Wrapping up JS code in PHP, and calling PHP with a custom query
I am building a web application which uses Piwik. Piwik is an open-source analytics tool, similar to Google Analytics.
It gives tracking code similar to the one below.
<!-- Piwik -->
<script type="text/javascript">
var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/" : "http://example.com/");
document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
</script><script type="text/javascript">
try {
var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
piwikTracker.trackPageView();
piwikTracker.enableLinkTracking();
} catch( err ) {}
</script><noscript><p><img src="http://example.com/piwik.php?idsite=1" style="border:0" alt="" /></p></noscript>
<!-- End Piwik Tracking Code -->
The following code is for a site whose site-id is 1. Check the following lines in the code:
var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", 1);
<noscript><p><img src="http://example.com/piwik.php?idsite=1" style="border:0" alt="" /></p></noscript>
Users of my site will log in to a custom-made Admin Panel and will get the tracking code for their site.
Now I need to hide that tracking code, so I thought I would keep it in a PHP script, similar to the one here:
<?php
// Custom-made Analytics Script
// File Name: custom.php
$site_id = isset($_GET['id'])?$_GET['id']:0;
?>
<!-- Piwik -->
<script type="text/javascript">
var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/" : "http://example.com/");
document.write(unescape("%3Cscript src='" + pkBaseURL + "piwik.js' type='text/javascript'%3E%3C/script%3E"));
</script><script type="text/javascript">
try {
var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", <?php echo $site_id; ?>);
piwikTracker.trackPageView();
piwikTracker.enableLinkTracking();
} catch( err ) {}
</script><noscript><p><img src="http://example.com/piwik.php?idsite=<?php echo $site_id; ?>" style="border:0" alt="" /></p></noscript>
<!-- End Piwik Tracking Code -->
As you can see, I have replaced the site-id in the JavaScript with a PHP variable which I fetch using $_GET.
Now I will provide my users with the following JavaScript code, which they will put in their site:
<script type="text/javascript">
var pkBaseURL = (("https:" == document.location.protocol) ? "https://example.com/" : "http://example.com/");
document.write(unescape("%3Cscript src='" + pkBaseURL + "custom.php?id=1' type='text/javascript'%3E%3C/script%3E"));
</script>
My question here is: will this script have any downsides, or will it break down anywhere?
I see two issues here:
- If JavaScript is disabled, Piwik will not register those visitors any more, since you're solely using JS.
- Your custom.php is vulnerable to XSS. If you want to keep it, replace:
$site_id = isset($_GET['id'])?$_GET['id']:0;
with:
$site_id = (int)filter_input(INPUT_GET, 'id');
to allow numeric input only.
Unless you're planning to change this code, just provide the static code with the ID hard-coded in it.
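To make the XSS point concrete, here is an added example (not code from the question or the answer above, and not Piwik's own code) of a hardened custom.php next to the injectable line it replaces. It assumes the Piwik instance lives at https://example.com/ as in the question, and that idsite 0 is never a real site. Two details the example changes on purpose: the site id is validated with FILTER_VALIDATE_INT and then JSON-encoded into the JavaScript, so a request such as custom.php?id=1);alert(document.cookie);// can no longer close the getTracker() call; and the response is pure JavaScript with a JavaScript Content-Type, because a resource loaded through `<script src="custom.php?id=1">` is parsed by the browser as a script, not as HTML, so the `<script>` wrapper tags in the posted custom.php would not parse in that context.

```php
<?php
// Added example: a hardened custom.php served via <script src="custom.php?id=1">.
// Assumption: the Piwik instance is at https://example.com/ (taken from the question).
declare(strict_types=1);

// Accept only a positive integer site id. Anything else (missing, "1abc",
// "1);alert(1);//") yields 0, which we assume is never a real Piwik idsite.
function piwik_site_id($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? 0 : $id;
}

// Emit the tracker as pure JavaScript. $site_id is already an int, but
// json_encode() makes the JavaScript-context encoding explicit for both values.
function piwik_tracking_js(int $site_id, string $base_url = 'https://example.com/'): string
{
    $js_site_id = json_encode($site_id);
    $js_base    = json_encode($base_url);
    return <<<JS
(function () {
  var pkBaseURL = {$js_base};
  var s = document.createElement('script');
  s.src = pkBaseURL + 'piwik.js';
  s.onload = function () {
    try {
      var piwikTracker = Piwik.getTracker(pkBaseURL + 'piwik.php', {$js_site_id});
      piwikTracker.trackPageView();
      piwikTracker.enableLinkTracking();
    } catch (err) {}
  };
  document.head.appendChild(s);
})();
JS;
}

// The original construction, kept only to show the injection. With the raw
// $_GET['id'] echoed into a JavaScript call, ?id=1);alert(document.cookie);//
// closes getTracker() and runs attacker JavaScript on every embedding page.
function piwik_tracking_js_unsafe(string $raw_id): string
{
    return 'var piwikTracker = Piwik.getTracker(pkBaseURL + "piwik.php", ' . $raw_id . ');';
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/javascript; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo piwik_tracking_js(piwik_site_id($_GET['id'] ?? null));
} else {
    // Local demo with a constructed payload: the unsafe variant reflects it,
    // the hardened variant reduces it to site id 0.
    $payload = '1);alert(document.cookie);//';
    echo piwik_tracking_js_unsafe($payload), "\n";
    echo piwik_tracking_js(piwik_site_id($payload)), "\n";
}
```

The answer's one-line fix, `(int)filter_input(INPUT_GET, 'id')`, gives the same protection for the getTracker() argument because the cast can only ever produce digits; the example uses FILTER_VALIDATE_INT so that "1abc" is rejected rather than silently becoming 1. If you keep a `<noscript>` image fallback anywhere, the same integer-only value must be used there too, since it is reflected into an HTML attribute.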