I'm currently building an affiliate program (a bit like CJ) with Paypal checkout. When people sign up as an affiliate (=to sell their own products from their own website) they receive 2 php lines that they have to insert into their shop.
我目前正在使用Paypal结账建立联盟计划(有点像CJ)。当人们注册成为联盟会员(=从他们自己的网站销售他们自己的产品)时,他们会收到2条php行,他们必须将这些行插入他们的商店。
In the header:
在标题中:
<?php include 'http://www.mydomain.com/tracker/tracker.php?xyz='.$_GET[xyz]; ?>
In the Paypal button:
在Paypal按钮:
<input type="text" name="notify_url"
value ="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>" +
style="width:1px; height:1px; border:0">
The first part basically sets the cookie while the second forwards a return url to Paypal so that when someone decides to buy, this gets returned to us. I've not made the second part hidden as I want to be able to check whether the affiliates have really added the code.
第一部分基本上设置cookie,而第二部分将返回URL转发给Paypal,这样当有人决定购买时,这会返回给我们。我没有隐藏第二部分,因为我希望能够检查附属公司是否真的添加了代码。
This all works fine in simple hand-written PHP but it all goes wrong when these affiliates are using databases. Their scripts will then probably echo something like $row['paypal'] which will literally show the inserted lines and not parse the $_GET.
这一切都可以在简单的手工编写PHP中正常工作,但当这些关联企业使用数据库时,这一切都会出错。然后他们的脚本可能会回显类似$ row ['paypal']的东西,它会逐字显示插入的行而不解析$ _GET。
I have absolutely no clue as to how this gets resolved. If possible I would like something that I could fix on my side as I don't want to annoy my affiliates with lots of customization on their side as they are mainly non-technical people.
我完全不知道如何解决这个问题。如果可能的话,我想要一些我可以解决的问题,因为我不想惹恼我的附属公司,因为他们主要是非技术人员。
3 个解决方案
#1
they receive 2 php lines that they have to insert into their shop.
他们收到2个php行,他们必须插入他们的商店。
This is incredibly dodgy. include() drags in code from the given URL and executes it.
这令人难以置信的狡猾。 include()拖动给定URL的代码并执行它。
I would never allow an affiliate network to add PHP code to my application: this gives an external site total control over my application and database. This is especially unacceptable running over unencrypted HTTP: any man-in-the-middle attack can immediately compromise the server. Also if you have a cross-site-scripting hole in your tracker.php, any end user can completely compromise the customer site.
我永远不会允许联盟网络将PHP代码添加到我的应用程序:这使外部站点可以完全控制我的应用程序和数据库。这对于未加密的HTTP运行尤其不可接受:任何中间人攻击都可能立即危及服务器。此外,如果tracker.php中有跨站点脚本漏洞,任何最终用户都可能完全破坏客户站点。
I strongly advise finding a less insecure way to interface your network with third-party apps.
我强烈建议找到一种不太安全的方式来将您的网络与第三方应用程序连接起来。
If you are only intending to return HTML to be shown in the final page, and not PHP code, you can do that using readfile(), or the more usual method which is to have the affiliate insert a client-side <script> tag pointed at your site.
如果您只想返回HTML以显示在最终页面而不是PHP代码中,您可以使用readfile()或更常用的方法来使联盟会员插入客户端
<?php include 'http://www.mydomain.com/tracker/tracker.php?xyz='.$_GET[xyz]; ?>
You should also be using urlencode() so that any URL-special characters in the parameter are correctly escaped.
您还应该使用urlencode(),以便正确转义参数中的任何URL特殊字符。
value="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>"
And here, plus you should, like any time you output any text content to HTML, be using htmlspecialchars() to encode HTML-special characters. Otherwise you are vulnerable to cross-site scripting attacks.
在这里,加上你应该像任何时候输出任何文本内容到HTML一样,使用htmlspecialchars()来编码HTML特殊字符。否则,您很容易受到跨站点脚本攻击。
There's not really, at the moment, enough information in your question to diagnose exactly what some of your affiliates are doing wrong. More concrete examples would be of use. But from what you've posted so far I have huge concerns about the security of your system at the most basic level.
目前,您的问题中没有足够的信息来准确诊断您的某些关联公司的错误。更具体的例子是有用的。但是根据您发布的内容,我对最基本级别的系统安全性抱有很大的担忧。
#2
Sorry about that, the second part should have been:
对不起,第二部分应该是:
<input type="text" name="notify_url" value ="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>" style="width:1px; height:1px; border:0">
#3
Thank you for your elaborate answer bobince.
谢谢你精心回答的问题。
I understand your point that people may not like to include php files on their pages. Therefore I have deleted part 1 and changed it with a redirect url and cookies. Evidently in the real script I also protect against SQL injection.
我理解你的观点,人们可能不喜欢在他们的页面上包含php文件。因此,我删除了第1部分,并使用重定向网址和Cookie更改了它。显然在真实的脚本中我也可以防止SQL注入。
However my main issue still remains. In order to track a sale with Paypal, I need to add one input field to the Paypal buttons on the websites. This would look something like this:
但是我的主要问题仍然存在。为了使用Paypal跟踪销售,我需要在网站上的Paypal按钮中添加一个输入字段。这看起来像这样:
<input type="text" name="notify_url" value
="http://www.artinthepicture.com/sellmyart/ipn.php?xyz=<?php echo $_GET['xyz'] ?>" style="width:1px; height:1px; border:0">
No security issues there as nothing strange can happen. The main problem is that a lot of issues may appear with the code from the users. If, for example, they use a mysql database to build their shop they will probably have a separate field for the paypal button. Now if they echo this paypal button, the extra input field will look exactly like above. And that is a problem since the $_GET[xyz] will not parse then.
