# 13 — `/affiliates/` and `/data/` folders

Added 2026-04-13. These two top-level folders live **alongside** `httpdocs/`/`httpsdocs/` (not inside them) at `/var/www/html/Searchmercials/`. They are not served directly by the primary Apache vhost, but several sub-trees are linked into per-domain vhosts via `fixlinks.sh`.

## Top-line summary

| Folder | Size | Role |
|--------|------|------|
| `affiliates/` | **262 MB** | Per-brand cobrand webroots + the iDevAffiliate v4.0 vendor package |
| `data/` | **59 MB** | Shared runtime config, per-site templates, legacy Hyperseek data files, SQL migrations, bid spreadsheets |

Together they materialise the multi-tenant / multi-brand shape of the platform that `httpdocs/` alone does not explain.

---

## `affiliates/` — cobrand webroots + iDevAffiliate

Two very different things live side-by-side here:

### A. iDevAffiliate 4.0 vendor package — `affiliates/affiliate/` (2.3 MB)

Commercial affiliate-tracking application by **iDevDirect.com** (Jim Webster, copyright 2001–2005). This is a **bought** product, not first-party code; its license terms explicitly prohibit redistribution.

Key files:

- `README.txt`, `README_tech_notes.txt` — install/upgrade docs
- `install.php`, `update.php`, `upgrade.php`, `setup.php` — **installers left in production tree** (should be removed or `.htaccess`-blocked; see [08-security-audit.md](08-security-audit.md))
- `phpinfo.php` — **exposed debug endpoint** (new — add to audit)
- `config/` — `config.php`, `database.php`, `lang_packs.php`, `pay_options.php`, `paypal.php`, `signup_check.php`, `terms.php`, `updates.php`
- `admin/` — full admin console (40+ PHP files: `account_list.php`, `approve_sales.php`, `pay_affiliates.php`, `paypal_mass_pay.php`, `commission_stats.php`, etc.)
- `account.php`, `signup.php`, `login.php`, `logout.php`, `sale.php` — affiliate-facing front-end
- `paypal_ipn.php`, `idevads.php`, `idevaffiliate.php` — payout + tracking endpoints
- `banners/`, `images/`, `skins/`, `templates/`, `languages/`, `payments/`, `backups/`

Uses **deprecated `mysql_*` functions** throughout (see `admin/mysql.php`, which also takes backups via `exec("mysqldump ...")`). The `mysql_*` extension was removed in PHP 7.0, so this code fails with a fatal error on PHP 7+.

### B. Per-brand cobrand webroots

Each subdirectory below is a **full webroot for one brand** pointed at by Apache's per-domain vhost. Most are reduced copies of the core app (sharing the dsX engine via symlinks) with their own `index.php`, templates, images, and search entry points.

| Folder | Size | Notes |
|--------|------|-------|
| `searchtube_com/` | 62 MB | Primary SearchTube.com brand |
| `searchmercials_com/` | 34 MB | Primary Searchmercials.com brand — contains a **duplicate `videoads/` pipeline** (advertisers/publishers/account/settings) paralleling `httpdocs/` |
| `wwbn_com/` | 27 MB | WWBN.com — **exposes `phpinfo.php`, `xdebug/`, `webgrind/`** in webroot (new security findings) |
| `newspaperrevenues_com/` | 27 MB | |
| `avideo_com/` | 17 MB | |
| `arism_tv/` | 11 MB | |
| `vendor_directory/`, `ibusiness_directory/` | ~10 MB each | Business directory cobrands |
| `jobslistings_app/` | 6.6 MB | |
| `searchppv_com/`, `searchads_tv/`, `fingersearch_com/` | 3–6 MB | |
| `pooptube_com/`, `ccsllconline/`, `wwbn_tv/`, `components/`, `wideadmin/`, `SpryAssets/`, `responsive/`, `dandelion/` | < 1 MB – 3 MB | Smaller cobrands + shared asset libs |
| `searchmercials_com_old/` | 1.3 MB | Legacy snapshot — delete or archive |
| `searchtube_mobi/`, `wwbn_mobi/`, `searchmercials_mobi/` | small | Mobile variants |
| `help/`, `flash/`, `contextads/`, `services/`, `stylesheet/`, `includes/`, `inc/`, `files/`, `images/`, `connections/` | assets | Shared across cobrands |

Inside `searchmercials_com/` specifically:

- `class/sdba/` — **a second copy of SDBA** (`sdba.php`, `dbconnect.php`, `sdba_config.php`) distinct from the one in `httpdocs/auth/classes/sdba/`. Confirm which copy is canonical — diverging credentials or schema would split logic silently.
- `class/common/common.class.php`, `user.location.check.php` — utility classes
- `videoads/` — **parallel video-ads implementation** (advertisers/, publishers/, account/, `accounts.php`, `details_function.php`, `search_function.php`, `settings.php`, `index.php`). See [10-video-ads-system.md](10-video-ads-system.md) and cross-check for divergence from the `httpdocs/` pipeline.
- `admin/index.php`, `internal_templates/`, `videoads_delete/`, `version-selector/`, `upload/`, `r.php`, `search.php`, `accounts.php`, `assets/`, `language/`, `help/`, `front/`, `_errors/`

Shared cobrand pattern (repeated across most brands): `index.php` + `template/` + `images/` + `inc/` + `r.php` + `robots.txt` + brand `.ico` + often `info.txt` or `info.html`.

### New security findings (see [08-security-audit.md](08-security-audit.md))

- `affiliates/affiliate/phpinfo.php`
- `affiliates/wwbn_com/phpinfo.php`
- `affiliates/wwbn_com/xdebug/`, `affiliates/wwbn_com/webgrind/` — profiling UIs publicly reachable
- `affiliates/affiliate/install.php`, `setup.php`, `update.php`, `upgrade.php` — iDevAffiliate installers in production
- `affiliates/affiliate/admin/mysql.php` runs `mysqldump` via `exec()` and writes to `backups/` inside webroot
- Per-brand cobrand roots (e.g. `searchmercials_com/`) ship their **own SDBA + `dbconnect.php`** — each one is an independent plaintext-credentials file

---

## `data/` — shared config, templates, data files, SQL migrations

Despite the generic name, `data/` is the spine that drives **per-cobrand customisation** for the Hyperseek engine.

### Top-level config files

| File | Purpose |
|------|---------|
| `config.inc` | Primary Hyperseek config (PHP array: `ADMIN_DIR`, `CGI_DIR`, `DB_Format='IWeb'`, `Engine_Name='SEARCHMERCIALS'`, `Hits_Per_Page`, `PANIC_IMAGE`, `Search_Page`, `VIRTUAL`, `account_*`, ...) |
| `config.inc.save`, `config_bu_9-23.inc` | Backup copies — **delete or relocate out of webroot-adjacent tree** |
| `global.config.backup`, `global.config.save` | HTML-serialised config backups (very long lines) |
| `badwords.txt` | 83-entry profanity filter (used by listing validation) |
| `transaction.log` | **Plaintext log of Authorize.net deposits** — account names, amounts, TIDs, pending-balance lines. Rotate + relocate outside readable paths |
| `notes.txt` | Ops notes (PHP 5.4 upgrade, Apache + GeoIP setup instructions) |
| `financial-report.xls` | Financial export |
| `hscats.sql`, `tempcats.sql` | One-off SQL dumps |

### `data/config/` (176 KB) — per-site Hyperseek config

One `.inc` (and sometimes `.config`) per cobrand. Naming lines up with `affiliates/<brand>/`:

`arism.{inc,config}`, `avideo.{inc,config}`, `ccsllconline.inc`, `cyclevid.inc`, `default.inc`, `details.inc`, `fingersearch.inc`, `ibusiness.directory.config`, `ibusiness_directory.inc`, `jobsmediacenter_com.{inc,config}`, `nothing.inc`, `pooptube.inc`, `searchads.{inc,config}`, `searchads_tv.inc`, `searchmercials_com.inc`, `searchtube.{config,inc}` (+ `.save` backups), `searchtube_com.inc(.save)`, `searchtube_mobi.inc`, `wwbn_com.inc`, `wwbn_mobi.inc`, `wwbn_tv.inc`, `wwbntv.config`

Most are small PHP arrays (e.g. `default.inc` is a 3-line `redirect_url` map). `.save` files are editor backups — **sweep**.

### `data/custom/` (72 KB) — include fragments

Named-in-uppercase `.inc` snippets loaded by templates:

`ACCOUNTINFO.inc`, `CATEGORYQUERY.inc`, `COMPANYICON.inc`, `COMPANYNAME.inc`, `NETWORKS.inc` (+ `NETWORKS_orig.inc`), `TOP5CATEGORIES.inc`, `VIDEOCATEGORIES.inc`, `VIDEODETAILS.inc`, `VIDEOFRAME.inc`, `VIDEOLINK.inc`, `mobileadsensephp.inc`, `a.inc`, `debug.txt`, `fullscreen/`

### `data/templates/` (2.0 MB) — per-cobrand render templates

~35 subdirectories, one per cobrand + `default/`. Each contains `.txt` template files consumed by the dsX `PageTemplate`/`SubTemplate` renderer.

Typical template set (from `default/`):
`SearchADS-Results.txt`, `account-create.txt`, `account-login.txt`, `accounts.txt`, `add-url.txt`, `affiliates.txt`, `cobrand-details.txt`, `cobrand.txt`, `contentmatch.txt`, `default.txt`, `directory.txt`, `inline{,hor,vert}{,-media,-text}.txt`, `json.txt`, `plain.txt`, `top-cats.txt`, `xml.txt` (plus `detail_old.txt`, `search_OLD.txt`, `default_alex.txt` — **sweep targets**).

Cobrand-specific directories: `adfare`, `arism`, `avideo`, `bidding`, `ccsllconline`, `change`, `cyclevid`, `dandelion`, `default` (+ `default - Copy` — **delete**), `details`, `fingersearch`, `ibusiness_directory_orig`, `jobsmediacenter_com`, `mediacenter`, `module`, `newspaperrevenues`, `nothing`, `ostv`, `parking`, `plain`, `platform`, `pooptube`, `rei4you`, `reports`, `responsive`, `searchads_tv`, `searchmercials_com`, `searchtube_com`, `searchtube_mobi`, `tvcommcentral`, `tvcommonline`, `wideadmin`, `wwbn_com`, `wwbn_mobi`, `wwbn_tv`, `youportal`.

### `data/hyperseek/` (47 MB) — Hyperseek runtime data

- `GeoIP.dat`, `GeoIPCity.dat` — **older MaxMind GeoIP binaries**, distinct from the copies under `httpdocs/maxmind/assets/`. Verify which the app actually reads; the presence of two copies risks stale-lookup drift.
- `affiliates/` — 18 dated CSV/tab/txt snapshots from 2005–2006 (`05_17_2006.csv`, ..., `12_31_2006.txt`) — historical affiliate data dumps
- `bids.{csv,pipe,tab}`, `hyperseek.{csv,import,pipe,tab}` — structured exports in multiple delimiters (legacy import/export pipelines)
- `qualifiers.dat`, `uploaded.dat` — binary Hyperseek state files
- `recent.log` — search-term log; **contains live SQL-injection probe strings** (`1496073328'A=0`, `1496073328'"` ...). The log is user-input-derived — if it is ever `include()`d or rendered without escaping, it is an injection vector. Treat as untrusted.
- `global/BusinessServicesCategories.txt` — category seed data

### `data/sql/schemas/` — migration archive

Historical schema patches applied once and marked `.done`:

- `autobilling.patch.done` — creates `iweb_jh_autobill` + cleans `iweb_table_def` rows
- `renametables.patch.done` — **the origin of the `iweb_` table prefix**: a bulk `RENAME TABLE accounts TO iweb_accounts; ...` run that re-prefixed every Hyperseek table at some point in history
- `done/` — older `.data`/`.mysql` dumps: `bannermaster`, `categories`, `generic`, `hyperseek`, `jackhammer`, plus `renametables.patch`

This is the only in-repo record of schema evolution — there is no migration framework ([02-data-model.md](02-data-model.md) §"Schema evolution signals"). Keep read-only; **do not re-run**.

### `data/bids/` (1.5 MB) — bid spreadsheets

Seven `.xls` files: `ConnPost.xls`, `ConnPost-report.xls`, `DJanis.xls`, `ISMG.xls`, `Rei4You.com.xls`, `WWBN.com.xls`, `WWBN.com-report.xls`. Advertiser bid ledgers delivered/exported as Excel. Audit whether these contain PII or bid data that should be encrypted at rest.

---

## How these folders relate to `httpdocs/`

```
/var/www/html/Searchmercials/
├── httpdocs/          ← primary webroot (the app)
├── httpsdocs/         ← HTTPS webroot
├── affiliates/        ← per-brand cobrand webroots + iDevAffiliate
│     (pointed at by per-domain Apache vhosts via fixlinks.sh)
└── data/              ← shared config / templates / migration history
      (loaded by httpdocs AND affiliates via path includes)
```

- `httpdocs/` and each `affiliates/<brand>/` are **distinct Apache vhosts** that share the dsX engine via symlinks (`fixlinks.sh`).
- `data/config/<brand>.inc` + `data/templates/<brand>/` are the **per-brand overrides** loaded at request time based on hostname / cobrand token.
- The iDevAffiliate product in `affiliates/affiliate/` is a **separate application** with its own DB tables (`idevaff_*`) and its own login. Treat it as a sibling system, not a module.

## Actions this surface adds to the backlog

1. **Delete installer/debug leftovers**: `affiliates/affiliate/install.php`, `setup.php`, `update.php`, `upgrade.php`, `phpinfo.php`; `affiliates/wwbn_com/phpinfo.php`, `xdebug/`, `webgrind/`.
2. **Sweep editor/backup litter**: `data/*.save`, `data/*_bu_*`, `data/global.config.backup`, `data/templates/default - Copy/`, `data/templates/*/detail_old.txt`, `*_OLD.txt`.
3. **Relocate `data/transaction.log`** outside any webroot-adjacent path; rotate.
4. **Reconcile the duplicate SDBA** in `affiliates/searchmercials_com/class/sdba/` with `httpdocs/auth/classes/sdba/` — make one authoritative or vendor a single copy.
5. **Reconcile the duplicate GeoIP binaries** under `data/hyperseek/` vs `httpdocs/maxmind/assets/`.
6. **Audit the duplicate `videoads/` tree** in `affiliates/searchmercials_com/videoads/` against the canonical `httpdocs/` video-ads pipeline.
7. **Add `data/hyperseek/recent.log` handling to the untrusted-input register** — confirm no code path includes or echoes it without escaping.
8. **Encrypt or relocate `data/bids/*.xls`** if they contain advertiser PII/financials.
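
A read-only inventory for backlog items 1 and 2, added here as an example and not part of the project's own tooling. The function names are hypothetical; the relative paths and file patterns are the ones listed on this page, and the litter search covers all of `data/` so it also picks up the `.save` files in `data/config/`.

```shell
#!/bin/sh
# Added example (not from the project): read-only inventory for backlog items 1 and 2.
# Function names are hypothetical; paths and patterns are the ones listed on this page.

# Item 1: print installer/debug leftovers that still exist under root $1.
list_installer_debug() (
  root=$1
  for p in \
    affiliates/affiliate/install.php affiliates/affiliate/setup.php \
    affiliates/affiliate/update.php  affiliates/affiliate/upgrade.php \
    affiliates/affiliate/phpinfo.php affiliates/wwbn_com/phpinfo.php \
    affiliates/wwbn_com/xdebug       affiliates/wwbn_com/webgrind
  do
    if [ -e "$root/$p" ]; then printf '%s\n' "$p"; fi
  done
)

# Item 2: print editor/backup litter under $1/data. Searches all of data/,
# so it also reports the .save backups in data/config/.
list_backup_litter() (
  cd "$1" 2>/dev/null || exit 0
  [ -d data ] || exit 0
  {
    find data -type f \( -name '*.save' -o -name '*_bu_*' \
      -o -name 'global.config.backup' -o -name 'detail_old.txt' \
      -o -name '*_OLD.txt' \)
    find data/templates -type d -name 'default - Copy' 2>/dev/null
  } | sort
)

# Print every finding tagged with its backlog item. Returns 1 if anything
# is found, so the check can gate a deploy or run from cron.
audit_tree() (
  findings=$( { list_installer_debug "$1" | sed 's/^/item1 /'
                list_backup_litter "$1"   | sed 's/^/item2 /'; } )
  [ -z "$findings" ] && exit 0
  printf '%s\n' "$findings"
  exit 1
)

# Usage: audit_tree /var/www/html/Searchmercials
```

Nothing is deleted or modified; rerun the check after the cleanup and expect exit status 0.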
