
I have a situation where someone is trying to sabotage my Google AdSense account by continuously sending personally identifiable information into the URL to my site. How can I block this or at least detect the random variables they are using?

For example, the variable name could be ANYTHING.

mysite.com/?asdfd=emailaddress@gmail.com

or

mysite.com/?gfrewgtr1=emailaddress@gmail.com

...?

The only thing I can think of doing is collecting known variables and then performing a header location redirect to the main site URL.

Chris Hully
  • If you're not using the GET variables, it shouldn't matter? – adeneo Apr 17 '15 at 17:12
  • It does matter; if they are in the URL when an AdSense ad is displayed, it gets passed to Google. Since it's an email address, they view this as a policy breach. – Chris Hully Apr 17 '15 at 17:17
  • In that case, this is a duplicate of this -> http://stackoverflow.com/questions/29356043/remove-unwanted-email-address-from-url – adeneo Apr 17 '15 at 17:20
  • @ChrisHully you should go with the answer of Al.G.; place his snippet at the top of your script. This way the GA JavaScript won't be triggered if there are flagged vars in the `$_GET` – DarkBee Apr 17 '15 at 17:44

2 Answers


The $_GET reserved variable will contain any parameters passed in the URL.

var_dump($_GET);

Will output:

array(1) {
  ["asdfd"]=>
  string(22) "emailaddress@gmail.com"
}

If there is anything in that array, you've essentially detected them. You could further use logic to weed out known query parameters you might use around your site and act accordingly if you find anything you deem actionable.

Michael Irigoyen

If: you want to have no GET parameters, check if $_GET is empty

if (!empty($_GET)) {
    header('Location: ' . $_SERVER['SCRIPT_NAME']);
    exit;
}

Or: check $_GET for non-allowed parameters:

$allowed_params = ["id", "some_param", "another one"];
foreach ($_GET as $key => $val) {
    if (!in_array($key, $allowed_params)) {
        // if something's wrong, get out!
        // header() sends the redirect; echo would only print the text
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
}

// everything is ok here

Note: before any header()s you mustn't have any output. Otherwise you'll get an error. Better to place the code at the very top of your script.

Al.G.
  • Prolly good to mention this should be at the top of his script otherwise chances are that GA is executed anyway – DarkBee Apr 17 '15 at 17:43
  • Of course, this should be placed before any output printing. I'm just used to doing it this way so I didn't even think to mention it in my post. – Al.G. Apr 17 '15 at 17:57
  • I'm using the second option allowing some variables. It's at the very top of my script, prior to any output. It doesn't seem to be catching the bad variables, it's not redirecting. Entering example.com/?abc=123 results in a URL of http://www.example.com/?abc=123 (only "r", "id" are allowed_params). – Chris Hully Apr 17 '15 at 19:02
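
An added example (not code from either answer): the allow-list check from the second answer, extended to also reject e-mail-shaped values under allowed names, log which parameter names were dropped, and redirect to the same path with only the clean parameters kept. The names `ALLOWED_PARAMS`, `clean_query` and `looks_like_email` are hypothetical; `r` and `id` are the parameters the asker says are allowed.

```php
<?php
// Added example; ALLOWED_PARAMS, clean_query and looks_like_email are hypothetical names.
const ALLOWED_PARAMS = ['r', 'id']; // the two parameters the asker mentions

// True if a string contains something shaped like an e-mail address.
function looks_like_email(string $s): bool
{
    return preg_match('/[^\s@\/?&=]+@[^\s@\/?&=]+\.[a-z]{2,}/i', $s) === 1;
}

// Split $query into [kept parameters, names of dropped parameters].
function clean_query(array $query): array
{
    $kept = [];
    $dropped = [];
    foreach ($query as $key => $val) {
        $key = (string) $key;              // PHP turns numeric keys into ints
        $ok = in_array($key, ALLOWED_PARAMS, true)
            && is_string($val)             // rejects ?id[]=... arrays
            && !looks_like_email($val);    // allowed name, but PII in the value
        if ($ok) {
            $kept[$key] = $val;
        } else {
            $dropped[] = $key;
        }
    }
    return [$kept, $dropped];
}

// Run only for web requests, at the very top of the script, before any output
// (and therefore before the ad JavaScript is ever sent to the browser).
if (PHP_SAPI !== 'cli') {
    [$kept, $dropped] = clean_query($_GET);
    if ($dropped !== []) {
        // Log names only, and mask names that themselves carry an '@',
        // so the PII is not copied into the server log.
        $names = array_map(fn($k) => strpos($k, '@') !== false ? '[redacted]' : $k, $dropped);
        error_log('Stripped query parameters: ' . json_encode($names));
        // Keep the redirect relative to this host: take only the path and
        // collapse leading slashes/backslashes so it cannot become //other-host.
        $path = '/' . ltrim((string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH), '/\\');
        $qs = http_build_query($kept);
        header('Location: ' . $path . ($qs !== '' ? '?' . $qs : ''), true, 302);
        exit;
    }
}
```

After the redirect the request carries only parameters that pass the check, so the second request falls through without redirecting again.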