- HTML/XHTML content is static
- Dynamic content
- Pages that look different depending on the user who visits, status,
processing requests, etc.
- E.g. Search engines, web mails, etc.
- Web applications (hotel booking, web search applications, …) are not
possible using only HTML/XHTML, CSS and JS; why?
Typical Web based Application
We need server side active code to perform actions & generate (dynamic)
Common Gateway Interface
- We need code beside web servers
- Web server by itself is not designed for data processing
- Initial idea
- An external program can perform the processing
- How can client ask server to run an external program?!
- New HTTP Method to run (e.g. HTTP RUN)?!! 🤔
- How does web server exchange information with the external program?
- Sending input data & Getting the output
- The mechanism should be standard
Common Gateway Interface (Cont.)
- The Standard protocol for interfacing external application software with
the web server
- CGI 1.1 specified in RFC 3875, 2004
- The external program runs by the
standard HTTP requests & proper server
- Information is passed from external software to the web server as the
output on stdout
- HTTP response is the
output of the external program on the
- Information can be passed from the web server to the executable program
according to HTTP request method
CGI Example: Server Config
ScriptAlias /cgi-bin/ /var/www/html/IE/cgi-enabled/
<Directory "/var/www/html/IE/cgi-enabled">
    Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    Require all granted
</Directory>
CGI Example: Source Code
// http header
// http body
CGI Example: Compile
> ~# cd /var/www/html/IE/cgi-enabled
> /var/www/html/IE/cgi-enabled# gcc -o hello_c.cgi hello_c.c
> /var/www/html/IE/cgi-enabled# ./hello_c.cgi
CGI Example: Test
The “Hello World” CGI in Bash Script
#!/bin/bash
# http headers
echo "Content-Type: text/html"
# a blank line ends the headers; without it the server rejects the output
echo ""
# http body
echo "Hello world."
echo "<br />"
echo "Bye Bye"
Getting parameters from the client
- Parameters can be passed from the user to the CGI script through an html
fetch or ...
<form action="script.cgi" method="GET">
<input type="…" name="input1" />
<input type="…" name="input2" />
<input type="…" name="inputN" />
</form>
- The script.cgi will get the parameters as:
input1=val1&input2=val2& ... &inputN=valN
- The mechanism depends on the HTTP Method
Getting parameters from the client
- Parameters can be sent through the
- CGI script will receive the parameters from the web server in an
- In C: You can access it by
- Parameters can be passed through the
POST method (in the body of the HTTP
- The CGI script will receive the parameters from the web server in the
standard input (
CGI Environment Variables
|CONTENT_TYPE||The data type of the content. Used when the client is sending attached content to the server. For example, file upload.|
|CONTENT_LENGTH||The length of the query information. It is available only for POST|
|HTTP_COOKIE||Returns the set cookies in the form of key & value pair.|
|HTTP_USER_AGENT||The User-Agent request-header field contains information about the user agent originating the request. It is the name of the web browser.|
|PATH_INFO||The path for the CGI script.|
|QUERY_STRING||The URL-encoded information that is sent with GET method request.|
|REMOTE_ADDR||The IP address of the remote host making the request. This is useful for logging or for authentication.|
|REMOTE_HOST||The fully qualified name of the host making the request. If this information is not available, then REMOTE_ADDR can be used to get IR|
|REQUEST_METHOD||The method used to make the request. The most common methods are GET|
|SCRIPT_FILENAME||The full path to the CGI script.|
|SCRIPT_NAME||The name of the CGI script.|
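The GET and POST paths described above, driven by the REQUEST_METHOD, QUERY_STRING and CONTENT_LENGTH variables from the table, as an added example that is not part of the original slides. The function name cgi_read_params and the MAX_PARAMS limit are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PARAMS 4096   /* assumed limit for this example, not from the slides */

/* Copy the raw (still URL-encoded) parameters into out[cap].
 * method, query and clen are the values of REQUEST_METHOD, QUERY_STRING and
 * CONTENT_LENGTH; body is the stream the web server attaches to stdin.
 * Returns the parameter length, or -1 if the request is malformed or too big. */
long cgi_read_params(const char *method, const char *query, const char *clen,
                     FILE *body, char *out, size_t cap)
{
    if (!method || cap == 0) return -1;
    if (strcmp(method, "GET") == 0) {
        if (!query) query = "";
        size_t n = strlen(query);
        if (n >= cap) return -1;
        memcpy(out, query, n + 1);
        return (long)n;
    }
    if (strcmp(method, "POST") == 0) {
        char *end;
        if (!clen || *clen < '0' || *clen > '9') return -1;  /* no sign, no blanks */
        errno = 0;
        long n = strtol(clen, &end, 10);
        if (errno || *end != '\0' || (size_t)n >= cap) return -1;
        /* Read exactly CONTENT_LENGTH bytes: the server need not send EOF. */
        if (fread(out, 1, (size_t)n, body) != (size_t)n) return -1;
        out[n] = '\0';
        return n;
    }
    return -1;   /* other methods carry no form parameters here */
}

int main(void)
{
    char buf[MAX_PARAMS];
    long n = cgi_read_params(getenv("REQUEST_METHOD"), getenv("QUERY_STRING"),
                             getenv("CONTENT_LENGTH"), stdin, buf, sizeof buf);
    if (n < 0) {
        printf("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n");
        puts("bad request");
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\n");
    printf("received %ld bytes of parameters\n", n);
    return 0;
}
```

CONTENT_LENGTH is client-controlled, so it is parsed strictly and checked against the buffer size before any byte of the body is read.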
CGI Pros & Cons
- What is the main advantage(s) of CGI?
- Any programming language can be used
- What are the main drawback(s) of CGI?
- We should generate whole HTML document in CGI
- For each request, a new process is created
- Process creation & termination & Inter-process communication
- Security is another major issue
- Any other way to run code in server side?
Solving CGI Problems
- Empower the server to run code
- But which programming language? HTML?!!!
- Should we compile & debug web-pages?
- Should web server interpret/compile the code?
Web servers are not built to be compilers!!
- How to mix code & HTML?
- Answer: Interpreter as a web server plugin is
- Use any scripting language whose interpreter is available for the web
server, e.g., PHP runtime environment
- Configure web server to use the interpreter for specific file types that
contain mixed code & HTML, e.g., .php files
- Web server runs the interpreter for the code and uses the output
Overview of Server-Side Scripting
- Web client sends a HTTP request to server
- Web server determines how to retrieve the requested resource according
- .html, .jpg, ... To be retrieved directly
- .php To be handled by the PHP module
Runtime environment does for example
- Parses incoming request, generates outgoing response
- Interpreting/executing the server-side scripts
- Maintaining sessions
- Runtime environment runs the requested script
- Identifies the code sections inside HTML
- Runs the code and grabs the output
- Provides session & other status information
- Generated output and HTML are assembled together which is the response
- The HTTP response is sent to the web client by web server
Embed vs. External Server Side Code
- External code
- A separated program: C, C++, …
- Server runs it and sends its output back to client
- Embed code
- Scripting inside the HTML
- Embed programming interface within server
- Which is called when the server sees the scripting directions
- Perl: Apache mod_perl module to embed
- Java Server Pages (JSP): Compiled and served by a JSP server
- PHP (the most common language)
Server Side Scripting Benefits
- How does server side scripting solve CGI problems?
- We don’t need to generate whole HTML by code
- Only dynamic parts are coded
- A process is not created per request
- All requests are processed by the interpreter
- Which is implemented as a library for web server process
- Each request = A thread
- Low creation & termination & inter-communication overhead
- The run-time environment controls the code
Major differences w.r.t client side programming
- Each server side program (cgi, php, …) can (and usually) runs multiple
- A process/thread per request
- Be very very careful about shared resources (files)
- Each server side program allows client (including the hackers) to run
code on your server
- Vulnerable code = Hacker access
- Be very very careful about input from the client
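A CGI program that writes a client-supplied parameter back into its HTML output has to decode it and then escape it, which is one concrete case of the caution above. This is an added example, not code from the original slides; the function names url_decode and html_escape and the buffer sizes are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX and '+' in place; -1 on a malformed escape or %00 (C-string truncation). */
int url_decode(char *s)
{
    char *w = s;
    for (; *s; s++, w++) {
        if (*s != '%') { *w = (*s == '+') ? ' ' : *s; continue; }
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return -1;
        char hex[3] = { s[1], s[2], '\0' };
        if ((*w = (char)strtol(hex, NULL, 16)) == '\0') return -1;
        s += 2;
    }
    *w = '\0';
    return 0;
}

/* Copy src to out[cap], replacing HTML metacharacters; -1 if out is too small. */
int html_escape(const char *src, char *out, size_t cap)
{
    size_t used = 0;
    for (; *src; src++) {
        char one[2] = { *src, '\0' };
        const char *rep = *src == '&' ? "&amp;" : *src == '<'  ? "&lt;"   :
                          *src == '>' ? "&gt;"  : *src == '"'  ? "&quot;" :
                          *src == '\'' ? "&#39;" : one;
        size_t n = strlen(rep);
        if (used + n >= cap) return -1;
        memcpy(out + used, rep, n);
        used += n;
    }
    if (cap == 0) return -1;
    out[used] = '\0';
    return 0;
}

int main(void)
{
    char in[256], out[6 * sizeof in];   /* "&quot;" (6 bytes) is the longest entity */
    const char *q = getenv("QUERY_STRING");
    snprintf(in, sizeof in, "%s", q ? q : "");
    printf("Content-Type: text/html\r\n\r\n");
    int ok = url_decode(in) == 0 && html_escape(in, out, sizeof out) == 0;
    printf("<p>You sent: %s</p>\n", ok ? out : "(invalid input)");
    return 0;
}
```

Escaping happens after decoding and at the point of output, so the browser receives the client's markup characters as text rather than as HTML.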