabilities that could affect how they access the information on our sites. As developers, there are a number of quick wins that will enable users to have access to all information and resources. One is the use of alt text (alternative text), which enables users with assistive technology to have the information contained within images read to them.

Resizeable text gives users the opportunity to scale text sizes up so that they are able to read them.

Screen readers are tools that are used by blind and visually impaired users. These tools read the webpage to the users, allowing them to have access to all the information on the website.

Adjustable fonts allow users who may have learning difficulties to swap a font for an alternative that is easier to read.

The 4 principal areas of web server scripting are:
Web server Scripting Languages,
Functionality,
Features,
Accessibility,


Coding Time:

The importance of understanding your code is vital to its and your success. Therefore making comments on the code that you have created is pivotal. 

Comments provide the opportunity to remind yourself what an area of code does or belongs to, or just to separate chunks of code into segments.

The process of adding a comment is quite simple; we use the following tags

// This will provide a single line comment

/* This will provide a
multiple line
comment */

Let's begin to look at the coding.

Outputting

When we create a PHP page we can simply add the code to a document that is saved with a .php file extension. The example below is how we get the text in a document to display. This is different to how we have previously created web pages using simple HTML. The key words to look at here are the echo and the details inside the speech marks.

Variables.

Variables are able to store information that is either set by the developer or as a response to an event on the page. Inside of this example you can see that our variables have a special symbol at the beginning, the $ this declares that this is a variable and its name. WARNING: you CANNOT have a number or a symbol as the first character after the $ sign. GOOD PRACTICE: use lower case names.

Operators and Variables

Now we will look at the use of operators to create an output that is based on a result of an action or calculation.

 

Code time

PHP insert into a database

index.html

The insert page 


Files that support this week

English:

Assessment:

One-Minute Verbal Assessment - The teacher asks learners to prepare and deliver a one minute verbal summary of a forthcoming or completed activity, session or topic.



Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.
Week 3 T&L Activities:

Programming:

functionality 

Web server scripts have the ability to provide a number of functions to developers and users of a website, these include;

  • file manipulation such as uploading,
  • security features such as login systems and error logging,
  • accessing databases,
  • generating statistics,
  • environmental arguments

File manipulation - users of a dynamic website can have the ability to make changes to files and to upload files from within a webpage. A good example of this in operation would be the use of Moodle where you upload your assignments. This ability means that users can store files within servers. 

Security features - The use of web server scripts and files enables users to be able to login to set pages on a web server based on the details that they enter into a webpage. An example of this could be a social media login. Most of these will refer to a database to ensure that the usernames and passwords correspond and are correct.

Generating Statistics - Dynamic web server pages are able to store details and update details to enable the recording of statistics such as users logging on to a system and for how long.


Coding Time

If statements

If and Else

Comparisons

 


Database delete record example

The following is an example of the delete file that is used to remove the record from the database


Files that support this week

English:

Assessment:

Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.



Awarding Organisation Criteria:

2 Be able to use web server scripting


Week 4 T&L Activities:

Documentation:

requirements specification;

internally documented code

Testing and debugging:

test plan structure eg test, date, expected result, actual result, corrective action;

error messages;

PHP error messages can vary:

  • Notice - This is normally a simple message that reminds users of an oversight; this could be the simple use of a variable that has not been declared.
  • Strict notice - This is advice from the interpreter that could refer to "deprecated" code; this is code that is not supported as it could be out of date.
  • Warning - An error in the code somewhere that could be happening; however, it is not enough for the interpreter to stop running the PHP scripts.
  • Parse error - This refers to a syntax error or issue that has stopped the interpreter from running the code and outputting the results; this could be a missing semicolon.
  • Fatal error - This is a major problem with the code, forcing it to stop running.

 

 

other eg specialist software debugging tools

 


Coding Time

Logic

Arrays

How to obtain the screen resolution.

 


Files that support this week

 

English:

Assessment:

Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.



Week 5 T&L Activities:

Security 

The specific problems that we will discuss are:

  • coding vulnerabilities,
  • bad scripting leaving backdoors,
  • SSL,
  • password liabilities

Coding vulnerabilities

These issues occur when developers have created scripts and code that can be changed or edited to enable operations that were never intended to be run. An example is where strings of data have not been sanitised to remove any invalid characters that could make an operation fail, display sensitive data or even grant access to restricted areas.
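
The difference between building a query from an unsanitised string and binding the value as data, shown as an added example that is not part of the original course material. It assumes PHP with the PDO SQLite driver; the table rows, the sample inputs and the function names find_user_unsafe and find_user_safe are constructed for illustration.

```php
<?php
// Added example: constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY, username VARCHAR(60), password VARCHAR(60))');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'hash-a'), ('bob', 'hash-b')");

// VULNERABLE: the user's string becomes part of the SQL text, so a quote
// character in the input changes the meaning of the query.
function find_user_unsafe(PDO $db, string $username): array
{
    $sql = "SELECT ID, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the SQL text is fixed and the value is bound as data only.
function find_user_safe(PDO $db, string $username): array
{
    // Defence in depth: reject anything that is not a plausible username.
    // The bound parameter below already stops the input altering the query.
    if (!preg_match('/^[A-Za-z0-9_.-]{1,60}$/', $username)) {
        return [];
    }
    $stmt = $db->prepare('SELECT ID, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one ordinary name and one string containing quotes.
$inputs = ['alice', "nobody' OR '1'='1"];
foreach ($inputs as $input) {
    printf("input %-22s unsafe rows: %d  safe rows: %d\n",
        json_encode($input),
        count(find_user_unsafe($db, $input)),
        count(find_user_safe($db, $input)));
}

// Anything echoed back into a page must also be escaped for HTML.
echo htmlspecialchars('<b>' . $inputs[1] . '</b>', ENT_QUOTES, 'UTF-8'), "\n";
```

Compare the row counts for the second input: the unsafe function returns rows that belong to other users, the safe one returns none.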

Bad scripting leaving backdoors

When creating PHP pages, developers use error reporting so that PHP error messages point them to potential problem areas, allowing them to update, change and edit the scripts until they work. However, these messages can reveal folder and file locations that can provide backdoors into a system.
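
One way to keep PHP error details (which include file paths and line numbers) out of the pages visitors see while still recording them for the developer, as an added example that is not part of the original course material. The $isLive switch, the log file location and the handle_uncaught function name are assumptions.

```php
<?php
// Added example: show nothing to visitors, log everything for the developer.
$isLive = true; // assumption: taken from your own deployment settings

error_reporting(E_ALL);                           // detect every problem
ini_set('display_errors', $isLive ? '0' : '1');   // but never print it on a live site
ini_set('log_errors', '1');                       // write it to a server-side log
ini_set('error_log', sys_get_temp_dir() . '/php-app-errors.log'); // constructed path

// Convert notices and warnings into exceptions so one handler sees them all.
set_error_handler(function (int $level, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $level)) {
        return false; // this level is switched off; let PHP handle it
    }
    throw new ErrorException($message, 0, $level, $file, $line);
});

// Last line of defence: full details go to the log, the visitor gets a
// generic message plus a reference that support staff can look up.
function handle_uncaught(Throwable $e): void
{
    $reference = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $reference, get_class($e),
        $e->getMessage(), $e->getFile(), $e->getLine()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Sorry, something went wrong (reference $reference).\n";
}
set_exception_handler('handle_uncaught');

// Constructed fault: opening a missing file raises a warning whose text
// contains the full path. With the settings above it reaches only the log.
$lines = file(__DIR__ . '/missing-config-file.txt');
echo "This line is not reached.\n";
```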

SSL

SSL, commonly known as Secure Sockets Layer, is a secure link between a server and a client machine. This connection uses encryption to ensure that the information that is sent by the server is protected (to a certain degree) from malicious attack, alteration or interception. Websites that use SSL will have URLs that show a padlock and the https:// protocol in action. The image below demonstrates this in process.

 

Password liabilities

Access to login pages on a PHP-driven website or the database backend will have password and username entries. The use and creation of these systems come with an automatic issue: what is hidden becomes a target to those who want to know what's behind the door. It is therefore highly important to ensure that appropriate password measures are in place. The most common issues and liabilities within any system are simple text-only passwords. These can be broken quickly by high-powered computers.


Coding Time

Loop

For loop

Get

 

 

 

 

 

 

 

 

 



Files that support this week

 

English:

Function
the role language plays to express ideas or attitudes



Assessment:

Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.



Awarding Organisation Criteria:

3 Understand the issues affecting web server scripting


Maths:

Using Numbers: Counting, Place value, adding and subtracting, multiplying and dividing.

 


Week 6 T&L Activities:

Ethical Issues

Cookies - These are small files that are stored on client PCs once they visit a website that has some dynamic content within it (for the most part). These files are highly useful to the developers of the website as they can store information on the user's computer relating to their visit. This can be illustrated by discussing the shopping cart of an e-commerce website. These sites allow users to place goods inside a virtual basket, and these details are recorded inside a cookie, so if the user navigates off to another website and then returns, all the elements are still inside the basket, all thanks to the cookie.

However, there is an issue here as these files can send information back to the server about lots of different things. An EU directive called the COOKIE LAW has guided all web developers whose sites store cookies to tell users that cookies are used on the site, and to let the user make the choice to stay and accept the cookie or to navigate away.

 

Scanning PCs without consent,

 

Faking statistics to obtain advertising deals based on visitor numbers.

Websites are able to generate advertising revenue, and the number of views a webpage receives can give false indications of the popularity of a site. Users can use small amounts of code to run scripts multiple times to give false data. Companies can employ tactics such as using proxy servers to hide IP addresses so that they can generate multiple hits to a site to generate further revenue.


Coding Time

Post

Functions

Time

explode


Files that support this week

 

English:

Assessment:

Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.



Week 7 T&L Activities:

 

Simple Login


Coding time

In this week we will look at the process of creating a simple PHP login system. Please remember that this is a simple example and if used outside of a classroom setting (live) you may need to make changes to ensure that the database connections are safe and that your coding is rigorous to reduce hacking and unwanted access to your data.


Login.php 

This part of our login page enables the page to check if an active cookie is available, this would then indicate that the user has already logged in to the website area, if a cookie is not present, or the cookie has timed out (a time to live is set in the cookie, so that after a period of time the cookie will expire and require the user to re-login) then the user will be directed to the login.php page.

The following section of code reviews the information that has been sent by the user once they have clicked on the submit button with the values of their username and password. The first if statements perform a check to see if any values have been entered into the form (this could be done with JavaScript on the client side to save processing).

The script will then connect to the database and run the query using the values in username and password against the selected database table.

 

The section of code above is the creation of the form using HTML. The form action is telling the page that when the user clicks submit to send the information to itself, or, to the top part of the page where the PHP is looking for the information


Logout.php

The logout script will look for the created cookie that will have been made when the user successfully logs in, and change its values so that it is destroyed/no longer valid. Once this has happened the user is then redirected to the login page.


members.php


Mysql (Database creation sql script)

CREATE TABLE users (ID MEDIUMINT NOT NULL AUTO_INCREMENT PRIMARY KEY, username VARCHAR(60), password VARCHAR(60));

The above tells the MySQL database to create a table called "users" within the database. The fields created are a primary key of ID, a username field that is limited to 60 characters and a password field that is limited to 60 characters.
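
The check described for Login.php, combined with the "Password liabilities" point from Week 5, as an added example that is not the course's own login code: passwords are stored as salted hashes and compared with password_verify, and the query uses bound parameters. It assumes PHP with the PDO SQLite driver (an in-memory SQLite database stands in for MySQL); the function names register_user, check_login and start_member_session, the sample account and the use of a PHP session in place of a hand-made cookie are assumptions.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Same columns as the users table above, in SQLite's spelling.
$db->exec('CREATE TABLE users (ID INTEGER PRIMARY KEY AUTOINCREMENT,
           username VARCHAR(60), password VARCHAR(60))');

function register_user(PDO $db, string $username, string $password): void
{
    // Store a salted one-way hash, never the password itself. A bcrypt
    // hash is exactly 60 characters, so it fits the VARCHAR(60) column.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function check_login(PDO $db, string $username, string $password): bool
{
    // The "was anything entered?" check must also happen on the server,
    // because client-side JavaScript checks can be skipped.
    if ($username === '' || $password === '') {
        return false;
    }
    // Bound parameters keep the submitted values out of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    // password_verify re-hashes the attempt with the stored salt and compares.
    return is_string($hash) && password_verify($password, $hash);
}

function start_member_session(string $username): void
{
    // Swapped in for the hand-made login cookie: a server-side session whose
    // cookie is hidden from scripts and only sent over https.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true); // fresh session ID at the moment of login
    $_SESSION['username'] = $username;
}

// Constructed demonstration data.
register_user($db, 'james', 'correct horse battery staple');
$stored = $db->query('SELECT password FROM users')->fetchColumn();
$attempts = [
    ['james', 'correct horse battery staple'],
    ['james', 'wrong password'],
    ['nobody', 'anything'],
    ['', ''],
];
$results = [];
foreach ($attempts as [$user, $pass]) {
    $ok = check_login($db, $user, $pass);
    if ($ok && PHP_SAPI !== 'cli') {
        start_member_session($user); // only meaningful when served over the web
    }
    $results[] = sprintf('%-8s %s', $user === '' ? '(empty)' : $user, $ok ? 'accepted' : 'rejected');
}
printf("stored value: %d characters, begins %s\n", strlen($stored), substr($stored, 0, 7));
echo implode("\n", $results), "\n";
```

If you switch to PASSWORD_DEFAULT, widen the password column: the PHP manual recommends 255 characters because the default algorithm may change.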

 


Files that support this week

English:

Assessment:

Anonymous Assessment - Learners assess an anonymous piece of work containing deliberate mistakes against given success criteria.


