10: The Internet Programming Environment

Introduction

World Wide Web (WWW):

Electronic commerce (e-commerce):

Browser:

Electronic business (e-business):

Business to Consumer (B2C):

Business to Business (B2B):

The Internet Environment

The network that connects the client workstations, Web server, and database server follows TCP/IP protocols.

TCP (Transmission Control Protocol) breaks long messages into packets, which are smaller pieces of data that can be routed independently over the Web, reassembled, and displayed upon arrival at the destination browser.

Every computer that is connected to an intranet or extranet must have a distinct IP address.

...

... Internally, access to data is typically controlled by the DBMS, with the database administrator setting the permissions that determine employee access to data. Firewalls are used to limit external access to the company's data and to limit the movement of company data outside the company's boundaries.

Firewall: A hardware/software security component that limits external access to company data.

All communication is routed through a proxy server outside of the organization's network. The proxy server controls that passage of messages or files through to the organization's network. It can also be used to improve the site's performance by caching frequently requested pages.

Proxy Server: A firewall component that manages Internet traffic to and from a local area network. It can also handle access control and document caching.

Most intranets provide the following services:

• Web server
• Database-enabled services
• Directory, security, and authentication services
• Electronic mail
• File Transfer Protocol (FTP) server
• Firewall and proxy servers
• News or discussion groups
• Document search
• Load balancing and caching

Terminology

• IP Address
• Hypertext Transfer Protocol (HTTP); Secure HTTP (HTTP)
• Uniform Resource Locator (URL)
• Static vs. Dynamic Web pages
• World Wide Web Consortium (W3C)
• Hypertext Markup Language (HTML)
• Standard Generalized Markup Language (SGML)
• Extensible Markup Language (XML)
• XHTML
• Java
• JavaScript
• VBScript
• Cascading Style Sheet (CSS)

Server-Side Extensions

Server-side extensions: Software programs (like Web-to-database middleware) that interact directly with a Web server to handle requests. For example, the Web servers capabilities must be extended so that it can support database requests (that, invariably, include SQL).

Client-Side Extensions

Extensions to the client-side add functionality to the browser. We look at plug-ins, ActiveX controls, and cookies next.

Plug-ins: Hardware or software modules that extend the capabilities of browsers by adding features such as encryption, animation, or wireless access. Examples include RealAudio's RealPlayer, Macromedia Flash, Adobe Acrobat Reader, etc.

ActiveX: A loosely defined set of technologies (OLE/COM components) developed by Microsoft that extends browser capabilities and allows the manipulation of data inside the browser.

Cookie: A block of data stored at client by Web server, in order to be able to identify the client during a later Web session.

Web Server Interfaces

In order for a Web server to interact with an external program, a mechanism to establish the interface must be in place. Two common Web interfaces are:

• Common Gateway Interface (CGI)
• Application Program Interface (API)

Common Gateway Interface (CGI): A Web server interface that specifies the transfer of information between a Web server and a CGI program.

CGI programs are designed to accept and return data and may be written in any language that produces executable files (including C or C++, Perl, Java, or Visual Basic). CGI scripts are stored on the Web server and must be executed each time a user makes a request that uses the CGI script (like by submitting a form). The downside is that performance can be slowed noticeably if many users send simultaneous requests. To address this, some server-side solutions such as Java scripts and applets and ActiveX controls have been devised.

Java servelets are used as an alternative to CGI programs. Like applets,

Servlets are (small) programs that execute from within another application rather than from the operating system, but they are stored on the server rather than with an application on a client.

Java servlets are consistent; once started, they remain in active memory and can fulfill multiple requests. (A CGI program, by contrast, closes after it runs.

Application Programming Interfaces (APIs) are also more efficient than CGI scripts. They are implemented as shared code or dynamic link libraries (DLLs). This means that the code is resident in memory and can be called dynamically as needed; no external program need be executed for each request.

An API is a set of routines, protocols or tools that an application program used to direct the operating system's performance of procedures.

APIs can also use a shared connection to a database rather than having to establish a new link each time a connection is requested. API downside: (1) because they reside on the server, an API error can cause the server to crash (2) APIs are specific to the operating system and Web server on which they reside, and must be rewrittent o run with other systems.

