Web Databases CS263 Lecture 13 The Internet environment Following Fig. Shows the basic environment needed to set up both Intranet and Internet database-enabled connectivity Network that connects client workstations, Web server, and database server follows TCP (Transmission Control Protocol)/IP (Internet Protocol) protocols. Both protocols are required for Internet transmission to occur Firewalls are used to limit external access to the data and limit movement of the data outside the boundaries A proxy server controls the passage of messages or files through to the network. It can improve a site’s performance by caching frequently requested pages 2 Database-enabled intranet-Internet environment Communications technology IP Address - 4 numbers that identify a node on the Internet, e.g. 131.247.152.18. Each is mapped to a unique domain name that has more meaning and is easier to remember (such as www.surrey.ac.uk). Domain name servers maintain an index of IP addresses and their matching domain names Hypertext Transfer Protocol (HTTP) – is a communication protocol used to transfer pages from Web server to browser. HTTPS is a more secure version Uniform Resource Locator (URL)- is a mnemonic Web address corresponding with IP address of Web server. It also includes folder location and html file name Communications technology Static Web pages – Web pages whose content is established at the time they are written. The same information is displayed whenever the page is accessed Dynamic Web pages – Web pages that display the data requested or input by the client station. Generally require that a database be attached to the page by an ODBC connection 5 Server-side extensions Basic Web servers only understand HTML So we need programs that interact directly with Web servers to handle requests, e.g. database-request handling middleware (such as Coldfusion or ASP) Initially (following Fig.), a request for information is submitted from a browser via the Web to a Web server The SQL query will be included in the script, but cannot be directly interpreted by the Web server The middleware identifies the query and prepares it to be passed to the DBMS Result set returned is then converted by middleware so that it will display correctly on browser 6 Web-to-database middleware Web server interfaces Dynamic Web pages determine some of their content at the time a client browser requests a page, so communication is needed between the Web server and the client or the database Two common Web server interfaces are: Common Gateway Interface (CGI) which specifies the transfer of information between a Web server and a CGI program. May be written in many languages CGI scripts are stored on the Web server and must be executed each time a user makes a request that uses a CGI script (slow if many users) 8 Web server interfaces Java servlets are an alternative to CGI Allow a client program to upload additional program code to a server, where it executes Since they are small and cross-platform compatible, ideal for small Internet applications accessible from a browser Persistent – once started they remain in memory and can fulfill multiple requests (CGI closes after it runs) – so more efficient 9 Web servers Provide HTTP service, Serve many clients at once, accomplished using multithreading and multiprocessing Popular websites receive more hits than can be managed by a single server, therefore load balancing approaches are needed. Some use Domain Name Server (DNS) balancing, where multiple copies of the site are placed on separate servers, i.e. one DNS = multiple IP addresses. Does not guarantee load on servers will be balanced Software and hardware balancing – distributes requests more evenly. Request at one IP address is distributed to multiple servers. Resources can be allocated dynamically Reverse proxying intercepts client request and caches response Web-to-database tools Active Server Pages (ASP) consist of text files containing text, HTML and scripting language commands (JavaScript, VBScript) Because these files are executed on the server, programmer need not be concerned about client platform Interface to databases in MS Windows-based Web servers A global.asa file for an ASP application ASP applications include HTML extensions and additional scripting (usually in VBScript, or in JavaScript) ASP code embedded in <% %> tags are executed on the server, instead of the client. This is how dynamic Web pages can be created Sample ASP Code <% REM Get list of Finishes strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;” Set rsRes = con.Execute(strSQL) %> <TABLE> <% REM Display the list of finishes While not rsRes.EOF %> <TR> <TD align=center valign=top> <%=rsRes(“Product Finish”>)%></TD> <TD> <FORM method=post action=“line.asp”> <INPUT type=Hidden name=line value=“<%=rsRes(“Product_Finish”))%> <INPUT type=submit Value=GO!> </TD> </TR> <% rsRes.MoveNext Wend %> </TABLE> Sample ASP Code <% REM Get list of Finishes strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;” Set rsRes = con.Execute(strSQL) %> <TABLE> <% Code is within the <% %> REM Display the list of finishes tags are executed on the While not rsRes.EOF server, not the client…these %> <TR> are interacting with the <TD align=center valign=top> database and creating <%=rsRes(“Product Finish”>)%></TD> dynamic Web content <TD> <FORM method=post action=“line.asp”> <INPUT type=Hidden name=line value=“<%=rsRes(“Product_Finish”))%> <INPUT type=submit Value=GO!