Dynamic Content Methods Compared

There are many ways to create dynamic content for a web server, and CGI programming is just one of them.  Each of these methods has their own advantages and disadvantages.  A developer needs to choose the method that best suits their needs, and skills.

Dynamic content methods can be divided into two main categories, server side programming, and client side programing.  (Though a given web site may use a mix of these methods even on a single page).  With server side programming, the programs that generate the content execute on the web server itself, with client side programming, the programs are downloaded to the web browser, and execute on the client computer.

Advantages of Server Side Programming:

Disadvantages of Server Side Programming:

Advantages of Client Side Programming:

Disadvantages of Client Side Programming:

Summary of Common Dynamic Content Methods    
Method Client or Server Side Portability Highlights: Security
Java Applets Client side execution Good. Supported in Netscape and IE.

Standards still evolving, but well accepted.

Java Applets are Java code written using the "applet" class library. Java applets can use Java class libraries that allow for complex user interfaces and good code reuse.

Commonly used by software vendors to create portable user interfaces for networking equipment, or to control server based software. (For example: Veritas, EMC, Netscape iPlanet, etc

Learning curve can be high. Used more often for complex interfaces and programs than for short programs.
The "applet" class library enhances security by running applications in a "sandbox", isolating them from direct access to the client system's resources.

Security is good in theory, but bugs in different Java VM implementations have led to exploits.
Java Script Client side execution Fair.

Supported in modern versions of both Netscape and IE.

Seems to be more subject to browser specific problems than Java.
Java Script, in spite of it's name, has very little relationship with Java. Their syntaxes are similar, and both are object oriented. The biggest thing they have in common is the word Java in their names.

Commonly used in conjunction with server side processing to improve user interfaces or to add some zest to otherwise static content.
Security is good in theory, since Java Script is prevented from accessing local client resources, but bugs in different browsers have led to exploits.
Active X Client side executions. Poor.

Natively supported only in IE, though plug-ins for some versions of Netscape running on some platforms (but not for Unix) are available.
Active X was Microsoft's original answer to Java and Java Script.

Active X can be used to replicate MS-Windows interfaces. Active X can also have full access to local client resources. This allows for powerful web based applications, but can be a major security problem.

Active X security is poor from both a theoretical and de-facto point of view.

Active X's ability to access local resources can be limited, but the same behavior that makes users click on executable email attachments makes them likely to click "OK" when encountering unknown ActiveX applications.

The nature of ActiveX also has allowed for more security related bugs even when using supposedly safe ActiveX features.
ActiveX code has placed an "active" part in many security exploits and email viruses.
ASP Server side execution. Poor. natively supported only in the MS IIS web server. A plug in from ChilliSoft allows for ASP execution on other web server platforms. ASP is a powerful server side technology well supported by Microsoft. The technology can have a steep learning curve, which makes it more commonly used for large scale or complex applications. However, it's integration with other Microsoft products and APIs makes for an easier transition for many experienced Windows developers.
ASP applications can be written in Visual C++ or Visual Basic.


Creates no greater risk to client side of the connection than standard HTML.

Server side security is dependant on the quality of code written by the developers and on the configurations done by the web master/administrator.

Flaws in default IIS configurations and in ASP utilities have resulted in server security breaches.
Lotus Notes/Domino Server Side Execution Fair. Notes/Domino web applications can only run on Domino web servers. However, Domino is available on a wide variety of platforms, including NT, Unix, and OS/400. Lotus /IBM have expanded the capabilities of Notes/Domino over the years. It was originally a conventional 2 tier client server technology. The client software is Lotus Notes, and the server side back end software is called Domino.

Domino is now a web enabled server, and server side programs can be written that work within either a Notes client or web browser client.

It's integration with Domino can make for rapid software development and powerful group collaboration tools.
Good. Security is dependant on the quality of code written by developers and on the configurations done by the web master/administrator.
PHP Server side execution Good.

Supported as a plug in for all major (and most minor) web servers.
PHP most commonly competes with CGI in developer mind share. Both are open standards, supported on a variety of platforms.

Some server side execution methods take the approach of embedding HTML inside of programs. PHP however takes the approach of embedding PHP code into HTML.

This approach can make it easier to use PHP for adding dynamic content to mostly static pages, but PHP is also suited for more complex applications.

One strong point of PHP is its ability to easily interact with back end databases. It also can have high performance

Security is dependant on the quality of code written by developers and on the configurations done by the web master/administrator.

Java Servelets Server side execution Good.

Supported in a variety of web servers, and supported with several application server frameworks.
These include IBM's Web Sphere, BEA Web Logic, and Netscape/iPlanet application server.
Java coding for Servelets is just a different flavor of Java coding than coding for Java Applets. Java Servelets are not instances of the applet class, so they are not limited by the sandbox/security features of an applet.

They have full access to the resources of the server as any other server side process does.

Java application server frameworks provide libraries of code that allow for easier development using standard interfaces. These libraries typically include pre-coded objects such as data base interfaces, shopping carts, and catalogs.

Application security dependant on the the quality of code written by developers and on the configurations done by the web master/administrator.
CGI Bin Server side execution Excellent

Supported natively in all major web servers (and most minor ones) on all major platforms.

CGI Programming can be done using a wide variety of languages, which helps give it one of the lowest learning curves of the different dynamic content methods. Developers can typically use any language that they are familiar with, though some are better suited to CGI than others.

Because of it's popularity and wide support, expertise, example code, and freely available code libraries are widely available.

Very poor to Good.

Security is dependant on the quality of code written by developers and on the configurations done by the web master/administrator.

If standard security practices are followed, security can be very good, but if they are not followed, security can be very poor.

Next Previous Overview

Copyright 2001 - Andy Welter