
How to check if any variable is being passed to GET in URL


I have a situation where someone is trying to sabotage my Google AdSense account by continuously sending personally identifiable information into the URL to my site. How can I block this or at least detect the random variables they are using?

For example, the variable name could be ANYTHING.

mysite.com/[email protected]

or

mysite.com/[email protected]

...?

The only thing I can think of doing is collecting known variables and then performing a header location redirect to the main site URL.


Solution

  • If: you want to have no GET parameters, check if $_GET is empty

    if (!empty($_GET)) {
        header('Location: ' . $_SERVER['SCRIPT_NAME']);
        exit;
    }
    

    Or: check $_GET for non-allowed parameters:

    $allowed_params = ["id", "some_param", "another one"];
    foreach ($_GET as $key => $val) {
        // strict comparison, so numeric keys can't loosely match an allowed name
        if (!in_array($key, $allowed_params, true)) {
            // if something's wrong, get out!
            header('Location: ' . $_SERVER['SCRIPT_NAME']);
            exit;
        }
    }

    // everything is ok here
    

    Note: before any header()s you mustn't have any output. Otherwise you'll get an error. It's better to place the code at the very top of your script.
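
The following is an added example, not part of the original answer: it combines the allow-list check with the "detect the random variables" part of the question by logging the names of rejected parameters and redirecting to a URL that keeps only the allowed ones. The allow-list contents and the function names `split_params`, `clean_url` and `enforce_allowed_params` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list for this example; list the parameters your pages really use.
const ALLOWED_PARAMS = ['id', 'page'];

/** Split request parameters into those on the allow-list and the names of the rest. */
function split_params(array $params, array $allowed): array
{
    $kept     = array_intersect_key($params, array_flip($allowed));
    $rejected = array_keys(array_diff_key($params, $kept));
    return ['kept' => $kept, 'rejected' => $rejected];
}

/** Build the redirect target: script path plus only the allowed parameters. */
function clean_url(string $scriptName, array $kept): string
{
    return $scriptName . ($kept === [] ? '' : '?' . http_build_query($kept));
}

/** Call at the very top of the script, before any output. */
function enforce_allowed_params(array $allowed): void
{
    $result = split_params($_GET, $allowed);
    if ($result['rejected'] === []) {
        return; // nothing unexpected, so no redirect (and no redirect loop)
    }
    // Record only the parameter names, JSON-encoded so they cannot forge log lines.
    // The values are the PII and are deliberately not written anywhere.
    error_log('Rejected GET parameters: '
        . json_encode($result['rejected'], JSON_INVALID_UTF8_SUBSTITUTE));
    header('Location: ' . clean_url($_SERVER['SCRIPT_NAME'], $result['kept']), true, 302);
    exit;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample query string, so the filter can be tried without a web server.
    parse_str('id=7&xyz=someone%40example.test&foo=1', $sample);
    $result = split_params($sample, ALLOWED_PARAMS);
    echo clean_url('/index.php', $result['kept']), "\n";
    echo json_encode($result['rejected']), "\n";
} else {
    enforce_allowed_params(ALLOWED_PARAMS);
}
```

If the parameter names themselves may carry the personal data, log only how many were rejected instead of the names.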