Protect Your ClickBank "Thank You" Page

by admin on April 11, 2008

Selling digital products on ClickBank is a great way to earn extra income, and link up with affiliates from all over the Internet.  When you first set up your account and create your sales page and thank you page, there really isn’t any security built in to keep people from trying to figure out your thank you page’s address, and going there directly, bypassing the ordering system.

When I was creating the download page for my Internet Safety for Parents ebook and video training series, I ran into some trouble trying to secure my thank you page.  If you are a parent and want a comprehensive training package (book and video series) teaching you how to protect your children from online dangers including hackers, scam artists, cyber-bullies, identity theft, online predators and more, check out the training.

PHP Protection Script

ClickBank’s site offers some basic scripts to protect your thank you page, but unfortunately for modern PHP sites, the use of global variables often doesn’t work.  Here is the script they offer on their site (that I couldn’t get to work):

function cbValid()
{ $key='YOUR SECRET KEY';
  $rcpt=$_REQUEST['cbreceipt'];
  $time=$_REQUEST['time'];
  $item=$_REQUEST['item'];
  $cbpop=$_REQUEST['cbpop'];

  $xxpop=sha1("$key|$rcpt|$time|$item");
  $xxpop=strtoupper(substr($xxpop,0,8));

  if ($cbpop==$xxpop) return 1;
  else return 0;
}
   

I couldn’t get that script to work, and from what I was able to figure out, it’s because they are assuming global variables are turned on, which is disabled by default in most later versions of PHP.  By specifying the variables in the code, I was able to get it to work.  The script recomputes the cbpop value from your secret key and the cbreceipt, time and item parameters, and compares it with the cbpop in the URL, so it checks that the person visiting the thank you page is coming from ClickBank’s site after making a purchase.  If they aren’t, you redirect them to another page.  Place this code at the very beginning of your thank you page, before any HTML.

<?php // thankyou.php
function cbValid($rcpt, $time, $item, $cbpop){
    $key='ABCDE'; // your ClickBank secret key
    $xxpop=sha1("$key|$rcpt|$time|$item");
    $xxpop=strtoupper(substr($xxpop,0,8)); // first 8 hex characters, upper-cased
    if (hash_equals($xxpop, $cbpop)){ // string compare (PHP 5.6+); == would compare numeric-looking strings as numbers
        return 1;
    } else {
        return 0;
    }
}
// ===== Sanitize the input (only allow GET for security) =====
$rcpt = trim(addslashes($_GET['cbreceipt']));
$time = trim(addslashes($_GET['time']));
$item = trim(addslashes($_GET['item']));
$cbpop = trim(addslashes($_GET['cbpop']));
// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
    // redirect
    header("Location: http://www.SendThemSomewhere.com/");
    exit;
}
// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed
// now have the thank you page html
?>

Full Protection Application

I suppose that still doesn’t stop someone from copying the full URL from a valid purchase and posting that out there somewhere, but you could add some additional variables to make it time out after a certain period of time.
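
One way to add the timeout mentioned above, as an added example that is not part of the original article or ClickBank's scripts: it keeps the cbpop check and then rejects links older than a chosen age. It assumes the time parameter is the order time in Unix epoch seconds; cbValidFresh, cbParam and both constants are hypothetical names.

```php
<?php
// Added example, not ClickBank's or the article's code.
// Assumption: `time` is the order time in Unix epoch seconds.
const CB_MAX_AGE = 3600;   // hypothetical policy: link valid for one hour
const CB_CLOCK_SKEW = 300; // hypothetical tolerance for clock differences

// Missing or array-valued parameters become '' so validation fails closed.
function cbParam(array $query, string $name): string {
    return (isset($query[$name]) && is_string($query[$name])) ? trim($query[$name]) : '';
}

function cbValidFresh(array $query, string $key, int $now): bool {
    $rcpt  = cbParam($query, 'cbreceipt');
    $time  = cbParam($query, 'time');
    $item  = cbParam($query, 'item');
    $cbpop = cbParam($query, 'cbpop');

    // Same proof-of-purchase computation as cbValid() in the article.
    $expected = strtoupper(substr(sha1("$key|$rcpt|$time|$item"), 0, 8));
    if (!hash_equals($expected, $cbpop)) {
        return false;
    }
    // `time` is part of the hashed string, so editing it in the URL
    // invalidates cbpop. Only a decimal timestamp can be aged.
    if (!ctype_digit($time)) {
        return false;
    }
    $age = $now - (int) $time;
    return $age >= -CB_CLOCK_SKEW && $age <= CB_MAX_AGE;
}

// Constructed sample request signed with the article's placeholder key.
$key   = 'ABCDE';
$query = ['cbreceipt' => 'TESTRCPT', 'time' => '1207900000', 'item' => '1'];
$query['cbpop'] = strtoupper(substr(sha1("$key|TESTRCPT|1207900000|1"), 0, 8));

var_dump(cbValidFresh($query, $key, 1207900600)); // checked 10 minutes after the order
var_dump(cbValidFresh($query, $key, 1207990000)); // same URL replayed a day later
$query['time'] = '1207989000';                    // visitor rewrites time, keeps old cbpop
var_dump(cbValidFresh($query, $key, 1207990000));
```

On the thank you page, call cbValidFresh($_GET, $key, time()) in place of cbValid() and keep the redirect and exit on failure. A shared URL still works inside the window; recording each receipt server-side, as the instant notification approach in the comments does, closes that gap.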

If you need further protection or a full featured ClickBank protection application that provides WAY more than just protecting your Thank You page, check out DLGuard.  It’s definitely a full-featured software application and allows you to easily add products, completely secure them, add customers to your mailing lists, etc.  Check out DL Guard here.

{ 16 comments… read them below or add one }

Sonny Mataka May 6, 2008 at 2:57 pm

Hey I Have another Great Click Bank Protection Product Here http://www.clickbankprotection.com, Let me ask you a question though? would you pay $3 dollars to protect $10,000?? Let me know here

http://www.clickbankprotection.com

Joe June 2, 2008 at 5:57 pm

I use MS Front Page, and when I place the script you provided above, after I close the html view and re-open it, the script is moved into the top of the body section. Will it still work, or is there additional code that needs to be added so FrontPage won’t rearrange things once I close out of html view?
Thanks, Joe.

admin June 9, 2008 at 7:18 am

The script should work fine. When adding a script, it doesn’t really matter where on the page it’s placed; sometimes it makes more sense to load it in the bottom (so the rest of the page loads first), but in this case it shouldn’t make a difference.

Karen Newton October 21, 2008 at 5:59 am

Thanks for the quick and easy explanation and script, works perfectly.
Karen

cdrees October 21, 2008 at 6:35 am

Hi Karen, thanks for the comment and glad I was able to help out! -Chris

Simon January 9, 2009 at 5:18 am

I decided to try out ClickBank yesterday to leverage their affiliate network for a digital product. Instead of relying on the thank you page for anything, I’m using their “instant notification” option.

When a sale is made, the ClickBank system notifies a URL on the seller’s site with details of the purchase. You can then set up a script to validate the incoming data (see ClickBank documentation for PHP example), and perform any actions needed – in my case, the creation of a new upgraded user on the site, and sending an email with their login details.

With this approach, because all validation and actions are done at the notification url stage, when the user gets to the thank you page you don’t need to expose your product or any other sensitive data on that page.

You can still show the user any data you want on the thank you page however, by saving the receipt string during the notification process, and then using the $_GET value given in the thank you url to select the information from your database again.

Vincent DErrico January 20, 2009 at 5:31 pm

I copied the script and pasted it into my thankyou page and gave the page a .php extension. I changed ABCDE to my key and sendthemsomewhere.com to wiseh2o.com/error.html. The script did not work and I keep getting a Parse error. Any help would be appreciated.

admin January 20, 2009 at 9:48 pm

@Vincent DErrico, send me the pages you have, and I’ll take a look at them… you can send them to chris@teamrees.com

proper seo service June 5, 2009 at 6:41 pm

Guys, don’t u think someone could view the source code and copy your secret key if this code is used?

lol August 2, 2009 at 2:59 pm

Clearly you do not understand PHP proper seo service

PHP is server-side.
HTML is client-side.

This code is PHP, which means – it is -not- displayed to the user.

admin August 27, 2009 at 9:16 pm

No, because the page with the key on it is never visible nor displayed… it’s just called from initial page.

I would never say never, I guess anything is possible, but it’s not as easy as you might think… and it’s certainly more secure than using nothing at all.

pill September 16, 2009 at 3:32 pm

There is a parse error on the script when I tried to paste it in the thank you page. Hopefully someone can help me.

This is the exact error I’ve encountered.

Parse error: syntax error, unexpected T_VARIABLE in /home/****/public_html/**********/*******443isdbxksncyromwgdx/index.php on line 4

(I replaced my domain folders to asterisk for security purposes)

Thanks!

steve March 2, 2010 at 1:22 am

here is what makes it work.
change line 4 from
$xxpop=sha1(“$key|$rcpt|$time|$item”);
to
$xxpop=sha1($key|$rcpt|$time|$item);

then change line 20 from

header (“Location: http://www.blabla.com/blabla.php“);
to
header ('Location: http://www.blabla.com/blabla.php');

it's a simple syntax error

I also got rid of

exit;

on line 21 and changed it to

else
header ('Location: http://www.blabla.com/blabla.php');

here is the full code

<?php // thankyou.php
function cbValid($rcpt, $time, $item, $cbpop){
$key=’key’;
$xxpop=sha1($key|$rcpt|$time|$item);
$xxpop=strtoupper(substr($xxpop,0,8));
if ($cbpop==$xxpop){
return 1;
} else {
return 0;
}
}
// ===== Sanitize the input (only allow GET for security) =====
$rcpt = trim(addslashes($_GET['cbreceipt']));
$time = trim(addslashes($_GET['time']));
$item = trim(addslashes($_GET['item']));
$cbpop = trim(addslashes($_GET['cbpop']));
// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
// redirect
header ('Location: http://www.blabla.com/blabla.php');
else
header ('Location: http://www.blablacom/blabla.php');
}
// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed
// now have the thank you page html
?>

of mesothelioma August 2, 2010 at 8:51 pm

Thanks for writing this article – I've as of yet heard very little about Windows Mobile 6, so it was nice to read about it.
