
Hello and thanks in advance for any suggestions you can lend.

What I am trying to accomplish: When a user clicks a link I want to add an auto-increment id, the clicked URL and a time stamp to the database and then send them to the link's landing page.

The problem I am having: When the link is clicked the URL is not added to the database and the redirect also fails.

Here is the code I am working on:

ad_click_tracking.php

<?php


include ("admin/includes/connect.php");


mysql_select_db("$database") or die(mysql_error());

//Collecting the destination URL from the clicked link
$redirect = mysql_real_escape_string($_GET['page']);

//Insert destination URL and time stamp into MySQL

$page_insert = mysql_query("INSERT INTO ad_click_tracking (`url`, `date`) VALUES ('$redirect', now())") or die(mysql_error());

//Redirecting user to the clicked URL

header("Location: $redirect");

//Debugging to see if we collected the URL
echo "Redirect URL: $redirect";

?>

header.php (Contains the links to be tracked - the first link is internal the second link is external)

<a href="http://recyclingkansascity.com/ad_click_tracking.php?page="index.php" target="_blank"><img src="/images/header_banner/recycling_kansas_city_header.png" width="620px" height="340px" alt="Recycling Banner" title="Recycling Kansas City"></a></li>

<a href="http://recyclingkansascity.com/ad_click_tracking.php?page="http://paws4autism.org" target="_blank"><img src="/images/header_banner/funny_bunny_5k_autism_egg_hunt.png" width="620px" height="340px" alt="Paws 4 Autism" title="Paws 4 Autism Easter Event"></a></li>

When I click the internal or external link the browser displays the URL as recyclingkansascity.com/ad_click_tracking.php?page= and then when I check the database the id has been auto-incremented and the timestamp is inserted but the URL is null. For some reason the ($_GET['page']) seems to be failing to grab the page URL and I have not been able to figure out why as of yet. I read through relevant "similar questions" and was not able to find an answer.

Sterling Archer
Disaster Faster
  • what does var_dump($_GET) on ad_click_tracking.php give you ? – Maximus2012 Mar 04 '15 at 17:07
  • you might also want to change href="http://recyclingkansascity.com/ad_click_tracking.php?page="index.php" to href="http://recyclingkansascity.com/ad_click_tracking.php?page=index.php" and see if that helps (remove an extra " right before index.php) – Maximus2012 Mar 04 '15 at 17:07
  • You do know that it is extremely insecure? Just a small url manipulation and I can get anything: http://recyclingkansascity.com/ad_click_tracking.php?page=passwd – aqab0N Mar 04 '15 at 17:11
  • Maximus2012: switching to var_dump didn't work. What did work was removing the extra " as you suggested. This totally fixed the first link to an internal page and now the link works as well as it adds to the database. This did not fix the external link though and it navigates to recyclingkansascity.com/ad_click_tracking.php?page=http://paws4autism.org when clicked and does not add the url to the database. – Disaster Faster Mar 04 '15 at 17:21
  • aqab0N: I had no idea it was insecure, so far I can't even get it working lol. Do you have any suggestion how I could make it more secure? – Disaster Faster Mar 04 '15 at 17:22

1 Answer


A better way to create your links would be with PHP code such as this:

$url = 'http://paws4autism.org';
echo '<a href="http://recyclingkansascity.com/ad_click_tracking.php?page='
       . htmlspecialchars(urlencode($url)) . '" target="_blank">...</a>';

This will escape the url as a query string. It may or may not work without doing this, but this is the proper way to do it. For example, http://paws4autism.org would become http%3A%2F%2Fpaws4autism.org. If you are wondering about the double escaping, here it is broken down a bit:

$url = 'http://paws4autism.org';
// escape query string when constructing url:
// (this would be necessary even if you weren't rendering it as a link in html)
$href = 'http://recyclingkansascity.com/ad_click_tracking.php?page=' . urlencode($url);
// escape for html rendering:
echo '<a href="' . htmlspecialchars($href) . '">...</a>';

In ad_click_tracking.php, you ought to check whether $_GET['page'] is set at all before you continue. Also, it doesn't make sense to be redirecting to the MySQL-escaped version of the page parameter. So, instead of this:

$redirect = mysql_real_escape_string($_GET['page']);
// (...insert with $redirect...)
header("Location: $redirect");

I would do this:

if (!isset($_GET['page'])) {
  // this is a little bit more informative than just dying
  header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
  die('No page specified');
}
$redirect = $_GET['page'];
$s_redirect = mysql_real_escape_string($redirect);
// (...insert with $s_redirect...)
header("Location: $redirect");

Lastly, the plain mysql library for PHP isn't really recommended for use. Mysqli (which uses nearly the same syntax) or PDO is preferred. See here: MySQL vs MySQLi when using PHP

Oh, and as for the security of doing the HTTP redirect, see this page (I recommend reading through all the answers). The only real issue is related to phishing scams. You aren't serving a file that the user normally wouldn't have access to. php security for location header injection via $_GET

narb
  • Thanks to everyone for the help I appreciate it! narb: I implemented your suggestions. When landing on the page now it only displays No Page Specified. If I change the !isset to just isset then the page does load just fine but when I click the link it does not add to the database and the URL comes out as 'http://recyclingkansascity.com/ad_click_tracking.php?page=http%3A%2F%2Fpaws4autism.org' and does not push through to the actual landing page. For some reason it is retaining 'http://recyclingkansascity.com/ad_click_tracking.php?page=' and not just using the actual landing url? – Disaster Faster Mar 04 '15 at 19:45
  • @DisasterFaster That sounds like you've got an extra quotation mark in there somewhere when you are creating the link. Maybe check the page source in your browser and see if there really are no extra quotes. – narb Mar 04 '15 at 21:50
  • I just wanted to give a big thank you to everyone who took the time to help me out by providing help on this question. After making the changes that Narb suggested the code was just right but I still had an issue. The issue was the header redirect would only work on internal pages and would fail on external pages. Turns out the datacenter was blocking that for security reasons. After contacting them they white listed the script and now external redirects work perfectly and now all is just right. – Disaster Faster Mar 08 '15 at 13:49
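The thread leaves two loose ends: aqab0N's point that the tracker forwards any value of ?page= (an open redirect), and narb's advice to check the parameter and move off the plain mysql extension. The following is an added example, not code from the asker or from narb, that ties both together: it restricts redirects to the two destinations used in the question, records the click with a PDO prepared statement, and builds the tracked link with the urlencode/htmlspecialchars pair from the answer. The $pdo connection and the table name ad_click_tracking(url, date) are assumed from the question.

```php
<?php
// Added example: hardened replacement for ad_click_tracking.php.
// Assumes a PDO connection in $pdo and the ad_click_tracking(url, date)
// table from the question.

// Allowlist of destinations the tracker may redirect to. The original
// script forwarded whatever ?page= contained, which is an open redirect.
const ALLOWED_DESTINATIONS = [
    'index.php'              => '/index.php',
    'http://paws4autism.org' => 'http://paws4autism.org',
];

// Map the raw query value to a known destination, or null if it is
// missing, empty, or not on the allowlist.
function resolveDestination(?string $page): ?string
{
    if ($page === null || $page === '') {
        return null;
    }
    return ALLOWED_DESTINATIONS[$page] ?? null;
}

// Build the tracked link the way the answer describes: urlencode() escapes
// the value as a query-string parameter, htmlspecialchars() escapes the
// finished URL for the HTML attribute.
function trackingLink(string $trackerBase, string $destination): string
{
    $href = $trackerBase . '?page=' . urlencode($destination);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
         . '" target="_blank">';
}

function recordAndRedirect(PDO $pdo, ?string $page): void
{
    $target = resolveDestination($page);
    if ($target === null) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
        exit('No valid page specified');
    }
    // Prepared statement: the URL is bound as data, never spliced into SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO ad_click_tracking (`url`, `date`) VALUES (:url, NOW())'
    );
    $stmt->execute([':url' => $target]);

    header('Location: ' . $target, true, 302);
    exit; // nothing may be echoed after the redirect header
}

// Usage (connection parameters are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=DATABASE_NAME', 'user', 'pass',
//                [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// recordAndRedirect($pdo, $_GET['page'] ?? null);
```

Because the allowlist maps the incoming value to a fixed target, the passwd-style manipulation from the comments gets a 400 instead of a redirect, and the extra quotation mark bug from the original header.php cannot recur since trackingLink() generates the attribute.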