
Wrapping up JS code in PHP, and calling the PHP with a custom query

I am building a web application which uses Piwik. Piwik is an open-source analytics tool, similar to Google Analytics.

It gives tracking code similar to the one below.

<!-- Piwik --> 
    <script type="text/javascript">
    var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/" : "http://example.com/");
    document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
    </script><script type="text/javascript">
    try {
    var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
    piwikTracker.trackPageView();
    piwikTracker.enableLinkTracking();
    } catch( err ) {}
    </script><noscript><p><img src="http://example.com/piwik.php?idsite=1" style="border:0" alt="" /></p></noscript>
<!-- End Piwik Tracking Code -->

The following code is for the site whose site-id is 1. Look at the following lines in the code.

var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);

<noscript><p><img src="http://example.com/piwik.php?idsite=1" style="border:0" alt="" /></p></noscript>

Users of my site will log in to a custom-made Admin Panel and will get the tracking code for their site.

Now I need to hide that tracking code, so I thought I would keep it in a PHP script, similar to this one:

<?php
  // Custom-made Analytics Script
  // File Name: custom.php

  $site_id = isset($_GET['id'])?$_GET['id']:0;
?>

<!-- Piwik --> 
    <script type="text/javascript">
    var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/" : "http://example.com/");
    document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
    </script><script type="text/javascript">
    try {
    var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", <?php echo $site_id; ?>);
    piwikTracker.trackPageView();
    piwikTracker.enableLinkTracking();
    } catch( err ) {}
    </script><noscript><p><img src="http://example.com/piwik.php?idsite=<?php echo $site_id; ?>" style="border:0" alt="" /></p></noscript>
<!-- End Piwik Tracking Code -->

As you can see, I have replaced the site-id in the JavaScript with a PHP variable, which I will fetch using $_GET.

Now I will provide my users with the following JavaScript code, which they will put in their site.

<script type="text/javascript">
    var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/" : "http://example.com/");
    document.write(unescape("%3Cscript src='" + pkBaseURL + "custom.php?id=1' type='text/javascript'%3E%3C/script%3E"));
</script>

My question is: will this script have any downsides, or will it break down anywhere?


I see two issues here:

  • If JavaScript is disabled, Piwik will not register those visitors any more, since you're solely using JS
  • Your custom.php is vulnerable to XSS. If you want to keep it, replace:

    $site_id = isset($_GET['id'])?$_GET['id']:0;
    

    with:

    $site_id = (int)filter_input(INPUT_GET, 'id');
    

    to allow numeric input only.

Unless you're planning to change this code, just provide the static code with the ID hard-coded in it.

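As an added example (not the custom.php from the question and not Piwik's own code), here is a hardened version of custom.php that applies the answer's point and two further ones a practitioner would hit: the id is accepted only as a positive integer, so nothing else reaches the JavaScript; the file emits plain JavaScript rather than the HTML of the original snippet, because it is included through `<script src='custom.php?id=1'>` and the browser parses that response as JavaScript; and piwik.js is loaded with an onload handler, because a document.write() issued from an external script does not run the inserted piwik.js before the next statement, so the original getTracker() call would find `Piwik` undefined and the try/catch would silently swallow it. The `<noscript>` fallback cannot be delivered through a script include at all, which is the answer's first point. The host name, the crafted id and the other request values are assumptions constructed for the demo.

```php
<?php
// Added example (not the custom.php from the question): a hardened custom.php.
// It accepts only a positive integer site id, emits JavaScript instead of HTML
// (the file is pulled in through <script src="custom.php?id=1">), and waits for
// piwik.js to load before calling Piwik.getTracker(). The host is assumed.
declare(strict_types=1);

const PIWIK_HOST = 'example.com/';   // assumed; the scheme is chosen in the browser

// Reject anything that is not a plain positive decimal integer. Unlike an
// (int) cast, FILTER_VALIDATE_INT refuses "1abc" and "1);alert(1)//" outright
// instead of silently truncating them, and non-strings (?id[]=1) are refused too.
function validate_site_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Build the tracker as pure JavaScript. The only request-controlled value is
// $site_id, and it is an int, so it cannot break out of the argument list.
// piwik.js is loaded with an onload handler because document.write() from an
// external script would not run the inserted piwik.js before getTracker().
function tracker_js(int $site_id): string
{
    $host = PIWIK_HOST;
    return <<<JS
var pkBaseURL = (("https:" == document.location.protocol) ? "https://{$host}" : "http://{$host}");
var pkScript = document.createElement('script');
pkScript.type = 'text/javascript';
pkScript.src = pkBaseURL + 'piwik.js';
pkScript.onload = function () {
    try {
        var piwikTracker = Piwik.getTracker(pkBaseURL + 'piwik.php', {$site_id});
        piwikTracker.trackPageView();
        piwikTracker.enableLinkTracking();
    } catch (err) {}
};
document.getElementsByTagName('head')[0].appendChild(pkScript);
JS;
}

// Side by side: what the original `isset($_GET['id']) ? $_GET['id'] : 0` would
// have interpolated for a crafted id, versus what the validator does with it.
// All request values here are constructed for the demo.
function demo(): array
{
    $crafted = '1);alert(document.cookie);//';
    return [
        // Original code: the attacker's JavaScript lands inside the customer's page.
        'unsafe_line' => 'Piwik.getTracker(pkBaseURL + "piwik.php", ' . $crafted . ');',
        'crafted'     => validate_site_id($crafted),   // null -> answer with 400
        'truncating'  => validate_site_id('1abc'),     // null; (int) would give 1
        'array'       => validate_site_id(['1']),      // null
        'zero'        => validate_site_id('0'),        // null; site ids are positive
        'valid'       => validate_site_id('1'),        // 1
    ];
}

// Request handling for the real custom.php, kept out of the functions so they
// can be exercised from the command line without a web server.
if (PHP_SAPI !== 'cli') {
    $id = validate_site_id($_GET['id'] ?? null);
    if ($id === null) {
        http_response_code(400);
        exit;
    }
    header('Content-Type: application/javascript; charset=utf-8');
    echo tracker_js($id);
} else {
    var_export(demo());
}
```

Run it with `php custom.php` to see the crafted id rejected next to the line the original code would have emitted; deployed behind a web server, the same file answers `custom.php?id=1` with the JavaScript and anything else with a 400. The snippet handed to customers then only needs to load `custom.php?id=N`, and the site id stays a number no matter what the request carries.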
