13,052 research outputs found

    Server-side Statistics Scripting in PHP

    On the UCLA Statistics WWW server there are a large number of demos and calculators that can be used in statistics teaching and research. Some of these demos require substantial amounts of computation, others mainly use graphics. These calculators and demos are implemented in various different ways, reflecting developments in WWW based computing. As usual, one of the main choices is between doing the work on the client-side (i.e. in the browser) or on the server-side (i.e. on our WWW server). Obviously, client-side computation puts fewer demands on the server. On the other hand, it requires that the client downloads Java applets, or installs plugins and/or helpers. If JavaScript is used, client-side computations will generally be slow. We also have to assume that the client is installed properly, and has the required capabilities. Requiring too much on the client-side has caused browsing machines such as Netscape Communicator to grow beyond all reasonable bounds, both in size and RAM requirements. Moreover requiring Java and JavaScript rules out such excellent browsers as Lynx or Emacs W3. For server-side computing, we can configure the server and its resources ourselves, and we need not worry about browser capabilities and configuration. Nothing needs to be downloaded, except the usual HTML pages and graphics. In the same way as on the client side, there is a scripting solution, where code is interpreted, or an object-code solution using compiled code. For the server-side scripting, we use embedded languages, such as PHP/FI. The scripts in the HTML pages are interpreted by a CGI program, and the output of the CGI program is sent to the clients. Of course the CGI program is compiled, but the statistics procedures will usually be interpreted, because PHP/FI does not have the appropriate functions in its scripting language. This will tend to be slow, because embedded languages do not deal efficiently with loops and similar constructs.
Thus a first step towards greater efficiency is to compile the necessary primitives into the PHP/FI executable. This is easy to do, because the API is quite simple. In the extensions below, we have added the complete ranlib and dcdflib to PHP, plus some additional useful functions. The source code for these extensions, plus Solaris binaries for libranlib.a and libdcdf.a can be obtained from our server. Interpreting a PHP script, even with our new primitives, still requires starting up a CGI process for each page that is read. Again, this can be improved upon. We could use FastCGI to keep the CGI process around on a permanent basis. Instead, we have chosen a more direct method. PHP can be compiled as an Apache module, i.e. it can be compiled into the Apache HTTPD server binary. This means that PHP scripts are interpreted by the WWW server, which is always around, and which will fork additional children if necessary. No CGI processes need to be started. The PHP install process creates a libphp.a and mod_php.c in the Apache source directories, which can be used to build an enhanced server. This has the additional advantage of security, because all security features of the server can be used, and none of the pitfalls of using CGI or Java apply. Using PHP, in combination with the WWW server, also has some disadvantages. Although we can make simple static plots, using the gd library, we cannot use any dynamics, and interaction between the user and the page is somewhat limited. Java, or scripts using a client-side Xlisp-Stat as a helper, are more flexible in this respect. As a consequence, the UCLA Statistics pages still use a combined approach, with server-side PHP and CGI and client-side Xlisp-Stat and Java/JavaScript. Sometime this year, server-side Java scripting will become available, and then it seems advisable to switch as much of the code as possible to the server-side.

    SQL Injection - Threats to Medical Systems: The Issues and Countermeasures

    A vast majority of medical information systems use Standard Query Language databases (SQL) as the underlying technology to deliver medical records in a timely and efficient manner. SQL is a standardised and well entrenched database technology, which allows for the development of robust, customised applications for information management. In recent years, SQL has been used as the back-end to many successful web client accessible applications. The use of SQL in this manner has been greatly enhanced through the development of server side scripting languages such as Microsoft ASP and open source systems such as PHP. These allow for the representation and extraction of data from a database and have a range of manipulation and display possibilities allowing a developer a rich tapestry of options. However, these scripting languages have enabled the ability for malicious users to directly modify, manipulate or destroy SQL databases. In addition to those server side scripting language problems there is also malicious software in the form of worms specifically targeting SQL databases.

