An Introduction to CGI - The Common Gateway Interface

by Jay Eckles

Choosing a language

The language used to write gateway programs may be any language that can be run on the host machine and operating system; the language must also be able to read from the standard input stream, output to the standard output stream, and read environment variables. Almost all programming and scripting languages provide this minimal functionality. The most common languages used for CGI include Perl, C, C++, and various Unix shells. Other languages that are also well suited to CGI programming include Basic, Pascal, Fortran, Tcl/Tk, Python, etc. Some people have successfully written CGI gateway programs in other languages including Server-Side JavaScript (LiveScript or Livewire), Visual Basic, VBScript, and AppleScript. The list is endless.

The choice of language used to write your CGI programs can be based on a number of factors:

  1. Performance: As most experienced developers know, most compiled languages are faster than interpreted script languages. Part of this has to do with the overhead involved in initiating a copy of the interpreter necessary to execute programs written in scripting languages like Perl. If you have a lot of traffic on a site, then continually starting new instances of the script interpreter can take its toll on the server; it's not an efficient process. Many sites, however, do not have enough traffic for this to be a real concern. Another part of this reality is the fact that compilers can create optimized native code for the platform on which they are compiling. Most of the time, this difference in performance is not the make-or-break issue for the developer in choosing a language.
  2. Security: In general, the bulk of security problems come from programming errors and a lack of understanding of the environment in which a CGI exists and runs. Generally it is said that a compiled language is inherently more secure. A program in a compiled language is compiled into a binary file which can be placed in the cgi-bin or other world-readable directory, while the source goes into a private directory. With an interpreted language, you run the risk of the source being retrieved, since it in fact resides in a world-readable directory. A properly configured web server helps with this problem, but the risk will always exist. Also, scripting languages require the use of an interpreter program, and this interpreter may itself contain bugs that are security holes. Compiled languages can also have built-in security risks, though. One such risk is buffer overflow: a crafty hacker can take advantage of overflows to cause problems on your machine. In C and C++ you must always check to make sure you are not assigning more data to a buffer than it can hold. Perl, on the other hand, automatically checks buffer sizes and dynamically allocates more space as needed, thus eliminating this problem. Also, Perl contains a feature called taint-checking that catches many potential security problems in a script. If security is an issue (and it should be), you should concentrate more on logic errors in your own code that open security holes than on the built-in problems of the language.
  3. Reliability: You should use a language that has proven stability on the platform that you are using. Perl is in its 5th version and is very stable on Unix platforms. A port has been made to Win32 and is being proven very stable and well-designed, but it still may have some bugs to work out. The Macintosh port of Perl 5 is, however, a newer product and has incompatibilities with other versions of Perl and does not implement all of the Perl specification. Thus, a single programming language is shown to have varying degrees of stability on 3 different platforms. The best decision to make in terms of stability is to use a language with which you as a programmer are comfortable and confident. If you have used MacPerl for several projects, tested and used them thoroughly, and never had a problem, then you should feel confident using MacPerl for your CGI programs. However, if you're writing on UNIX, then AppleScript probably isn't a good choice for you, even if some obscure port of the AppleScript interpreter exists for UNIX.
  4. Maintainability, etc.: This is often the main concern for CGI developers. Many programmers use interpreted languages for CGI gateway programs because they are easier to read, understand, maintain, test, and debug. However, others like to use compiled languages like C and C++ because they have development tools for them; MSVC++ and Borland C++ are examples of IDEs that make developing and maintaining programs easy. Choose a language that you believe will be the easiest to work with.
  5. Portability: Portable code is a fundamental of good CGI program design. The reasons are varied but compelling: you may move your web server to a different platform in the future, you may distribute your program, you may have to port your program to an upgraded version of your OS, etc. Interpreted scripting languages are often a very good choice in this respect because the interpreter will probably be ported to several different platforms (e.g. Perl). CGI programs written in compiled languages will at the very least have to be recompiled every time they are moved to a different platform. If any system-specific functions or libraries are used, the parts of the code utilizing them will have to be redesigned and/or rewritten.
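
The buffer check described under Security above, applied to a C gateway program that reads a POST body from standard input. This is an added example, not code from the original tutorial; the function names and the 1024-byte cap (`MAX_BODY`) are assumptions chosen for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_BODY 1024  /* assumed cap for this example; size it to your form */

/* Parse CONTENT_LENGTH strictly: decimal digits only, no sign, no trailing
 * bytes, and no larger than max. Returns 0 and sets *out, or -1 to reject. */
int parse_content_length(const char *s, size_t max, size_t *out)
{
    char *end;
    unsigned long n;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;               /* missing, empty, signed or non-numeric */
    errno = 0;
    n = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || n > max)
        return -1;               /* overflow, trailing bytes, or too big */
    *out = (size_t)n;
    return 0;
}

/* Read a POST body from `in` into buf (bufsize bytes, NUL included).
 * The unsafe pattern this replaces is
 *     fread(buf, 1, atoi(getenv("CONTENT_LENGTH")), stdin);
 * where the client, not the buffer, decides how many bytes are written.
 * Returns the body length, or -1 if the request must be refused. */
long read_body(FILE *in, const char *cl_env, char *buf, size_t bufsize)
{
    size_t want;
    if (bufsize == 0 || parse_content_length(cl_env, bufsize - 1, &want) != 0)
        return -1;
    if (fread(buf, 1, want, in) != want)
        return -1;               /* short read: body shorter than declared */
    buf[want] = '\0';
    return (long)want;
}

int main(void)
{
    char body[MAX_BODY + 1];
    long n = read_body(stdin, getenv("CONTENT_LENGTH"), body, sizeof body);
    if (n < 0) {
        fputs("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
              "bad or oversized request body\n", stdout);
        return 0;
    }
    printf("Content-Type: text/plain\r\n\r\nreceived %ld bytes\n", n);
    return 0;
}
```

The length the client declares is checked against the buffer before a single byte is copied, so an oversized or malformed `CONTENT_LENGTH` is refused rather than truncated or trusted.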

You must choose your language based on the problem at hand. The best advice "in a nutshell" is to just use the language with which you are most familiar and comfortable. Decide what factors are most important to you before you begin development, and choose a language accordingly.



If you have any questions or would like to contact me for any reason, please email me at j.eckles@computer.org.