Google Analytics Example

How to setup Google Analytics on your Facebook fan pages

The workaround we use in our code is to include Google Analytics as an image instead of setting the standard Javascript. This method tracks every visitor to the custom facebook pages on Google Analytics. It required a combination of server side cookie management and an additional <img> tag to the bottom of the facebook fan page. Here are the steps to get Google Analytics working on your facebook fan page.

1) Setup Google Analytics account. If you already have one, create a new website profile. You can name it facebook.com or facebook.com/your_page_name. You will finally get your tracking code which looks like this UA-3123123-2
2) Create your custom img tag for each of your pages you like to track. EG: contact form, services, products etc. You can use our tool to create the Google Analytics link generator for Facebook pages.
3) Add the entire custom image html tag from step 2 to the bottom of each Facebook fan page that you need to track.

That is all there is to it! Google Analytics is not real-time, so you will need to give it some time. Approximately a day before you see the fruits of your “hard” work.

For advanced users

Use this method, if you don’t want to use our hosted link redirection as mentioned in the method above. You can download the entire source code which is just about three files to get this setup working on your own server (running PHP4.3 or above). The code is written in PHP and essentially creates the Google image tracking URL with the referrer, page information, ID, etc. The additional advantage of hosting this on your own server and domain is that visits from your website to your facebook fan page gets tracked, etc. You will also be able to customise further if you wish. Please do share any useful updates you apply to the tracking link code.

Facebook – Google Analytics Tracker v1.1 (Updated 21st Feb, 2010).  For advanced method – Download this code to use on your server.

If you don’t have a Facebook fan page yet, visit our tutorial for code and help on creating customised Facebook fan pages.

PS: We could not find any other source / blog that described how to get Google Analytics on Facebook fan pages! There is support for canvas pages and applications but nothing for StaticFBML fan pages. Hope this helps and please leave your comments below.

UPDATE:
1) A lot of users have asked how to track visits to the wall. Yes, this can be done. Please see the comments by iphp below.
2) Here is a screenshot to a staticFBML where the code should be placed
3) We have managed to set up funnels, goals and segments to separate fan and non fan activity.
4) This blog and comments cover all aspects of setting up Google Analytics. If you still want help, we are available to offer paid support and installation of Analytics for your page. Please contact us here.

Google launched their Google App Engine (GAE) a year ago. The free hosting in App Engine is allocated 500 MB of persistent storage and enough CPU and bandwidth for about 5 million page views a month. Also, if you really want more you can see pricing plans.

GAE will support Java going forward. Unfortunately PHP support on the App Engine is still left as the top item in the wishlist. So until Google announces their official PHP support we have a workaround to run PHP using Quercus. Quercus is basically a 100% Java implementation of the PHP language (requires JDK 1.5).  Since the App Engine now supports Java this means we can use Quercus to run PHP scripts on the App Engine.

So all you need to use the GAE and run PHP
1) Register a free account.
2) Download this file to your computer.
3) Edit application XML tag in the file war\WEB-INF\appengine-web.xml to the name of the application you have registered.
4) Finally upload your application. I downloaded Google App Engine SDK for Java and use the following command in windows.
appcfg.cmd update C:\projects\phpwithjava\war

To see this in action just visit:
http://phpwithjava.appspot.com/webdigi.php and http://phpwithjava.appspot.com/info.php

NOTE: phpwithjava is my app name with GAE. Image by Aral Balkan.

1) Namespaces for classes and functions
This feature will help us shorten the class names and function names. To appreciate this feature, we need to go back to the days before there was Object Oriented Programming in PHP. Imagine all the function names with name save(). How would you differentiate if the call save() was to save a blogs or save comments? The solution was to use blog_save() or comment_save() before the introduction of classes in which we could write the save() function within the Blog class or the Comment class. Using classes is obviously a much more elegant solution.

