Clickbank Security Using PHP
Here's a way to protect the products you sell with Clickbank, using their built-in protection and by implementing a 30-day expiration, all without having to worry about managing databases or customer lists.
THE FIRST STEP
First of all, Clickbank protection is decent as it is. If you want to keep your customers from passing the thank you page URL around to friends, there are a couple of things you can do.
Login to your Clickbank account: http://www.clickbank.com/login.html
At the top there's a link that says "Click HERE to modify your account". Click on the link.
On this page there are two links at the top, but one says "Click HERE to modify your profit and loss." Click on this one.
You should be at the page that allows you to edit the prices of all your Clickbank products. Scroll down to the bottom where it says:
Secret key (up to 16 letters & digits)
You should see a text box here. If it's empty, choose a secret key, type it in and remember it. It can be anything you want, but it should be different than your Clickbank password.
"COOKIE CUTTER" TOOLS
If you've looked around the Clickbank site you'd know that Clickbank offers some friendly pieces of code in a few different programming languages like Perl and PHP that can help you protect your downloads. Basically this is what happens:
* Your order link contains what's called a "seed". This is just a word or a piece of text, which can be anything you want.
* Your customer clicks on the order link and pays.
* Clickbank takes that seed, and uses your secret key on it -- basically mashes the two together and does a bunch of crazy stuff to end up with a garbled piece of junk. But this is a garbled piece of junk that can ONLY come from this seed and secret key. You change the value of the seed or secret key even a little and this "hash" changes.
* The seed and the hash are passed back to the thank you page where your Clickbank script sits. (We have the secret key added to your script, and it never changes, so it doesn't need to be handed to us by Clickbank.) This Clickbank script takes the seed and the secret key and does the same crazy shit Clickbank did to compute your own hash.
Clickbank calls this their "cbpop" or Clickbank Proof of Purchase.
The hash we figured out on our own and the hash Clickbank gave us are compared. If they match, we're in business because the customer really did buy from us. The customer can't figure this out on his or her own because they never actually saw the secret key. (And no, you can't "reverse" a hash to figure out the original secret key.)
If you get nothing out of what I just told you, remember this: it's almost impossible for anyone to figure out the right Proof of Purchase code without that secret key.
USING SOMEONE ELSE'S CODE
This is the PHP function they give us:
function cbValid($seed, $cbpop, $secret_key) {
// A bunch of stuff in here...
}
This function cbValid takes three parameters: $seed, $cbpop, and $secret_key. The script goes through that last step of ours I explained above, does the crazy shit and then compares the result to the one given to us by Clickbank.
Now we need to figure out what to do if your customer really didn't pay. The easiest thing to do is just stop the script in its tracks, preventing the page under it from loading.
if (!cbValid($seed, $cbpop, $secret_key)) die();
The exclamation point means "not". We're saying, first try this...
cbValid($seed, $cbpop, $secret_key)
.. pass the seed, proof of purchase, and secret key into your black box. If the function tells us NO, do the rest. In this case, "die". Die stops everything immediately, so if you have HTML or PHP code below that line, it won't be looked at if the Clickbank validation fails.
The "proper" way to grab $seed from the query string is this way:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) die();
You could also redirect the user to an error page of yours if you like:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) {
header("Location:http://www.your.host/error.html");
die();
}
Instead of $seed and $cbpop we use $_GET["seed"] and $_GET["cbpop"]. This is because the variables don't appear magically out of thin air, they really appear in the URL as http://www.your.url/test.php?seed=SOMESEED&cbpop=SOMEPOP. We want these values to be taken out of the URL.
USE MINE
Here's a zip file containing your cb.php script: http://www.jumpx.com/tutorials/clickbank/cb.zip
Save it, unzip it, and open cb.php. Near the top should be a line such as:
$secret_key = "YOUR_SECRET_KEY";
Change YOUR_SECRET_KEY to that secret key you set in the Clickbank control panel.
Now, for usage... your thank you pages will have to end in .php here. Like, thankyou.php (and now it doesn't matter if they have obvious names or not -- because they'll be totally inaccessible to thieves). Remember, you can simply rename your HTML pages so they end in .php and they'll still work just fine.
Put this line at the top of your thank you page script:
Be sure to upload cb.php to the same folder as your thank you page. Now, when someone goes to the thank you page, the first thing the thank you script will do is run everything in cb.php, and cb.php will take the data Clickbank has passed to see if it matches.
You're going to have to change your Clickbank order links a little. This is what they should look like now:
http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=YOUR_SEED
Replace YOUR_CLICKBANK_ID with, of course, your Clickbank ID and YOUR_SEED with the seed you want to use. This can be anything, something simple that's short and one word like the product name. But NOT your secret key.
YOUR_PRODUCT_ID is the number Clickbank shows to the left of each thank you page as you add it. When you're testing, be sure to set the price at $0.00. Once everything's in place you can raise the price of the item to $19.95 or $29.95 or whatever it's priced at.
http://www.clickbankguide.com/merchant.htm#account will explain everything if you're a Clickbank newbie.
COULDN'T THE DOWNLOAD URL, HASH, AND RECEIPT BE SHARED?
You can't prevent sharing completely... after all, your customer can always download the file and share the file, not the download URL, with friends. We can do one thing to give these would-be freeloaders a bit of a headache, and that is expiration.
Here we can say, 30 days after someone buys your product, the thank you page will be inaccessible to them. If they buy on October 25th, they can bookmark and revisit that thank you page up until November 25th at the exact time they made their purchase. It's kind of a nice compromise because it gives honest people enough time to get what they need but at the same time it becomes impractical to share the URL.
In chapter 9 of my book, Simple PHP (http://www.simplephp.com), I explained how time works on computers: they use a big number which is just a count of how many seconds have passed since January 1st, 1970. I also explained that there was a function, called strtotime(), which we could use to find this "total" or timestamp for a certain date. For example, 30 days ago or 1 year ago.
30 days sounds about right. The Unix timestamp of this moment, minus 30 days, is:
strtotime("-30 days")
Now, to store it in a variable called $expire:
$expire = strtotime("-30 days");
But you're saying, how do I know when these people purchased? I don't have that kind of information. Aha! But you do. Remember, the seed you put in your order links can be anything you want. So let's just make it the timestamp of this exact moment.
When the customer revisits the thank you page, they can't change the seed, because as I mentioned, if you change *either* the seed or the secret key, the resulting hash (proof of purchase) will be different. So you see, they're stuck with it. But the current time always changes!
All we have to do, in cb.php, are these two steps:
* Figure out what the timestamp was exactly 30 days ago, and store this value in $expire.
* Compare the seed and $expire. If the value of the seed is less than that of $expire, it means that the product was purchased more than 30 days ago and the visitor shouldn't be given access to the page. Die.
We've already taken care of step one by saving the timestamp 30 days prior in $expire. Now, we compare the seed (it's $_GET["seed"], remember, because we're grabbing it out of the URL string) and $expire like:
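if ($_GET["seed"] < $expire) die();
<a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=YOUR_SEED">Order Now</a>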
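Instead of YOUR_SEED we want PHP to output the current timestamp, using echo. The function for that is time(); calling mktime() with no arguments gave the same value on older PHP versions but is an error in PHP 8.
echo time();
Now just put <?php ?> around it...
And shove it in there.
<a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=<?php echo time(); ?>">Order Now</a>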
Now set up a link for $0.00 in your Clickbank control panel and try it. You can be sure it works by changing that "-30 days" in strtotime to "-5 minutes". Then try accessing the download page, then wait 5 minutes and try again. Neat, isn't it?
You say, I've done this, but I have more than one product. How do I keep someone from grabbing everything once they've grabbed one?
Have your links look like the following: <a href="http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=stringbeans<?php echo time(); ?>">Order Now</a>
This way the seeds will look like "stringbeans445433" if you're selling stringbeans. Then again if you're selling corn on the cob on another sales page, you can change "stringbeans" to "cornonthecob". Now the seeds for each product will be different.
Those seeds won't be all numbers, will they? So, in cb.php, do this:
// ereg_replace() was removed in PHP 7; preg_replace() does the same job
$timestamp = preg_replace("/[^0-9]/", "", $_GET["seed"]);
I won't go into a lot of detail about pattern matching, but the [^0-9] means "NOT anything from 0 to 9". It basically goes through every letter and number of $_GET["seed"], and if what's there isn't a 0, 1, 2, etc. it's replaced with nothing (hence the ""). The final result is saved in a variable called $timestamp.
Since now we're looking at $timestamp and not $_GET["seed"], let's change that if-statement:
if ($timestamp < $expire) die();
When I extracted the timestamp from the seed, I simply removed all characters that were not numbers, leaving just the numbers contained within that string. Now I want to do the opposite. Here's an example seed:
test1074482258
I take out all the numbers and am left with "test". Next I figure out which script called cb.php (which is stored in the variable $_SERVER["SCRIPT_NAME"]). Then the script keeps only what comes after the last slash (/) and before the first dot (.). If the script was located at "/clickbank/test.php", all that's left is "test".
If you give each thank you page a different name, and make sure all your seeds reflect the correct page, i.e. if your thank you page is called "carrots", the part of that order link containing the seed should appear as:
&seed=carrots
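The checks described above (proof of purchase, 30-day expiration, and seed name matching the thank you page), put together as an added example that is not the author's cb.php and not Clickbank's code. proofValid() and accessAllowed() are hypothetical names, and the proof is an HMAC-SHA256 stand-in because Clickbank's cbValid() body is not shown on this page; the example also rejects a timestamp later than the current time, which the article does not describe.

```php
<?php
// Added example, not the author's cb.php.
// proofValid() is a hypothetical stand-in built on HMAC-SHA256; Clickbank's
// cbValid() computes its proof differently and is what a real page would call.
function proofValid(string $seed, string $cbpop, string $secret_key): bool {
    if ($seed === "" || $cbpop === "") return false;
    $expected = hash_hmac("sha256", $seed, $secret_key);
    return hash_equals($expected, $cbpop);        // constant-time comparison
}

// True only if the proof matches, the seed names this thank you page, and
// the timestamp inside the seed is no more than 30 days old.
function accessAllowed(array $get, string $script, string $secret_key, int $now): bool {
    $seed  = is_string($get["seed"] ?? null)  ? $get["seed"]  : "";
    $cbpop = is_string($get["cbpop"] ?? null) ? $get["cbpop"] : "";
    if (!proofValid($seed, $cbpop, $secret_key)) return false;

    // The article's seed layout: product name plus timestamp, e.g. test1074482258.
    $timestamp = (int) preg_replace('/[^0-9]/', '', $seed);
    $product   = preg_replace('/[0-9]/', '', $seed);

    // "/clickbank/test.php" -> "test"
    $page = explode(".", basename($script))[0];
    if ($product !== $page) return false;

    $expire = strtotime("-30 days", $now);
    return $timestamp >= $expire && $timestamp <= $now;   // not expired, not future-dated
}

$secret_key = "YOUR_SECRET_KEY";
if (PHP_SAPI === "cli") {
    // Constructed sample data so the checks can be seen offline.
    $now  = 1074482258 + 86400;                   // one day after the purchase
    $seed = "test1074482258";
    $get  = ["seed" => $seed, "cbpop" => hash_hmac("sha256", $seed, $secret_key)];
    var_dump(accessAllowed($get, "/clickbank/test.php", $secret_key, $now));              // fresh link
    var_dump(accessAllowed($get, "/clickbank/carrots.php", $secret_key, $now));           // other product's page
    var_dump(accessAllowed($get, "/clickbank/test.php", $secret_key, $now + 31 * 86400)); // 32 days later
    $get["seed"] = "test1077074258";              // seed edited, proof left unchanged
    var_dump(accessAllowed($get, "/clickbank/test.php", $secret_key, $now));
} elseif (!accessAllowed($_GET, $_SERVER["SCRIPT_NAME"], $secret_key, time())) {
    header("Location: http://www.your.host/error.html");
    die();
}
```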
If you don't care how Clickbank's protection works, that's your prerogative. Just get the zip file and follow the instructions I've provided in cb.php.
As far as scripts that handle several Clickbank products -- I can't recommend any at this time, since I've never come across any good ones. (But you should check out Harvey Segal's free site, ClickbankGuide.com, which can answer most of your questions about Clickbank.)
Here's that script again in case you missed it: http://www.jumpx.com/tutorials/clickbank/cb.zip
Make sure to read the instructions I've supplied in cb.php, get everything copied onto your web server, and you'll be well on your way to having bulletproof protection on your Clickbank products.
Robert Plank is the creator of Lightning Track, Redirect Pro, Rotatorblaze, and other useful tools.
Want to pick up a few programming skills? Then purchase the e-book "Simple PHP" at http://www.simplephp.com
You may reprint this article in full in your newsletter or web site.