0

I run a link shortener; the users get paid for visitors who use the short URL. The visitors see a landing page, and with a click on "skip" they are redirected. But some of my users try to cheat: instead of giving their visitors the short URL like example.com/a/53425, they give them http://example.com/a/pugt.php?url=53425. In pugt.php, 2 SQL queries are performed:

  1. the target url is retrieved from the database

  2. the creator of the url gets +1 point per visitor.

That means that the visitors are redirected without seeing the ads on my landing page, and the user gets his points. Is there any way to hide this PHP file, or to perform these SQL queries in a smarter way?

This is the source code of the "skip" button on my landing page; $url is the ID of the short URL, like 53425:

```php
<section class="example">
   <br/>
   <a href="http://example.com/a/pugt.php?url=<?php echo $url; ?>" ><img style="display: block; margin-left: auto; margin-right: auto;width:15%; " src="img/proceed2.png"></a>
   <br/>
   <center><script src="//go.padstm.com/?id=345791"></script></center>
</section>
```
marc_s
Vaze
  • In order for someone to not be able to cheat as you've described, the logic for gaining the points as well as showing that ad would have to be contained within the same step. I don't know if you have control over that. Would it be possible to move the ad-displaying logic into the destination URL, that way the URL shortener does nothing but shorten the URL? – Nick Coons Aug 02 '15 at 20:19
  • Yes, that's what I did before. If I add the points with the .php file of the landing page, people are just reloading it to gain points. There must be a step in between to make sure that there is at least a human who clicks something, as an anti-bot protection. @NickCoons – Vaze Aug 02 '15 at 20:39

2 Answers

1

The best way is to create a token for every url. Add a new database column named token or anything you like. So your url should look like:

http://example.com/a/pugt.php?token=e49s73tr6198e76dg4&url=53425.

Your PHP script will update the token every time a visitor views your ad and set the new token for the next URL. Without a valid token, no one will be able to bypass your ad.

Crunch Much
  • In a later comment, the OP noted that people are repeatedly calling the same URL in order to gain additional points. I would add to your answer that tokens should be valid for only a single access so that repeated use of the same token won't gain additional points. – Nick Coons Aug 03 '15 at 04:47
  • @NickCoons The token is for the skip URL. The URL the user will share should be static, and the next URL for skip will be dynamic, because a different token is added for every request. Actually, users copy the skip URL and share that URL. They do not share the URL provided by the URL shortener. – Crunch Much Aug 03 '15 at 04:53
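
The single-use skip token described in this answer and its comments, as an added example (not code from the original posts): the landing page issues a fresh token per view, and pugt.php credits the point and returns the target only when that token is redeemed for the first time. The table layout, the function names, the 300-second lifetime and the in-memory SQLite database are assumptions made so the example runs on its own.

```php
<?php
// Added example, not the poster's code. Table and function names are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, target TEXT, points INTEGER DEFAULT 0)');
$db->exec('CREATE TABLE skip_tokens (token_hash TEXT PRIMARY KEY, link_id INTEGER, expires INTEGER)');
$db->exec("INSERT INTO links (id, target) VALUES (53425, 'https://destination.example/')"); // constructed sample row

// Called by the landing page while it renders the "skip" link.
function issueSkipToken(PDO $db, int $linkId, int $ttl = 300): string
{
    $token = bin2hex(random_bytes(16)); // unguessable, fresh for every page view
    $stmt = $db->prepare('INSERT INTO skip_tokens (token_hash, link_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $linkId, time() + $ttl]);
    return $token; // goes into the href: pugt.php?url=<id>&token=<token>
}

// Called by pugt.php. Returns the target URL, or null when the token is
// unknown, already used, expired, or was issued for a different link.
function redeemSkipToken(PDO $db, int $linkId, string $token): ?string
{
    $db->beginTransaction();
    // The DELETE is the single-use check: only the first request removes a row.
    $del = $db->prepare('DELETE FROM skip_tokens WHERE token_hash = ? AND link_id = ? AND expires >= ?');
    $del->execute([hash('sha256', $token), $linkId, time()]);
    if ($del->rowCount() !== 1) {
        $db->rollBack();
        return null; // no point credited, no redirect
    }
    $db->prepare('UPDATE links SET points = points + 1 WHERE id = ?')->execute([$linkId]);
    $sel = $db->prepare('SELECT target FROM links WHERE id = ?');
    $sel->execute([$linkId]);
    $target = $sel->fetchColumn();
    $db->commit();
    return $target === false ? null : (string) $target;
}

$token = issueSkipToken($db, 53425);
var_dump(redeemSkipToken($db, 53425, $token));    // first click from the landing page
var_dump(redeemSkipToken($db, 53425, $token));    // same skip URL reloaded or shared
var_dump(redeemSkipToken($db, 53425, 'guessed')); // skip URL built without visiting the landing page
echo $db->query('SELECT points FROM links WHERE id = 53425')->fetchColumn(), "\n";
```

A redeemed token shows only that the landing page was rendered for that view; it does not by itself show that a human clicked, so the anti-bot concern raised in the question's comments needs a separate control.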
-2

Yes Vaze, the better way to deal with the hidden URLs is to encrypt the URL by using urlencode, as it is right for your requirement. In this way the users can't understand the URL and you will have what you need. And at the time of the backend PHP magic you need to urldecode your URL in order to do the same things you are currently doing.

Haisum Usman
  • `urlencode()` is not encryption. It's not even close. –  Aug 02 '15 at 20:57
  • @suskwuff please check http://stackoverflow.com/questions/20014118/php-sending-encrypted-data-via-the-url#20014139 – Haisum Usman Aug 02 '15 at 20:59
  • The data that's being URL encoded in that question has already been encrypted; URL encoding is being used to make it valid as a query string parameter. –  Aug 02 '15 at 21:11