Tommie84 Posted October 11, 2015

Hello everyone,

I have a simple question.. also hope that the answer is quite simple.. Banged my head over it several times but cannot find a solution in my head, nor on google.

On my website users can generate 2 snippets like:

    <?php echo file_get_contents('http://short.domain.net?K=ezzyWFRUyhxp'); ?>

and

    <iframe frameborder='0' width='950' src='http://short.domain.net?K=SBzuzsdi1btq'></iframe>

The 2 snippets generate content on a user's website if they place it in either their html or php site. On content generation of index.php (my domain) it will log several things like lastUsed, timesUsed, ip, etc.

Now what I also want to log is the website where the snippet is placed. I know I can get the IP address of the remote retriever, but that doesn't help me if the user is on a shared domain. Also tried $_SERVER['HTTP_REFERER'] without success (always empty string).

My brain's PHP section is depleted, can anyone put the beauty back in my day?

thnx in advance!
Tommie
ocpaul20 Posted October 11, 2015

I believe the way Google and Yahoo do it when you ask for an ID for their analytics is to make the ID specific to the domain they will be receiving the call from. So it is all built into the ID and from there Google knows where it should come from.

So, maybe make your K= id a little longer and more meaningful to you. There may be another or better way of course. Have you printed out all the SERVER variables to see if there is anything else useful available?
Tommie84 (Author) Posted October 11, 2015

I also thought of the google way to implement it in the string (insert it into db, the string won't change, it's just a rdm Id, not something encrypted). But then I can't determine if user fills in growyourownone.org and puts it on hisrealdomain.com. I doubt it will work with google.. they must have some checking.

Pulling out all SERVER vars however is a great idea, tnx!
scootstah Posted October 11, 2015

You could have them enter more information when they generate it, and tie that information to the ID.
QuickOldCar Posted October 11, 2015

file_get_contents doesn't pass a referrer, you would have to make a stream context and then send the current page as a referrer:

    // Work out the scheme of the page that embeds the snippet
    if (!empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] == "on") {
        $scheme = "https";
    } else {
        $scheme = "http";
    }
    // Rebuild the current page URL to send as the referrer
    // (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1)
    $referer = filter_var($scheme . "://" . $_SERVER['HTTP_HOST'] . $_SERVER['SCRIPT_NAME'], FILTER_SANITIZE_STRING);
    if (!empty($_SERVER["QUERY_STRING"])) {
        $referer .= "?" . filter_var($_SERVER['QUERY_STRING'], FILTER_SANITIZE_STRING);
    }
    // Attach the Referer header to the request through a stream context
    $opts = array(
        'http' => array(
            'header' => array("Referer: $referer\r\n")
        )
    );
    $context = stream_context_create($opts);
    echo file_get_contents("http://short.domain.net?K=ezzyWFRUyhxp", false, $context);

Or as the others said, have them also pass additional information as a url parameter:

    // urlencode() keeps the host value from breaking the query string
    echo file_get_contents("http://short.domain.net?K=ezzyWFRUyhxp&domain=" . urlencode($_SERVER['HTTP_HOST']));

It's best to have accounts set up on your site, with each account associated with their website.

A lot can be spoofed or someone can send wrong data; if it's something important you should make an api system and track through that.

I don't have much time today, but I would be willing to explain some ways of making an api that a person can not cheat.
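The receiving side of the two options above, as an added example that is not part of the thread: it normalizes whatever host the caller supplies and logs it as an unverified claim beside the address the server observed. The function names, the log row fields and the 12-character key format (inferred from the keys shown in the thread) are assumptions, and the sample requests are constructed.

```php
<?php
// Added example (not from the thread): the receiving side of short.domain.net.
// Referer and ?domain= are both chosen by the caller, so they are logged as an
// unverified claim next to the peer address the web server itself observed.

/** Lower-cased hostname from a URL or bare host, or null if malformed. */
function claimedHost($value): ?string
{
    if (!is_string($value) || $value === '' || strlen($value) > 2048) {
        return null;
    }
    // Accept "http://example.org/page" as well as a bare "example.org".
    $url  = strpos($value, '://') === false ? "http://$value" : $value;
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host)) {
        return null;
    }
    // FILTER_FLAG_HOSTNAME rejects anything that is not valid hostname syntax.
    $host = filter_var(strtolower(rtrim($host, '.')), FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
    return $host ?: null;
}

/** Log row for one snippet request; $server is $_SERVER, $query is $_GET. */
function buildLogRow(array $server, array $query): array
{
    $key         = $query['K'] ?? '';
    $fromReferer = claimedHost($server['HTTP_REFERER'] ?? null);
    $fromParam   = claimedHost($query['domain'] ?? null);
    return [
        // Assumed key format: 12 alphanumerics, as in the keys shown in the thread.
        'key'          => is_string($key) && preg_match('/\A[A-Za-z0-9]{12}\z/', $key) ? $key : null,
        'remote_addr'  => $server['REMOTE_ADDR'] ?? null,  // observed by the server
        'claimed_host' => $fromReferer ?? $fromParam,      // client-supplied, forgeable
        'claim_source' => $fromReferer ? 'referer' : ($fromParam ? 'param' : 'none'),
        'conflict'     => $fromReferer && $fromParam && $fromReferer !== $fromParam,
        'verified'     => false,                           // nothing here proves ownership
    ];
}

// Constructed sample requests (not real traffic).
$samples = [
    [['REMOTE_ADDR' => '192.0.2.10', 'HTTP_REFERER' => 'http://Blog.Example.org/post?id=1'], ['K' => 'ezzyWFRUyhxp']],
    [['REMOTE_ADDR' => '192.0.2.11'], ['K' => 'ezzyWFRUyhxp', 'domain' => "bad host\r\nX-Injected: 1"]],
    [['REMOTE_ADDR' => '192.0.2.12', 'HTTP_REFERER' => 'http://a.example/'], ['K' => 'ezzyWFRUyhxp', 'domain' => 'b.example']],
];
foreach ($samples as [$server, $query]) {
    echo json_encode(buildLogRow($server, $query)), PHP_EOL;
}
```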
Tommie84 (Author) Posted October 11, 2015

nah it's a simple thing. I offer some dynamic content (nothing important). The main goal is that the user only has to click 1 button to retrieve 1 line of code (for simplicity sake). There are features on my site that require registration. This feature is however completely registrationless :-)

The generated key is already a unique id in my db with diverse data tied to it. But ask user for website details is too easy to cheat. Users can fill in "some.com" and get away with it.

The first part of the snippet would work fine, but it's way too long (and alterable) for me. I like to know where my dynamic content is placed, and don't depend on honesty of my non-registered visitors.

While writing this post some idea popped: since I'm delivering some dynamic content.. I could simply add some generated JS and send back the ['HTTP_HOST']. But I don't like hijacking my visitors' cpu's (grown out of that age).

ohw yeh.. checked all SERVER vars:

    Array
    (
        [CONTEXT_DOCUMENT_ROOT] => /home/########/public_html/software/shortSum
        [CONTEXT_PREFIX] =>
        [DOCUMENT_ROOT] => /home/########/public_html/software/shortSum
        [GATEWAY_INTERFACE] => CGI/1.1
        [HTTP_HOST] => short.######.net
        [PATH] => /bin:/usr/bin
        [QUERY_STRING] => K=vwVMveooPZOu
        [REDIRECT_STATUS] => 200
        [REMOTE_ADDR] => ##.##.###.190
        [REMOTE_PORT] => 5####
        [REQUEST_METHOD] => GET
        [REQUEST_SCHEME] => http
        [REQUEST_URI] => /?K=vwVMveooPZOu
        [SCRIPT_FILENAME] => /home/######/public_html/software/shortSum/index.php
        [SCRIPT_NAME] => /index.php
        [SERVER_ADDR] => ##.##.###.###
        [SERVER_ADMIN] => webmaster@short.######.net
        [SERVER_NAME] => short.#####.net
        [SERVER_PORT] => 80
        [SERVER_PROTOCOL] => HTTP/1.0
        [SERVER_SIGNATURE] =>
        [SERVER_SOFTWARE] => Apache
        [UNIQUE_ID] => VhqCDFURx2MAB4Se6oYAAAAw
        [PHP_SELF] => /index.php
        [REQUEST_TIME_FLOAT] => 1444577804.82
        [REQUEST_TIME] => 1444577804
        [argv] => Array
            (
                [0] => K=vwVMveooPZOu
            )

        [argc] => 1
    )

<?question The above vars do show the remote ip address.. is there any way I can reform that to a website (together with the remote port to target on shared web-machines) ?>
scootstah Posted October 11, 2015

> I offer some dynamic content (nothing important). The main goal is that the user only has to click 1 button to retrieve 1 line of code (for simplicity sake).

In that case you are limited to the data that the client chooses to send you.

> But ask user for website details is too easy to cheat.

There are ways to prove the user owns/has access to the domain they enter. If you don't do this, you're allowing the client to cheat in a much easier way.
Tommie84 (Author) Posted October 13, 2015

What are the ways? I don't want to validate the client is honest (there is no input asked from the client), he doesn't need to say where it is heading. I only need/want to know..
scootstah Posted October 13, 2015

If you don't ask for input then there is no way to be sure.

One way is to do like Google Apps does, which is to add a TXT record to the domain containing a unique value that you can then verify matches the domain they entered. But, again, that requires user input.
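The TXT-record check described in the post above, as an added example that is not part of the thread: a token bound to the snippet key and the entered domain is issued, and the domain counts as verified only if that token appears in its TXT records. `SECRET`, the `shortsum-verify=` label, the function names and the `.example` domains are assumptions, and the zone data is constructed so the block runs without DNS access.

```php
<?php
// Added example: TXT-record proof that the user controls the domain they entered.
// SECRET, the "shortsum-verify=" label and the function names are assumptions.

const SECRET = 'replace-with-a-long-random-server-side-secret'; // placeholder value

/** Token the user must publish; bound to both the snippet key and the domain. */
function challengeFor(string $key, string $domain): string
{
    $mac = hash_hmac('sha256', $key . '|' . strtolower($domain), SECRET);
    return 'shortsum-verify=' . substr($mac, 0, 32);
}

/**
 * True if the domain publishes the expected token in a TXT record.
 * $resolver defaults to a live DNS lookup; a stub can be injected instead.
 */
function domainIsVerified(string $key, string $domain, ?callable $resolver = null): bool
{
    $resolver = $resolver ?? static function (string $d): array {
        $records = @dns_get_record($d, DNS_TXT);
        return is_array($records) ? array_column($records, 'txt') : [];
    };
    $expected = challengeFor($key, $domain);
    foreach ($resolver(strtolower($domain)) as $txt) {
        // hash_equals() compares in constant time
        if (is_string($txt) && hash_equals($expected, trim($txt))) {
            return true;
        }
    }
    return false;
}

// Constructed zone data standing in for DNS (no network access needed).
$zone = [
    'real-site.example'  => ['v=spf1 -all', challengeFor('ezzyWFRUyhxp', 'real-site.example')],
    'other-site.example' => ['v=spf1 -all'],
];
$stub = static fn(string $d): array => $zone[$d] ?? [];

// Token published on the entered domain
var_dump(domainIsVerified('ezzyWFRUyhxp', 'real-site.example', $stub));
// Domain entered, but no token published there
var_dump(domainIsVerified('ezzyWFRUyhxp', 'other-site.example', $stub));
// Token was issued for a different snippet key
var_dump(domainIsVerified('SBzuzsdi1btq', 'real-site.example', $stub));
```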
Zane Posted October 13, 2015

First off

> The 2 snippets generate content on a user's website

What's an example of what this generated content looks like?

You mentioned not wanting to use JS because you've grown out of doing that? All of the analytics resources out there use javascript snippets to generate the complex reports that they do, why wouldn't you want to use it?
Tommie84 (Author) Posted October 14, 2015

I place content on their domains using get_contents().. it would not be fair to send reporting JS along with the dynamic content. If u place snippets from google on your domain, u place the JS code yourself.

You think it's legit/honorable to include JS code in the data they receive? (The dynamic content is text only, no html markup or anything (but could be)).
Zane Posted October 14, 2015

Whether it's legit or not depends on the circumstances. If the person using the snippet is aware that JS will be loaded along with it, then it's honorable.

Though, looking back at your OP, I realize you're wanting to track the requests to your snippet generating script... not sure what I was thinking.