paymentstv Posted August 19, 2011

Hello All, I am really in need of help because my monetization is hijacked by someone else. Currently I have the following code in the embed.php file that I want others to embed on their site. I then display an ad on this embed.php file:

```php
<div style="position:absolute;width:<?=$playerWidth?>px; height:<?=$playerheight?>px; top:0px; left:0px; right:0px; z-index:1000; vertical-align:middle; opacity:0.9;filter:alpha(opacity=90); background-color:#ffffff; overflow:hidden;" align="center" id="adsdiv">
  <table align="center" height="<?=$playerheight?>" width="90%" cellpadding="0" cellspacing="0" border="0">
    <tr>
      <td align="center" valign="middle"> <?=$videobanner?></td>
    </tr>
  </table>
</div>
```

However, someone is able to override the above ad in the following manner:

```html
<iframe src="mysite.com/embed.php?fileid=13130590312747&vw=600px;&vh=400px;top:-400px;-%22" frameborder="0" scrolling="no" width="600" frameborder="0" height="400"></iframe>
```

When he has the -%22 in the above code, my ad is not displayed. Is there any code that I can place in my embed.php to null this effect? I only want others to feed my embed.php with the following parameters: fileid, vw, vh. I want to discard anything else that they feed my page. Really appreciate any help regarding this. Thank you

Muddy_Funster Posted August 19, 2011

In your embed.php file, include a check on the URL using $_SERVER['PHP_SELF'] to make sure the end of the URL is as it is supposed to be, and if it's not, perform a header redirect to a rebuilt version using substr() to pull out the relevant variables from the URL.

mdarling Posted August 19, 2011

-%22 equates to " in the URL, so you need to figure out a way around this. It's breaking the line by adding the additional ". I know this doesn't give you a solution, but it may give you some insight as to what is happening. I will keep thinking about a solution for you.

JasonLewis Posted August 19, 2011

Validate your inputs. Obviously you want an integer, so ensure that it is as such. If it is not, set it to a default number instead. So in your embed.php you'd have something like:

```php
$vh = $_GET['vh'];
if(!is_numeric($_GET['vh'])) {
    // Not a number, set it to a default height.
    $vh = 400;
}
```

Or something similar. I used is_numeric to check if it is a numerical string as well.

xyph Posted August 19, 2011

The issue is you're allowing the user to manipulate the sizes. You want a bunch of predefined sizes, and simply have the user call it like:

```html
<iframe src="mysite.com/embed.php?fileid=13130590312747&template=1" frameborder="0" scrolling="no" width="600" frameborder="0" height="400"></iframe>
```

Then use a switch to tell your script the width/height for each of your templates, failing to a default case if the user tries to mess with things. Keep in mind, someone who embeds this on their site can still just place their content on top of it, no matter what z-index you give it. There's really no way to stop someone from hiding your ads.

paymentstv Posted August 19, 2011 (Author)

> -%22 equates to " in the URL, so you need to figure out a way around this. It's breaking the line by adding the additional ". I know this doesn't give you a solution, but it may give you some insight as to what is happening. I will keep thinking about a solution for you.

Yes, when I check the generated source from his hack I see my embed.php code is altered:

```html
<div style="position:absolute;width:600px;px; height:400px;top:-400px;-\"px; top:0px; left:0px; right:0px; bottom:0px; z-index:1000; vertical-align:middle; opacity:0.9;filter:alpha(opacity=90); background-color:#ffffff; overflow:hidden;" align="center" id="adsdiv">
  <table align="center" height="400px;top:-400px;-\"" width="90%" cellpadding="0" cellspacing="0" border="0">
    <tr>
      <td align="center" valign="middle"> <script type="text/javascript" language="javascript" src="http://cdn.adk2.com/agdhZGsyd2Vicg8LEgdOZXR3b3JrGKOQBQw/player.js?a=agdhZGsyd2VichILEglBZmZpbGlhdGUY6umGAQw&w=300&h=250"></script></td>
    </tr>
  </table>
</div>
```

I am not sure how to check for the %22 value in the feed URL.

paymentstv Posted August 19, 2011 (Author)

> Validate your inputs. Obviously you want an integer, so ensure that it is as such. If it is not, set it to a default number instead. So in your embed.php you'd have something like:
>
> ```php
> $vh = $_GET['vh'];
> if(!is_numeric($_GET['vh'])) {
>     // Not a number, set it to a default height.
>     $vh = 400;
> }
> ```
>
> Or something similar. I used is_numeric to check if it is a numerical string as well.

I think this may work. However, as you can see, the %22 is not assigned to any variable while it is fed to my embed.php file. Is it still possible to check the URL and discard it?

xyph Posted August 19, 2011

Are you sure about this? Where are $playerWidth etc being defined if not from the query string?

paymentstv Posted August 19, 2011 (Author)

> Are you sure about this? Where are $playerWidth etc being defined if not from the query string?

$playerWidth etc. is defined by the embedder who wants to embed my PHP file (size is customizable). The thing that is killing my income is people putting things like %22 to override my ad display.

mdarling Posted August 19, 2011

> Are you sure about this? Where are $playerWidth etc being defined if not from the query string?

```html
<iframe src="mysite.com/embed.php?fileid=13130590312747&vw=600px;&vh=400px;top:-400px;-%22" frameborder="0" scrolling="no" width="600" frameborder="0" height="400"></iframe>
```

Yes, so this calls the embedded file, and someone has inserted the -%22 into it and it kills the code because it inserts the " that is %22. What you need to do is switch up to single quotes, I think.
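
An added example (not code from any poster in this thread) of the input validation discussed above: it parses the query string from the iframe URL quoted in the thread, shows that the `%22` arrives inside the `vh` value, and builds the overlay tag from validated integers only. The function names `pixel_size` and `overlay_open_tag`, the 100 to 2000 pixel range and the 600/400 defaults are assumptions made for illustration.

```php
<?php
// Added example: hardened parameter handling for an embed.php-style page.
// Function names, size limits and defaults are assumptions, not the site's code.

/** Return an integer pixel size from untrusted input, or $default if invalid. */
function pixel_size($raw, $default, $min = 100, $max = 2000)
{
    if (!is_string($raw)) {
        return $default;                      // missing, or an array such as vw[]=1
    }
    // Accept "600" or "600px" only; ";", quotes, "top:" and the like are rejected.
    if (!preg_match('/\A(\d{1,4})(?:px)?\z/', $raw, $m)) {
        return $default;
    }
    return max($min, min($max, (int) $m[1])); // clamp to a sane range
}

/** Build the ad overlay's opening tag from validated integers only. */
function overlay_open_tag(array $query)
{
    $w = pixel_size(isset($query['vw']) ? $query['vw'] : null, 600);
    $h = pixel_size(isset($query['vh']) ? $query['vh'] : null, 400);
    $style = "position:absolute;width:{$w}px;height:{$h}px;top:0px;left:0px;z-index:1000;";
    // Escape at output as a second layer, in case the style later includes other data.
    return '<div id="adsdiv" style="' . htmlspecialchars($style, ENT_QUOTES, 'UTF-8') . '">';
}

// Query string taken from the iframe URL quoted in the thread.
parse_str('fileid=13130590312747&vw=600px;&vh=400px;top:-400px;-%22', $hostile);
// The quote is part of the vh value: $hostile['vh'] is '400px;top:-400px;-"' and
// $hostile['vw'] is '600px;'. Both fail the pattern and fall back to the defaults.
echo overlay_open_tag($hostile), "\n";

// A well-formed request keeps its requested size.
parse_str('fileid=13130590312747&vw=640&vh=360px', $normal);
echo overlay_open_tag($normal), "\n";

// In embed.php itself the call would be overlay_open_tag($_GET). Parameters other
// than the ones read explicitly never reach the markup.
```

Because the values written into the `style` and `height` attributes are integers produced by the page itself, the choice of single or double quotes around the attribute no longer matters.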