没有任何安全问题可以发生。主要问题是用户的代码可能会出现很多问题。例如,如果他们使用mysql数据库来构建他们的商店,他们可能会有一个单独的paypal按钮字段。现在如果他们回显这个paypal按钮,额外的输入字段将看起来与上面完全相同。这是一个问题,因为$ _GET [xyz]不会解析。
[Edit: cannot comment due to low rank]
[编辑:因低排名无法发表评论]
#1
they receive 2 php lines that they have to insert into their shop.
他们收到2个php行,他们必须插入他们的商店。
This is incredibly dodgy. include() drags in code from the given URL and executes it.
这令人难以置信的狡猾。 include()拖动给定URL的代码并执行它。
I would never allow an affiliate network to add PHP code to my application: this gives an external site total control over my application and database. This is especially unacceptable running over unencrypted HTTP: any man-in-the-middle attack can immediately compromise the server. Also if you have a cross-site-scripting hole in your tracker.php, any end user can completely compromise the customer site.
我永远不会允许联盟网络将PHP代码添加到我的应用程序:这使外部站点可以完全控制我的应用程序和数据库。这对于未加密的HTTP运行尤其不可接受:任何中间人攻击都可能立即危及服务器。此外,如果tracker.php中有跨站点脚本漏洞,任何最终用户都可能完全破坏客户站点。
I strongly advise finding a less insecure way to interface your network with third-party apps.
我强烈建议找到一种不太安全的方式来将您的网络与第三方应用程序连接起来。
If you are only intending to return HTML to be shown in the final page, and not PHP code, you can do that using readfile(), or the more usual method which is to have the affiliate insert a client-side <script> tag pointed at your site.
如果您只想返回HTML以显示在最终页面而不是PHP代码中,您可以使用readfile()或更常用的方法来使联盟会员插入客户端
<?php include 'http://www.mydomain.com/tracker/tracker.php?xyz='.$_GET[xyz]; ?>
You should also be using urlencode() so that any URL-special characters in the parameter are correctly escaped.
您还应该使用urlencode(),以便正确转义参数中的任何URL特殊字符。
value="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>"
And here, plus you should, like any time you output any text content to HTML, be using htmlspecialchars() to encode HTML-special characters. Otherwise you are vulnerable to cross-site scripting attacks.
在这里,加上你应该像任何时候输出任何文本内容到HTML一样,使用htmlspecialchars()来编码HTML特殊字符。否则,您很容易受到跨站点脚本攻击。
There's not really, at the moment, enough information in your question to diagnose exactly what some of your affiliates are doing wrong. More concrete examples would be of use. But from what you've posted so far I have huge concerns about the security of your system at the most basic level.
目前,您的问题中没有足够的信息来准确诊断您的某些关联公司的错误。更具体的例子是有用的。但是根据您发布的内容,我对最基本级别的系统安全性抱有很大的担忧。
#2
Sorry about that, the second part should have been:
对不起,第二部分应该是:
<input type="text" name="notify_url" value ="http://www.mydomain.com/ipn.php?xyz=<?php echo $_GET[xyz]; ?>" style="width:1px; height:1px; border:0">
#3
Thank you for your elaborate answer bobince.
谢谢你精心回答的问题。
I understand your point that people may not like to include php files on their pages. Therefore I have deleted part 1 and changed it with a redirect url and cookies. Evidently in the real script I also protect against SQL injection.
我理解你的观点,人们可能不喜欢在他们的页面上包含php文件。因此,我删除了第1部分,并使用重定向网址和Cookie更改了它。显然在真实的脚本中我也可以防止SQL注入。
However my main issue still remains. In order to track a sale with Paypal, I need to add one input field to the Paypal buttons on the websites. This would look something like this:
但是我的主要问题仍然存在。为了使用Paypal跟踪销售,我需要在网站上的Paypal按钮中添加一个输入字段。这看起来像这样:
<input type="text" name="notify_url" value
="http://www.artinthepicture.com/sellmyart/ipn.php?xyz=<?php echo $_GET['xyz'] ?>" style="width:1px; height:1px; border:0">
No security issues there as nothing strange can happen. The main problem is that a lot of issues may appear with the code from the users. If, for example, they use a mysql database to build their shop they will probably have a separate field for the paypal button. Now if they echo this paypal button, the extra input field will look exactly like above. And that is a problem since the $_GET[xyz] will not parse then.
没有任何安全问题可以发生。主要问题是用户的代码可能会出现很多问题。例如,如果他们使用mysql数据库来构建他们的商店,他们可能会有一个单独的paypal按钮字段。现在如果他们回显这个paypal按钮,额外的输入字段将看起来与上面完全相同。这是一个问题,因为$ _GET [xyz]不会解析。
[Edit: cannot comment due to low rank]
[编辑:因低排名无法发表评论]