Unexplained visitors in download counter

Discussion in 'PHP' started by jacka, Feb 5, 2008.

  1. #1
    Hi

    I have a php script that counts the number of pdf download files and then I use those numbers to find out how many downloads we have had and which file has been downloaded most, etc. etc.

    This is the code:
     
    <style type="text/css">
    .wraptocenter {
        display: table-cell;
        text-align: center;
        vertical-align: middle;
        width: ...;
        height: ...;
    }
    .wraptocenter * {
        vertical-align: middle;
    }
    /*\*//*/
    .wraptocenter {
        display: block;
    }
    .wraptocenter span {
        display: inline-block;
        height: 100%;
        width: 1px;
    }
    /**/
    </style>
    <!--[if IE]><style>
    .wraptocenter span {
        display: inline-block;
        height: 100%;
    }
    </style><![endif]-->
    Code (markup):
    Every now and then I get unexplained data instead of the name of our pdf file shown in the list.

    Can someone please explain how they get into my pdf and how to get rid of them?


    here is a sample:
    Thanks
    :confused:
     
    jacka, Feb 5, 2008 IP
  2. nico_swd

    nico_swd Prominent Member

    #2
    You would have to post the PHP code. There's nothing we can do with the CSS code.
     
    nico_swd, Feb 5, 2008 IP
  3. jacka

    jacka Peon

    #3
    Hi

    My apologies, wrong code.
    Here is the PHP code:
    <?php
    $cnt_sql = @mysql_connect($MYSQL_HOST, $MYSQL_USER, $MYSQL_PASS);
    @mysql_select_db($MYSQL_DB, $cnt_sql);
    
    if(isset($_GET['file'])) {
        // the raw value is URL-encoded before any check runs, so ":" and "/"
        // become "%3A" and "%2F" and the "://" test below can never match
        $file = urlencode($_GET['file']);
    
        if(empty($file)) {
            echo "No File Specified";
            exit;
        }
        if(strpos($file, "..") !== FALSE) {
            echo "HACK ATTEMPT!";
            exit;
        }
        if(strpos($file, "://") !== FALSE) {
            echo "Invalid File";
            exit;
        }
    
        $cookie = urlencode(str_replace(".", "_", $file));  //cookie fix
    
        $query = "SELECT * FROM dl_count WHERE file = '$file'";
        $result = mysql_query($query, $cnt_sql);
        if(!$result) {
            echo mysql_error();
            exit;
        }
        if(mysql_num_rows($result) == 0) {
            //first use of this file
            $query = "INSERT INTO dl_count VALUES('$file', 1)";
            $result = mysql_query($query, $cnt_sql);
            setcookie("dl_" . $cookie, "set", time() + 60*60*24*365);
        } else {
            if(!isset($_COOKIE['dl_' . $cookie])) {
                $query = "UPDATE dl_count SET count = count + 1 WHERE file = '$file'";
                $result = mysql_query($query, $cnt_sql);  // link resource added for consistency
                setcookie("dl_". $cookie, "set", time() + 60*60*24*365);
            }
        }
    
        // redirect to the (URL-encoded) name under the files directory
        header("Location: " . $FILES_DIR . $file);
    }
    
    // returns the stored count for a file, or 0 if it has never been requested
    function showCount($fileID)
    {
        global $cnt_sql;
        $query = "SELECT count FROM dl_count WHERE file = '$fileID'";
        $result = mysql_query($query, $cnt_sql);
        if(mysql_num_rows($result) == 0) {
            return 0;
        } else {
            $count = mysql_fetch_row($result);
            return $count[0];
        }
    }
    
    ?>
    Code (markup):
     
    jacka, Feb 5, 2008 IP
  4. drewbe121212

    drewbe121212 Well-Known Member

    #4
    It looks like someone is trying to force the download of a file from another server/page. Not sure what this would accomplish, but make sure in your validation of the $_GET['file'] it only includes files on your domain.
     
    drewbe121212, Feb 5, 2008 IP
  5. TechEvangelist

    TechEvangelist Guest

    #5
    How would you go about validating the domain through GET? I would think that anything fed to a script through GET could be spoofed.
     
    TechEvangelist, Feb 7, 2008 IP
  6. drewbe121212

    drewbe121212 Well-Known Member

    #6
    Well, personally I would never let anything be entered that is not a base path, i.e.

    I would pass $_GET['value'] = '/link/to/file.txt';

    and all my 'hidden' files would be in a base path:

    $base = '/hidden/path/to/files';

    so when you initiate the download,

    $download = $base . $_GET['value'];

    then

    if (file_exists($download))
    {
    // start download
    }
    else
    {
    // invalid file; does not exist
    }


    This is rough pseudo code, but I hope you get the idea!
     
    drewbe121212, Feb 7, 2008 IP
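A hardened version of the handler from post #3 along the lines drewbe121212 sketches in post #6, added here as an example; it is not code from the thread. It assumes a PDO handle in $pdo, that dl_count(file, count) has file as its primary key, and that the PDFs in $FILES_DIR on disk are served under the $FILES_URL prefix.

```php
<?php
// Added example, not the thread's code. Assumptions: PDO handle $pdo,
// dl_count(file PRIMARY KEY, count), PDFs in $FILES_DIR served at $FILES_URL.
$FILES_DIR = '/var/www/files/';           // filesystem directory (assumption)
$FILES_URL = '/files/';                   // URL prefix for the same directory
$pdo = new PDO('mysql:host=localhost;dbname=dl', 'user', 'pass');

// Reduce the request to a bare file name inside $baseDir. Returns null for
// remote URLs, directory components, non-PDFs and missing files, so none of
// those ever reach the database or the redirect (the entries in post #1 all fail here).
function resolveDownload(string $requested, string $baseDir): ?string
{
    // basename() drops everything up to the last "/", so "http://host/a/x.txt?"
    // shrinks to "x.txt?" and is then rejected by the allow-list pattern.
    $name = basename($requested);
    if (!preg_match('/^[A-Za-z0-9._-]+\.pdf$/', $name)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . $name);
    // realpath() is false for missing files and follows symlinks, so the
    // prefix check confirms the final target still sits under $baseDir.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $name;
}

// Count once per browser as in the original cookie scheme, but with a
// prepared statement instead of interpolating the name into SQL.
function countDownload(PDO $pdo, string $name): void
{
    $cookie = 'dl_' . str_replace('.', '_', $name);
    if (isset($_COOKIE[$cookie])) {
        return;
    }
    $stmt = $pdo->prepare('INSERT INTO dl_count (file, count) VALUES (?, 1)'
        . ' ON DUPLICATE KEY UPDATE count = count + 1');
    $stmt->execute([$name]);
    setcookie($cookie, 'set', time() + 60 * 60 * 24 * 365);
}

if (isset($_GET['file'])) {
    $name = resolveDownload($_GET['file'], $FILES_DIR);
    if ($name === null) {
        http_response_code(404);
        exit('Invalid File');
    }
    countDownload($pdo, $name);
    header('Location: ' . $FILES_URL . rawurlencode($name));
    exit;
}
```

Because validation happens before the name is stored, the counter table can only ever contain names of PDFs that exist in the base directory, and the stray remote URLs never appear in the list.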