11 April 2008 ~ 16 Comments

Protect Your ClickBank "Thank You" Page

Selling digital products on ClickBank is a great way to earn extra income and link up with affiliates from all over the Internet. When you first set up your account and create your sales page and thank you page, there is no security built in to keep people from working out your thank you page’s address and going there directly, bypassing the ordering system.

When I was creating the download page for my Internet Safety for Parents ebook and video training series, I ran into some trouble trying to secure my thank you page. If you are a parent and want a comprehensive training package (book and video series) teaching you how to protect your children from online dangers including hackers, scam artists, cyber-bullies, identity theft, online predators and more, check out the training.

PHP Protection Script

ClickBank’s site offers some basic scripts to protect your thank you page, but unfortunately for modern PHP sites, the use of global variables often doesn’t work.  Here is the script they offer on their site (that I couldn’t get to work):

function cbValid()
{ $key='YOUR SECRET KEY';
  $rcpt=$_REQUEST['cbreceipt'];
  $time=$_REQUEST['time'];
  $item=$_REQUEST['item'];
  $cbpop=$_REQUEST['cbpop'];

  $xxpop=sha1("$key|$rcpt|$time|$item");
  $xxpop=strtoupper(substr($xxpop,0,8));

  if ($cbpop==$xxpop) return 1;
  else return 0;
}
   

I couldn’t get that script to work, and from what I was able to figure out, it’s because they are assuming global variables are turned on, which is disabled by default in most later versions of PHP. By specifying the variables in the code, I was able to get it to work. The script checks that the person visiting the thank you page is coming from ClickBank’s site after making a purchase: it recomputes the cbpop value from your secret key and the cbreceipt, time and item parameters and compares it with the one in the URL. If they don’t match, you redirect the visitor to another page. Place this code at the very beginning of your thank you page, before any HTML, because the redirect header can only be sent before any output.

<?php // thankyou.php
function cbValid($rcpt, $time, $item, $cbpop){
    $key='ABCDE'; // your ClickBank secret key
    $xxpop=sha1("$key|$rcpt|$time|$item");
    $xxpop=strtoupper(substr($xxpop,0,8)); // first 8 hex digits, upper-cased
    if (hash_equals($xxpop, $cbpop)){ // exact string match, no loose == type juggling
        return 1;
    } else {
        return 0;
    }
}
// ===== Sanitize the input (only allow GET for security) =====
$rcpt = trim(addslashes($_GET['cbreceipt'] ?? '')); // a missing parameter becomes ''
$time = trim(addslashes($_GET['time'] ?? ''));
$item = trim(addslashes($_GET['item'] ?? ''));
$cbpop = trim(addslashes($_GET['cbpop'] ?? ''));
// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
    // redirect
    header('Location: http://www.SendThemSomewhere.com/');
    exit;
}
// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed
// now have the thank you page html
?>

Full Protection Application

I suppose that still doesn’t stop someone from copying the full URL from a valid purchase and posting that out there somewhere, but you could add some additional variables to make it time out after a certain period of time.
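The time-out idea above, as an added example (not code from the original post or from ClickBank): because `time` is part of the hashed string, a valid link can be refused once it is older than a chosen window. It assumes `time` is the purchase time in Unix epoch seconds; `cbValidFresh`, the `CB_*` constants and the sample values are hypothetical.

```php
<?php
// Added example, not ClickBank's code. Assumption: 'time' is the purchase
// time in Unix epoch seconds. All names and sample values are hypothetical.
const CB_SECRET_KEY = 'ABCDE'; // placeholder key, as in the script above
const CB_MAX_AGE    = 86400;   // assumed policy: link is good for 24 hours
const CB_CLOCK_SKEW = 300;     // tolerate small clock differences

// True only if cbpop matches AND the signed purchase time is recent enough.
function cbValidFresh(array $params, string $key, int $now): bool
{
    foreach (['cbreceipt', 'time', 'item', 'cbpop'] as $name) {
        // Missing or array-valued parameters (?cbpop[]=x) are rejected outright.
        if (!isset($params[$name]) || !is_string($params[$name])) {
            return false;
        }
    }
    $rcpt = $params['cbreceipt'];
    $time = $params['time'];
    $item = $params['item'];

    // Same computation as the script above: first 8 hex digits of the SHA-1.
    $expected = strtoupper(substr(sha1("$key|$rcpt|$time|$item"), 0, 8));
    if (!hash_equals($expected, $params['cbpop'])) {
        return false;
    }
    // 'time' is covered by the hash, so editing it in the URL breaks cbpop.
    if (!ctype_digit($time)) {
        return false;
    }
    $age = $now - (int) $time;
    return $age >= -CB_CLOCK_SKEW && $age <= CB_MAX_AGE;
}

// Constructed sample request: a purchase made ten minutes before $now.
$now    = 1207900000;
$sample = ['cbreceipt' => 'TESTRCPT', 'time' => (string) ($now - 600), 'item' => '1'];
$sample['cbpop'] = strtoupper(substr(
    sha1(CB_SECRET_KEY . "|{$sample['cbreceipt']}|{$sample['time']}|{$sample['item']}"), 0, 8));

$stale  = $now + 2 * CB_MAX_AGE;                  // same URL reused two days later
$edited = ['time' => (string) $stale] + $sample;  // 'time' changed by hand, cbpop unchanged

var_dump(cbValidFresh($sample, CB_SECRET_KEY, $now));    // fresh link
var_dump(cbValidFresh($sample, CB_SECRET_KEY, $stale));  // copied link, past the window
var_dump(cbValidFresh($edited, CB_SECRET_KEY, $stale));  // 'time' edited to look fresh
```

On the thank you page, call `cbValidFresh($_GET, $key, time())` before any output and redirect with `header()` followed by `exit` when it returns false. A link passed around inside the window still works, so the window limits how long a copied URL is useful rather than preventing copying.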

If you need further protection or a full-featured ClickBank protection application that provides WAY more than just protecting your Thank You page, check out DLGuard. It’s definitely a full-featured software application and allows you to easily add products, completely secure them, add customers to your mailing lists, etc. Check out DL Guard here.

16 Responses to “Protect Your ClickBank "Thank You" Page”

  1. Sonny Mataka 6 May 2008 at 2:57 pm Permalink

    Hey, I have another great ClickBank protection product here: http://www.clickbankprotection.com. Let me ask you a question, though: would you pay $3 to protect $10,000? Let me know here

    http://www.clickbankprotection.com

    Reply

  2. Joe 2 June 2008 at 5:57 pm Permalink

    I use MS Front Page, and when I place the script you provided above, after I close the HTML view and re-open it, the script is moved into the top of the body section. Will it still work, or is there additional code that needs to be added so FrontPage won’t rearrange things once I close out of HTML view?
    Thanks, Joe.

    Reply

    admin reply on June 9th, 2008 7:18 am:

    The script should work fine. When adding a script, it doesn’t really matter where on the page it’s placed; sometimes it makes more sense to load it at the bottom (so the rest of the page loads first), but in this case it shouldn’t make a difference.

    Reply

  3. Karen Newton 21 October 2008 at 5:59 am Permalink

    Thanks for the quick and easy explanation and script, works perfectly.
    Karen

    Reply

    cdrees reply on October 21st, 2008 6:35 am:

    Hi Karen, thanks for the comment and glad I was able to help out! -Chris

    Reply

  6. Simon 9 January 2009 at 5:18 am Permalink

    I decided to try out ClickBank yesterday to leverage their affiliate network for a digital product. Instead of relying on the thank you page for anything, I’m using their “instant notification” option.

    When a sale is made, the ClickBank system notifies a URL on the seller’s site with details of the purchase. You can then set up a script to validate the incoming data (see the ClickBank documentation for a PHP example), and perform any actions needed – in my case, the creation of a new upgraded user on the site, and sending an email with their login details.

    With this approach, because all validation and actions are done at the notification url stage, when the user gets to the thank you page you don’t need to expose your product or any other sensitive data on that page.

    You can still show the user any data you want on the thank you page however, by saving the receipt string during the notification process, and then using the $_GET value given in the thank you url to select the information from your database again.

    Reply

  7. Vincent DErrico 20 January 2009 at 5:31 pm Permalink

    I copied the script and pasted it into my thankyou page and gave the page a .php extension. I changed ABCDE to my key and sendthemsomewhere.com to wiseh2o.com/error.html. The script did not work and I keep getting a Parse error. Any help would be appreciated.

    Reply

    admin reply on January 20th, 2009 9:48 pm:

    @Vincent DErrico, send me the pages you have, and I’ll take a look at them… you can send them to chris@teamrees.com

    Reply

  8. proper seo service 5 June 2009 at 6:41 pm Permalink

    Guys, don’t you think someone could view the source code and copy your secret key if this code is used?

    Reply

    admin reply on August 27th, 2009 9:16 pm:

    No, because the page with the key on it is never visible nor displayed… it’s just called from initial page.

    I would never say never, I guess anything is possible, but it’s not as easy as you might think… and it’s certainly more secure than using nothing at all.

    Reply

  9. lol 2 August 2009 at 2:59 pm Permalink

    Clearly you do not understand PHP proper seo service

    PHP is server-side.
    HTML is client-side.

    This code is PHP, which means – it is -not- displayed to the user.

    Reply

  10. pill 16 September 2009 at 3:32 pm Permalink

    There is a parse error in the script when I tried to paste it in the thank you page. Hopefully someone can help me.

    This is the exact error I’ve encountered.

    Parse error: syntax error, unexpected T_VARIABLE in /home/****/public_html/**********/*******443isdbxksncyromwgdx/index.php on line 4

    (I replaced my domain folders with asterisks for security purposes)

    Thanks!

    Reply

    steve reply on March 2nd, 2010 1:22 am:

    here is what makes it work.
    change line 4 from
    $xxpop=sha1(“$key|$rcpt|$time|$item”);
    to
    $xxpop=sha1($key|$rcpt|$time|$item);

    then change line 20 from

    header (“Location: http://www.blabla.com/blabla.php“);
    to
    header ('Location: http://www.blabla.com/blabla.php');

    it’s a simple syntax error

    i also got rid of

    exit;

    on line 21 and changed it to

    else
    header ('Location: http://www.blabla.com/blabla.php');

    here is the full code

    <?php // thankyou.php
    function cbValid($rcpt, $time, $item, $cbpop){
    $key='key';
    $xxpop=sha1($key|$rcpt|$time|$item);
    $xxpop=strtoupper(substr($xxpop,0,8));
    if ($cbpop==$xxpop){
    return 1;
    } else {
    return 0;
    }
    }
    // ===== Sanitize the input (only allow GET for security) =====
    $rcpt = trim(addslashes($_GET['cbreceipt']));
    $time = trim(addslashes($_GET['time']));
    $item = trim(addslashes($_GET['item']));
    $cbpop = trim(addslashes($_GET['cbpop']));
    // ===== Redirect if invalid and exit =====
    if (!cbValid($rcpt, $time, $item, $cbpop)) {
    // redirect
    header ('Location: http://www.blabla.com/blabla.php');
    else
    header ('Location: http://www.blablacom/blabla.php');
    }
    // no need to do an ELSE because the exit will terminate further processing
    // if a valid transaction is not confirmed
    // now have the thank you page html
    ?>

    Reply
