Choosing The Right Server-Side Scripting Language
By Craig McElwee, 2004-01-06
So, Which One Should You Use?
| Beware of data tainting. Prepare for the worst by assuming all input may be tainted: it may have been entered by someone trying to hack your system by embedding system commands in the data. For example, you could allow users to start programs on your machine remotely via server scripting. I'm not for a moment suggesting you do this, but even in an innocent request such as getting a directory listing, there is potential danger. You might ask the user for the name of the directory to list, expecting input like "~" or "..". This is then sent to the shell with the ls command as "ls ~". Innocuous enough, but what if a hacker put in "~; rm *"? The shell would happily carry out the commands, first doing "ls ~" and then "rm *". This is not the sort of behavior you intended, but it is completely possible unless you take care of such data tainting. In Perl, for example, you may want to strip out anything that is not alphanumeric, an underscore, an asterisk, or a tilde. In this case, the command "ls ~;rm *" would become "ls ~rm *", which would probably result in a simple error instead of a major system corruption. |
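An added example, not code from the original article: the same directory-listing request written in Python, with the sidebar's character-stripping next to a stricter form that validates the name and passes it to ls as a separate argv element instead of through a shell, plus a small detection hook for logging. All function names are mine, the directory tree is a constructed fixture, and the hardened version goes beyond the sidebar by also confining the resolved path to a base directory.

```python
import os
import re
import subprocess
import tempfile

# Allowlist from the sidebar's Perl advice: keep alphanumerics, underscores,
# asterisks, tildes and the space; drop everything else (";", "/", "." included).
DISALLOWED = re.compile(r"[^A-Za-z0-9_*~ ]")
# Shell metacharacters worth logging when they show up in a form field.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def strip_tainted(user_input):
    """The sidebar's mitigation: remove every character outside the allowlist."""
    return DISALLOWED.sub("", user_input)


def looks_tainted(user_input):
    """Detection hook: True when the raw input carries shell metacharacters."""
    return SHELL_META.search(user_input) is not None


def safe_listing(base_dir, requested):
    """List a directory under base_dir without ever handing the name to a shell.

    Stricter than stripping: the name must already be clean, must not contain
    glob or home-expansion characters, and must resolve inside base_dir.
    """
    if requested != strip_tainted(requested) or set(requested) & set("*~ "):
        raise ValueError("rejected directory name: %r" % requested)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("directory outside base_dir: %r" % requested)
    # argv list, no shell=True: ls receives the name as one literal argument,
    # so a ";" could never start a second command even if it slipped through.
    result = subprocess.run(["ls", "-1", "--", target],
                            capture_output=True, text=True, check=True)
    return sorted(line for line in result.stdout.splitlines() if line)


def build_sample_tree():
    """Constructed fixture: a temp dir holding docs/a.txt and docs/b.txt."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "docs"))
    for name in ("a.txt", "b.txt"):
        open(os.path.join(base, "docs", name), "w").close()
    return base
```

`strip_tainted` reproduces the sidebar's outcome ("ls ~;rm *" becomes "ls ~rm *"), while `safe_listing` shows why avoiding the shell altogether is the stronger fix.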
If you are new to the CGI game, hopefully some of these possibilities have whetted your appetite. Which language should you choose to start with? Look over all the programs and see which one makes the most sense. How easily can you figure out what is going on intuitively or from context? Which would you feel comfortable trying to compose from scratch? Which would seem least obtrusive in your dreams and speech? They are all free, so cost isn't an issue. Toss a Web server on your system and have a go!
Finally, if it seems that I'm bashing Java servlets as a server-side solution, I don't mean to. Most server-side applications are relatively small (in the other languages), and the overhead of Java's object-oriented syntax and packaging may not always be worth the development time and effort. Quite frankly, there are only two reasons I can see for writing Java servlets instead of using the others. One, your company is a Java shop and Java programmers are required to do server-side programming; or two, your server-side programming needs require large, complex programs, and it has been determined that you need the "power of Java." If this requirement was determined by your pointy-haired boss, use one of the other languages, surf for a few weeks, then tell him you did it in Java.
First published by IBM developerWorks