
How to prevent abuse of commissions with file_get_contents?


As I understand, automated affiliate tracking is accomplished by calling:

$aff_integrate = file_get_contents('http://www.yourdomain.com/affiliates/sale/amount/' . $sub_total['value'] . '/trans_id/' . $this->session->data['order_id'] . '/tracking_code/' . $_COOKIE['jamcom']);

It would seem that any affiliate that knows the URL scheme can simply add a `value` and `trans_id` with the cookie value and call it from a web browser.

If that's true, how do we prevent abuse?

If not, then why can I call a file and generate multiple commissions with the same cookie?

For example, I can call this code and it generates a commission every time simply because the `trans_id` is different:

$test_url = 'http://www.yourdomain.com/affiliates/sale/amount/8/trans_id/'.rand(0, 9999).'/tracking_code/' . $_COOKIE['jamcom'];
$aff_integrate = file_get_contents($test_url);


Hopefully I am missing something in my quick test, like the cookie getting deleted?

Thanks for any replies.


That function should only be called after the sale of your product. Normally, in a shopping cart or payment page, the thank you page where that function is called can only run once. If the user refreshes it, the page should be redirected back to your home page or somewhere else, so that the checkout processes themselves are not duplicated. This goes for the JAM integration code as well.




> That function should only be called after the sale of your product.

Understood. My concern is that the URL sent to file_get_contents($url) is basically public knowledge. So if someone were to call the URL directly, they could possibly trigger a commission.

I realize there is an order_id query within the implementation code on the successful checkout page, but it still seems as though a script could send random order IDs directly to a "good guess" of the commission trigger URL.

To alleviate my concerns, I have set the global configuration setting for "restrict commission generation to IP" to the static IP of my installation. This solves my perceived problem.

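An added example, not part of the thread and not JAM's own code: one way a commission endpoint could combine the IP restriction described in the last post with a signed, once-only sale call, so that knowing the URL scheme is not enough to create a commission. The function names, the shared secret, the `sig` field and all sample values are assumptions made for this sketch.

```php
<?php
// Added example, not JAM code. Names, secret and sample values are constructed.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // known only to store and tracker
const ALLOWED_IPS   = ['203.0.113.10'];                    // store server (documentation range)

// Store side: sign the fields that determine the commission.
function sign_sale(string $amount, string $transId, string $trackingCode): string
{
    // json_encode gives an unambiguous encoding of the three fields.
    return hash_hmac('sha256', json_encode([$amount, $transId, $trackingCode]), SHARED_SECRET);
}

// Tracker side: decide whether a sale call may create a commission.
// $credited stands in for a table of trans_ids that were already paid.
function accept_sale(array $req, string $remoteIp, array &$credited): string
{
    if (!in_array($remoteIp, ALLOWED_IPS, true)) {
        return 'rejected: caller IP not allowed';
    }
    foreach (['amount', 'trans_id', 'tracking_code', 'sig'] as $field) {
        if (!isset($req[$field]) || !is_string($req[$field])) {
            return 'rejected: missing field';
        }
    }
    $expected = sign_sale($req['amount'], $req['trans_id'], $req['tracking_code']);
    if (!hash_equals($expected, $req['sig'])) { // constant-time comparison
        return 'rejected: bad signature';
    }
    if (isset($credited[$req['trans_id']])) {
        return 'rejected: trans_id already credited';
    }
    $credited[$req['trans_id']] = true;
    return 'accepted';
}

// Constructed requests: one genuine call from the store, one call with a guessed trans_id.
$credited = [];
$genuine  = ['amount' => '8', 'trans_id' => '1001', 'tracking_code' => 'aff42'];
$genuine['sig'] = sign_sale($genuine['amount'], $genuine['trans_id'], $genuine['tracking_code']);
$guessed  = ['amount' => '8', 'trans_id' => '5731', 'tracking_code' => 'aff42',
             'sig' => str_repeat('0', 64)];

echo accept_sale($genuine, '203.0.113.10', $credited), "\n"; // first call from the store
echo accept_sale($genuine, '203.0.113.10', $credited), "\n"; // same order sent again
echo accept_sale($guessed, '203.0.113.10', $credited), "\n"; // caller without the secret
echo accept_sale($genuine, '198.51.100.7', $credited), "\n"; // valid signature, other IP
```

Only the first call is accepted; the replay, the unsigned guess and the call from another address are each rejected by a different check.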