Web Servers

Originally, a new HTTP connection had to be established to the Web server for each object to be downloaded to a browser. Newer versions of HTTP support a persistent connection so that multiple objects can be transmitted in packets over a single TCP connection.

Further, a Web server must be able to serve many users at a time, and this is accomplished by multithreading or multiprocessing (or a hybrid or multithreading and multiprocessing).

Some sites use DNS (domain name server) balancing to handle large traffic, by placing multiple copies of the site on separate but identical physical servers. The DNS server for the hostname of the site returns multiple IP addresses for the site, either by returning more than one IP address for the hostname, or by returning a different IP address for each DNS request received.

DNS (domain name server) balancing: A load-balancing approach where the DNS server for the host-name of the site returns multiple address for the site.

Software and hardware load balancing can distribute the requests more evenly across the Web servers. Only one IP address is published for the site, with requests to that one IP address distributed among the multiple servers hosting the Web site at the TCP/IP routing level. (This method of load balancing is usually better than that achieved by the DNS method; for example, some load balancers detect Web servers in the pool that are down, and dynamically redirect the request to another server.

Software and hardware load balancing: A load-balancing approach where requests to one IP address are distributed among the multiple servers hosting the Web site at the TCP/IP routing level.

A third method called reverse proxy reduces the load on a Web site by intercepting requests from clients and caching the response on the Web server that responds to the client. (So that the proxy can often serve a request from its own local cache rather than contacting the Web server.

Reverse proxy: a load-balancing approach that intercepts requests from clients and caches the response on the Web server that responds to the client.

Web-to-Database Tools: ColdFusion and ASP

ASP

ASP consists of text files that contain text, HTML, and scripting language commands, typically JavaScript or VBScript. The request of an ASP file results in the server processing any script commangs that have been embedded in the page, generation of an HTML document, and transmission of that HTML document back to the client to be displayed.

Our sample ASP shopping cart consists of the follow files:

1. global.asa -- every ASP application must have one (and only one) global.asa file; it is generally used to manage both the application and any sessions that are started from a client; it must be stored in the root directory of the ASP application
2. cart.asp -- displays the shopping cart contents and allows addition and removal of items from the shopping cart
3. checkout.asp -- accepts shopper information and completes the order (but does not store the order or process the card card)
4. item.asp -- displays information about a particular item and provides an option to link to the search box and the main area
5. line.asp -- displays a list of products that are available in a certain variation (color, finish, etc.) and gives access to the search box
6. search.asp -- displays a list of all products that match in Product_t.Product_Description the search parameter specified from the FormField searchval.
7. store.asp -- Home page; provides access to a search tool to search for a specific item; also lists all the different variations (lines) available for purchase

In our example, starting a new session will start a shopping card for the client requesting a session and a variable in which to keep track of the quantity ordered.

See ASP code on pages 374 through 376.

ColdFusion

ColdFusion requires the use of a server-side markup language, ColdFusion Markup Language (CFML), to create application page scripts (identified by extension .cfm).

ColdFusion Markup Language (CFML): The language used to create ColdFusion applications page scripts. The language is modeled after HTML and indicates tags for performing operations such as reading and updating database tables, generating e-mail messages, performing HTTP and FTP operations, credit card verifications and authorizations, and reading and writing client-side cookies.

When a client browser requests a .cfm page from the Web server, it is passed to the ColdFusion application server where the script is executed, the result formatted in HTML and returned to the Web server. The Web server returns that result to the client where it is displayed.

Our sample ColdFusion shopping cart has seven .cfm files:

1. application.cfm -- which sets the status of an application, client, and session scope variables, and how long they are active. This file is automatically included by the ColdFusion server at the top of each page.
2. cart.cfm -- displays the shopping cart content and allows addition and removal of items from the shopping cart
3. checkout.cfm -- accepts shopper information and completes the order, but is incomplete with regard to storing the order and processing the credit card.
4. item.cfm -- displays information about a particular item and provides an option to link to the search box and the main area
5. line.cfm -- displays a list of products that are available in a certain variation (color, finish, etc.) and gives access to the search box
6. search.cfm -- displays a list of all products that match in Product_t.Product_Description the search parameter specified from the FormField searchval.
7. store.cfm -- Home page; provides access to a search tool to search for a specific item; also lists all the different variations (lines) available for purchase

See code for ColdFusion demo store on pages 379 through 380.

