Forum Moderators: martinibuster
That is one loophole that G hasn't closed and of course leads us to the possibility of fraudulent clicks being made on a totally unrelated site. Of course Google (and the google devotees/worshippers) will claim that no one is innocent and their fancy dan proprietary software will be able to spot this!
My recommendation is NOT to use php includes, and perhaps others who are more technical than me can advise what else not to use.
I can then copy your page and instead of include googlesadsense code, I type include www.example.com/googlesadsensecode.php and it will include the adsense ads which were being served to that page.
Try it. Open up some free host account. Copy your page on to it then make the slight adjustment to the include statement and voila. Can't be done I hear all the cynics cry, everyone is guilty of something.
Try it then decide.
Isn't that a better idea? Tracking scripts more or less prevents the invalid clicks and if google uses the method which I mentioned I guess we wouldn't have any problems..
I would like to hear what do you guys think about this issue..
Regards
Who exactly has been crying this? Every time a new thread is started where someone claims they have been kicked out of adsense for no apparent reason, someone else will basically say - you are guilty of something (obviously paraphrased). From my readings of many posts on this board, there is a general consensus that anyone who gets kicked out of adsense then they deserved it and they were guilty as charged (by google obviously).
I was merely showing that if someone is clever enough to work out the php include statement on your site, then they can easily spoof your site and POTENTIALLY make YOU guilty of invalid clicks.
From my readings of many posts on this board, there is a general consensus that anyone who gets kicked out of adsense then they deserved it and they were guilty as charged (by google obviously).
That's weird, I haven't seen that general consensus at all.
Just because one or two people post their personal opinion doesn't make a general consensus for an entire forum.
They have lots of "holes" in everything they do.
SERPS continue to get worse, more and more filled with SERP pages with adsense ads on them. Adsense has not gotten any better in months, nothing new, no direct deposit, no nothing, nothing we asked for, but a stupid green book of mindless tips that anyone with a heartbeat can figure out.
Totally down the toilet.
Try it then decide.
As others have stated, php includes/etc are completely transparent. I think you have a misunderstanding somewhere.
Take for instance one of my sites... php includes make up the bulk of the site... you can't access those includes individually with a web browser or modified pages or by any other means. But of course, you can see the output of those includes by simply viewing the source.
Maybe you are thinking an include via a cgi script? But what's the problem there? Yeah, the "thief" would know where the include was located, but how are you any more vulnerable than inserting the code into a static page? After all, a "view source" is going to display the adsense code & then could simply cut-n-paste, so why does using something like cgi include somehow make one more vulnerable?
Like wshi88, your logic defies me.
First of all, if you just copy and paste then the adsense ad server seems to realise this and simply serves PSA's. However, I have just set up a website on a free host. Copied the php include to a google adsense code and it is showing ads as if the ads were being shown on the "real" site itself. So perhaps my logic is perplexing you, but all I am stating is that php includes can be used to "fool" adsense ad server.
It is quite easy to do. As I stated previously. Your site page is example.com/example.php The adsense code is on a php include called say googleadsense code.
If I change the include statement on the free host to say include www.example.com/googleadsensecode.php then place it on the freehost webpage then it WILL work. As I keep saying if you don't believe me try it. Open up a free host account. Use your own code as a test ONCE (because no doubt it will break a TOS). Then once you see it working immediately delete it.
Also php includes aren't as transparent as you think. There are more ways of getting a source code from a page than view source in Internet Explorer. However, this is neither a coding thread nor a "get your own back on someone who has annoyed you" possibility thread. So not going to continue in this vein.
All I am saying (and all I have said all along) is that before everyone jumps to the conclusion that people who have been kicked out of adsense are guilty, then perhaps they should consider other possibilities. I have merely shown ONE.
It is quite easy to do. As I stated previously. Your site page is example.com/example.php The adsense code is on a php include called say googleadsense code. If I change the include statement on the free host to say include www.example.com/googleadsensecode.php then place it on the freehost webpage then it WILL work
And how is one supposed to know where the include file is located?
When someone calls <?php include ("googleadsense.php"); ?>, that doesn't always mean it is www.example.com/googleadsensecode.php, and in many cases isn't even avail online by itself.
How is one even supposed to know a php incl is used?
I've sticky mailed you an example page.
I think I'm understanding what you mean. But, it won't work with php. If one were to call the googleadsense file w/ javascript & even a cgi include, you'd be able to see its usage (and possibly guess where the file was located).
With PHP you wouldn't even know the include was used, and if you did, you'd probably have a hard time finding the include file. So in prevention of others using your file w/ adsense code, while it is still on your server, the usage of a PHP file would actually be the best choice.
[edited by: MrAnchovy at 7:14 pm (utc) on Aug. 14, 2004]
[google.com...]
And I agree, Adsense should let us list the sites on which we're including our ads.
Anyone have any idea why they haven't implemented such an option? Maybe to allow rapid propagation of Adsense?
Server-Side Include
To all intents and purposes requesting/using it on the server side and displaying it inline is equivalent to just stealing someone else's code - from the perspective of an outsider it all appears to be one seamless site so there is no benefit in doing this over straight copy & paste.
I fail to see how this method poses any greater threat than someone "borrowing" your code as once it a page/include loses the linkage to the original site it's just a collection of javascript & HTML.
Client-Side Include
Here you have a slightly more plausible situation but you're limited by the fact that you're including a portion of someone else's site at the client side.
Other big downside is that the victim will see a number of requests for their ad-include coming from the attacker's site, which if they're on the ball allows them to rat that site out before they get suspended (or even counter-attack and get that site closed down).
- Tony
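The log check described in the post above, as an added example that is not part of the original thread: it scans access-log lines for requests to the ad include whose Referer is not the publisher's own site. The include path `/inc/ads.php`, the host names and the log lines are constructed for illustration, and Apache "combined" log format is assumed.

```php
<?php
// Constructed sample lines in Apache "combined" format (not real traffic).
// /inc/ads.php is a hypothetical include path; example.com is the publisher.
const OWN_HOSTS = ['example.com', 'www.example.com'];
const INCLUDE_PATH = '/inc/ads.php';

$sampleLog = <<<'LOG'
198.51.100.7 - - [14/Aug/2004:19:02:11 +0000] "GET /example.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.20 - - [14/Aug/2004:19:03:40 +0000] "GET /inc/ads.php HTTP/1.0" 200 812 "-" "-"
192.0.2.55 - - [14/Aug/2004:19:04:02 +0000] "GET /inc/ads.php HTTP/1.1" 200 812 "http://freehost.example/copy.html" "Mozilla/4.0"
198.51.100.7 - - [14/Aug/2004:19:05:13 +0000] "GET /inc/ads.php?x=1 HTTP/1.1" 200 812 "http://www.example.com/example.php" "Mozilla/4.0"
LOG;

/**
 * Return every hit on $path whose Referer host is not in $ownHosts.
 * A missing Referer ("-") counts as foreign: a server-side fetch of the
 * include from another host sends none.
 */
function findForeignIncludeHits(string $log, string $path, array $ownHosts): array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*" '
             . '\d{3} \S+ "([^"]*)" "([^"]*)"$/';
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not a combined-format line
        }
        [, $ip, $time, $target, $referer, $agent] = $m;
        if (parse_url($target, PHP_URL_PATH) !== $path) {
            continue; // some other resource
        }
        $refHost = strtolower((string) parse_url($referer, PHP_URL_HOST));
        if (in_array($refHost, $ownHosts, true)) {
            continue; // requested from one of our own pages
        }
        $hits[] = compact('ip', 'time', 'referer', 'agent');
    }
    return $hits;
}

foreach (findForeignIncludeHits($sampleLog, INCLUDE_PATH, OWN_HOSTS) as $hit) {
    printf("%s  [%s]  referer=%s  agent=%s\n",
        $hit['ip'], $hit['time'], $hit['referer'], $hit['agent']);
}
```

On the sample input this reports the second and third lines. If the include is only ever loaded from the filesystem by your own pages, any HTTP request for it is unexpected and the Referer filter can be dropped.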
fail to see how this method poses any greater threat than someone "borrowing" your code as once it a page/include loses the linkage to the original site it's just a collection of javascript & HTML
This would simply show PSA's. What I have shown (I have responded to the above poster who stickied me-perhaps he will be good enough to confirm this as I should really take the site down soon-just in case anyone finds it and clicks on it) that it is possible to have an unrelated site host for example on a free host, which can leech an adsense ad which will show REAL ads.
I realise that someone would have to be determined (and perhaps a bit lucky) to do this, however it CAN be done. That's ALL I am saying.
Client-Side Include
Here you have a slightly more plausible situation but you're limited by the fact that you're including a portion of someone else's site at the client side. Other big downside is that the victim will see a number of requests for their ad-include coming from the attacker's site, which if they're on the ball allows them to rat that site out.
I think you are right on, and this is what Blair is getting at, and not a PHP-based SSI. (edit, ok, so maybe not (read posts below))
And as you state, there are obvious downfalls to such a method. Adding the file to .htaccess to prevent hotlinking would thwart such usage from the start.
I host quite a few files known to be loved by hotlinkers, but have a large number of visitors that block their referring URL, so I have gone about another method of preventing hotlinking. For instance, take an image file:
<img src="/<?php include "folder.php"?>/image.jpg">
folder.php simply outputs the location of the folder hosting the image.
But then I also have a cron script run 2x/day that changes the folder & the folder.php file.
So basically the location of the files change every 12 hours. If you want to use the files on your page it's going to take a lot of work to keep up with the location changing every 12 hours.
There are ways to defeat such protection, but I haven't encountered anyone going through the trouble to do so.
[edited by: MrAnchovy at 7:56 pm (utc) on Aug. 14, 2004]
You say "My recommendation is NOT to use php includes"
I say "my recommendation is to cleverly name your includes, and even place them in a dir that isn't avail online if one has the knowledge to do so"
The problem isn't with using a PHP include file imho, but with the protection of said file. Like I stated in my example, I can tell you I'm using an include, the name of the file, and even the file's location... but you still couldn't access/use it, if properly protected.
If someone is foolish enough to have their include file be adsense.php in the root dir of the website... then yeah, potential for "theft" exists.... but if cleverly named w/ a hidden location there should be no problem (unless I'm missing something additional here).
If you code the include properly then it shouldn't be able to be abused in the manner described - even something as simple as wrapping the output script in a function will stop it being abused and allow you to render inline when you need it with no risk if the include filename is discovered since the include is worthless on its own.
- Tony
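One way to build the include so that it is worthless when fetched on its own, as suggested in the posts above (an added example, not code from the thread; the file name `ad_block.php`, the path `/var/www/private/`, the slot names and the placeholder snippets are all assumptions):

```php
<?php
// ad_block.php: hypothetical include file. Keep it outside the document
// root (for example /var/www/private/ad_block.php) so that no URL maps to it.

// Guard for the case where the file does end up web-reachable: if this file
// is the script the server was asked to run, answer 404 and emit nothing.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    http_response_code(404);
    exit;
}

// Placeholder snippets; the real ad markup would go here.
const AD_SNIPPETS = [
    'sidebar' => '<!-- sidebar ad snippet placeholder -->',
    'footer'  => '<!-- footer ad snippet placeholder -->',
];

/**
 * Return the markup for one slot.
 *
 * Nothing is echoed when the file is included; output exists only where a
 * page on this server calls the function, so an HTTP fetch of the file
 * from another host receives an empty response.
 */
function render_ad_block(string $slot): string
{
    // Unknown slot names render nothing rather than falling back to a default.
    return array_key_exists($slot, AD_SNIPPETS) ? AD_SNIPPETS[$slot] : '';
}

// Usage from a page on the same server (a filesystem path, never a URL):
//   require_once '/var/www/private/ad_block.php';
//   echo render_ad_block('sidebar');
```

Requesting or running this file directly hits the guard and produces no output; only a page that includes it from disk and calls `render_ad_block()` gets the markup.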
A slight diversion would be to include a .js file and print from the js file using a javascript call. That would mean a View Source would not reveal the code. However, the .js file would be in the users temp files, but not as many people would catch on to this.
The two are unrelated in my opinion.
I also don't think adsense serves PSAs if someone cuts and pastes the code. This has not been my experience with my own and affiliate sites that I control.
The AdSense PHP include file myth ;)
I have already proved it to Mr Anchovy via stickymail. To be honest it doesn't really matter to me if anyone believes me or not. It can certainly be done. Yes it's not easy, yes it would take someone very determined.
I am merely saying (again and again) that the google adsense ad server can be fooled. Google isn't nearly as infallible as a lot of people believe. Even google itself I believe is arrogant enough to believe its software is perfect and catches all the cheats.
Why doesn't someone write to google and say. "Can an ad be shown on a site that is unauthorised"? See what they say.
What is the scandal? Adsense can be placed on any page by anyone and it will show non-PSAs.