We now have the same situation with the large number of classes and functions. Using namespaces, we could simply separate the two functions above in the code below:

<?php
namespace Blog;
function save()
{
echo "Now saving the blog!";
}

namespace Comment;
function save()
{
echo "Now saving the comment!";
}

// To invoke the functions
Blog\save();    // This prints - Now saving the blog!
Comment\save(); // This prints - Now saving the comment!
?>

EDIT: A final decision was made on October 2008.  Developers will have to use \ backslash operator to dereference namespaces.

2) MySQL Native Driver
PHP 5.3 has a native driver specific to PHP, optimised for the ZEND engine. It is an alternative to connect to MySQL server versions newer than 4.1. Being a native driver we should be able to get much faster execution times. The native driver will also be licensed under the PHP license. If you are like most users, you are currently using libmysql (A MySQL database client library) you will be able to easily switch over to mysqlnd without making any changes to your existing PHP Scripts!

3) phar – PHp ARchive
This is a cool new feature.  Think of it like an archive, like a .zip file or a .tar file. Besides just being able to group all the files into one simple file, we will be able to deliver and run an entire PHP application from a single file!

We will also be able to use phar archives within PHP, so the following will work in PHP 5.3 and above

<?php
include "singlefilelibrary.phar"
?>

Obviously, there will be a performance hit but the possibilities are endless, imagine being able to upload phpMyAdmin to the server as a single phar file instead of hundreds of small files.

4) Closures & Lambdas
This gets into the list because this is something most web developers would have been familiar with while working on Javascript. A lambda can be declared anywhere and they can be assigned to a variable. A closure on the other hand are lambda funcions but have access to the variables where they were declared. This is something called lexical scoping. To see this in action take a look at this example.

<?php
$hellolambda = function () {
echo "Hello world via Lambda";

}
$hellolambda(); // Outputs Hello world via Lambda
?>

5) All of the rest!
There are a lot of other things in PHP 5.3 which I thought are nice, I have just described all of them very succinctly.
Functors: This allows an object to be invoked as a function.
Traits: This is a new unit of reuse, traits can be incomplete, provides reusability, modularity and structure. In short it is copy-paste glorified!
Magic functions: We have a couple of new magic functions for classes (interceptors) __callstatic() and invoke()
Ternary operator: You can now display the a value that exists $value1 or $value2 using this simple statement echo $value1?:$value2;
There are many more things added like Late Static Binding, Variable Static Calls, Changes to PHP Error Levels, new PHP functions, improvements to help with OpenID, Command line and many more.

Final Thought
Well, this gives us much more to play with. It is definitely a lot to include into PHP 5.3 and I would have expected so many changes to go into PHP 6. I sometimes wonder if there will be anything new left to add into PHP 6 given the fact that so much has been released already.  If you are interested in PHP 5.3, do give it a try here, it is in beta at the time of the writing.

Server Error 
500 – Internal server error.
There is a problem with the resource you are looking for, and it cannot be displayed.
Cause:

This error happens on the default configuration of windows server 2008. The server logs do not say a lot except for the fact that the php file is causing an error. This happens for the following reasons on the server:

• PHP Fatal error (Something that you did or didn’t do caused the server to run into a fatal error)
• PHP error_reporting is on and there are some errors (Anything from a NOTICE or WARNING can cause this)

 
How to rectify:

Obviously the best way to resolve the error is find out what is wrong with the PHP code. But how do you do this if the server won’t show you what the error is? One of the best ways to find what is wrong with your PHP script is to try to login to the machine via RDP. This works only if you have remote desktop access. Once in RDP try to go to the same URL but using the server’s Internet explorer. Accessing the server locally will avoid the 500 Internal Server Error and show you what is wrong with the PHP file as on a development environment. The server just shows you the PHP error messages and the rest of your script output is not shown.

Change IIS 7.0 Setting
Alternatively to the above, you can always change the configuration using the Configuration Editor of IIS 7.0. You will find this under the Section > system.webServer/httpErrors. You have to change errorMode to Detailed from the usual DetailedLocalOnly and then click on Apply.

