I recently downloaded a number of csv-files from various merchants, and whilst beginning to sort and structure the material, I noticed that the product descriptions contained all sorts of characters. Well, I'm quite experienced meanwhile in dealing with these #*$!ing umlauts, but to my surprise, I also found pipe-signs, various brackets and even backtick-operators.
It seems quite logical that the smaller merchants supplying this data don't have a clue about the nature and function of some of these characters. If they had more know-how about websites and the internet, there'd be no need for them to start affiliate programs.
At least the data I downloaded so far makes me worry a bit about whether these product descriptions are really thoroughly checked by the affiliate-brokers. Checking ALL my sites for w3c-conformity, it was quite easy for me to realize that some sort of character escaping is inevitable, but I doubt this holds true for all guys trying to make some money with affiliate-programs. I know it is quite unlikely a hacker aims at malicious code injection with such a long breath, but who knows?
What do you think?
Please delete my post if this has been discussed before. I'm new to affiliate partnerships, but sometimes only naive humans realize the emperor is naked. And if my assumption bears some truth, he'd be very naked.
I'm not sure about the rest of your post, but the above statement isn't necessarily correct. Those that know about the internet and marketing take full advantage of the power of affiliate marketing and have nice successful programs. What would you rather have selling your products, your own brick and mortar store website, or your own site plus thousands of other sites which bring additional sales to your store?
Let me give one example: the program I started with contains links to image sources from the merchants' websites, all jpegs of course, but I did not really check. Now, as a matter of fact, it is quite easy to insert a .php-image-source-string into that database, which could be designed in such a way that it perfectly provides the image data with all necessary headers, but prior to that, performs some other commands, which would definitely be executed from my hosting-computer. In large databases it would take ages until a human notices the difference.
Similar things hold true for all sorts of code that might be "hidden" in very long product descriptions. If these are sent to the browser unencoded from a php-mysql-based affiliate site, anything might happen.
If you are receiving product catalog feeds from a merchant and you accept them into your database and then display them to your visitors, then yes, there is a potential security flaw.
Just like data entered by users should be screened before you process/store/display it, so should any data your application reads from external sources. Even if you really "trust" that merchant. After all, someone could hack the merchant's database, ensure feeds contain their affiliate link and sit back while unsuspecting resellers lose profits.
So you should obtain a definition file from your merchant that describes what the data should look like. Then filter any feeds you take based on that data.
I admit, I made a mistake: that pdf/jpg thing does NOT work, such a script would be executed on the server hosting the image; nevertheless some risk remains.
Where would you locate the responsibility on these issues? At the broker's side?
I am currently communicating with a broker, who said he would not tolerate my using an intermediate php-script resizing the merchants' images to an acceptable corridor. There were some "thumbnails" of 300x300 pix in one of the merchants' databases, and this is completely unacceptable if you are running a professional website.
They said I should tell them about the sources and they would make sure the data is corrected. But this is not my task, actually. I am planning to incorporate the merchant's data as some peripheric alternative around my core-business, presenting my customers affiliate data in case my search-function reveals a zero result. This means I am planning to list a hundred thousand additional products in my database, and I cannot go thru this by hand.
In fact, I'd write a php-script checking the image-size-data in less than one hour, but I don't want to. And the security issue is more important. I admit: It's just a single php-command for encoding, but what about those affiliates who still copy and paste the data into pure html-pages by hand? One of them might have or be a good lawyer...
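The two measures discussed in this thread, filtering a feed against a definition of what the data should look like and encoding it when it is sent to the browser, shown as an added example that is not part of the original posts. The column names, limits, `validateRow()`, `h()` and the sample feed lines are assumptions made for illustration; it needs PHP 7.4 or later.

```php
<?php
// Added example, not code from the thread. Columns, limits and sample rows are constructed.
$definition = [   // hypothetical "definition file": one rule per feed column
    'sku'         => fn(string $v): bool => preg_match('/^[A-Za-z0-9_-]{1,32}$/', $v) === 1,
    'price'       => fn(string $v): bool => preg_match('/^\d{1,7}(\.\d{2})?$/', $v) === 1,
    // Valid UTF-8 (the /u flag fails on invalid bytes), 1-2000 characters, no control chars.
    'description' => fn(string $v): bool =>
        preg_match('/^[^\x00-\x08\x0B\x0C\x0E-\x1F\x7F]{1,2000}$/u', $v) === 1,
    // http(s) only, and the URL path must end in a known image extension.
    'image_url'   => function (string $v): bool {
        $p = parse_url($v);
        return is_array($p)
            && in_array(strtolower($p['scheme'] ?? ''), ['http', 'https'], true)
            && !empty($p['host'])
            && preg_match('/\.(jpe?g|png|gif)$/i', $p['path'] ?? '') === 1;
    },
];

// Returns the names of the columns that violate the definition (empty = row accepted).
function validateRow(array $row, array $definition): array
{
    $bad = [];
    foreach ($definition as $column => $rule) {
        if (!isset($row[$column]) || !$rule($row[$column])) {
            $bad[] = $column;
        }
    }
    return $bad;
}

// Encode at output time: markup in a description is shown as text, never interpreted.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample feed lines (sku, price, description, image_url).
$feed = [
    'A-100,19.99,"Müller mug | 300 ml <b>new</b> `blue`",https://merchant.example/img/a100.jpg',
    'A-101,5.00,"Poster",https://merchant.example/img/render.php?id=101',
    'A-102,abc,"Lamp",ftp://merchant.example/img/a102.jpg',
];
foreach ($feed as $line) {
    $cols = str_getcsv($line, ',', '"', '');
    if (count($cols) !== count($definition)) { echo "REJECT (column count)\n"; continue; }
    $row = array_combine(array_keys($definition), $cols);
    $bad = validateRow($row, $definition);
    echo $bad ? 'REJECT ' . h($row['sku']) . ': ' . implode(', ', $bad) . "\n"
              : 'OK     ' . h($row['sku']) . ': ' . h($row['description']) . "\n";
}
```

Validation decides what is stored; `h()` is still applied on every output, because a description that passes the definition can legitimately contain `<`, `|` or backticks.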