I'm currently building an affiliate program (a bit like CJ) with Paypal checkout. When people sign up as an affiliate (=to sell their own products from their own website) they receive 2 php lines that they have to insert into their shop.

In the header:

<?php include 'http://www.mydomain.com/tracker/tracker.php?xyz='.$_GET[xyz]; ?>

In the Paypal button:

<input type="text" name="notify_url" 
    value ="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>" +
    style="width:1px; height:1px; border:0">

The first part basically sets the cookie while the second forwards a return url to Paypal so that when someone decides to buy, this gets returned to us. I've not made the second part hidden as I want to be able to check whether the affiliates have really added the code.

This all works fine in simple hand-written PHP but it all goes wrong when these affiliates are using databases. Their scripts will then probably echo something like $row['paypal'] which will literally show the inserted lines and not parse the $_GET.

I have absolutely no clue as to how this gets resolved. If possible I would like something that I could fix on my side as I don't want to annoy my affiliates with lots of customization on their side as they are mainly non-technical people.

A: 

Sorry about that, the second part should have been:

<input type="text" name="notify_url" value ="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>" style="width:1px; height:1px; border:0">

You can edit your question, code has 4 spaces in front of it.
Ólafur Waage
+1  A: 

they receive 2 php lines that they have to insert into their shop.

This is incredibly dodgy. include() drags in code from the given URL and executes it.

I would never allow an affiliate network to add PHP code to my application: this gives an external site total control over my application and database. This is especially unacceptable running over unencrypted HTTP: any man-in-the-middle attack can immediately compromise the server. Also if you have a cross-site-scripting hole in your tracker.php, any end user can completely compromise the customer site.

I strongly advise finding a less insecure way to interface your network with third-party apps.

If you are only intending to return HTML to be shown in the final page, and not PHP code, you can do that using readfile(), or the more usual method which is to have the affiliate insert a client-side <script> tag pointed at your site.

<?php include 'http://www.mydomain.com/tracker/tracker.php?xyz='.$_GET[xyz]; ?>

You should also be using urlencode() so that any URL-special characters in the parameter are correctly escaped.

value="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>"

And here, plus you should, like any time you output any text content to HTML, be using htmlspecialchars() to encode HTML-special characters. Otherwise you are vulnerable to cross-site scripting attacks.

There's not really, at the moment, enough information in your question to diagnose exactly what some of your affiliates are doing wrong. More concrete examples would be of use. But from what you've posted so far I have huge concerns about the security of your system at the most basic level.

bobince
A: 

Thank you for your elaborate answer bobince.

I understand your point that people may not like to include PHP files on their pages. Therefore I have deleted part 1 and replaced it with a redirect URL and cookies. Evidently in the real script I also protect against SQL injection.

However my main issue still remains. In order to track a sale with Paypal, I need to add one input field to the Paypal buttons on the websites. This would look something like this:

<input type="text" name="notify_url" value="http://www.artinthepicture.com/sellmyart/ipn.php?xyz=<?php echo $_GET['xyz'] ?>" style="width:1px; height:1px; border:0">

No security issues there as nothing strange can happen. The main problem is that a lot of issues may appear with the code from the users. If, for example, they use a mysql database to build their shop they will probably have a separate field for the paypal button. Now if they echo this paypal button, the extra input field will look exactly like above. And that is a problem since the $_GET[xyz] will not parse then.

[Edit: cannot comment due to low rank]

There *is* a security issue there without htmlspecialchars: imagine a third party directs a user to a URL with parameter “?xyz="><script>...malicious JavaScript...</script>”. The site echoes that into their HTML and is victim to cross-site-scripting.
bobince
If they try putting a string in their database with PHP embedded in it, I think it's fair to say they're doing it so very wrong there's basically nothing you can do to fix it. But shouldn't ‘xyz’ normally be a static affiliate code anyway?
bobince
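The two fixes bobince's answer and final comment call for (urlencode() for the query string, htmlspecialchars() for the HTML attribute, and treating xyz as a static affiliate code rather than arbitrary input) put together in one snippet. This is an added example, not code from any post on this page. It assumes the ipn.php URL from the question and a hypothetical affiliate-code format (letters, digits, dash, underscore, up to 32 characters); the function names are invented for the example.

```php
<?php
// Added example (not from the original question or answers).
// Assumption: the IPN endpoint is the one named in the question.
const IPN_BASE = 'http://www.mydomain.com/ipn.php';

// The shape of the snippet from the question: the raw $_GET value lands
// inside a value="" attribute. A parameter such as  "><script>...  closes
// the attribute and injects markup, which is the XSS bobince describes.
function notifyUrlInputUnsafe(string $xyz): string {
    return '<input type="text" name="notify_url" value="'
        . IPN_BASE . '?xyz=' . $xyz
        . '" style="width:1px; height:1px; border:0">';
}

// Assumed affiliate-code format: a static identifier, not free text.
// Anything else is rejected and no tracking field is emitted.
function affiliateCode(?string $raw): ?string {
    if ($raw === null || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Hardened form: validated, URL-encoded for the query string, then
// HTML-encoded for the attribute context it is written into.
function notifyUrlInputSafe(?string $raw): string {
    $code = affiliateCode($raw);
    if ($code === null) {
        return '';
    }
    $url = IPN_BASE . '?xyz=' . urlencode($code);
    return '<input type="text" name="notify_url" value="'
        . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
        . '" style="width:1px; height:1px; border:0">';
}

// Demonstration with a constructed hostile parameter.
$hostile = '"><script>alert(1)</script>';
echo notifyUrlInputUnsafe($hostile), "\n"; // attribute broken out of, script tag injected
echo notifyUrlInputSafe($hostile), "\n";   // empty string: rejected by affiliateCode()
echo notifyUrlInputSafe('AFF-1234'), "\n"; // clean field with xyz=AFF-1234
```

Run it with `php example.php` (PHP 7.1 or later for the nullable type hints). Either layer on its own would block the quoted payload; keeping both means the encoding protects the HTML even if the code format is later relaxed, and the validation keeps ipn.php from ever seeing a value that is not an affiliate code.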