This is a good security measure as it will not accidentally show your PHP errors to the users of your system.

The problem

Once hackers get into your website either by exploiting known vulnerabilities in any of the installed programs OR by getting FTP access to your server, the first thing they usually do is to plant backdoor scripts to log them in again at a later date. They need some executable script on the server to gain access to MySQL passwords, installation passwords or even edit settings in your wordpress or other installations.  We have also seen situations where the site was left largely unchanged except for malicious javascript code added to the bottom of the index.php or index.html files.

So in short the bad guys have taken over your server and running anything from a backdoor script or launching phishing attacks or sending tons of spam emails. You will not know that your server is hacked until you get blacklisted on spamhaus or your customers get redirected to some random site or worser still when you are contacted by ebay/paypal/some bank saying that your website is phisihing their customers. The problem is that we dont even have an idea that our site is hacked until it is too late or too embrassing.

Simple Solution – Website Change Detection System

We need a script on the server that detects any changes or to any executable file on the server or any new file on the server from HTML, JS, to PHP, ASP, Perl, Python files etc.  If we generate a hash value of all our files and then compare them periodically, then we will be able to detect when our codebase has changed on the server.

These are the steps that our change detection system performs (It takes about 500ms to execute on a typical server):

1. Load configuration file (contains password, exclude list)
2. Check password from request before starting (recommended)
3. Recursively run through every file and sub folder on the server within the current directory of the script.
4. Generate a hash for each file and arrive at the master hash.
5. Compare master hash with hash the user has and alert if different!

Notes:

• This script at this simple level is almost 100% fool proof in detecting changes to the codebaes give that the hacker or bots don’t know of websiteCDS presence.
• At this stage the script cannot detect SQL injection attacks and changes to code that are saved to the database.
• The users hash is not stored on the server at any time, the comparison with master hash can be done at cron script level or using siteup as discussed below.

We have the following code written in PHP but you can do the same with any other scripting language to perform similar checks. We have started the project under google code and is available here: PHP code for WebsiteCDS
See the readme file in the download for help with setup.

Different ways to automate the alert system

Method 1: Using our trusted cron job
A cron job can be setup to run the website CDS, compare the results with the last known valid hash and send out an email alert.

Method 2: With Siteup
Siteup is a free tool for windows systems that can be set to periodically check if your website is reachable. This is recommended for those of us who don’t want to setup a cron job. It can be downloaded here http://www.xequte.com/other/index.html#siteup We can use this to frequently call our change detection system and then use the siteup word search to check if the hash value is the same as what we have from our last codebase update. ( See screenshot )

NOTE: The project & code included is the first version of the change detection system and kindly submit your ideas and comments here or an issue or feature request in google code project for websitecds.

Example of such an attack: Lets take an example of a banking website which provides login to access banking features. (this can be any site which allows users to login).
EG: http://www.poorbanking.com

1) Hacker
Creates a very a link and sends visitors to the site as http://www.poorbanking.com/index.php?PHPSESSID=1234
Lets assume PHPSESSID is the name of the cookie / variable used to store session information. It is very easy for anyone to find this by just visiting the site once.

2) Hacker sends link to the target user.
http://www.poorbanking.com/index.php?PHPSESSID=1234 by email or placed in a blog etc.

3) Victim
Sees the link and clicks on it. The site looks genuine and the victim logs in to the site. At this stage the PHPSESSID is set to PHPSESSID=1234 and user is logged in.

4) The happy hacker
Hacker can keep checking if they can login by simply going to http://www.poorbanking.com/showmeaccount.php?PHPSESSID=1234
where showmeaccount.php is the page after login. They can see that once the user has logged in they can easily get access to the page.

Work around to this problem

Just prior to setting such a session variable, a call to session_regenerate_id() can help to protect against a session fixation attack.

See more information at http://en.wikipedia.org/wiki/Session_fixation