> </TD> </TR> <% rsRes.MoveNext Wend %> </TABLE> Sample ASP Code <% REM Get list of Finishes strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;” Set rsRes = con.Execute(strSQL) %> These lines are executing a query on the database server using a middleware called Active Data Objects (ADO). The con variable is a connection to the database, which was established in the code of Box C. The rsRes variable contains the result set of the query (the rows returned from the query) <TABLE> <% REM Display the list of finishes While not rsRes.EOF %> <TR> <TD align=center valign=top> <%=rsRes(“Product Finish”>)%></TD> <TD> <FORM method=post action=“line.asp”> <INPUT type=Hidden name=line value=“<%=rsRes(“Product_Finish”))%> <INPUT type=submit Value=GO!> </TD> </TR> <% rsRes.MoveNext Wend %> </TABLE> Sample ASP Code <% REM Get list of Finishes strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;” Set rsRes = con.Execute(strSQL) %> These lines of code cause the ASP application to loop through the rows returned by the query until they reach the end <TABLE> <% REM Display the list of finishes While not rsRes.EOF %> <TR> <TD align=center valign=top> <%=rsRes(“Product Finish”>)%></TD> <TD> <FORM method=post action=“line.asp”> <INPUT type=Hidden name=line value=“<%=rsRes(“Product_Finish”))%> <INPUT type=submit Value=GO!> </TD> </TR> <% rsRes.MoveNext Wend %> </TABLE> Sample ASP Code <% REM Get list of Finishes strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;” Set rsRes = con.Execute(strSQL) %> These lines of code are retrieving the values of the specified field from the current row of the query result <TABLE> <% REM Display the list of finishes While not rsRes.EOF %> <TR> <TD align=center valign=top> <%=rsRes(“Product Finish”>)%></TD> <TD> <FORM method=post action=“line.asp”> <INPUT type=Hidden name=line value=“<%=rsRes(“Product_Finish”))%> <INPUT type=submit Value=GO!> </TD> </TR> <% rsRes.MoveNext Wend %> </TABLE> Sample ASP Code <% REM Get list of Finishes strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;” Set rsRes = con.Execute(strSQL) %> The Web page is being dynamically created, with one HTML table row for each record obtained from the query. Also, each Web table row includes a button that will link to another ASP page <TABLE> <% REM Display the list of finishes While not rsRes.EOF %> <TR> <TD align=center valign=top> <%=rsRes(“Product Finish”>)%></TD> <TD> <FORM method=post action=“line.asp”> <INPUT type=Hidden name=line value=“<%=rsRes(“Product_Finish”))%> <INPUT type=submit Value=GO!> </TD> </TR> <% rsRes.MoveNext Wend %> </TABLE> Web-to-database tools ColdFusion uses special server-side markup language CFML (modelled after HTML) When a client browser requests a *.cfm page page from the Web server, it is passed to the ColdFusion application server, where the script is executed, the result formatted in HTML and returned to the Web server, which returns the result to the client where it is displayed 19 Web-to-database tools Embedded SQL is another alternative Previously we have looked at the interactive (direct) form of SQL, where one command is entered and executed at a time SQL can be embedded in 3GL programs (Cobol, C etc.) SQL commands placed at appropriate locations in the programs Provides easier more flexible interface than standard SQL 20 Web-to-database tools Can improve performance compared to interactive variant as using interactive SQL requires that each query be converted to machine code each time the query is processed Improves database security, as additional GRANT and REVOKE permissions can be invoked in the embedded code Need a separate pre-compiler for each host language used Following Fig. Shows processing an embedded SQL program 21 Processing an embedded SQL program Embedded SQL statement begins with EXEC SQL Precompiler translates embedded SQL into host program language Compiler and linker generate executable code Managing website data Web Security Issues - prevent unauthorized access and malicious destruction Privacy Issues - protect users’ privacy rights Internet Technology Rate-of-Change Issues - deal with rapid advances in technology Website security Network Level Security – Web server and DB server on separate LAN from other business systems – Minimize sharing of hard disks among network servers – Regular monitoring of network and firewall logs – Install probe-monitor software Website security Operating System Level Security – Patch all known OS vulnerabilities – Install anti-virus software with boot-time, file download time, and email reception time virus detection – Monitor server logs for unauthorized activity – Disable unrequired services to reduce risk of unauthorized access Web security Web Server Security – Restrict number of users on Web server – Restrict access (minimize number of open ports) http and https only, if possible – Remove unneeded programs Restrict CGI scripts to one subdirectory – For Unix, only install minimum software for Web server Website security Firewall – hardware/software security component that limits external access to company’s data Proxy server – firewall component that manages Internet traffic to and from a LAN Router – intermediate device that transmits message packets to correct destination over most efficient pathway Intrusion detection system (IDS) – system that identifies attempt to hack or break into a system Establishing Internet security Routers to transmit message packets to correct destination Firewall to limit external access to data IDS to monitor and recognize security breach attempts