How can I run a script/subroutine on a Web Server and have that subroutine remain private (eg. Key Generator)?

softwareengineering.stackexchange https://softwareengineering.stackexchange.com/questions/261086

  •  05-10-2020

Question

My Problem: I have been tasked with re-implementing a software key generator routine on an external web server running cPanel v.11.44.1.18. Currently, the key generator is implemented using a proprietary Database Management System (DBMS) which we run on a local server.

We want to relegate the key generator functionality to an external web server so that we can use our local server for something entirely different. So essentially, I have the algorithm written in a proprietary language, and I need to choose a cPanel supported environment on our external webserver to re-implement the algorithm in such a way that it can be called by the client's browser, updating a database, without the client being able to download the subroutine and view the code.

Our cPanel Hosting Package Offers Support For:

  • MySQL Databases
  • Ruby on Rails
  • Ruby Gems
  • Perl
  • CGI
  • PHP

My Research Shows:

I can create a Perl script and execute it as (or through) a CGI file.

My (unsure) Idea for Implementation:

  • Implement the database back-end using MySQL
  • Implement the keygen subroutine and database update subroutine using a custom Perl module(s)
  • Make the Perl module readable/executable by the web server, but hidden from everyone else
  • Use a CGI script as an interface between the client browser and the keygen Perl module

What I would really appreciate is someone with some expertise on this kind of arrangement to tell me:

  • If what I am thinking is possible (i.e. am I on the right track)
  • If there are any errors in my logic
  • If there is a better way to do this
  • What permissions I should use to make the script non-hackable

This would be much easier (because there would be a lot more options) if we were using a Virtual Private Server (VPS) as our webserver, but we are limited to our hosting package and the cPanel features it offers. I would appreciate any help/advice I can get.


Solution

I think your approach is broadly sound.

I wouldn't go down the route of using an MVC framework, it's a bit of an overkill for this kind of thing. If you're using, for example, Perl's CGI module, then the output of the key as a simple text string or JSON string etc. is very simple, you just ask the CGI script to output a content header and the content as print strings, or the equivalent CGI output calls in your CGI scripts.

So, your CGI script does everything - it uses the DB connector (DBD::mysql through DBI), the function to calculate the next key is also defined in that single script, and a simple few lines to print the header to STDIO along with the key, and that's all you need.

If you think you might change the key generation code or use it elsewhere then modularise it, otherwise just define it inline.

If your web server is set to execute Perl scripts in a given directory then nobody will be able to read the source anyway; it just gets executed by the server and the output (to STDOUT, so anything 'print'ed) is sent as the response to the client. The server will deal with setup and teardown of memory etc. Simple!
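The single-script arrangement the answer describes, as an added example that is not part of the original answer or the asker's system. The table `issued_keys`, the config path, the `customer` parameter and the HMAC-based `make_key` are assumptions; the page does not show the real algorithm.

```perl
#!/usr/bin/perl
# Added example, not the answerer's code. Table, path and key format are assumptions.
use strict;
use warnings;
use CGI ();
use DBI ();
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: DSN, DB login and secret sit in a 0600 file outside the web root,
# so they are not served even if the server stops executing .cgi files.
my $CONF = '/home/example/private/keygen.conf';    # hypothetical path

sub load_conf {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open config\n";
    my %c;
    while (my $line = <$fh>) {
        chomp $line;
        my ($k, $v) = split /=/, $line, 2;    # limit 2: a DSN contains '='
        $c{$k} = $v if defined $v;
    }
    return \%c;
}

# Stand-in for the proprietary algorithm, which the page does not show.
sub make_key {
    my ($secret, $customer, $serial) = @_;
    my $hex = uc(substr(hmac_sha256_hex("$customer:$serial", $secret), 0, 20));
    return join '-', $hex =~ /(.{5})/g;       # four groups of five characters
}

sub main {
    my $q        = CGI->new;
    my $customer = $q->param('customer') // '';
    if ($customer !~ /\A[A-Za-z0-9_-]{1,32}\z/) {    # validate before any use
        print $q->header(-type => 'text/plain', -status => '400 Bad Request');
        print "invalid customer\n";
        return;
    }
    my $conf = load_conf($CONF);
    # RaiseError makes DB failures die; the detail goes to the server error log.
    my $dbh = DBI->connect($conf->{dsn}, $conf->{user}, $conf->{pass},
                           { RaiseError => 1, PrintError => 0 });
    # Placeholders keep the request value out of the SQL text.
    $dbh->do('INSERT INTO issued_keys (customer) VALUES (?)', undef, $customer);
    my $serial = $dbh->last_insert_id(undef, undef, 'issued_keys', 'id');
    my $key    = make_key($conf->{secret}, $customer, $serial);
    $dbh->do('UPDATE issued_keys SET license_key = ? WHERE id = ?', undef, $key, $serial);
    $dbh->disconnect;
    print $q->header(-type => 'text/plain', -charset => 'utf-8'), "$key\n";
}

main();
```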

Licensed under: CC-BY-SA with attribution