Chris Kassa, posted July 17, 2021

As I understand, automated affiliate tracking is accomplished by calling:

```php
$aff_integrate = file_get_contents('http://www.yourdomain.com/affiliates/sale/amount/' . $sub_total['value'] . '/trans_id/' . $this->session->data['order_id'] . '/tracking_code/' . $_COOKIE['jamcom']);
```

It would seem that any affiliate that knows the URL scheme can simply add a `value` and `trans_id` with the cookie value and call it from a web browser. If that's true, how do we prevent abuse? If not, then why can I call a file and generate multiple commissions with the same cookie?

For example, I can call this code and it generates a commission every time simply because the `trans_id` is different:

```php
$test_url = 'http://www.yourdomain.com/affiliates/sale/amount/8/trans_id/'.rand(0, 9999).'/tracking_code/' . $_COOKIE['jamcom'];
$aff_integrate = file_get_contents($test_url);
```

Hopefully I am missing something in my quick test, like the cookie getting deleted? Thanks for any replies.

Forum Support, posted July 17, 2021

That function should only be called after the sale of your product. Normally, in a shopping cart or payment page, the thank you page where that function is called can only run once. If the user refreshes it, the page should be redirected back to your home page or somewhere else, so that the checkout processes themselves are not duplicated. This goes for the JAM integration code as well.

Chris Kassa (Author), posted July 17, 2021

> that function should only be called after the sale of your product.

Understood. My concern is that the URL sent to file_get_contents($url) is basically public knowledge. So if someone were to call the URL directly, they could possibly trigger a commission. I realize there is an order_id query within the implementation code on the successful checkout page, but it still seems as though a script could send random order IDs directly to a "good guess" of the commission trigger URL.

To alleviate my concerns, I have set the global configuration setting for "restrict commission generation to IP" to the static IP of my installation. This solves my perceived problem.
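
An added example, not part of the original posts and not JAM's own code: one way to audit web-server access logs for the trigger URL quoted in this thread, flagging calls that do not come from the store server, carry a `trans_id` that matches no real order, or reuse a `trans_id`. The log lines, IP addresses and order IDs are constructed, and the common-log-format layout is an assumption.

```python
import re

STORE_IP = "203.0.113.10"      # assumption: static IP of the shop server (constructed)
ORDER_IDS = {"1001", "1002"}   # assumption: order IDs exported from the shop (constructed)

# Trigger URL scheme as quoted in the thread, inside a common-log-format line.
HIT = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /affiliates/sale'
    r'/amount/(?P<amount>[^/\s]+)/trans_id/(?P<trans_id>[^/\s]+)'
    r'/tracking_code/(?P<code>[^/\s"]+)'
)

# Constructed access-log lines for the demonstration.
SAMPLE_LOG = """\
203.0.113.10 - - [17/Jul/2021:10:00:01 +0000] "GET /affiliates/sale/amount/49.95/trans_id/1001/tracking_code/abc123 HTTP/1.1" 200 2
198.51.100.7 - - [17/Jul/2021:10:05:12 +0000] "GET /affiliates/sale/amount/8/trans_id/4821/tracking_code/zz9 HTTP/1.1" 200 2
198.51.100.7 - - [17/Jul/2021:10:05:13 +0000] "GET /affiliates/sale/amount/8/trans_id/77/tracking_code/zz9 HTTP/1.1" 200 2
198.51.100.7 - - [17/Jul/2021:10:05:14 +0000] "GET /affiliates/index.php HTTP/1.1" 200 512
203.0.113.10 - - [17/Jul/2021:11:00:00 +0000] "GET /affiliates/sale/amount/20/trans_id/1002/tracking_code/abc123 HTTP/1.1" 200 2
203.0.113.10 - - [17/Jul/2021:11:00:04 +0000] "GET /affiliates/sale/amount/49.95/trans_id/1001/tracking_code/abc123 HTTP/1.1" 200 2
"""

def audit(log_text, order_ids=ORDER_IDS, store_ip=STORE_IP):
    """Return one finding per suspicious trigger call: (ip, trans_id, code, reasons)."""
    findings, seen = [], set()
    for line in log_text.splitlines():
        m = HIT.match(line)
        if not m:
            continue  # not a commission trigger request
        reasons = []
        if m["ip"] != store_ip:
            reasons.append("caller is not the store server")
        if m["trans_id"] not in order_ids:
            reasons.append("trans_id matches no order")
        if m["trans_id"] in seen:
            reasons.append("trans_id already used")  # e.g. a refreshed thank-you page
        seen.add(m["trans_id"])
        if reasons:
            findings.append((m["ip"], m["trans_id"], m["code"], reasons))
    return findings

if __name__ == "__main__":
    for ip, trans_id, code, reasons in audit(SAMPLE_LOG):
        print(f"{ip} trans_id={trans_id} tracking_code={code}: {'; '.join(reasons)}")
```

Commissions already recorded for the flagged `trans_id` values are the ones to review by hand.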