Protect Your ClickBank "Thank You" Page
Selling digital products on ClickBank is a great way to earn extra income, and link up with affiliates from all over the Internet. When you first set up your account and create your sales page and thank you page, there really isn’t any security built in to keep people from trying to figure out your thank you page’s address, and going there directly, bypassing the ordering system.
When I was creating the download page for my Internet Safety for Parents ebook and video training series, I ran into some trouble trying to secure my thank you page. If you are a parent and want a comprehensive training package (book and video series) teaching you how to protect your children from online dangers including hackers, scam artists, cyber-bullies, identity theft, online predators and more, check out the training.
PHP Protection Script
ClickBank’s site offers some basic scripts to protect your thank you page, but unfortunately for modern PHP sites, the use of global variables often doesn’t work. Here is the script they offer on their site (that I couldn’t get to work):
function cbValid()
{
    $key='YOUR SECRET KEY';
    $rcpt=$_REQUEST['cbreceipt'];
    $time=$_REQUEST['time'];
    $item=$_REQUEST['item'];
    $cbpop=$_REQUEST['cbpop'];
    $xxpop=sha1("$key|$rcpt|$time|$item");
    $xxpop=strtoupper(substr($xxpop,0,8));
    if ($cbpop==$xxpop) return 1;
    else return 0;
}
I couldn’t get that script to work, and from what I was able to figure out, it’s because they are assuming global variables are turned on, which is disabled by default in most later versions of PHP. By specifying the variables in the code, I was able to get it to work. So this basically checks to make sure the person visiting the thank you page is coming from ClickBank’s site after making a purchase. If they aren’t, you redirect them to another page. Place this code at the very beginning of your thank you page, before any HTML.
<?php // thankyou.php
function cbValid($rcpt, $time, $item, $cbpop){
    $key='ABCDE'; // your ClickBank secret key (straight quotes, not typographic ones)
    $xxpop=sha1("$key|$rcpt|$time|$item"); // the | characters are literal separators inside the string
    $xxpop=strtoupper(substr($xxpop,0,8));
    if (hash_equals($xxpop, $cbpop)){ // exact string comparison; == would compare values like "0E123456" as numbers
        return 1;
    } else {
        return 0;
    }
}
// ===== Sanitize the input (only allow GET for security) =====
// A missing parameter becomes an empty string, so no warning is printed before header()
$rcpt = trim(addslashes($_GET['cbreceipt'] ?? ''));
$time = trim(addslashes($_GET['time'] ?? ''));
$item = trim(addslashes($_GET['item'] ?? ''));
$cbpop = trim(addslashes($_GET['cbpop'] ?? ''));
// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
    // redirect
    header('Location: http://www.SendThemSomewhere.com/');
    exit;
}
// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed
// now have the thank you page html
?>
Full Protection Application
I suppose that still doesn’t stop someone from copying the full URL from a valid purchase and posting that out there somewhere, but you could add some additional variables to make it time out after a certain period of time.
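The timeout mentioned above can be enforced with the `time` value, which is already part of the hashed string and so cannot be edited without invalidating `cbpop`. This is an added example, not ClickBank's code or the script above; it assumes `time` is a Unix timestamp in seconds, and `cbValidFresh`, the constants and the sample values are hypothetical.

```php
<?php
// Added example (not ClickBank's code). Assumption: `time` is a Unix timestamp in seconds.
const CB_SECRET = 'ABCDE';      // placeholder key, as in the script above
const MAX_AGE_SECONDS = 3600;   // hypothetical: links stop working after one hour
const CLOCK_SKEW_SECONDS = 300; // hypothetical tolerance for clock differences

function cbExpectedPop(string $key, string $rcpt, string $time, string $item): string
{
    return strtoupper(substr(sha1("$key|$rcpt|$time|$item"), 0, 8));
}

function cbValidFresh(array $query, int $now, string $key = CB_SECRET): bool
{
    // Every parameter must be present and a plain string (rejects cbpop[]=x style arrays).
    foreach (['cbreceipt', 'time', 'item', 'cbpop'] as $name) {
        if (!isset($query[$name]) || !is_string($query[$name])) {
            return false;
        }
    }
    // Check the signature first: only then is `time` known to be untampered.
    $expected = cbExpectedPop($key, $query['cbreceipt'], $query['time'], $query['item']);
    if (!hash_equals($expected, $query['cbpop'])) {
        return false;
    }
    if (!ctype_digit($query['time'])) {
        return false;
    }
    $age = $now - (int) $query['time'];
    return $age >= -CLOCK_SKEW_SECONDS && $age <= MAX_AGE_SECONDS;
}

// Constructed sample values, for illustration only.
$sample = ['cbreceipt' => 'TESTRCPT', 'time' => '1700000000', 'item' => '1'];
$sample['cbpop'] = cbExpectedPop(CB_SECRET, 'TESTRCPT', '1700000000', '1');
$tampered = ['time' => '1700086000'] + $sample; // later time, old cbpop

var_dump(cbValidFresh($sample, 1700000600));   // ten minutes after the order
var_dump(cbValidFresh($sample, 1700086400));   // same URL reused a day later
var_dump(cbValidFresh($tampered, 1700086400)); // time edited to look recent
```

On the thank you page the call would be `cbValidFresh($_GET, time())`, followed by the same redirect and `exit` when it returns false.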
If you need further protection or a full-featured ClickBank protection application that provides WAY more than just protecting your Thank You page, check out DLGuard. It’s definitely a full-featured software application and allows you to easily add products, completely secure them, add customers to your mailing lists, etc. Check out DL Guard here.


Hey I Have another Great Click Bank Protection Product Here http://www.clickbankprotection.com, Let me ask you a question though? would you pay $3 dollars to protect $10,000?? Let me know here
http://www.clickbankprotection.com
Reply
I use MS Front Page, and when I place the script you provided above, after I close the html view and re-open it, the script is moved into the top of the body section. Will it still work, or is there additional code that needs to be added so FrontPage won’t rearrange things once I close out of html view?
Thanks, Joe.
Reply
admin reply on June 9th, 2008 7:18 am:
The script should work fine.. When adding a script, it doesn’t really matter where on the page it’s placed, sometimes it makes more sense to load it in the bottom (so the rest of the page loads first) but in this case it shouldn’t make a difference.
Reply
Thanks for the quick and easy explanation and script, works perfectly.
Karen
Reply
cdrees reply on October 21st, 2008 6:35 am:
Hi Karen, thanks for the comment and glad I was able to help out! -Chris
Reply
I decided to try out ClickBank yesterday to leverage their affiliate network for a digital product. Instead of relying on the thank you page for anything, I’m using their “instant notification” option.
When a sale is made, the clickbank system notifies a url on the seller’s site with details of the purchase. You can then setup a script to validate the incoming data (see clickbank documentation for php example), and perform any actions needed – in my case, the creation of a new upgraded user on the site, and sending an email with their login details.
With this approach, because all validation and actions are done at the notification url stage, when the user gets to the thank you page you don’t need to expose your product or any other sensitive data on that page.
You can still show the user any data you want on the thank you page however, by saving the receipt string during the notification process, and then using the $_GET value given in the thank you url to select the information from your database again.
Reply
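The lookup described in the comment above, shown from the thank you page's side as an added example (not the commenter's code and not from ClickBank's documentation). The `sales` table, the function names, the receipt pattern and the use of SQLite through PDO are assumptions; validating the notification itself is left to the ClickBank documentation the comment refers to.

```php
<?php
// Added example. Table, function names and receipt pattern are hypothetical.
function openStore(): PDO
{
    $db = new PDO('sqlite::memory:'); // in-memory database so the example runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sales (
        receipt    TEXT PRIMARY KEY,
        item       TEXT NOT NULL,
        email      TEXT NOT NULL,
        created_at INTEGER NOT NULL)');
    return $db;
}

// Called by the notification URL handler, only after it has validated the notification.
function recordSale(PDO $db, string $receipt, string $item, string $email, int $now): void
{
    $stmt = $db->prepare(
        'INSERT OR IGNORE INTO sales (receipt, item, email, created_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$receipt, $item, $email, $now]);
}

// Called by the thank you page. The receipt comes from the URL, so it is untrusted:
// it is format-checked, bound as a parameter, and only non-sensitive columns are returned.
function thankYouData(PDO $db, array $query): ?array
{
    $receipt = $query['cbreceipt'] ?? null;
    if (!is_string($receipt) || !preg_match('/^[A-Za-z0-9-]{1,32}$/', $receipt)) {
        return null;
    }
    $stmt = $db->prepare('SELECT item, created_at FROM sales WHERE receipt = ?');
    $stmt->execute([$receipt]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data, for illustration only.
$db = openStore();
recordSale($db, 'TESTRCPT', '1', 'buyer@example.com', 1700000000);

var_dump(thankYouData($db, ['cbreceipt' => 'TESTRCPT']));      // known receipt
var_dump(thankYouData($db, ['cbreceipt' => "x' OR '1'='1"]));  // malformed value
var_dump(thankYouData($db, ['cbreceipt' => 'UNKNOWN1']));      // never recorded
```

Because the receipt in the URL can be copied and shared, the page returns only the item and order time; login details and download access stay with the e-mail sent from the notification step.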
I copied the script and pasted it into my thankyou page and gave the page a .php extension. I changed ABCDE to my key and sendthemsomewhere.com to wiseh2o.com/error.html. The script did not work and I keep getting a Parse error. Any help would be appreciated.
Reply
admin reply on January 20th, 2009 9:48 pm:
@Vincent DErrico, send me the pages you have, and I’ll take a look at them… you can send them to chris@teamrees.com
Reply
Guys, don’t u think someone could view the source code and copy your secret key if this code is used?
Reply
admin reply on August 27th, 2009 9:16 pm:
No, because the page with the key on it is never visible nor displayed… it’s just called from initial page.
I would never say never, I guess anything is possible, but it’s not as easy as you might think… and it’s certainly more secure than using nothing at all.
Reply
Clearly you do not understand PHP proper seo service
PHP is server-side.
HTML is client-side.
This code is PHP, which means – it is -not- displayed to the user.
Reply
There is a parse error on the script when I tried to paste it in the thank you page. Hopefully someone can help me.
This is the exact error I’ve encountered.
Parse error: syntax error, unexpected T_VARIABLE in /home/****/public_html/**********/*******443isdbxksncyromwgdx/index.php on line 4
(I replaced my domain folders to asterisk for security purposes)
Thanks!
Reply
steve reply on March 2nd, 2010 1:22 am:
here is what makes it work.
change line 4 from
$xxpop=sha1(“$key|$rcpt|$time|$item”);
to
$xxpop=sha1($key|$rcpt|$time|$item);
then change line 20 from
header (“Location: http://www.blabla.com/blabla.php“);
to
header ('Location: http://www.blabla.com/blabla.php');
it's a simple syntax error
I also got rid of
exit;
on line 21 and changed it to
else
header ('Location: http://www.blabla.com/blabla.php');
here is the full code
<?php // thankyou.php
function cbValid($rcpt, $time, $item, $cbpop){
    $key='key';
    $xxpop=sha1($key|$rcpt|$time|$item);
    $xxpop=strtoupper(substr($xxpop,0,8));
    if ($cbpop==$xxpop){
        return 1;
    } else {
        return 0;
    }
}
// ===== Sanitize the input (only allow GET for security) =====
$rcpt = trim(addslashes($_GET['cbreceipt']));
$time = trim(addslashes($_GET['time']));
$item = trim(addslashes($_GET['item']));
$cbpop = trim(addslashes($_GET['cbpop']));
// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
    // redirect
    header ('Location: http://www.blabla.com/blabla.php');
} else {
    header ('Location: http://www.blablacom/blabla.php');
}
// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed
// now have the thank you page html
?>
Reply
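The parser error quoted in the comments ("unexpected T_VARIABLE ... on line 4") is what PHP reports when a string is wrapped in typographic quotes (“ ”) rather than straight ones, since PHP does not treat those characters as string delimiters. The added example below (not code from the post or from any commenter; function names and sample values are hypothetical) finds such characters in pasted source, and shows that the `|` separators must stay inside a quoted string: outside quotes `|` is PHP's bitwise OR operator, so a different value gets hashed.

```php
<?php
// Added example. Function names and sample values are hypothetical.

// Return [line number => typographic quotes found] for a piece of PHP source.
function findTypographicQuotes(string $source): array
{
    $hits = [];
    foreach (preg_split('/\R/u', $source) as $i => $line) {
        if (preg_match_all('/[\x{2018}\x{2019}\x{201C}\x{201D}]/u', $line, $m)) {
            $hits[$i + 1] = implode(' ', $m[0]);
        }
    }
    return $hits;
}

// Constructed sample: two lines as they look after a blog engine "prettified" the quotes.
$pasted = <<<'SRC'
$key=’ABCDE’;
$xxpop=sha1(“$key|$rcpt|$time|$item”);
SRC;

foreach (findTypographicQuotes($pasted) as $lineNo => $found) {
    echo "line $lineNo: replace $found with straight quotes\n";
}

// Constructed values showing why the pipes belong inside the quoted string.
$key = 'ABCDE'; $rcpt = 'TESTRCPT'; $time = '1700000000'; $item = '1';
$joined = "$key|$rcpt|$time|$item";     // literal "|" separators, as the script intends
$ored   = $key | $rcpt | $time | $item; // bitwise OR of the strings' bytes
var_dump($joined === $ored);
var_dump(sha1($joined) === sha1($ored));
```

Running the scan over a file before uploading it catches the substitution regardless of which editor or web page the code was copied from.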
Thanks for writing this article – I've as of yet heard very little about Windows Mobile 6, so it was nice to read about it.
Reply