PHP advice needed

Itchen · Feb 22, 2015

Hiya

I need to install an image tracking pixel on my sites "thank you" page for one of our affiliates.

I'll be passing variables through the url to this page that need to be included ie www.mysite.com/?SUBID=21&LEADID=55&Opt=yes

Can I use GET in this way and would this work? ...

echo '<img src='https://www.imagepixel.com/tracking/RecordPixel.aspx?cmp=38721&optional=". $_GET["LEADID"] ."&optional2=". $_GET["SUBID"] ."&optional3=". $_GET["Opt"] ." width="1" height="1" border="0"'>';

Thanks in advance for any advice. Much appreciated

lazarus · Feb 23, 2015

Yes you can use $_GET to pull those variables from the URL.

Your example looks ok too.

Laz

tifosi · Feb 24, 2015

Never, use raw url data like that though. Make sure it's sanitised.

The filter input functions in php are good. Some variables can be typecast to a type e.g. integer.

If you're using a cms like wordpress then that has sanitization tools built in.

Anything that is going to touch a database query needs it.

RobM · Feb 24, 2015

Are you putting the data into a database? I always track any visit locally. If so you can use echo '<img src='https://www.imagepixel.com/tracking/RecordPixel.aspx?cmp=38721&optional=". mysql_real_escape_string($_GET["LEADID"]) ."&optional2=". mysql_real_escape_string($_GET["SUBID"] )."&optional3=".mysql_real_escape_string( $_GET["Opt"]) ." width="1" height="1" border="0"'>';

This sanitizes the $_GET vars for slashes and any mysql injections when you're passing them through. Note it won't change them though so you'll need to run the same function on the $_GET vars before passing them into a database. You might want to go further and remove other things you wouldn't want to pass through.