...

We have seen instances of SQL being embedded in ASP and ColdFusion code; in each case, the SQL code is passed to the database server by either the ASP server or the ColdFusion server where it is interpreted and a result returned. These forms of "embedded SQL" do not involve the more complicated generally associated with embedded SQL within a 3rd-generation language like C, which we look at next.

Embedded SQL

In Ch7 and 8, we used the interactive, or direct, form of SQL, in which one SQL command is entered and executed at a time. We saw a logical unit of work, or transaction, and the commands (such as COMMIT or ROLLBACK) necessary to maintain a valid database.

Another form of SQL is widely used in creating applications on both client and severs: embedded SQL. SQL commands are embedded into 3GLs such as Ada, COBOL, C, FORTRAN, Pascal, PL/I, by placing them at appropriate locations in the 3GL host program. Oracle also offers PL/SQL (Procedural Language SQL), a propreitary language that extends SQL by adding some procedural language features such as variables, types, control structures, functions, and procedures. PL/SQL block of code can also be embedded in a 3GL.

Several reasons to consider embedding SQL in a 3GL are expounded on pages 381 through 383.

Managing Website Data

• Web security issues

Router: an intermediate device on a communications network used to transmit packets and forward them to the correct destination over the most efficient pathway.

Intrusion dectection system (IDS): A system that tries to identify attempts to hack or break into a computer system or to misuse it. IDSs may monitor packets passing over the network, monitor system files, monitor log files, or set up deception systems that attempt to trap hackers.

• • Planning for Web security
    • perform a formal written risk assessment; consider:
      1. the nature of the risk
      2. the likelihood of the risk
      3. potential operational, financial, and legal impact on the organization
      4. existing circumstances that might lead someone to attempt to breach security
  • Network level security
    • the Web server and the database server should be on a separate LAN from other business systems, and there should be a firewall between them and the business system if there must be a connection to the internal systems. Also, the database servers should be separated from the Web server, and there should be a firewall set up between them.
    • sharing of hard disks among the networked servers should be kept to a minimum
    • network and firewall logs, permitted so that modifications are not easy to accomplish, should be regularly monitored to discover any unauthorized or unusual activity.
    • Software that monitor probes and attacks from outside sources should be installed and regularly monitored; also check the vendor site regularly so that newly discovered vulnerabilities can be patched as soon as possible.
  • Operating system level security
    • patch all know OS vulnerabilities, again check the vendor site regularly so that newly discovered vulnerabilities can be patched as soon as possible.
    • install anti-virus software that automatically checks for viruses whenever the machine is booted, a file is downloaded, or e-mail is received
    • Monitor server logs; install IDS software
    • disable any services that are no longer required
  • Web server security
    • restrict the number of users of a Web server as much as possible; of those users give as few as possible supervisor or administrative rights
    • restrict access to the Web server, keeping a minimum number of ports open, and preferably only http and https.
    • remove any unneeded program that loads automatically when setting up the server; compilers and interpreters should not be on a path that is directly accessible from the Internet; CGI scripts should restricted to one subdirectory and should be run only if necessary
    • (on UNIX), ensure that the default OS install as root was no used; instead, install from a user's account that has only minimum access necessary to run the Web server software
  • DBMS/database level security
    • Discussed in Ch 12.

• Privacy issues
  • Cookies
  • Encryption
  • Anonymous remailers
  • Platform for Privacy Preferences (P3P): standard created by W3C that will result in the communication of a Website's stated privacy policies and a comparison of that statement with the user's own policy preferences.
    • Uses XML code on Website servers that can be fetched automatically by any browser or plug-in equipped for P3P; the client brower or plug in can then compare the site's privacy policy with the user's privacy preferences and inform the user of any discrepancies.
• Internet technology rate-of-change issues