So I wanted to make something like a counter for visits for every page AND directory. The purpose was that of a security perspective but so far I've only managed to think of this:

```php
<?php

include('connect.php');
$date = date("d.m.Y H:i:s",time());
$url = $_SERVER['REQUEST_URI'];
$ip = $_SERVER['REMOTE_ADDR'];

$query = "INSERT INTO `visits` VALUES ('','$date','$url','$ip')";

mysql_query($query);

?>
```

Problem is that in order for this to work I need to include this snippet in each file which isn't exactly what I need since, for example, I can't include it in any of my files in the /js/ folder. How can I make use of something like this and log each visit on each page individually?

schmitsz
  • (This is a terrible idea). – Marty Feb 01 '15 at 23:20
  • For starters, if you did end up doing this, you would be executing a query for every single file that is embedded on a page. – Marty Feb 01 '15 at 23:23
  • cause if you have high traffic you will be hitting millions of rows within no time – Nishanth Matha Feb 01 '15 at 23:23
  • Also, [please read this thread](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) before you continue. – Marty Feb 01 '15 at 23:24
  • have you thought about putting it in a file and just including the file in all your pages? – dewd Feb 01 '15 at 23:24
  • Perhaps I should've mentioned that I'll be having the database on a separate VPS. But nonetheless, I won't be really experiencing enough traffic to cause trouble. – schmitsz Feb 01 '15 at 23:25
  • @Marty how is he going to get client sql injection using server generated vars? – dewd Feb 01 '15 at 23:25
  • I suppose request uri could contain injection. good point. – dewd Feb 01 '15 at 23:25
  • @dewd That's not the point - you shouldn't be in the habit of building queries like this in the first place. – Marty Feb 01 '15 at 23:25
  • @Marty, I already have a WAF for almost all kinds of web-based attacks. I'm asking about something else. – schmitsz Feb 01 '15 at 23:27
  • Just the fact that you're using a deprecated API really doesn't convince me that you're safe against attacks. – Marty Feb 01 '15 at 23:31
  • @schmitz sql injection is where the variables you include in an sql statement can be used to inject unwanted sql into your db. since i might find out you're using the request url var, i could add sql to the uri, thus changing your statement - potentially very dramatically. always use prepared statements just in case. – dewd Feb 01 '15 at 23:33

1 Answer

If you have common scripts for every page you should start thinking about a landing page which is actually delivering the content to the user's request. This could be your index.php and your pages are accessed by a page-id (for example /index.php?show=home) or use a url-rewrite engine from the webserver to rewrite www.yourdomain.de/home to index.php?show=home so every page request starts at index.php and you can track the visitor and the requested page from the "show"-parameter. So you don't have lots of php files but only one for start and load the desired content from this starting point.

So first thing to do would be to reorganize your page to a single landing page with commonly executed scripts (like session handling, tracking, logging etc).

ynnus
  • Note this is called the [front controller pattern](http://en.wikipedia.org/wiki/Front_Controller_pattern). – Marty Feb 01 '15 at 23:33
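
The front controller the answer describes, combined with the prepared statement the comments recommend, as an added example that is not code from the question or the answer. It assumes PDO with a SQLite file standing in for the asker's MySQL connection, a `visits` table with `visited_at`, `url` and `ip` columns, a `pages/` directory, and the hypothetical helpers `openDb`, `logVisit` and `resolvePage`.

```php
<?php
// index.php - front controller: every routed request is logged here, once.
// Assumptions (not from the original post): PDO is available, page scripts
// live in ./pages/, and the visits table has the columns created below.
declare(strict_types=1);

// Allow-list of page ids; the "show" parameter never becomes a file path itself.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function openDb(): PDO
{
    // A SQLite file keeps the example runnable offline; it stands in for the
    // MySQL connection that connect.php sets up in the question.
    $pdo = new PDO('sqlite:' . __DIR__ . '/visits.sqlite');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS visits (
        id INTEGER PRIMARY KEY, visited_at TEXT, url TEXT, ip TEXT)');
    return $pdo;
}

function logVisit(PDO $pdo, string $url, string $ip): void
{
    // Placeholders keep REQUEST_URI as data, so it cannot alter the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO visits (visited_at, url, ip) VALUES (:at, :url, :ip)');
    $stmt->execute([
        ':at'  => gmdate('Y-m-d H:i:s'),
        ':url' => substr($url, 0, 2048),   // bound the stored length
        ':ip'  => $ip,
    ]);
}

function resolvePage($show): ?string
{
    // ?show[]=x arrives as an array; treat anything but a known string as unknown.
    return is_string($show) ? (PAGES[$show] ?? null) : null;
}

$pdo = openDb();
logVisit($pdo, $_SERVER['REQUEST_URI'] ?? '/', $_SERVER['REMOTE_ADDR'] ?? '');

$file = resolvePage($_GET['show'] ?? 'home');
if ($file === null || !is_file(__DIR__ . '/pages/' . $file)) {
    http_response_code(404);
    exit('Not found');
}
require __DIR__ . '/pages/' . $file;
```

Only requests that the web server routes to index.php are logged, so static files such as those under /js/ are recorded only if the rewrite rule covers them.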