    DESIGNING HTML HELPERS TO OPTIMIZE WEB APPLICATION DEVELOPMENT

    Building a web application or a website can become difficult, just because so many technologies are involved. Generally companies tend to people that work in teams to develop web applications. These teams are made up of professionals that focus on different technologies, such as CGI, HTML, JavaScript, CSS and databases. When the work of many people gathers to make up a single document there is often a mismatch between parts of code written by different team members. This article focuses on improving this matter by bringing consistency in code through the use of HTML helpers in server-side scripting languages. The examples in this article use PHP as the server-side language, but the model can be applied in any other language a developer works with. Keywords: HTML, CGI, Helper, OOP, code generation

    Reducing Info-Exclusion of Mental Health Service Users Through Online Content Using Synchronised Multimedia Integration Language

    This paper describes how the multimedia mark-up languages SMIL and HTML+TIME were used to publish three types of online presentations of multi-modal artwork by mental health service users. This technology has the potential to bring the work of artists working with mental health services to a wider audience, at low cost, with fuller participation and also offers a number of new creative possibilities. The presentations included artwork, biography and audio transcripts in static files with the aim of reducing the info-exclusion of multimedia service user artists. The potential of server-side scripting integrating MySQL database contents dynamically into SMIL templates was investigated for its capacity to generate random or topical art displays 'on the fly'. In two prototype server-side applications, PHP scripts used user input to activate multimedia file pointers contained in the database. The feasibility of server-side scripting in terms of browser/player support and other issues is discussed.

    Automated server-side model for recognition of security vulnerabilities in scripting languages

    With the increase of global accessibility of web applications, maintaining a reasonable security level for both user data and server resources has become an extremely challenging issue. Therefore, static code analysis systems can help web developers to reduce time and cost. In this paper, a new static analysis model is proposed. This model is designed to discover the security problems in scripting languages. The proposed model is implemented in a prototype SCAT, which is a static code analysis Tool. SCAT applies the phases of the proposed model to catch security vulnerabilities in PHP 5.3. Empirical results attest that the proposed prototype is feasible and is able to contribute to the security of real-world web applications. SCAT managed to detect 94% of security vulnerabilities found in the testing benchmarks; this clearly indicates that the proposed model is able to provide an effective solution to complicated web systems by offering benefits of securing private data for users and maintaining web application stability for web applications providers.

    Adaptive Hypermedia made simple using HTML/XML Style Sheet Selectors

    This paper addresses enhancing HTML and XML with adaptation functionalities. The approach consists in using the path selectors of the HTML and XML style sheet languages CSS and XSLT for expressing content and navigation adaptation. Thus, the necessary extensions of the selector languages are minimal (a few additional constructs suffice), the processors of these languages can be kept almost unchanged, and no new algorithms are needed. In addition, XML is used for expressing the user model data like browsing history, browsing environment (such as device, location, time, etc.), and application data (such as user performances on exercises). The goal of the research presented here is not to propose novel forms or applications of adaptation, but instead to extend widespread web standards with adaptation functionalities. Essential features of the proposed approach are its simplicity and both the upwards and downwards compatibility of the extension.

    Slisp: A Flexible Software Toolkit for Hybrid, Embedded and Distributed Applications

    We describe Slisp (pronounced ‘Ess-Lisp’), a hybrid Lisp–C programming toolkit for the development of scriptable and distributed applications. Computationally expensive operations implemented as separate C-coded modules are selectively compiled into a small Xlisp interpreter, then called as Lisp functions in a Lisp-coded program. The resulting hybrid program may run in several modes: as a stand-alone executable, embedded in a different C program, as a networked server accessed from another Slisp client, or as a networked server accessed from a C-coded client. Five years of experience with Slisp, as well as experience with other scripting languages such as Tcl and Perl, are summarized. These experiences suggest that Slisp will be most useful for mid-sized applications in which the kinds of scripting and embeddability features provided by Tcl and Perl can be extended in an efficient manner to larger applications, while maintaining a well-defined standard (Common Lisp) for these extensions. In addition, the generality of Lisp makes Lisp a good candidate for an application-level communication language in distributed environments.