Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

0

Affiliate Script help

Started by josiec09, Aug 11 2010 11:07 PM

You cannot reply to this topic
Go to first unread post

3 replies to this topic

#1 josiec09

Member

Members
12 posts

Posted 11 August 2010 - 11:07 PM

Ok this is part of an Affiliate script i am trying to working in to my site but i am having some troubles.

Note: This is was not made by me just going off a tutorial. I will fix all security bugs later.

I would contact the tutorial writer but it was a quest submitted one with no contact info.

My problem is this script is not increasing the hit count in my mysql database.

This can be used to ways, to count hits in, and hits out. For incomming hits, give your affiliates yourdomain.com/click.php?mode=in&id=theirid, for outgoing hits, it is taken care of in the show affiliates code. (Not posted!)

<?php           
// include the connect.php
include "connect.php";
// count clicks
$mode = $_GET['mode'];
// get the mode

// a switch is like a series of ifs and elses, but in less space, and more efficent
switch ($mode) {
    case "in":
        // for incomming hits, log and redirect to site index     
        // get id, and protect it
        $id = htmlspecialchars($_GET[id]);                                                               
        // check db
        $get = mysql_fetch_assoc(mysql_query("SELECT * FROM `affiliates` WHERE `id` = '$id' LIMIT 1"));    
        // increment hits
        $insert = mysql_query("UPDATE `affiliates` SET `in` = 'in+1' WHERE `id` = '$id'");    
        // redirect
        header("Location: http://yoursite.com");
    break;
    
    case "out":
        // for outbound hits, log and redirect to affiliates site       
        // get id and protect it
        $id = htmlspecialchars($_GET[id]);      
        // check db
        $get = mysql_fetch_assoc(mysql_query("SELECT * FROM `affiliates` WHERE `id` = '$id' LIMIT 1"));        
        // increment hits
        $insert = mysql_query("UPDATE `affiliates` SET `out` = 'out+1' WHERE `id` = '$id'");  
        // redirect
        header("Location: $get[url]");
    break;
}
?>

Mysql database:

CREATE TABLE `affiliates` (
`id` int(11) NOT NULL auto_increment,
`name` varchar(255) NOT NULL default '',
`banner` text NOT NULL,
`url` text NOT NULL,
`email` varchar(255) NOT NULL default '',
`in` int(11) NOT NULL default '0',
`out` int(11) NOT NULL default '0',
`active` int(1) NOT NULL default '0',
PRIMARY KEY (`id`)
) ENGINE=MyISAM;
-------------------------

Back to top

#2 Shoel

Administrator

Administrators
125 posts

Posted 12 August 2010 - 08:33 AM

Hi there,

Your problem most likely lies in the UPDATE queries there, they are not formed correctly to increment the value.

<?php
$insert = mysql_query("UPDATE `affiliates` SET `in` = 'in+1' WHERE `id` = '$id'");
?>

With the value enclosed in single quotes, it'll be treated as a string instead of being evaluated.. and being an int field, it'll most likely be set to 0 when the query is executed.

If you remove the single quotes like this:

<?php
$insert = mysql_query("UPDATE `affiliates` SET `in` = in+1 WHERE `id` = '$id'");
?>

Or alternatively enclose the name in backticks (keeping the +1 outside):

<?php
$insert = mysql_query("UPDATE `affiliates` SET `in` = `in`+1 WHERE `id` = '$id'");
?>

It should work.

- S.

PS: htmlspecialchars() is not designed to escape strings for safe queries. Use mysql_real_escape_string() instead. Your script is vulnerable.

Hi there! If you found this post useful, or used this information to help others, we would greatly appreciate a link back to our forum from your website/blog. Thanks! =)

Back to top

#3 josiec09

Member

Members
12 posts

Posted 14 August 2010 - 04:19 AM

Shoel, on 12 August 2010 - 08:33 AM, said:

Hi there,

Your problem most likely lies in the UPDATE queries there, they are not formed correctly to increment the value.

<?php
$insert = mysql_query("UPDATE `affiliates` SET `in` = 'in+1' WHERE `id` = '$id'");
?>

With the value enclosed in single quotes, it'll be treated as a string instead of being evaluated.. and being an int field, it'll most likely be set to 0 when the query is executed.

If you remove the single quotes like this:

<?php
$insert = mysql_query("UPDATE `affiliates` SET `in` = in+1 WHERE `id` = '$id'");
?>

Or alternatively enclose the name in backticks (keeping the +1 outside):

<?php
$insert = mysql_query("UPDATE `affiliates` SET `in` = `in`+1 WHERE `id` = '$id'");
?>

It should work.

- S.

PS: htmlspecialchars() is not designed to escape strings for safe queries. Use mysql_real_escape_string() instead. Your script is vulnerable.

Yep that worked! And replacing htmlspecialchars()with mysql_real_escape_string() was already on my list to do thanks for the info any ways. ^_^

Back to top

#4 Shoel

Administrator

Administrators
125 posts

Posted 15 August 2010 - 02:40 PM

You are very welcome.

And I figured it wouldn't hurt to mention it, just in case. Also for the sake of pointing it out to others who might not be aware of it.

- S.

Hi there! If you found this post useful, or used this information to help others, we would greatly appreciate a link back to our forum from your website/blog. Thanks! =)

Back to top

Back to General PHP talk · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users