After the php5.6 changes this is not working on https.
But I can make fake commissions from my browser http://mysite.com/myfolder/sale/amount/$AMOUNT/trans_id/$ORDERID/tracking_code/$COOKIE
I write the values into the variables.
I think everybody can make fake commission who "know" the script.
I think it is a security risk.
It is a better method to post (with a security ID) than this.
Or another possibility if I can change the route from "myfolder/sale/amount/" to "myfolder/sale23tqprz65kst/amount/" for example.
Or if you not encrypt a file - the sale.php I think.