PriviMetrics Tracker (PHP)
This file is the server-side tracking endpoint of PriviMetrics.
It receives requests from the JavaScript tracking pixel and stores analytics data in a privacy-focused way.
It always returns a 1×1 transparent GIF, so browsers treat it as a normal image request.
1. Purpose
privimetrics.php is responsible for:
- validating tracking requests
- enforcing privacy rules (DNT, IP anonymization)
- validating site keys and domains
- applying rate limits
- extracting search and referrer data
- hashing visitors anonymously
- storing analytics using XML or MySQL
Every page view recorded in PriviMetrics passes through this file.
2. Pixel response design
The script always returns this image:
R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7
This is a 1×1 transparent GIF.
This ensures:
- no CORS issues
- no JavaScript needed
- browser and ad-blocker compatibility
- no visible content on the page
Even when tracking fails, the GIF is returned so the page never breaks.
3. Fail-safe loading
If any required file is missing:
- config.php
- functions.php
- storage.php
the script immediately returns the GIF and exits.
This prevents broken installs from leaking errors into user websites.
4. Do Not Track (DNT) support
If the system setting respect_dnt is enabled and the browser sends a DNT header:
- no tracking is performed
- only the GIF is returned
This ensures compliance with privacy regulations and browser preferences.
5. Data received from JavaScript
The tracker receives these query parameters:
| Parameter | Meaning |
|---|---|
| t | Tracking code (site key) |
| p | Page URL |
| title | Page title |
| r | Referrer |
| js | JavaScript enabled flag |
| track-ip | Whether IP tracking is allowed |
All values are sanitized before use.
6. URL normalization
The page URL is cleaned to remove:
- query strings
- fragments
Only:
scheme + host + path
is stored.
This prevents personal data leakage via URLs.
7. Search query detection
If the page URL contains query parameters like:
- q
- search
- results
their value is extracted and stored as the search query.
This allows PriviMetrics to track internal and external search usage.
8. Referrer validation
The system only stores a referrer if it is external.
If the visitor comes from the same domain:
- the referrer is discarded
Only the referrer domain is stored, never the full URL.
9. Site validation
The tracking code must match:
- an active site
- with a matching domain
- respecting domain restriction mode
If the site is invalid:
- no data is stored
- the GIF is returned
This prevents tracking code abuse.
10. Rate limiting
Limits are loaded from chosen-limits.php.
They are applied per tracking code.
If the limit is exceeded:
- HTTP 204 is returned
- no tracking occurs
This prevents abuse, bot floods, and DDoS amplification.
11. IP anonymization and hashing
If IP tracking is allowed:
- IPv4 → last two octets removed
- IPv6 → last segments replaced
Example:
192.168.45.23 → 192.168.X.X
The visitor ID is generated as:
MD5(anonymous_ip + user_agent)
If IP tracking is disabled:
MD5("anon" + user_agent)
This allows:
- session recognition
- without storing real IP addresses
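The masking and hashing rules from this section, written out as an added PHP example (not PriviMetrics' own code). The function names are hypothetical, and two behaviours are assumptions because the page does not specify them: IPv6 keeps its first four groups, and an address that fails validation falls back to the "anon" hash.

```php
<?php
// Added illustration; function names are hypothetical, not PriviMetrics' own.

/**
 * Mask an address as section 11 describes: IPv4 loses its last two octets.
 * For IPv6 the page only says "last segments replaced"; keeping the first
 * four groups (the /64 prefix) is an assumption made for this example.
 */
function anonymize_ip(string $ip): ?string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $octets = explode('.', $ip);
        return $octets[0] . '.' . $octets[1] . '.X.X';
    }
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
        // inet_pton() expands "::" shorthand to a fixed 16 bytes, so the
        // group positions are reliable however the address was written.
        $groups = str_split(bin2hex(inet_pton($ip)), 4);
        return implode(':', array_slice($groups, 0, 4)) . ':X:X:X:X';
    }
    return null; // not an IP address at all (malformed input)
}

/** Visitor ID as the page states it: MD5 over masked IP + user agent. */
function visitor_id(?string $ip, string $userAgent, bool $trackIp): string
{
    $masked = ($trackIp && $ip !== null) ? anonymize_ip($ip) : null;
    // IP tracking off uses "anon" (per the page); reusing it for an
    // address that fails validation is an assumption of this example.
    return md5(($masked ?? 'anon') . $userAgent);
}

// Constructed sample input.
$ua = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
foreach (['192.168.45.23', '192.168.200.7', '2001:db8::1', 'not-an-ip'] as $ip) {
    printf("%-15s %-28s %s\n", $ip, anonymize_ip($ip) ?? '(rejected)', visitor_id($ip, $ua, true));
}
printf("%-15s %-28s %s\n", '(ip off)', 'anon', visitor_id('192.168.45.23', $ua, false));
```

In the sample output the first two addresses share a /16 and a user agent, so they map to the same visitor ID; the hash distinguishes visitors only as finely as the masked prefix and user agent allow.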
12. Geo-location
Country and country code are derived from the real IP, but only the anonymized IP is stored.
If IP tracking is disabled:
- a neutral IP is used
- geo data becomes generic
13. Storage routing
Depending on site settings, data is saved via:
StorageManager->saveTracking()
to either:
- XML files
- or MySQL
The rest of the system is storage-agnostic.
14. What gets stored
Each page view includes:
- anonymous user hash
- anonymized IP
- country & country code
- user agent
- clean page URL
- page title
- referrer domain
- search query
- timestamp (handled in storage layer)
No personal data is stored.
15. Final response
After storing data, the tracker always outputs the transparent GIF and exits.
This guarantees:
- no visible output
- no JavaScript errors
- no page slowdowns