An effective method to protect merchandise sold through Clickbank, using its built-in protection and a 30-day expiration, without having to manage databases or lists of clients.
Clickbank security is pretty good as it is. If you want to keep your clients from sending the thank you page link around to friends, there are some measures that can be taken.
First, log in to your Clickbank account: http://www.clickbank.com/login.html
Then click on the link to modify your Clickbank account.
You should arrive at the page where you can modify the pricing of your Clickbank merchandise. Scroll to the very bottom, where it displays: Secret key (up to 16 letters & digits)
You will see a text box. If it is empty, choose a secret key, type it in, and don’t forget it (note it down somewhere). It needs to differ from your Clickbank password, but can be absolutely anything you desire.
Cookie Cutter Tools
If you have browsed around the Clickbank website you will have noticed that Clickbank has some scripts available in PHP that can help you secure your downloads. This is what generally happens:
1.) The order URL contains a “seed”: text within the URL that can be anything you desire.
2.) The visitor clicks on the order link and makes the purchase.
3.) Clickbank takes this seed and applies your secret key to it: it combines the two and generates some scrambled code. This scrambled code can only come from both the seed and the secret key; any slight alteration to either of them would also change the scrambled code.
4.) Both the seed and the scrambled code are sent back to the thank you page where your Clickbank script resides. This script takes the seed and your secret key and scrambles them exactly how Clickbank itself does.
Clickbank calls this the cbpop (Clickbank Proof of Purchase).
When the scrambled codes match, the visitor did make the purchase. The client cannot work this out on their own since they have never seen the secret key.
It’s literally impossible for anybody to work out the right Proof of Purchase code without the secret key.
Using other code
This is the PHP function they give us:
function cbValid($seed, $cbpop, $secret_key) {
// Code here..
}
This function, cbValid, takes 3 parameters: $seed, $cbpop, and $secret_key. It carries out the final step mentioned above.
OK, so now we need to work out what to do if your visitor didn’t pay. The best thing to do is halt the script immediately, preventing the page below it from being processed.
if (!cbValid($seed, $cbpop, $secret_key)) die();
The exclamation point means “not”. We’re saying, first try this…
cbValid($seed, $cbpop, $secret_key)
.. pass the seed, proof of purchase, and secret key into the black box. If the function tells us NO, do the rest: in this case, “die”. Die stops everything immediately, so if you have HTML or PHP code below that line, it won’t be processed if the Clickbank validation fails.
The “proper” way to grab $seed from the query string is this way:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) die();
You could also redirect the user to an error page of yours if you like:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) {
    // Send the visitor to the error page, then stop so nothing below runs.
    header("Location: http://www.your.host/error.html");
    die();
}
Instead of $seed and $cbpop we use $_GET["seed"] and $_GET["cbpop"]. This is because those variables do not exist on their own; the values appear in the link as http://www.domain.url/test.php?seed=SOMESEED&cbpop=SOMEPOP, and we want them to be taken out of the URL.
Pre-Made Script
Here is a zip containing the cb.php script: http://www.phpide.com/clickbank-script.zip
Download it, then unzip it, and then open cb.php. Find the following line:
$secret_key = "YOUR_SECRET_KEY";
Change YOUR_SECRET_KEY to the secret key you created in your Clickbank account settings page.
Your thank you pages should end in .php here, like thankyou.php. It does not matter if they have obvious names, since they will be inaccessible to unauthorized users. Note that you can simply rename your HTML pages so they end in .php and they will still work just as well.
Put this line at the top of your thank you page script:
Make certain to upload cb.php to the same folder as your thank you page. When somebody goes to the thank you page, the first thing the thank you script will do is process everything in cb.php, and cb.php will take the data Clickbank has sent and check whether it matches.
You are going to have to change your Clickbank order links a bit. This is what they should appear like:
http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=YOUR_SEED
Replace YOUR_CLICKBANK_ID with, naturally, your Clickbank ID and YOUR_SEED with the seed you want to use. This can be anything: something basic that’s short and one word, like the product name. But not your secret key.
YOUR_PRODUCT_ID is the number Clickbank shows to the left of each thank you page as you add it. When you’re trying this out, make sure to set the price at .00. Once everything’s in order you can increase the price of the item to .75 or .85 depending on the price of the product.
http://www.clickbankguide.com/merchant.htm#account will explain everything if you are new to Clickbank.
More prevention methods:
Preventing the visitor from sharing the downloaded file itself is impossible, but sharing of the download link is another matter. There is a measure we can take to put a fair obstacle in front of unauthorized users, and that is an expiration.
We can say that 30 days after somebody buys your product, the thank you page will be inaccessible to them. If they purchase on May 15th, they can revisit the thank you page up until June 15th at the exact time they made their purchase. This provides enough time for the user to download the product but also makes it useless to share the link.
Creating the Expiration:
The Unix timestamp of this very moment, minus 30 days, is:
strtotime("-30 days")
Store this in a variable called $expire:
$expire = strtotime("-30 days");
The next question we may ask is, how do we know when these users bought the product? Remember, the seed you put in your order links can be anything you want. So let’s just make it the timestamp of this exact moment.
When the visitor revisits the thank you page, they cannot modify the seed, because as I mentioned, if you alter either the seed or the secret key, the resulting scrambled code (proof of purchase) will be slightly different. So you now see, they are stuck with it. However, the current time always changes.
Now we have to edit cb.php:
- Work out what the timestamp was exactly 30 days ago, and store this value in $expire.
- Compare the seed and $expire. If the value of the seed is less than that of $expire, it means that the product was purchased more than 30 days ago and the user should not be given access to the page. Die.
We have already taken care of step one by saving the timestamp from 30 days prior in $expire. Now we compare the seed (it’s $_GET["seed"], take note, since we are taking it from the URL string) and $expire like this:
if ($_GET["seed"] < $expire) die();
For the seed, we want PHP to call the function time(), which gives us the current timestamp, and output it using echo. (The older mktime() with no arguments does the same thing but no longer works as of PHP 8.)
echo time();
Insert it in the seed of your order link:
<a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=<?php echo time(); ?>">Order Now</a>
Assemble a link for .00 in your Clickbank control panel and try it. You can be certain it works by altering that “-30 days” in strtotime to “-1 minute”. Then try accessing the download page, then wait 1 minute and try again.
If you have multiple products, how do you keep somebody from seizing everything once they’ve got hold of one product?
Have your links look like the following:
<a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=dummys<?php echo time(); ?>">Order Now</a>
This way the seeds will look like “dummys445433” if you’re selling dummys. If you are selling toys, you can change “dummys” to “toys”. The seeds for each product will vary.
The seeds won’t be all digits. So, in cb.php, do this:
$timestamp = preg_replace("/[^0-9]/", "", $_GET["seed"]);
This tutorial won’t go heavily into pattern matching, but the [^0-9] means “NOT anything from 0 to 9”. It simply goes through every letter and number of $_GET["seed"], and any character that is not a 0, 1, 2, and so on is replaced with nothing (thus the ""). The result is saved in a variable called $timestamp. preg_replace is used here because the older ereg_replace was removed in PHP 7.
Because now we are looking at $timestamp and not $_GET["seed"], let’s alter that if-statement:
if ($timestamp < $expire) die();
When I extracted the timestamp from the seed, I just removed all characters that were not digits, leaving only the digits contained within that string. Now we want to do the opposite. Here’s an example seed:
toy1074482258
We remove all the digits and are left with “toy”. Next we work out which script called cb.php (that is stored in the variable $_SERVER["SCRIPT_NAME"]). The script removes everything up to the last slash (/) and everything from the first dot (.) onward. If the script was located at “/clickbank/toy.php”, all that’s left is “toy”.
If you give each thank you page a different name, make certain all your seeds reflect the correct page. For example, if your thank you page is called “beans”, the part of that order link containing the seed should appear as:
&seed=beans
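The three checks this tutorial builds into cb.php (proof of purchase, 30-day expiry, and a seed that names the thank you page), put together as an added example; it is not the cb.php from the zip and not Clickbank's code. The body of cbValid is not shown on this page, so proofFor() is an assumed stand-in using HMAC-SHA256; accessAllowed(), the secret key and the sample values are constructed for illustration.

```php
<?php
// Added example; proofFor() is an assumed stand-in (HMAC-SHA256),
// not Clickbank's cbpop algorithm, whose code is not shown on this page.
function proofFor(string $seed, string $secretKey): string {
    return hash_hmac('sha256', $seed, $secretKey);
}

// True only if the proof matches, the seed names this page, and the
// purchase time embedded in the seed is at most $maxAge seconds old.
function accessAllowed(string $seed, string $proof, string $secretKey,
                       string $scriptName, int $now,
                       int $maxAge = 30 * 86400): bool {
    // 1. Verify the proof before trusting anything inside the seed.
    //    hash_equals() compares in constant time.
    if (!hash_equals(proofFor($seed, $secretKey), $proof)) {
        return false;
    }
    // 2. Seed layout from the tutorial: product name, then timestamp digits.
    if (!preg_match('/^([a-z]+)([0-9]{1,10})$/', $seed, $m)) {
        return false;
    }
    // 3. "/clickbank/toy.php" -> "toy"; the seed must name this page.
    if ($m[1] !== basename($scriptName, '.php')) {
        return false;
    }
    // 4. Refuse purchases older than the window and seeds dated in the
    //    future, which would otherwise never expire.
    $bought = (int) $m[2];
    return $bought <= $now && $bought >= $now - $maxAge;
}

// Constructed sample values (the seed is the tutorial's example seed).
$secret = 'EXAMPLEKEY123';
$seed   = 'toy1074482258';
$proof  = proofFor($seed, $secret);
$day    = 86400;
$now    = 1074482258 + $day;

// Case 1: valid purchase, one day old, on the right page.
var_dump(accessAllowed($seed, $proof, $secret, '/clickbank/toy.php', $now));
// Case 2: seed changed after purchase, so the proof no longer matches.
var_dump(accessAllowed('toy1074482259', $proof, $secret, '/clickbank/toy.php', $now));
// Case 3: proof for the toy page presented to another product's page.
var_dump(accessAllowed($seed, $proof, $secret, '/clickbank/beans.php', $now));
// Case 4: same link used 31 days after purchase.
var_dump(accessAllowed($seed, $proof, $secret, '/clickbank/toy.php', $now + 30 * $day));
```

The proof is checked first so that the product name and timestamp are only read from a seed that has already been authenticated.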
So that’s it, I hope this tutorial now helps to secure your Clickbank products!

