how phpmyvisitors works? - php

i have installed "phpmyvisitors" cms to get statistics of my sites visits.
it is written in php and is open source.
i gets many useful information like:
-total visits
-viewed pages
-visitor browser informations
-visitor distribution over the world
-how visitors access to site
-how much time they spend on sites
and ....
it is some think like Google Analytics.but fewer features.
my question is:
" how does it do all of them? "

I assume you mean phpMyVisites?
At a quick glance, it works very similarly to Google Analytics: A JavaScript snippet is embedded that sends a request to the server phpMyVisites runs on. That request contains all information JavaScript can get out of the client: Language, Screen resolution, browser version, OS....
On server side, I assume all that information is collected into a database, and a session cookie is set so different visitors can be told apart.
For users without JavaScript, an image tag will be included to at least get some basic information (IP and browser type can be found out on server side without JavaScript) and count the hit:
<noscript>
<p>phpMyVisites : better than Google analytics!
<img src="http://www.phpmyvisites.us/phpmv2/phpmyvisites.php"
alt="phpMyVisites" style="border:0" />
</p>
</noscript>
To recognize the country of a visitor, it is possible that a web service is contacted that tries to determine the country based on the visitor's IP address.
Everything else is "just" database analysis really - analyzing, calculating and presenting the data requested. If you want to know how a specific aspect of that works, I suggest you ask a new question detailing the aspect you want to know more about.

Related

Extracting Data from Another Domain, possible?

I'm terrible at keeping track of my bills, so I wanted to create something automated. I also wanted the challenge of making it myself.
My questions:
Is it possible to have a webpage connect to another domain (any utility website i.e. timewarnercable.com) with the proper login credentials and retrieve the dollar amount I owe, then send me an email or even just display it on the webpage?
I've already got a webpage setup that has all my account info stored in it (don't worry it's only a local site!) and I can click a button and the info I have stored sends a POST request to the utility login site. This logs me in to my account page and then I can view the bill. But don't want it to open another page..I'd rather load the content of that page in the background, scan for the code where its says my $ owed, then capture that somehow, then return the dollar amount onto the webpage.
If so, is this possible to design this with Ruby (Rails) or php, with Javascript / AJAX.
Thanks!
What you're basically asking about is "page scraping", but your scenario is more complicated. You would have to fake the login post, capture and store any cookie/session info returned to you in the response and use that in subsequent requests to the site. You may also have to deal with redirects, depending on the site.
I have found nodejs actually quite useful for scraping pages since it has plugins that provide dom selectors (there is a jquery plugin) - you're using javascript for server-side programming.
Check if the site has API and if the site provides that, will make your life a ton easier.
Some banks like BankOfAmerica have applications that already do this - they aggregate your accounts and bills from other sites, see if your bank can do this.

Geolocation Keeping the Browser Session Persistent

I am working on a geolocation project that is browser-based and geared specifically towards mobile browsers. I won't go deep into details but overall the project uses geolocation across many pages and pieces of the project. The problem as it seems is that despite hitting "accept" and "allow" always on any given browser, when the user reloads a page they are prompted almost everytime to reallow the location authentication.
Which to me is weird, I've gone to sites with geolocation on it that it truly remembers that I allowed it, even if for the duration of me being on the site and not always. So with that I am wondering is there some type of special thing I need to do to store this authentication for a prolonged period on my project?
Currently I am using javascript-based geolocation through the google maps API and newer browser support for non ip based location. My project at the users discretion tracks where they are so other people connected to them can see where they are, where they have been, or where they plan to go (if they enter that in). There's more as well, but that's the basics. From a UX perspective, it's annoying to have to prompt my users every time the browser reloads to reauth the location.
So any advice anyone is able to give, or insight on how to handle this would be appreciated.
Cookies and sessions.
Right after detecting the user geo-location you should store it in a Cookie.
Every request from the server should look if there is a cookie set (with the user's location) and act upon it.
Over-simplified code:
// get user location (via javascript)
navigator.geolocation.getCurrentPosition(function(position)
{
initialLocation = new google.maps.LatLng(position.coords.latitude,position.coords.longitude);
}
// ajax the server with the user location
$.post('ajax/set_user_location.php', initialLocation);
Then on the server you grab the initialLocation and save it in a cookie.

