Lec13WebDatabases

advertisement
Web Databases
CS263 Lecture 13
The Internet environment




Following Fig. Shows the basic environment needed to set
up both Intranet and Internet database-enabled connectivity
Network that connects client workstations, Web server, and
database server follows TCP (Transmission Control
Protocol)/IP (Internet Protocol) protocols. Both protocols
are required for Internet transmission to occur
Firewalls are used to limit external access to the data and
limit movement of the data outside the boundaries
A proxy server controls the passage of messages or files
through to the network. It can improve a site’s performance
by caching frequently requested pages
2
Database-enabled intranet-Internet environment
Communications technology



IP Address - 4 numbers that identify a node on the Internet,
e.g. 131.247.152.18. Each is mapped to a unique domain
name that has more meaning and is easier to remember
(such as www.surrey.ac.uk). Domain name servers
maintain an index of IP addresses and their matching
domain names
Hypertext Transfer Protocol (HTTP) – is a communication
protocol used to transfer pages from Web server to
browser. HTTPS is a more secure version
Uniform Resource Locator (URL)- is a mnemonic Web
address corresponding with IP address of Web server. It
also includes folder location and html file name
Communications technology


Static Web pages – Web pages whose content is established
at the time they are written. The same information is
displayed whenever the page is accessed
Dynamic Web pages – Web pages that display the data
requested or input by the client station. Generally require
that a database be attached to the page by an ODBC
connection
5
Server-side extensions


Basic Web servers only understand HTML
So we need programs that interact directly with Web
servers to handle requests, e.g. database-request handling
middleware (such as Coldfusion or ASP)
 Initially (following Fig.), a request for information is
submitted from a browser via the Web to a Web server
 The SQL query will be included in the script, but cannot be
directly interpreted by the Web server
 The middleware identifies the query and prepares it to be
passed to the DBMS
 Result set returned is then converted by middleware so that
it will display correctly on browser
6
Web-to-database middleware
Web server interfaces




Dynamic Web pages determine some of their content at the
time a client browser requests a page, so communication is
needed between the Web server and the client or the
database
Two common Web server interfaces are:
Common Gateway Interface (CGI) which specifies the
transfer of information between a Web server and a CGI
program. May be written in many languages
CGI scripts are stored on the Web server and must be
executed each time a user makes a request that uses a CGI
script (slow if many users)
8
Web server interfaces




Java servlets are an alternative to CGI
Allow a client program to upload additional program code
to a server, where it executes
Since they are small and cross-platform compatible, ideal
for small Internet applications accessible from a browser
Persistent – once started they remain in memory and can
fulfill multiple requests (CGI closes after it runs) – so more
efficient
9
Web servers





Provide HTTP service, Serve many clients at once,
accomplished using multithreading and multiprocessing
Popular websites receive more hits than can be managed
by a single server, therefore load balancing approaches are
needed.
Some use Domain Name Server (DNS) balancing, where
multiple copies of the site are placed on separate servers,
i.e. one DNS = multiple IP addresses. Does not guarantee
load on servers will be balanced
Software and hardware balancing – distributes requests
more evenly. Request at one IP address is distributed to
multiple servers. Resources can be allocated dynamically
Reverse proxying intercepts client request and caches
response
Web-to-database tools



