School of Physics & Astronomy
Physics & Astronomy Wiki


Dynamic Web Content

While simple websites are just a collection of .html files which are sent to browsers directly when they ask for a webpage, it is possible to make more advanced sites which execute a program when someone asks for a page and send the output of that program instead of a simple HTML file. This is handy for processing web forms, adapting output for each user, and creating full-blown applications on the web. Many pages you use every day work this way, such as search engines, content management systems, comment engines, and anything else interactive on the web.

Because dynamic websites take input from anonymous users on the internet and execute code, there is a very strong need to focus on security and safety. Please make sure you don't inadvertently allow access to private data or files. If you plan to use a third-party application, you are responsible for checking regularly for security updates for it.

This environment is provided only for writing your own, relatively simple, web applications and scripts. We strongly discourage you from installing any large applications such as your own copies of dokuwiki, drupal, wordpress, etc., as we cannot guarantee that the system dependencies for such packages will remain available over time.

PHP

PHP is a popular programming language designed specifically for serving dynamic websites. PHP is available on the physics web servers, although it is not enabled by default - contact us if you need it. After enabling it, any files which end in the .php extension will be processed by the PHP engine.

You can learn more about using PHP from the PHP website: http://www.php.net/manual/en/

For security reasons, all PHP code is executed under your user account (or the group service account, for group pages), so it will have access to anything you yourself can access when logged into one of our Unix/Linux boxes.

Our server will also refuse to execute any PHP files which are not owned by your account, or which are writable by anyone other than yourself.

Besides that, you need to give due attention to keeping your PHP code secure. We'll have to disable PHP on any parts of the server which demonstrate insecure behavior. You can find one decent quick introduction to PHP security here: http://www.phpfreaks.com/tutorial/php-security

Other content

Execution of CGI programs is possible from personal web areas, provided certain fairly stringent conditions are followed. CGI programs are executed via the Apache suEXEC feature. The documentation at the Apache site details the conditions under which suEXEC will run a user-supplied CGI program. The main things to watch for are:

  • CGIs must be run from a directory named cgi-bin (within your public_html directory).
  • The cgi-bin directory must not be writable by anyone other than yourself.
  • The program file itself must not be writable by anyone other than yourself.
  • The program file must be owned by you.
  • The program file can't be setuid or setgid.
  • The program filename must end in .cgi

Note that we do not support basic CGI on the groups.physics.umn.edu webserver.
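
The conditions listed above can be checked before you publish a script. The following is an added example, not part of the original page or of the department's tooling: `check_cgi` and `loosely_writable` are hypothetical helper names, and the script assumes it is run as the account that owns the web area.

```shell
#!/bin/sh
# Added example (not the department's tooling): audit a CGI program against
# the conditions listed above. Prints each violation; returns 0 if none.

# True if the path is writable by group or by other.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

check_cgi() {
    prog=$1
    rc=0
    if [ ! -f "$prog" ]; then
        echo "$prog: not a regular file"
        return 2
    fi
    dir=$(cd "$(dirname "$prog")" && pwd -P) || return 2

    # Must live in a directory named cgi-bin, within public_html.
    case $dir in
        */public_html/cgi-bin|*/public_html/*/cgi-bin) ;;
        *) echo "$prog: not in a cgi-bin directory within public_html"; rc=1 ;;
    esac
    # Neither the directory nor the program may be writable by anyone else.
    if loosely_writable "$dir"; then
        echo "$prog: cgi-bin directory is group- or world-writable"; rc=1
    fi
    if loosely_writable "$prog"; then
        echo "$prog: program is group- or world-writable"; rc=1
    fi
    # Must be owned by the user running the check.
    if [ -z "$(find "$prog" -prune -user "$(id -u)" -print)" ]; then
        echo "$prog: not owned by $(id -un)"; rc=1
    fi
    # Must not be setuid or setgid.
    if [ -u "$prog" ] || [ -g "$prog" ]; then
        echo "$prog: setuid or setgid bit is set"; rc=1
    fi
    # Filename must end in .cgi.
    case $prog in
        *.cgi) ;;
        *) echo "$prog: filename does not end in .cgi"; rc=1 ;;
    esac
    return $rc
}

# Check every path given on the command line.
for f in "$@"; do check_cgi "$f" || :; done
```

The ownership and writability checks are the same two conditions the server applies to .php files, so `loosely_writable` can be reused on those as well.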

computing/web/web_publishing/dynamic_content.txt · Last modified: 2015/01/29 14:43 by allan