Securely posting and then printing JavaScript tags

I am trying to develop a back-end Ad Checking application in PHP. We have lots of places where ads can be shown and almost all of them has its unique requirements (they are shown inside games, that is why everyone is different in size, weight, format, etc.). Since this can cause lots of confusions on campaigns targeting different games (with the agencies sending us ads with the wrong formats), we need to check every ad to make sure it works as expected.
The application works fine if our clients send us the Ad File to check. But most of the time they send Adserver tags, so they can keep track of the results, and those tags generally are javascript and iframe tags.
The problem is how to securelly allow the insertion of javascript and iframe code, and render that to the page on the postback page (for visual checking), on all browsers, without risking XSS problems?
At the moment, I've managed to post the code and print to the postback page on all browsers, but Chrome, because of the security measures. But since I'm gonna have to tackle that issue anyway, how can I make it work on all browsers and still be sure the application is safe?
Thanks.
Decio
If you include 3rd party javascript code, you are always risking XSS. Let's say, you're testing the code from ad provider:
<script src="http://some3rdPartySite.com/script.js"></script>
Script can be altered to be displayed and to cause different results on target domain and on all other pages. That is, you can see how it wants to be showed to you, but you can't be sure that it will be the same in some of your customer's games.
Ad provider can change the script on it's server at any moment, possibly after your tests.
If you do not trust your ad vendors, I suggest to let them choose image + URL or iframe URL + dimensions. You can do "bad stuff" with Iframe too (like frame-busting thus redirecting from your customer page), but you still must obey cross-domain policy. This is not the case if you let javascript code to be executed.
You could also provide your own analytics for ad vendors to fill their needs.
Anyway, for testing javascript results you could use Selenium drivers with any browser: http://seleniumhq.org/. It let's you to load any page, execute javascript code and get results. In this way you could load your javascript code, search DOM for nodes and check their dimensions etc.
Also, you can look at sahi: http://sahi.co.in/w/

How to track users across domains?

We got pitched this idea yesterday. A user visits our site and are marked. Then when they visit other sites like CNN they are targeted with adds for our site. So once they are exposed to us, they start to see us everywhere, creating the illusion we are bigger than we are.
The person pitching it said it was done by cookies. I was very skeptical since I don't believe there to be anyway to see what cookies a different domain has set. So I wanted to try an figure out how it was accomplished. The salesman called this technology pixel tracking.
I have never heard of pixel tracking but from my research I have found that it is placing a 1 pixel image that references a script on another domain with parameters to be executed. My first thought was, OK maybe its possible this way.. But I still don't know how?
Can anyone explain how they are able to mark you as visited our site, and then see this mark on another site? Is it from your IP?
Included at the bottom of the (CNN) website in this case is an img tag like:
<img src="http://www.webmarketingCompany.com/pixel.php?ID=623489593479">
When a user visits the (CNN) website, and the browser renders the page, it sends http requests for all the images as well, including a request to http://www.webmarketingCompany.com for the image pixel.php which includes the ID as a get parameter. pixel.php not only returns an image, typically a 1x1 transparent gif (so it isn't visible in the rendered page), but can do a whole host of additional processing using the ID value; and it also has access to any webmarketingCompany.com cookies, which are also sent with the http request.
Of course, CNN have to agree to include the img tag in their html. Typically it's used as a tracker by third party marketing companies working on behalf of CNN to identify who is visiting their site, what pages they're viewing, etc.
But because it's a PHP script, it can do a whole host of extras, such as setting further cookies. If webmarketingCompany.com also handle ad-serving on behalf of CNN, they can do some creative selection of the ads that they choose to serve.
Such cross-client "pollination" is frowned upon, certainly here in the UK.
What you are describing is pretty standard for all advertisement networks. The only difference here is that they will place that cookie on your site as well.
As long as the browser has "accept third party cookies" set to true, this will work as the salesman said. Most browsers has the setting set to true by default, the only exception I can think of is Safari.

How to check if the webpage has actually been loaded?

I have an affiliate tracking script that is currently being exploited by an affiliate. In the main, site I track the affiliate clicks using this url www.example.com?member=affiliatecode,
then I capture the query string $_GET['member'];
Problem is, an affiliate is exploiting this simple system and page loads on his site is being recorded as clicks going to mine.
What measures can I add to prevent this without changing the affiliate link to my site? An idea that I had is to check if my page has actually been loaded, but how would I do that in PHP?
Thanks
I don't quite grasp the exact problem (or more to the point, exactly how the affiliate is logging hits), but a solution may be to put a image on your page which should ensure that a browser has loaded it. So at the bottom of you page you should insert
<?
if ( isset($_GET['affiliate']) ){
echo '<img src="affimg.php">';
}
?>
And then in the affimg.php, you would log the affiliate and then output a 1x1 image (remembering to set the headers). The downside is that there is no way to stop an affiliate just simply putting that image in to his page and if the affiliate is using an iframe, the image would still be loaded.
A better way may be to simply do some tracking. Rather than just requiring that one page gets visited, change it so that you require two or more using a database to track the ip addresses.
There may be a better way, but then I don't know the exact details.
First, you can never be sure that a bot/script instead a human "clicks" on an image, this is a fact. Secondly, you can make things a bit difficult. An idea would be:
Deliver a banner including a unique link that is triggered via a Javascript-click-event, like:
<img src="http://www.targetsite.com/image.jpg" />
Save the token in your database before and give it a expiration time of some minutes. Then, only count the click if the token is valid later. So your affiliate has to change the "onClick"-Event or parse the source code to extract the token.
As said, it only makes things more difficult. You could also parse your affiliate's site source to see whether there, your banner is "clicked" automatically (which would be very cheeky).
Another addition would be to read a cookie on the client side and attach it to the generated link to implement a check if the client has already requested your target site.
Since you can't protect yourself completely from fakes, you can build several little tools like these that increase safety.
HTH

Categories