php – Parsing a variable within SQL result – Education Career Blog

I’m currently building an affiliate program (a bit like CJ) with Paypal checkout. When people sign up as an affiliate (=to sell their own products from their own website) they receive 2 php lines that they have to insert into their shop.

In the header:

<?php include ''.$_GETxyz; ?> 

In the Paypal button:

<input type="text" name="notify_url" 
    value ="<?php echo $_GETxyz; ?>" +
    style="width:1px; height:1px; border:0">

The first part basically sets the cookie while the second forwards a return url to Paypal so that when someone decides to buy, this gets returned to us. I’ve not made the second part hidden as I want to be able to check whether the affiliates have really added the code.

This all works fine in simple hand-written PHP but it all goes wrong when these affiliates are using databases. Their scripts will then probably echo something like $row’paypal’ which will literally show the inserted lines and not parse the $_GET.

I have absolutely no clue as to how this gets resolved. If possible I would like something that I could fix on my side as I don’t want to annoy my affiliates with lots of customization on their side as they are mainly non-technical people.


they receive 2 php lines that they have to insert into their shop.

This is incredibly dodgy. include() drags in code from the given URL and executes it.

I would never allow an affiliate network to add PHP code to my application: this gives an external site total control over my application and database. This is especially unacceptable running over unencrypted HTTP: any man-in-the-middle attack can immediately compromise the server. Also if you have a cross-site-scripting hole in your tracker.php, any end user can completely compromise the customer site.

I strongly advise finding a less insecure way to interface your network with third-party apps.

If you are only intending to return HTML to be shown in the final page, and not PHP code, you can do that using readfile(), or the more usual method which is to have the affiliate insert a client-side <script> tag pointed at your site.

<?php include ''.$_GETxyz; ?>

You should also be using urlencode() so that any URL-special characters in the parameter are correctly escaped.

value="<?php echo $_GETxyz; ?>"

And here, plus you should, like any time you output any text content to HTML, be using htmlspecialchars() to encode HTML-special characters. Otherwise you are vulnerable to cross-site scripting attacks.

There’s not really, at the moment, enough information in your question to diagnose exactly what some of your affiliates are doing wrong. More concrete examples would be of use. But from what you’ve posted so far I have huge concerns about the security of your system at the most basic level.


Sorry about that, the second part should have been:

<input type="text" name="notify_url" value ="<?php echo $_GETxyz; ?>" style="width:1px; height:1px; border:0">


Thank you for your elaborate answer bobince.

I understand your point that people may not like to include php files on their pages. Therefore I have deleted part 1 and changed it with a redirect url and cookies. Evidently in the real script I also protect against SQL injection.

However my main issue still remains. In order to track a sale with Paypal, I need to add one input field to the Paypal buttons on the websites. This would look something like this:

<input type="text" name="notify_url" value
="<?php echo $_GET'xyz' ?>" style="width:1px; height:1px; border:0">

No security issues there as nothing strange can happen. The main problem is that a lot of issues may appear with the code from the users. If, for example, they use a mysql database to build their shop they will probably have a separate field for the paypal button. Now if they echo this paypal button, the extra input field will look exactly like above. And that is a problem since the $_GETxyz will not parse then.

Edit: cannot comment due to low rank

Leave a Comment