Why Server-Side?
Client-side code runs in a browser where code and data are visible to the user. Sensitive work — authentication, payment, database queries, business rules — must run on a server, away from the user's machine.
Popular Server-Side Languages
- PHP — embedded in HTML, easy to deploy, runs most of the world's CMS sites (WordPress).
- Node.js (JavaScript) — fast event loop, huge npm ecosystem.
- Python (Django, Flask, FastAPI) — clean syntax, strong for data and AI.
- Ruby on Rails — convention over configuration.
- Java (Spring), C# (.NET) — enterprise-scale.
Web Server Flow
A typical request-response cycle:
- Browser sends HTTP request.
- Web server (Nginx/Apache) routes to application.
- Application code queries database, renders template.
- Response returns to browser.
PHP Example
```php
<?php
// Read the posted name (empty string if absent) and escape it before it is echoed into HTML
$name = htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES, 'UTF-8');
echo "Hello, $name";
?>
```

PHP files mix HTML and code. Always escape output with htmlspecialchars to prevent XSS.
Node.js with Express
```javascript
const express = require('express');
const app = express();
app.get('/hello', (req, res) => {
  // Respond as plain text so a name containing markup is not rendered as HTML
  res.type('text/plain').send('Hi ' + (req.query.name ?? ''));
});
app.listen(3000);
```

Python with Flask
```python
from flask import Flask

app = Flask(__name__)

@app.route('/hello')
def hello():
    return 'Hello'

if __name__ == '__main__':
    app.run()
```

Databases
Server-side apps almost always talk to a database:
- Relational (SQL): MySQL, PostgreSQL, Oracle, SQL Server. Schema-based, support joins and transactions.
- NoSQL: MongoDB (document), Redis (key-value), Cassandra (wide-column), Neo4j (graph).
SQL Basics
```sql
CREATE TABLE users (
  id INT PRIMARY KEY AUTO_INCREMENT,   -- MySQL syntax; PostgreSQL uses SERIAL or IDENTITY
  name VARCHAR(50),
  email VARCHAR(100) UNIQUE
);
INSERT INTO users (name, email) VALUES ('Alice', '[email protected]');
SELECT * FROM users WHERE name = 'Alice';
UPDATE users SET name = 'Bob' WHERE id = 1;
DELETE FROM users WHERE id = 1;
```

Connecting from Code
Always use prepared statements to avoid SQL injection.
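As an added example, not code from the original notes, here is the string-built query beside its prepared-statement form, run in Python against a constructed in-memory SQLite copy of the users table: the weak form returns every row when the input contains a closing quote and an always-true condition, while the bound form can only ever compare the input as an email. The last function shows the caveat that placeholders bind values, not identifiers, so a client-chosen sort column needs an allowlist instead; function names and sample rows are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows; the schema mirrors the users table in the SQL Basics section.
SAMPLE_USERS = [("Alice", "alice@example.test"), ("Bob", "bob@example.test")]

# Only these column names may ever be spliced into an ORDER BY clause.
ALLOWED_SORT_COLUMNS = {"name", "email"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT UNIQUE)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_by_email_unsafe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Weak form: the input is spliced into the SQL text, so a quote in the
    input changes the query's structure instead of being treated as data."""
    sql = f"SELECT name FROM users WHERE email = '{email}'"
    return [row[0] for row in conn.execute(sql)]


def find_by_email_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Prepared statement: the SQL text is fixed and the driver binds the value,
    so whatever the input contains, it is only ever compared as an email."""
    sql = "SELECT name FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list[str]:
    """Caveat: placeholders bind values, not identifiers. A client-chosen column
    name must be checked against an allowlist before it is spliced into the SQL."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    return [row[0] for row in conn.execute(f"SELECT name FROM users ORDER BY {column}")]


if __name__ == "__main__":
    db = make_db()
    print(find_by_email_safe(db, "alice@example.test"))  # ['Alice']
    print(list_users_sorted(db, "email"))                # ['Alice', 'Bob']
```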
```php
// PHP (PDO): the ? placeholder is bound by the driver, never spliced into the SQL text
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
$stmt->execute([$email]);
```

```javascript
// Node.js (mysql2): values are passed as an array; query() escapes them client-side,
// execute() sends a true server-side prepared statement
conn.query('SELECT * FROM users WHERE email = ?', [email], cb);
```

Sessions and Cookies
HTTP is stateless. Sessions give continuity across requests. On login, the server stores session data and sends a session-ID cookie; the browser returns the cookie on each request. In PHP: session_start() / $_SESSION['user'].
Authentication
Typical login flow:
- User submits email + password.
- Server verifies the submitted password against the stored hash (bcrypt, argon2): it hashes the input with the salt and parameters stored alongside the hash and compares the result.
- On match, create session or JWT and return a cookie.
- On each request, verify the session/JWT.
Authorization and Access Control
Roles (admin, editor, user) or permissions drive what each user can do. Always check on the server; never trust the client.
Templating
Server-side frameworks render HTML from templates: PHP has Blade/Twig, Node uses EJS/Handlebars/Pug, Python uses Jinja2.
REST APIs
Modern apps expose APIs using HTTP + JSON. A RESTful endpoint maps HTTP methods to CRUD:
| Method | Action |
|---|---|
| GET /users | List |
| GET /users/1 | Read |
| POST /users | Create |
| PUT /users/1 | Replace |
| PATCH /users/1 | Update |
| DELETE /users/1 | Remove |
Security Checklist
- Prepared statements against SQL injection.
- Hash passwords (bcrypt/argon2).
- Escape output against XSS.
- HTTPS everywhere.
- CSRF tokens on forms.
- Principle of least privilege for DB users.
Summary
Server-side code safeguards data, enforces rules, and integrates with databases. Choose a language and framework that match your team's skill, connect safely to a database, manage sessions, and expose REST APIs for client applications.
Important Questions
- Why is server-side scripting needed?
- Compare PHP, Node.js, and Python for web development.
- Write the steps of an HTTP request-response cycle.
- Write SQL to create a users table and insert one row.
- What is SQL injection? How is it prevented?
- Explain session-based authentication.
- What is a REST API? Map HTTP methods to CRUD.
- List five server-side security practices.