Clickbank Security Using PHP
Here's a way to protect the products you sell with Clickbank, using their built-in protection and by implementing a 30-day expiration, all without having to worry about managing databases or customer lists.
THE FIRST STEP
First of all, Clickbank protection is decent as it is. If you want to keep your customers from passing the thank you page URL around to friends, there are a couple of things you can do.
Login to your Clickbank account: http://www.clickbank.com/login.html
At the bottom there's a link that says "Click HERE to modify your account". Click on the link.
On this page there are two links at the top, but one says "Click HERE to modify your account." Click on this one.
You should be at the page that allows you to edit the prices of all your Clickbank products. Scroll down to the bottom where it says:
Secret key (up to 16 letters & digits)
You should see a text box here. If it's empty, choose a secret key, type it in and remember it. It can be anything you want, but it should be different from your Clickbank password.
"COOKIE CUTTER" TOOLS
If you've looked around the Clickbank site you'd know that Clickbank offers some friendly pieces of code in a few different programming languages like Perl and PHP that can help you protect your downloads. Basically this is what happens:
* Your order link contains what's called a "seed". This is just a word or a piece of text, which can be anything you want.
* Your customer clicks on the order link and pays.
* Clickbank takes that seed, and uses your secret key on it -- basically mashes the two together and does a bunch of crazy stuff to come up with a garbled piece of junk. But this is a garbled piece of junk that can ONLY come from this seed and secret key. You change the value of the seed or secret key even a little and this "hash" changes.
* The seed and the hash are passed back to the thank you page where your Clickbank script sits. (We have the secret key added to your script, and it never changes, so it doesn't need to be handed to us by Clickbank.) This Clickbank script takes the seed and the secret key and does the same crazy stuff Clickbank did to compute your own hash.
Clickbank calls this their "cbpop" or Clickbank Proof of Purchase.
The hash we figured out on our own and the hash from Clickbank are compared. If they match, we're in business because the customer here really did buy from us. The customer can't figure this out on his or her own because they never actually saw the secret key. (And no, you can't "reverse" a hash to figure out the original secret key.)
If you take nothing else away from what I just told you, remember this: it's almost impossible for anyone to figure out the right Proof of Purchase code without that secret key.
USING SOMEONE ELSE'S CODE
This is the PHP function they give us:
function cbValid($seed, $cbpop, $secret_key) {
// A bunch of stuff in here (the hashing and comparison)...
}
This function cbValid takes three parameters: $seed, $cbpop, and $secret_key. The script goes through that last step I explained above, does the crazy stuff and then compares the result to the one given to us by Clickbank.
Now we need to figure out what to do if your customer really didn't pay. The easiest thing to do is just stop the script in its tracks, preventing the page under it from loading.
if (!cbValid($seed, $cbpop, $secret_key)) die();
The exclamation mark means "not". We're saying, first try this...
cbValid($seed, $cbpop, $secret_key)
.. pass the seed, proof of purchase, and secret key into our black box. If the function tells us NO, run the rest. In this case, "die". Die stops everything after it, so if you have HTML or PHP code below that line, it won't be looked at if the Clickbank validation fails.
The "proper" way to grab $seed from the query string is this way:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) die();
You could also redirect the end user to an error page of yours if you like:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) {
header("Location:http://www.your.host/error.html");
die();
}
Instead of $seed and $cbpop we use $_GET["seed"] and $_GET["cbpop"]. This is because the variables don't appear magically out of thin air, they really appear in the URL as http://www.your.url/test.php?seed=SOMESEED&cbpop=SOMEPOP. We want these values to be taken out of the URL.
USE MINE
Here's a zip file containing my cb.php script: http://www.jumpx.com/tutorials/clickbank/cb.zip
Save it, unzip it, and open cb.php. Near the end should be a line such as:
$secret_key = "YOUR_SECRET_KEY";
Change YOUR_SECRET_KEY to the secret key you set in the Clickbank control panel.
Now, for this to work... your thank you pages will have to end in .php. Like, thankyou.php (and now it doesn't matter if they have obvious names or not -- because they'll be completely inaccessible to thieves). Remember, you can simply rename your HTML pages so they end in .php and they'll still work just fine.
Put the include line for cb.php at the top of your thank you page script.
Be sure to download cb.php to the same folder as your thank you page. Now, when someone goes to the thank you page, the first thing the thank you script will do is run everything in cb.php, and cb.php will take the order data Clickbank has passed to see if it matches.
You're going to have to change your Clickbank order links a little. This is what they should look like now:
http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=YOUR_SEED
Replace YOUR_CLICKBANK_ID with, of course, your Clickbank ID and YOUR_SEED with the seed you want to use. This can be anything, something simple that's short and one word like the product name. But NOT your secret key.
YOUR_PRODUCT_ID is the number Clickbank shows to the left of each thank you page as you add it. When you're testing, be sure to set the price to $0.00. Once everything's in place you can raise the price of the item to $19.95 or $29.95 or whatever it's priced at.
http://www.clickbankguide.com/merchant.htm#account will explain everything if you're a Clickbank newbie.
COULDN'T THE DOWNLOAD URL, HASH, AND RECEIPT BE SHARED?
You can't prevent sharing entirely... after all, your customer can always download the file and share the file, not the download URL, with friends. We can do one thing to give these would-be freeloaders a bit of a headache, and that is expiration.
Here we can assume that 30 days after someone buys your product, the thank you page will be inaccessible to them. If they buy on October 25th, they can bookmark and return to that thank you page up until November 25th at the exact moment they made their purchase. It's kind of a nice compromise because it gives honest people enough time to get what they need, but at the same time it becomes impractical to share the URL.
In chapter 9 of my book, Simple PHP (http://www.simplephp.com), I explained how time works on computers: they use a big number which is just a count of how many seconds have passed since January 1st, 1970. I also explained that there is a function, called strtotime(), which we can use to determine this "number" or timestamp of a certain date. For example, 30 days ago or 1 year ago.
30 days sounds about right. To figure out the Unix timestamp of this moment, minus 30 days, is:
strtotime("-30 days")
Now, to store it in a variable called $expire:
$expire = strtotime("-30 days");
But you're saying, how do I know when these people purchased? I don't have that kind of information. Aha! But you can. Remember, the seed you put in your order links can be anything you want. So let's just make it the timestamp of this exact moment.
When the customer revisits the thank you page, they can't change the seed, because as I mentioned, if you change *either* the seed or the secret key, the resulting hash (proof of purchase) will be different. So you see, they're stuck with it. But, the current time always changes!
All we have to do, in cb.php, are these two steps:
* Figure out what the timestamp was exactly 30 days ago, and store this value in $expire.
* Compare the seed and $expire. If the value of the seed is less than that of $expire, it means that the product was purchased more than 30 days ago and the visitor shouldn't be given access to the page. Die.
We've already taken care of step one by saving the timestamp from 30 days prior in $expire. Now, we compare the seed (it's $_GET["seed"], remember, because we're grabbing it out of the URL string) and $expire like:
if ($_GET["seed"] < $expire) die();
Now for the order link, which currently ends in &seed=YOUR_SEED and reads "Order Now".
Instead of YOUR_SEED we want PHP to call the function mktime(), which gives us the current timestamp, and output it, using echo.
echo mktime();
Now just put PHP tags around it...
<?php echo mktime(); ?>
And shove it in there:
<a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=<?php echo mktime(); ?>">Order Now</a>
Now set up a product for $0.00 in your Clickbank control panel and try it. You can make sure it works by changing that "-30 days" in strtotime to "-5 minutes". Then try accessing the thank you page, then wait 5 minutes and try again. Neat, isn't it?
You say, I've done this, but I have more than one product. How do I keep someone from grabbing everything once they've grabbed one?
Have your links look like the following:
<a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=stringbeans<?php echo mktime(); ?>">Order Now</a>
This way the seeds will look like "stringbeans445433" if you're selling stringbeans. Then again if you're selling corn on the cob on another sales page, you can change "stringbeans" to "cornonthecob". Now the seeds for each product will be different.
Those seeds won't be all numbers, will they? So, in cb.php, do this:
// preg_replace() is used here because ereg_replace() was removed in PHP 7
$timestamp = preg_replace("/[^0-9]/", "", $_GET["seed"]);
I won't go into a lot of detail about pattern matching, but the [^0-9] means "NOT anything from 0 to 9". It basically goes through every letter and number of $_GET["seed"], and if what's there isn't a 0, 1, 2, etc. it's replaced with nothing (hence the ""). The final result is stored in a variable called $timestamp.
Since now we're looking at $timestamp and not $_GET["seed"], let's change that if-statement:
if ($timestamp < $expire) die();
When I extracted the timestamp from the seed, I simply removed all characters that were not numbers, leaving just the numbers contained within that string. Now I want to do the opposite. Here's an example seed:
test1074482258
I take out all the numbers and am left with "test". Next I figure out which script called cb.php (which is stored in the variable $_SERVER["SCRIPT_NAME"]). Then the script takes out everything up to the last slash (/) and everything from the first dot (.) onward. If the script was located at "/clickbank/test.php", all that's left is "test".
Give each thank you page a different name, and make sure all your seeds reflect the correct page: if your thank you page is called "carrots", the part of the order link containing the seed should appear as:
&seed=carrots<?php echo mktime(); ?>
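As an added example (not the author's cb.php and not Clickbank's own code), here is the whole check from the sections above in one PHP file: the cbValid() gate from "USING SOMEONE ELSE'S CODE", the 30-day expiry on the seed's timestamp, and the page-name match. The body of cbValid() is an assumption, since the page leaves it out: the first 8 characters of sha1("seed|secret"), uppercased, which is how Clickbank's cbpop was commonly documented; PHP 7 or later and the constructed values at the bottom are also assumptions.

```php
<?php
// ASSUMPTION: cbpop = first 8 chars of sha1("seed|secret"), uppercased.
// The article never shows cbValid()'s body, so treat this as the commonly
// documented legacy scheme, not as Clickbank's verified algorithm.
function cbPop(string $seed, string $secretKey): string {
    return strtoupper(substr(sha1($seed . '|' . $secretKey), 0, 8));
}

function cbValid(string $seed, string $cbpop, string $secretKey): bool {
    // hash_equals() compares in constant time, so response timing does not
    // leak how many characters of a guessed cbpop were correct.
    return hash_equals(cbPop($seed, $secretKey), $cbpop);
}

// Page name as the article describes it: drop the directory and the
// extension from SCRIPT_NAME, e.g. "/clickbank/test.php" -> "test".
function pageName(string $scriptName): string {
    return pathinfo($scriptName, PATHINFO_FILENAME);
}

// True only when (1) the hash matches, (2) the digits in the seed are a
// timestamp no older than $maxAge seconds, and (3) the letters in the seed
// name the page being viewed. $now is injected so the rule can be tested.
function accessAllowed(array $get, string $scriptName, string $secretKey,
                       int $now, int $maxAge = 30 * 24 * 3600): bool {
    $seed  = $get['seed']  ?? '';
    $cbpop = $get['cbpop'] ?? '';
    if (!cbValid($seed, $cbpop, $secretKey)) {
        return false;                          // no valid proof of purchase
    }
    $timestamp = (int) preg_replace('/[^0-9]/', '', $seed);
    if ($timestamp < $now - $maxAge) {
        return false;                          // bought more than 30 days ago
    }
    $product = preg_replace('/[0-9]/', '', $seed);
    return $product === pageName($scriptName); // seed belongs to this page
}

// Constructed demonstration values, not real Clickbank data.
$secret = 'EXAMPLE_SECRET_KEY';
$bought = 1074482258;                     // the article's example timestamp
$seed   = 'test' . $bought;               // what the order link would send
$query  = ['seed' => $seed, 'cbpop' => cbPop($seed, $secret)]; // what Clickbank passes back
var_dump(accessAllowed($query, '/clickbank/test.php',    $secret, $bought + 86400));      // one day later
var_dump(accessAllowed($query, '/clickbank/test.php',    $secret, $bought + 31 * 86400)); // past expiry
var_dump(accessAllowed($query, '/clickbank/carrots.php', $secret, $bought + 86400));      // other page
```

Note that the timestamp is whatever the order link carried when the customer clicked it, so this check limits how long a valid thank you URL stays usable; the hash prevents edits to the seed after purchase, not before.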
If you don't care how Clickbank's protection works, that's your prerogative. Just grab the zip file and follow the instructions I've provided in cb.php.
As far as scripts that handle several Clickbank products -- I can't recommend any at this time, since I've never come across any good ones. (But you should check out Harvey Segal's free site, ClickbankGuide.com, which can answer most of your questions about Clickbank.)
Here's that script again in case you missed it: http://www.jumpx.com/tutorials/clickbank/cb.zip
Make sure to read the instructions I've supplied in cb.php, get everything set up and on your web server, and you'll be well on your way to having bulletproof protection on your Clickbank products.
Robert Plank is the inventor of Lightning Track, Redirect Pro, Rotatorblaze, and other useful tools.
Want to pick up some programming skills? Then check out the e-book "Simple PHP" at http://www.simplephp.com
You may reprint this article in full in your newsletter or web site.