Active Server Pages (ASP) consist of text files containing text,
HTML and scripting language commands (JavaScript, VBScript)
Because these files are executed on the server, programmer need
not be concerned about client platform
Interface to databases in MS Windows-based Web servers
A global.asa file
for an ASP
application
ASP applications include HTML extensions and additional scripting
(usually in VBScript, or in JavaScript)
ASP code embedded in <% %> tags are executed on the server,
instead of the client. This is how dynamic Web pages can be created
Sample ASP Code
<%
REM Get list of Finishes
strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;”
Set rsRes = con.Execute(strSQL)
%>
<TABLE>
<%
REM Display the list of finishes
While not rsRes.EOF
%>
<TR>
<TD align=center valign=top>
<%=rsRes(“Product Finish”>)%></TD>
<TD>
<FORM method=post action=“line.asp”>
<INPUT type=Hidden name=line
value=“<%=rsRes(“Product_Finish”))%>
<INPUT type=submit Value=GO!>
</TD>
</TR>
<%
rsRes.MoveNext
Wend
%>
</TABLE>
Sample ASP Code
<%
REM Get list of Finishes
strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;”
Set rsRes = con.Execute(strSQL)
%>
<TABLE>
<%
Code is within the <% %>
REM Display the list of finishes
tags are executed on the
While not rsRes.EOF
server, not the client…these
%>
<TR>
are interacting with the
<TD align=center valign=top>
database and creating
<%=rsRes(“Product Finish”>)%></TD>
dynamic Web content
<TD>
<FORM method=post action=“line.asp”>
<INPUT type=Hidden name=line
value=“<%=rsRes(“Product_Finish”))%>
<INPUT type=submit Value=GO!>
</TD>
</TR>
<%
rsRes.MoveNext
Wend
%>
</TABLE>
Sample ASP Code
<%
REM Get list of Finishes
strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;”
Set rsRes = con.Execute(strSQL)
%>
These lines are executing a query on the database server
using a middleware called Active Data Objects (ADO).
The con variable is a connection to the database, which
was established in the code of Box C. The rsRes variable
contains the result set of the query (the rows returned
from the query)
<TABLE>
<%
REM Display the list of finishes
While not rsRes.EOF
%>
<TR>
<TD align=center valign=top>
<%=rsRes(“Product Finish”>)%></TD>
<TD>
<FORM method=post action=“line.asp”>
<INPUT type=Hidden name=line
value=“<%=rsRes(“Product_Finish”))%>
<INPUT type=submit Value=GO!>
</TD>
</TR>
<%
rsRes.MoveNext
Wend
%>
</TABLE>
Sample ASP Code
<%
REM Get list of Finishes
strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;”
Set rsRes = con.Execute(strSQL)
%>
These lines of code cause the ASP application to loop
through the rows returned by the query until they reach
the end
<TABLE>
<%
REM Display the list of finishes
While not rsRes.EOF
%>
<TR>
<TD align=center valign=top>
<%=rsRes(“Product Finish”>)%></TD>
<TD>
<FORM method=post action=“line.asp”>
<INPUT type=Hidden name=line
value=“<%=rsRes(“Product_Finish”))%>
<INPUT type=submit Value=GO!>
</TD>
</TR>
<%
rsRes.MoveNext
Wend
%>
</TABLE>
Sample ASP Code
<%
REM Get list of Finishes
strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;”
Set rsRes = con.Execute(strSQL)
%>
These lines of code are retrieving the values of the
specified field from the current row of the query result
<TABLE>
<%
REM Display the list of finishes
While not rsRes.EOF
%>
<TR>
<TD align=center valign=top>
<%=rsRes(“Product Finish”>)%></TD>
<TD>
<FORM method=post action=“line.asp”>
<INPUT type=Hidden name=line
value=“<%=rsRes(“Product_Finish”))%>
<INPUT type=submit Value=GO!>
</TD>
</TR>
<%
rsRes.MoveNext
Wend
%>
</TABLE>
Sample ASP Code
<%
REM Get list of Finishes
strSQL = “SELECT Product_Finish FROM PRODUCT_t GROUP BY Product_Finish;”
Set rsRes = con.Execute(strSQL)
%>
The Web page is being dynamically created, with one
HTML table row for each record obtained from the query.
Also, each Web table row includes a button that will link
to another ASP page
<TABLE>
<%
REM Display the list of finishes
While not rsRes.EOF
%>
<TR>
<TD align=center valign=top>
<%=rsRes(“Product Finish”>)%></TD>
<TD>
<FORM method=post action=“line.asp”>
<INPUT type=Hidden name=line
value=“<%=rsRes(“Product_Finish”))%>
<INPUT type=submit Value=GO!>
</TD>
</TR>
<%
rsRes.MoveNext
Wend
%>
</TABLE>
Web-to-database tools


ColdFusion uses special server-side markup language
CFML (modelled after HTML)
When a client browser requests a *.cfm page page from the
Web server, it is passed to the ColdFusion application
server, where the script is executed, the result formatted in
HTML and returned to the Web server, which returns the
result to the client where it is displayed
19
Web-to-database tools





Embedded SQL is another alternative
Previously we have looked at the interactive (direct) form
of SQL, where one command is entered and executed at a
time
SQL can be embedded in 3GL programs (Cobol, C etc.)
SQL commands placed at appropriate locations in the
programs
Provides easier more flexible interface than standard SQL
20
Web-to-database tools




Can improve performance compared to interactive variant
as using interactive SQL requires that each query be
converted to machine code each time the query is
processed
Improves database security, as additional GRANT and
REVOKE permissions can be invoked in the embedded
code
Need a separate pre-compiler for each host language used
Following Fig. Shows processing an embedded SQL
program
21
Processing an embedded SQL program
Embedded SQL
statement begins
with EXEC SQL
Precompiler
translates
embedded SQL
into host program
language
Compiler and
linker generate
executable code
Managing website data



Web Security Issues - prevent unauthorized access and
malicious destruction
Privacy Issues - protect users’ privacy rights
Internet Technology Rate-of-Change Issues - deal with
rapid advances in technology
Website security

Network Level Security
– Web server and DB server on separate LAN from other
business systems
– Minimize sharing of hard disks among network servers
– Regular monitoring of network and firewall logs
– Install probe-monitor software
Website security

Operating System Level Security
– Patch all known OS vulnerabilities
– Install anti-virus software with boot-time, file download
time, and email reception time virus detection
– Monitor server logs for unauthorized activity
– Disable unrequired services to reduce risk of
unauthorized access
Web security

Web Server Security
– Restrict number of users on Web server
– Restrict access (minimize number of open ports)
 http and https only, if possible
– Remove unneeded programs
 Restrict CGI scripts to one subdirectory
– For Unix, only install minimum software for Web
server
Website security




Firewall – hardware/software security component that
limits external access to company’s data
Proxy server – firewall component that manages Internet
traffic to and from a LAN
Router – intermediate device that transmits message
packets to correct destination over most efficient pathway
Intrusion detection system (IDS) – system that identifies
attempt to hack or break into a system
Establishing Internet security
Routers to transmit
message packets to
correct destination
Firewall to limit
external access to
data
IDS to monitor and
recognize security
breach attempts
Download