I do not know about protecting against cheating, but as for the rest:
For example:
In the DB, a table of banners.
Columns: id, img, url, show, click (I hope the meaning needs no explanation).
In the CMS, write something like:
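// $db is assumed to be an already open mysqli connection (the mysql_* functions were removed in PHP 7).
// Pick one random banner.
$banner=mysqli_fetch_array(mysqli_query($db, "SELECT img,id FROM banners ORDER BY RAND() LIMIT 1"));
// Count the impression. `show` is a reserved word in MySQL, so it needs backticks; the id is cast to an integer.
mysqli_query($db, "UPDATE banners SET `show`=`show`+1 WHERE id=".(int)$banner['id']);
$banner="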

";
In banner.php, by analogy:
1) Filter $_GET[id] to protect against injection.
2) Check in the cookies or in the session whether the user has clicked this banner before. If not, add one to the click field. Write to a cookie or to the session that this banner has been clicked.
3) Redirect the user to the url from the database.
Something like this. If there is a mistake somewhere in the code, do not scold me, it is late.
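The three banner.php steps described above, as an added example that is not part of the original post. It assumes the banners table with the columns named in the post; the connection details and the `clicked_banners` session key are constructed placeholders.

```php
<?php
// Added example, not the poster's code. Assumed: table `banners` with the
// columns id, img, url, show, click from the post; credentials are placeholders.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'banner_user', 'change-me', 'site');

// 1) Accept only a positive integer id; anything else is rejected outright.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad banner id');
}

// Look up the target with a bound parameter, so the id never enters the SQL text.
$stmt = $db->prepare('SELECT url FROM banners WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$stmt->bind_result($url);
$found = $stmt->fetch();
$stmt->close();
if (!$found) {
    http_response_code(404);
    exit('Unknown banner');
}

// 2) Count the click once per session and per banner.
if (empty($_SESSION['clicked_banners'][$id])) {
    $upd = $db->prepare('UPDATE banners SET click = click + 1 WHERE id = ?');
    $upd->bind_param('i', $id);
    $upd->execute();
    $upd->close();
    $_SESSION['clicked_banners'][$id] = true;
}

// 3) Redirect only to an absolute http(s) URL stored in the row.
$scheme = parse_url($url, PHP_URL_SCHEME);
if (!in_array(strtolower((string)$scheme), ['http', 'https'], true)) {
    http_response_code(500);
    exit('Invalid banner target');
}
header('Location: ' . $url, true, 302);
exit;
```

The session flag only stops repeat counts from the same browser session; a client that discards its cookies is counted again.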