John Tells Us How To Take Care Of Security Issues from User Generated Input
While dynamic landing pages are awesome for advertising, and we haven’t had any problems yet after thousands of clicks and tons of conversions, security is a concern for us and our users so John has kindly commented on the previous post about how to fix these potential security issues. I simply copied John’s comments and posted them here. Thanks John!
_____________________
Unfortunately, as simple as your code example is, it introduces a Cross-Site Scripting (XSS) vulnerability to your page. XSS can lead to all kinds of bad things like session hijacking and browser redirection. Check out these links to learn how to prevent XSS:
http://www.owasp.org/index.php/XSS
http://shiflett.org/blog/2005/jan/xss-cheatsheet
The code snippets on the ha.ckers.org site show you different ways to exploit or discover XSS problems. To fix it, you have to properly sanitize the input from the query string variable before you display it on the page.
You have an additional issue on your page as it looks like magic quotes are enabled. For example:
http://www.qualityscores.com/prosperity.php?kw=james'
To fix the XSS problem, you’ll need to filter the input. For efficiency, you can do this once, save the output, and use the cleaned variable for displaying on the page.
Right now, your script allows pretty much anything to be injected on the page. In your use case, it seems reasonable that you want to prevent any kind of HTML. After all, this looks pretty silly:
http://www.qualityscores.com/prosperity.php?kw=%3Ch1%3EBIG%20TEXT%3C/h1%3E
If this is the case, you can simply use the htmlentities function to escape all tags:
//top of the script
$cleankw = htmlentities(isset($_GET['kw']) ? $_GET['kw'] : '', ENT_QUOTES);
//wherever it appears on the page
<?php echo $cleankw; ?>
On the other hand, if you want to allow HTML, it’s a much harder problem to solve. I recommend this article as a starting point:
http://blog.liip.ch/archive/2005/01/16/xss-how-we-try-to-prevent-it.html
An extreme example of what can go wrong when you allow XSS to persist can be found here:
Hope that helps
______________________
If you want to learn more about John Herren, he has a blog here. Thanks again John!
Note: Input problems appear to generally occur when the user can manipulate it from a form, etc. Because our users are clicking directly to the page, input is supplied by Google and the query searched by the user. After the user is ON the page, they can manipulate the page if you don’t use htmlentities to escape HTML characters… you also have the risk of a savvy user hijacking things, which is why it is good to filter the input once and then display the output. I could be wrong, but that is my understanding… here is a great list of ways to filter the data from php.net: http://us.php.net/filter.
PPC Management: Create Dynamic Landing Pages In 15 Minutes Or Less
This is the second installment in our QualityScores PPC Management series where we expose some of the best pay per click secrets ever!
If you missed the introductory installment, you can find it here.
___________________________________________
This secret will rock your world – it does not need great copy to hype it up because the results will scream success!
*Note 3/31/08 – I changed the first ucwords in the dynamic code to htmlentities for security purposes…I recommend you use htmlentities as shown in this blog post.
Without further ado, here is your quick 4 step guide to making a dynamic landing page with PHP in 15 minutes or less:
1. Open your landing page in your favorite editor and make sure it is saved as php OR html.

Copy and paste this line to your .htaccess file if you are going to use an html (or htm) landing page:
AddType application/x-httpd-php .htm .html
Now you can run php scripts in your htm(l) files.
2. Copy and Paste the following code into your landing page’s Title and content. Put your original content (the word or phrase you are replacing) in the string “Your Original Info Here”:
<?php
if (!empty($_GET['kw'])) {
    echo htmlentities($_GET['kw']);
} else {
    echo ucwords("Your Original Info Here");
}
?>
For example, I want to replace the Title on the QualityScores landing page so I would use this code for my Title:
The title would display the original content if somebody landed on the page without querying a keyword:

And if somebody came to our page from a specific keyword in the destination url, our Title would look like this:

This is the code I would use for one of our original content questions or headlines:
<p>Are You Looking For
<?php
if (!empty($_GET['kw'])) {
    echo htmlentities($_GET['kw']);
} else {
    echo ucwords("High Quality PPC Management");
}
?>
?</p>
This question would be displayed if somebody landed on the page without querying a keyword:
Are You Looking For High Quality PPC Management?
And this question would be displayed after somebody clicked on our ad from the query “PPC Management Services”:
Are You Looking For PPC Management Services?
Using ucwords in the code will capitalize the first letter of every word in the search query or string. If you don’t want the first letter of each word capitalized, simply remove ucwords and its parentheses () (leave htmlentities in place, as in the note above); your code would look like this:
<?php
if (!empty($_GET['kw'])) {
    echo htmlentities($_GET['kw']);
} else {
    echo "your original info here";
}
?>
This is particularly useful if you are using it in a paragraph of regular text. You can format this so your searcher’s query can be bold or italicized or underlined, making it appear more relevant and useful to the user.
3. Save, Upload, and Test your landing page.
To test it, simply type in your landing page url -
www.yoursite.com/yourlandingpage.php?kw=your+search+query
Pretty freaking sweet, huh?
4. Now go to any ad platform and simply enter this in your destination url on your ads:
www.yoursite.com/yourlandingpage.php?kw={keyword}
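Here is a complete landing page with John’s fix from the first post applied to the 4-step guide above, as an added example (it is not the code from either post). The function name, the page markup and the UTF-8 and ENT_SUBSTITUTE flags are this example’s own choices.

```php
<?php
// Added example, not the original post's code: the dynamic landing page
// from the 4-step guide with John's fix applied once, at the top of the
// script. The function name and markup are this example's own.

declare(strict_types=1);

// Clean the keyword exactly once and reuse the result everywhere it is
// displayed. ENT_QUOTES also escapes single quotes, so the value is safe
// inside attributes (e.g. value=""), not just between tags. ENT_SUBSTITUTE
// turns invalid UTF-8 into U+FFFD instead of blanking the whole title.
function clean_keyword(array $get, string $default): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE;
    // kw[]=x would arrive as an array; treat anything but a string as empty
    $kw = isset($get['kw']) && is_string($get['kw']) ? trim($get['kw']) : '';
    if ($kw === '') {
        return htmlentities(ucwords($default), $flags, 'UTF-8');
    }
    // Old installs with magic_quotes_gpc add a backslash before quotes
    // (the james' example in John's comment); strip it before escaping.
    // The function was removed in PHP 8, hence the guard.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $kw = stripslashes($kw);
    }
    return htmlentities($kw, $flags, 'UTF-8');
}

$cleankw = clean_keyword($_GET, 'High Quality PPC Management');
?>
<!DOCTYPE html>
<html>
<head><title><?php echo $cleankw; ?></title></head>
<body>
<h1>Are You Looking For <?php echo $cleankw; ?>?</h1>
<!-- the same cleaned value is safe inside an attribute thanks to ENT_QUOTES -->
<form method="get" action="">
  <input type="text" name="kw" value="<?php echo $cleankw; ?>">
</form>
</body>
</html>
```

Requesting the page with the `%3Ch1%3EBIG%20TEXT%3C/h1%3E` value from John’s comment now shows the literal tag text instead of rendering a heading.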
Example -
My landing page is already edited using the steps listed above…so I went to AdWords to play with the Quality Score on a highly irrelevant search query. Please excuse or have fun with my mild sense of humor…
I started a new campaign and a new adgroup using the keyword homestar poopsmith.
The destination url (our company name is now QualityScores – we used to be known as apollo sem):
The live ad:

And this is what I get when I click through the ad after searching for Homestar Poopsmith:
The entire page is technically about PPC Management. I added the dynamic text to two headlines on the page…one at the beginning of the content and one towards the middle of the page. The title is also dynamic.
Here is my quality score for the broadly matched term homestar poopsmith:

How will this help you?
Your landing pages will be more relevant to your users AND Google; your quality scores should go up, your costs should come down, and we can expect you to convert more visitors!
Recommendations
Use this pay per click secret with caution! Your results can and will vary!
If you are an ecommerce site with a specific product, you will probably want to carefully include the dynamic search query in your content and titles – maybe you will use empty or open questions like “Are You Looking For (Keyword)?” “This is the closest match…and we think it will be a perfect fit for you because…”
Everybody that implements this secret should aggressively use negatively matched keywords in your campaigns and ad groups.
Creating a dynamic landing page might compromise your SEO strategy. We generally recommend that you duplicate your SEO landing pages (if you are using them for PPC) and place them into a separate file or directory for you to advertise with. Add the “advertisement” directory to the robots.txt file as a disallowed directory to avoid some duplicate content issues.
You will be able to view the exact search terms people are using by filtering through your landing page results in Analytics – another useful way to find negative match keywords.
That’s a wrap! Now You can Create A Dynamic Landing Page in 15 Minutes or Less with PHP!
The originating source of our knowledge regarding this post came from this 2006 Digital Point Forum post.
Getting Conversion Data With Your New Analytics Profile
A few people emailed/posted a great question about finding the conversion data with the new filters you added to your Google Analytics profiles we discussed in our PPC Management series. Here you go:
(These instructions start after you are logged into your Analytics profile of choice…)
If You DO NOT Use Goals -
1. Click on Content.
2. Then click on Top Content.

3. Find your conversion page and click on it…you will get a bunch of fantastic stats about that page.

4. Drop down the Segment menu and choose Keyword (directly underneath and to the right of the bold sentence “This page was viewed **** times”).

If You USE Goals!
1. Click on Traffic Sources.

2. Then click on Keywords.

3. Click on a detailed keyword.

4. Finally, click on Goal Conversion – you can see the keyword conversion rate, number of conversions, and my favorite: the Per Visit Goal Value for that specific keyword!

Now you can review all the specific keywords that converted from AdWords!
PPC Management: AdWords Keyword Data Exposed With Google Analytics!
Introducing our QualityScores PPC Management series where we expose some of the best ppc management secrets ever!
_______________________________________
You CAN expose your specific AdWords Keyword Data beyond the dreaded “other unique queries” in the AdWords Search Query Report with Google Analytics!
Don’t you hate running the AdWords Search Query report because you know the best data is behind the cold words “other unique queries”?
Do you have a sick feeling in your gut because you know you can make more money with your affiliate programs, blogs, and ads if you could only tighten up your AdWords advertising?
If you answered “yes”, then you need to read and implement this Analytics secret immediately.
Here is a detailed, step by step process to take a look at what lies beneath the silky covers of “other unique queries” using Google Analytics:
1. Log into AdWords and click on My Account -> Account Preferences:

2. Find the Tracking section in Account Preferences and make sure Auto-tagging is set to “yes”:
3. Click on Analytics from your AdWords account or sign into your Google Analytics account:

4. You can choose to skip this step if you want to edit your current website Analytics profile – we recommend you create a separate profile. Click on Add Website Profile >>:
5. Choose to add a profile to an existing domain:

6. Pick your domain, label the profile, make sure you have a check mark in the Apply Cost Data section and click finish:

7. You should see your new profile listed with any other profiles you already have:

8. Now you need to edit the settings of your new profile – Click on Edit next to your new profile:

Analytics Filter 1
9. Find the Filters Applied to Profile section and click Add Filter:
10. Choose to Add new Filter for Profile:
11. Give your filter a good name, drop down to the Custom Filter type and choose the Advanced option:

12. In Field A -> Extract A choose the Referral drop down and copy and paste this code into the available field -
(\?|&)(q|p|query|kw|searchfor|wd)=([^&]*)
I’ll update the image later – but the q|p…etc will effectively pull almost all queries from the url at the serp. Each search engine uses a different url parameter for this so if you find one you want to track, simply add it to the regex above using the bar | to separate them. The above regex was copied from the search lab.
13. In Field B -> Extract B choose the Campaign Medium drop down and copy and paste this code into the available field -
cpc|ppc
14. In Output To -> Constructor choose the Custom Field 1 drop down and copy and paste this code into the available field -
$A3
15. Make sure all fields are required and they do not need to be case sensitive, then click Finish:

16. You should be back on the profile settings page where you can see this first filter has been applied to your detailed analytics profile.
Analytics Filter 2
17. Repeat steps 9 through 11 to create a second filter. Remember to give the second filter a different name and give this filter the attributes outlined in steps 18 through 21. ***You NEED both filters for detailed keyword data to work!***
18. In Field A -> Extract A choose the Custom Field 1 drop down and copy and paste this code into the available field -
(.*)
19. In Field B -> Extract B choose the Campaign Term drop down and copy and paste this code into the available field -
(.*)
20. In Output To -> Constructor choose the Campaign Term drop down and copy and paste this code into the available field -
$B1, ($A1)
Some replicated posts detail using $B1, $A1 without parenthesis – and I haven’t seen any difference in results so it appears either way should work fine.
21. Make sure all fields are required and they do not need to be case sensitive, then click Finish:

22. You should be back on the profile settings page where you can see this second filter has been applied to your detailed analytics profile. Make sure they are in the order we described – filter 1 should be listed BEFORE filter 2 under the Filters Applied to Profile section.
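To make clear what the two filters actually produce, here is an added example (not from this post or from GA-Experts) that replays steps 12 through 20 in plain PHP on constructed sample visits. The function name, the visit records and the PHP wrapper are assumptions; only the regexes and the constructors come from the steps above.

```php
<?php
// Added example: a plain PHP walk-through of what the two Advanced filters
// do to one visit. Visit records and function names are constructed for
// this example; only the regexes and constructors come from steps 12-20.

// Filter 1: $A = referrer, $B = campaign medium, output -> Custom Field 1
const FILTER1_A = '/(\?|&)(q|p|query|kw|searchfor|wd)=([^&]*)/i';
const FILTER1_B = '/cpc|ppc/i';

// Filter 2: $A = Custom Field 1, $B = campaign term, output -> campaign term
const FILTER2_A = '/(.*)/i';
const FILTER2_B = '/(.*)/i';

// Returns the rewritten campaign term, or null when a required field does
// not match (the filter then leaves the visit untouched).
function apply_filters(string $referrer, string $medium, string $term): ?string
{
    // Filter 1: "all fields required", so both A and B must match
    if (!preg_match(FILTER1_A, $referrer, $a) || !preg_match(FILTER1_B, $medium)) {
        return null;
    }
    $customField1 = $a[3];                 // constructor: $A3 (the query value)

    // Filter 2: reads Custom Field 1 and the AdWords campaign term
    if (!preg_match(FILTER2_A, $customField1, $a2) || !preg_match(FILTER2_B, $term, $b2)) {
        return null;
    }
    return $b2[1] . ', (' . $a2[1] . ')';  // constructor: $B1, ($A1)
}

// Constructed sample visits: [referrer, campaign medium, campaign term]
$visits = [
    ['http://www.google.com/search?hl=en&q=home+security+devices', 'cpc', 'home security'],
    ['http://search.yahoo.com/search?p=car+security&fr=yfp', 'cpc', 'security'],
    ['http://www.google.com/search?q=home+security', 'organic', 'home security'],
];
foreach ($visits as [$ref, $medium, $term]) {
    $out = apply_filters($ref, $medium, $term);
    echo str_pad($medium, 8), $out ?? '(unchanged: ' . $term . ')', PHP_EOL;
}
```

The organic visit is left alone because Filter 1 requires the medium to match cpc|ppc, which is why the report only annotates AdWords keywords.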
You are done setting up the secret that will expose your AdWords Keyword Data!
Now you need to wait a few hours for the data to be captured and reported. When you revisit Analytics you simply need to look at these reports and note the added data next to your AdWords keywords:
Traffic Sources -> Keywords

- or -
Traffic Sources -> AdWords -> Keyword Positions

Or a number of other reports…
The data in your old Analytics profile should look like this:

And the data in your new profile should look like this:

The keyword shown in parentheses (key+word) is the exact term the user searched for when they found and clicked on your advertisement.
This particular client is only selling home security systems so I would look at this report and add “car” as a negative keyword and I would research “home security devices” to see if there is a decent volume for that term. Then I would consider optimizing a page for that term and add the keyword to my AdWords campaign to see if I can turn those visitors into the kind of visitor that puts money in my wallet.
One note regarding GOALS
We published a post detailing how to see your keyword data for Goals/conversions.
Enjoy!
That’s a wrap! Your AdWords Keyword Data is now EXPOSED!
Our source for learning and applying this secret to our client accounts and our own accounts comes from a November 2007 blog post by the GA-Experts. Thank you, GA-Experts, for sharing this secret with us!