what language to use?

  • what language to use?

    I have an associate who hosts websites - he is hosting mine. I have the opportunity to work with him on some commercial uses of the web.
    What language is the best to create programs that run, if I do not use PB and CGI? Info from the web pages should be written to a file, to be processed and to send info back to the user and to the user's clients.

    I have created a rudimentary program that extracts info from a web page, downloads to the user's computer, then rewrites a blank file back to the web site, waiting for more input. That works, but each new user of the web site would have to have a program (.exe & CGI) sent to him so all the data base info, etc. are stored on the user's computer.

    I understand that running .exe files, even in \cgi-bin\ is a problem with most hosting services.

    Any info would be much appreciated.

    John Tate

  • #2
    trustedwebhost.com will run "binary executables". They have a high following here. Personally, I wouldn't use anything besides PBCC with Ajax. I run my own webserver using IIS.

    If you had to use something else, it really is a matter of personal preference.
    PHP, ASP are all capable.



    • #3
      John,

      Just about any web host will provide PHP as their primary web language. It was designed specifically as a web language, is very widely used and well documented, and is extremely easy to learn. While it is rapidly moving to an OOP model, it is perfectly acceptable to write procedural code in it. Interaction with databases, especially MySQL, is trivially easy.

      While it's possible to write CGIs in PB, you'll have a support group of about three, vs. thousands and thousands for PHP.

      Of course, if you tried to do desktop programming with PHP instead of PB, you'd be on your own...
      --pdf



      • #4
        Most providers offer PHP on a Linux server, but even if it is easy to use and to connect to a MySQL DB, it is NOT easy to write secure code - even with PowerBasic (I use PBCC).

        Whatever you do, don't forget that the program is not running on a local PC with one user; millions can use and attack your program. In the book I bought (a German one for PHP beginners) there were simple examples for connecting to a DB, and 5 weeks later nearly the same code was presented as a stupid solution, because the data input was not filtered. I think SQL injection was the name of this attack:

        Screen with input fields for NAME and PASSWORD. The input was used directly in the following SQL statement.
        This should act as a secure user login with name and password, but some found out
        that if you type in ADMIN ' (is ' the inline comment in SQL?)
        the WHERE clause then was WHERE user=ADMIN ' and passwort=
        so the password was ignored.

        Those traps - no problem for a good PHP programmer, but for me as a PHP novice - make me think that my daily used compiler is the best choice for me. But that means I need a Windows 32 Bit Server-Provider.

        And after several tests, I found an unwanted access to my program too,
        because I forgot a constellation and had no ELSE part.

        But I can't understand why you use one CGI program per user; normally you have one or more per application for all users.
        Last edited by Hubert Brandel; 12 Feb 2008, 10:18 AM.
        Regards,
        Hubert

        ------------------------------------
        http://familie-brandel.de/index_e.html



        • #5
          Thanks, all for the replies.

          What is wanted is:
          client signs up to use the program on the web. It might be a calendar program.

          User puts his information out there.
          Web users sign up to use the product being advertised.
          Based on the client's requirements, the server side program will initiate a response to the client and to web users.
          The server side program needs to write information to a file on the server, to be accessed as needed.

          The reason I mentioned each client receiving a copy of the .exe file was to get around the web host not allowing the .exe run on the server.

          I have no problem writing the kind of program to do the job on a local computer. As I said, I can have the local program access a file specific to the client, and keep the database on the client's local computer. My original premise was that the client would receive the contact information from the web user, then the client would run his local .exe program which would extract the information, write it to a file, then emails would go out to the web user as necessary. That would be rather clumsy, I would think.

          You can see I know nothing about web based programming. It seems to be feasible to have my friend write the web page, and I would write the executable script in PHP.

          Thanks again for the good information.

          John Tate



          • #6
            I have an associate who hosts websites - he is hosting mine. I have the opportunity to work with him on some commercial uses of the web.
            What language is the best to create programs that run, if I do not use PB and CGI?
            Is your associate only using Linux? Is there a reason why he can't/won't support compiled executables?

            -- The short answer, if you don't want to use PB, is probably PHP, although PERL and Ruby are equally capable and "popular". In fact, PERL is probably more mature and complete.

            However, I am not sure you are asking the right question. While the Web is an excellent platform to use, it's not always the right choice. It might very well just be me, but based on your needs description, I can't visualize what it is you are trying to accomplish:
            What is wanted is:
            client signs up to use the program on the web. It might be a calendar program.

            User puts his information out there.
            What information? Calendar entries? What is "out there"? On the web server? In the calendar? Someplace else?
            Web users sign up to use the product being advertised.
            What product, the calendar? Are they buying the calendar program, or the data "user put his information" on? In this context, is User = Web user?
            Based on clients requirements, the server side program will initiate response to client and to web users.
            Who is the client, and what type of requirements would he/she have? Is this response something like: "ALERT! Someone wants to buy your (calendar/information/whatever). Here is the buyer's contact info (and then list it below)?"
            The server side program needs to write information to a file on the server, to be accessed as needed.
            What information? Purchasing information?
            Who is accessing "as needed"? If the server 'initiates a response', is the response different from what the server is saving in this database?
            The reason I mentioned each client receiving a copy of the .exe file was to get around the web host not allowing the .exe run on the server.
            What .exe file? I'm totally confused here.
            It seems to be feasible to have my friend write the web page, and I would write the executable script in PHP.
            Possibly, but you will have to add HTML code (output) in your application so you can't ignore HTML completely. There are lots of ways to do this, but you need at least some basic HTML knowledge.
            Software makes Hardware Happen



            • #7
              Joe and all:
              You can see that I do not know the proper way to express what I need.
              I will try again.

              1. I have a web site out there that allows a person to sign up to use the services I have on the site. Let's call him the client.

              2. The client then posts his information on the site. Let's say he has a hunting lodge in Alaska. He puts out the dates of the various hunts he is going to guide.

              3. Someone browsing the internet sees this site, and signs up for one of the hunts. Let's call him the client's customer. At this point a response is sent to the client. A response is also sent to the client's customer. The client's customer information is stored in a file on the server.

              4. Again, a second customer signs up for the same hunt. Another response is sent to the client. The second customer's information is written to the file on the server, then the file is read and both the first customer and the second customer are sent a response informing them of all who are registered for this hunt.

              This is basically what was proposed to me some time ago.

              I will get more information from my web host about his own capabilities.

              Thanks for putting up with my completely neophyte questions.

              John Tate



              • #8
                John,

                Ok, that is much clearer.

                Is there a reason you don't want to/can't use PB? The main reason I can think of is wide ranging compatibility. If you are selling the 'schedule' web site for people to host on their own (or at their own hosting company), then I can see how a PB exe could be a problem. If you are thinking of selling the site with hosting, then PB would be a natural for this.

                Let's assume that you can't use PB. In that case, what you are looking to do is relatively easy to do. If it were me, I would probably use PHP and MySQL. Most hosting companies will have both of these installed, so you'll get the widest range of compatibility.

                There is another option too. The CGI application does not have to reside on the same physical server that the web page does. It wouldn't be difficult at all for you to write this in PB, sell the HTML pages, and simply link the CGI stuff back to your server. The 'web visitor' would never notice (unless they were very curious) that the program isn't "part of" the current web page. You could then sell the database portion of this project as a service and generate some reoccurring revenue.
                Software makes Hardware Happen



                • #9
                  John,

                  A Web-application is a chain of programs and forms connected by TCPIP / HTTP.

                  On Clientside:

                  a WWW-browser (IE or Firefox)

                  On Serverside:

                  a WWW-server (IIS or Apache ...)
                  + HTML pages and forms
                  + CGI programs to act with the forms.

                  The browser asks for a service with the url

                  http://www.xyz-server.zz
                  -> this will normally show index.htm
                  http://www.xyz-server.zz/myside.htm
                  -> this will show myside.htm

                  this only shows fixed pages, but in these
                  pages there could be INPUT fields in a form.
                  -> this can start a CGI program with submit

                  http://www.xyz-server.zz/cgi-bin/myservice.php or
                  http://www.xyz-server.zz/cgi-bin/myservice.exe
                  -> you can call the CGI program directly too.

                  the browser will transport the URL request to the server,
                  the server sends back the htm page, the browser will
                  show what it thinks the htm code should look like.

                  If you submit data over a form to a CGI program, the
                  WWW server will put the data into SET variables or stdout,
                  depending on the GET or POST method.
                  POST is better, because the data could be bigger.

                  In the CGI program (running on the server) there is info about the calling code in the environment SET variables (IP address, names ...) and the data (sent to STDIN). The CGI program now checks the data and has to give back over STDOUT a correct header and HTML page, or another file if you want to make a file download (SERVER sends a file to the browser).

                  The WWW server will send the data from the CGI back to the browser, and it will show it.

                  The programmer has to know what's going on at the server and the client side.
                  I think I saw some CGI examples in PBCC ...

                  THE BEST is that the CGI programs don't have to know anything about secure (HTTPS) sites; this is the job of the WWW server. It will transmit secure sites with the same CGI.

                  If you want, you can have a look at my CGIs on my home server; let me know by private message and I will give you the address and let it run overnight.
                  Last edited by Hubert Brandel; 12 Feb 2008, 07:21 PM.
                  Regards,
                  Hubert

                  ------------------------------------
                  http://familie-brandel.de/index_e.html

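The request/response flow described in post #9, as an added example in PHP (not code from anyone in this thread): a handler that takes form data from `QUERY_STRING` for GET or from `CONTENT_LENGTH` bytes of stdin for POST, then returns header lines, an empty line and the HTML body. The field name `name`, the 4096-byte limit and the sample request are assumptions; the web server's handoff is simulated with an array and an in-memory stream.

```php
<?php
declare(strict_types=1);

const MAX_BODY = 4096; // assumed upper bound for this form's POST body

// Collect form fields the way a CGI program receives them:
// GET -> QUERY_STRING environment variable, POST -> CONTENT_LENGTH bytes on stdin.
function read_form(array $env, $stdin): array
{
    $method = $env['REQUEST_METHOD'] ?? 'GET';
    if ($method === 'GET') {
        $raw = (string) ($env['QUERY_STRING'] ?? '');
    } elseif ($method === 'POST') {
        $len = (string) ($env['CONTENT_LENGTH'] ?? '0');
        // Never trust the declared length: it must be numeric and bounded.
        if (!ctype_digit($len) || (int) $len > MAX_BODY) {
            throw new LengthException('missing, malformed or oversized body');
        }
        $raw = (int) $len > 0 ? (string) stream_get_contents($stdin, (int) $len) : '';
    } else {
        throw new DomainException('unsupported method');
    }
    parse_str($raw, $fields); // splits on & and = and URL-decodes the values
    return $fields;
}

// A CGI reply is: header lines, one empty line, then the document.
// Leaving out the empty line is the classic mistake.
function cgi_response(string $status, string $html): string
{
    return "Status: $status\r\n"
         . "Content-Type: text/html; charset=utf-8\r\n"
         . "\r\n"
         . $html;
}

function handle(array $env, $stdin): string
{
    try {
        $form = read_form($env, $stdin);
    } catch (LengthException | DomainException $e) {
        return cgi_response('400 Bad Request', '<p>Bad request</p>');
    }
    // A field may be missing or arrive as an array (name[]=...); accept strings only.
    $name = is_string($form['name'] ?? null) ? $form['name'] : '';
    // Everything sent by the browser is untrusted: encode it before echoing into HTML.
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return cgi_response('200 OK', "<p>Registered: $safe</p>");
}

// Constructed POST request, standing in for what the web server hands over.
$body  = 'name=' . urlencode('<b>John</b>') . '&hunt=moose';
$stdin = fopen('php://memory', 'r+');
fwrite($stdin, $body);
rewind($stdin);
$env = ['REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => (string) strlen($body)];

echo handle($env, $stdin), "\n";
```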


                  • #10
                    Hi,

                    here is a sample which uses Xbase++ with Xb2.NET for the CGI stuff. To be correct, they made their own WWW server, but this is not relevant for the sample program:

                    http://live.xb2.net/

                    if you have a web page, try to use 'show source code' (I have only the German version, so the name is not exact) in the 'display' menu (? - Files, Edit, Display ???).

                    The client can read what the server sends, but sometimes they forget the new line ;-)
                    Regards,
                    Hubert

                    ------------------------------------
                    http://familie-brandel.de/index_e.html



                    • #11
                      Originally posted by Hubert Brandel
                      Whatever you do, don't forget that the program is not running on a local PC with one user; millions can use and attack your program. In the book I bought (a German one for PHP beginners) there were simple examples for connecting to a DB, and 5 weeks later nearly the same code was presented as a stupid solution, because the data input was not filtered. I think SQL injection was the name of this attack:

                      Screen with input fields for NAME and PASSWORD. The input was used directly in the following SQL statement.
                      This should act as a secure user login with name and password, but some found out
                      that if you type in ADMIN ' (is ' the inline comment in SQL?)
                      the WHERE clause then was WHERE user=ADMIN ' and passwort=
                      so the password was ignored.

                      Those traps - no problem for a good PHP programmer, but for me as a PHP novice
                      Yes, that's called SQL Injection. And the workaround is quite easy (and not dependent on the language), therefore it has nothing to do with you being a PHP novice, but more with (still) being a database novice.

                      Don't build SQL statements with string concatenation. Instead use parameterized queries. The DB engine itself will take care of validating the values passed against the database column's data type. In the scenario above, the value ADMIN' would have been passed to the query and would have returned no record, because - most likely - there's no user called ADMIN'.



                      • #12
                        I cannot thank you all enough for taking the time to post all this information. As I have said before, the PB family of programmers is the best!

                        I am beginning to get the basic ideas.

                        I am having a meeting with my web host person next week. I will see exactly what he has in mind.

                        I would be glad to take on the challenge of writing a web application, but I would be completely a newbie. I will get whatever books I can find, and maybe even take some courses at the local Community College, which is about 1 mile from my house if they have something I think would help.

                        Again I really appreciate this discussion on the basics. Thanks to all.

                        John Tate



                        • #13
                          I guess I'll float a trial balloon here...

                          A while back, for my own purposes, I hired a consultant to port some code to PB/Win. The end result is that I have the ability to compile DLLs that work as "php extensions". That means that my web pages can call my PB/Win functions with no more php coding than...
                          Code:
                          <p>
                             <?php echo MyPBFunction('Param1','Param2','Param3',[etc]); ?>
                          </p>
                          It works with both PHP4 and PHP5, but it (probably) requires a Windows web server. (Does anybody know whether or not the *nix flavors of php support Win32 DLLs?) I have used it with both WIMP and WAMP.

                          Let me be clear up front, as much as I love this community I'm not likely to donate the code to the public domain. It's more likely to be an addition to my company's "Development Tools" product line.

                          Does this technology sound interesting?

                          -- Eric Pearson, Perfect Sync, Inc.
                          "Not my circus, not my monkeys."



                          • #14
                            Let me be clear up front, as much as I love this community I'm not likely to donate the code to the public domain. It's more likely to be an addition to my company's "Development Tools" product line.

                            Does this technology sound interesting?
                            Darn!

                            I've spent more time than I should trying to get PHP to 'play nice' with a PB DLL. There is a deprecated function in PHP 4x but it was never very stable and caused more problems than it was worth.

                            Needless to say, if you have something that works, I'd be more than interested. Any reasonable price would be fine with me.
                            Software makes Hardware Happen



                            • #15
                              Originally posted by Knuth Konrad
                              therefore it has nothing to do with you being a PHP novice, but more with (still) being a database novice.
                              SQL and PHP - novice ... This is true too ;-)

                              I normally don't have enough data to use SQL servers in my apps (normally I use Xbase++ with DBF files). I have played with SQL-Server for my Web CGI program, using SQLtools (with PB) and SQLExpress (with Xbase++), both with parametric calls. At that time I spent some hours (and money for the PHP book) with PHP. I thought a beginners' book should protect the beginners from such errors, but they used the simple way ...

                              Could you write a simple line of code using the parametric call in PHP?
                              Regards,
                              Hubert

                              ------------------------------------
                              http://familie-brandel.de/index_e.html



                              • #16
                                Originally posted by Hubert Brandel
                                I normally don't have enough data to use SQL servers in my apps (normally I use Xbase++ with DBF files).
                                Parameterized queries are not limited to SQL servers. Access provides those as well. For SQL servers, this is typically a Stored Procedure. In Access it's called a Query. My guess would be that Alaska provides a similar technique (whatever its name might be that the marketing department slapped onto it).

                                Could you write a simple line of code using the parametric call in PHP?
                                Unfortunately not, as I don't "speak" PHP.

                                Here's an ASP example, using VBScript and Access

                                Access Query, named "spGetCustomerByID":
                                Code:
                                PARAMETERS prmID Long;
                                SELECT ID, FirstName, LastName
                                FROM tCustomers
                                WHERE ID=[prmID];
                                ASP/VBScript:
                                Code:
                                Public Function GetCustomerByID(ByVal cn, ByVal lID, ByRef sFirstName, ByRef sLastName)
                                '------------------------------------------------------------------------------
                                'Name     : GetCustomerByID
                                'Function : Retrieves customer names by DB ID
                                '
                                'Requires : ADO constants (adCmdStoredProc, adInteger, adParamInput), e.g. from adovbs.inc
                                'Parameter:
                                ' cn - Active, opened ADO Connection object
                                ' lID - DB ID of customer to retrieve from DB
                                ' sFirstName, sLastName - gets filled with data from DB
                                '------------------------------------------------------------------------------
                                
                                Dim rs, cmd
                                Dim sSP
                                
                                ' Name of the stored Access query to execute
                                sSP = "spGetCustomerByID"
                                
                                Set cmd = Server.CreateObject("ADODB.Command")
                                Set rs = Server.CreateObject("ADODB.Recordset")
                                
                                ' Fill query parameter prmID and attach it to the Command object
                                With cmd
                                	Set .ActiveConnection = cn
                                	.CommandText = sSP
                                	.CommandType = adCmdStoredProc
                                	.Parameters.Append .CreateParameter("prmID", adInteger, adParamInput, ,lID)
                                End With
                                
                                Call rs.Open(cmd)
                                
                                ' See if query returned a record ...
                                If Not (rs.BOF And rs.EOF) Then
                                    ' Yes -> retrieve values and set success return value
                                    sLastName = "" & rs.Fields("LastName").Value
                                    sFirstName = "" & rs.Fields("FirstName").Value
                                    ' Signal success of query
                                    GetCustomerByID = True
                                Else
                                    ' No records present
                                    GetCustomerByID = False
                                End If
                                
                                Call rs.Close
                                Set rs = Nothing
                                Set cmd = Nothing
                                
                                End Function
                                This function then gets called like
                                Code:
                                ' Somewhere in an ASP page, retrieve form input
                                
                                Dim lID
                                Dim sFirst, sLast
                                
                                ' Get user input from web page
                                On Error Resume Next
                                lID = CLng(Request.Form("txtID"))
                                If Err Then
                                   ' Error happened, ID might be empty or not numerical, set safe default
                                   lID = -1
                                   Err.Clear
                                End If
                                ' Restore normal error handling so later failures are not silently skipped
                                On Error GoTo 0
                                
                                ' Search for customer upon ID
                                
                                If Not GetCustomerByID(appADOConnection, lID, sFirst, sLast) Then
                                   Response.Write "No customer for ID " & CStr(lID) & " found."
                                Else
                                   ' HTML-encode database values before writing them into the page
                                   Response.Write "ID: " & CStr(lID) & "<br />"
                                   Response.Write "Last name: " & Server.HTMLEncode(sLast) & "<br />"
                                   Response.Write "First name: " & Server.HTMLEncode(sFirst)
                                End If
                                You see, no SQL statement anywhere in the code, therefore no chance for an attacker to slip in a SQL comment, "break" your SQL query into pieces and inject his own SQL code.

                                If I didn't check the passed ID to be numerical within the page itself, but simply passed it to the query, the ADO engine would have raised an error if ID wasn't a (long) integer. Depending on how many parameters you pass to a query from a form, it's sometimes easier to do validation this way. The more parameters you pass, the easier it is to catch the ADO engine error and act upon that accordingly.

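The parametric call asked about in post #15, as an added example in PHP (not code from anyone in this thread): the login check from the beginner-book scenario, once with the input concatenated into the SQL text and once as a PDO prepared statement. It uses an in-memory SQLite database so it runs without a server; the table, column and account names and the sample inputs are constructed, and `--` is used as the SQL line-comment marker.

```php
<?php
declare(strict_types=1);

// Constructed demo data: table, column and account names are assumptions.
// The plaintext password column only mirrors the book's query; real code
// stores password_hash() output and checks it with password_verify().
function make_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name, password) VALUES ('admin', 'correct horse')");
    return $db;
}

// Beginner-book pattern: form input is pasted into the SQL text, so a quote
// in $name ends the string literal and whatever follows is parsed as SQL.
function login_concat(PDO $db, string $name, string $password): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND password = '$password'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Parameterized form: the SQL text is fixed; the values travel separately
// and are only ever compared as data, never parsed as SQL.
function login_prepared(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE name = :name AND password = :password'
    );
    $stmt->execute([':name' => $name, ':password' => $password]);
    return (int) $stmt->fetchColumn() > 0;
}

// Run one login function and report the outcome as text.
function describe(callable $login, PDO $db, string $name, string $password): string
{
    try {
        return $login($db, $name, $password) ? 'LOGGED IN' : 'rejected';
    } catch (PDOException $e) {
        return 'SQL error';
    }
}

$db = make_demo_db();
$cases = [
    ['admin', 'correct horse'],  // legitimate login
    ['admin', 'wrong'],          // wrong password
    ["ADMIN'", 'x'],             // the input quoted in the thread: a stray quote
    ["admin' --", 'x'],          // quote followed by an SQL line comment
];
foreach ($cases as [$name, $password]) {
    printf(
        "%-12s concat: %-10s prepared: %s\n",
        $name,
        describe('login_concat', $db, $name, $password),
        describe('login_prepared', $db, $name, $password)
    );
}
```

With the concatenated query the stray quote produces an SQL error and the quote-plus-comment input logs in without the password; the prepared statement rejects both, because no user with either of those names exists.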


                                • #17
                                  Joe --

                                  Send me an email and we'll see what we can work out.

                                  -- Eric
                                  "Not my circus, not my monkeys."
