Selling digital products on ClickBank is a great way to earn extra income, and link up with affiliates from all over the Internet. When you first set up your account and create your sales page and thank you page, there really isn’t any security built in to keep people from trying to figure out your thank you page’s address, and going there directly, bypassing the ordering system.
When I was creating the download page for my Internet Safety for Parents ebook and video training series, I ran into some trouble trying to secure my thank you page. If you are a parent and want a comprehensive training package (book and video series) teaching you how to protect your children from online dangers including hackers, scam artists, cyber-bullies, identity theft, online predators and more, check out the training.
PHP Protection Script
ClickBank’s site offers some basic scripts to protect your thank you page, but unfortunately for modern PHP sites, the use of global variables often doesn’t work. Here is the script they offer on their site (that I couldn’t get to work):
function cbValid()
{
    $key='YOUR SECRET KEY';
    $rcpt=$_REQUEST['cbreceipt'];
    $time=$_REQUEST['time'];
    $item=$_REQUEST['item'];
    $cbpop=$_REQUEST['cbpop'];
    $xxpop=sha1("$key|$rcpt|$time|$item");
    $xxpop=strtoupper(substr($xxpop,0,8));
    if ($cbpop==$xxpop) return 1;
    else return 0;
}
I couldn’t get that script to work, and from what I was able to figure out, it’s because they are assuming global variables are turned on, which is disabled by default in most later versions of PHP. By specifying the variables in the code, I was able to get it to work. So this basically checks to make sure the person visiting the thank you page is coming from ClickBank’s site after making a purchase. If they aren’t, you redirect them to another page. Place this code at the very beginning of your thank you page, before any HTML.
<?php // thankyou.php
function cbValid($rcpt, $time, $item, $cbpop){
    $key='ABCDE'; // your ClickBank secret key
    // Recompute the proof of purchase: first 8 hex characters of the SHA-1, uppercased
    $xxpop=sha1("$key|$rcpt|$time|$item");
    $xxpop=strtoupper(substr($xxpop,0,8));
    // hash_equals() compares as strings; == would treat values such as "0E123456" as numbers
    if (hash_equals($xxpop, $cbpop)){
        return 1;
    } else {
        return 0;
    }
}
// ===== Sanitize the input (only allow GET for security) =====
// ?? '' avoids a warning (output sent before header()) when a parameter is missing
$rcpt = trim(addslashes($_GET['cbreceipt'] ?? ''));
$time = trim(addslashes($_GET['time'] ?? ''));
$item = trim(addslashes($_GET['item'] ?? ''));
$cbpop = trim(addslashes($_GET['cbpop'] ?? ''));
// ===== Redirect if invalid and exit =====
if (!cbValid($rcpt, $time, $item, $cbpop)) {
    // redirect
    header("Location: http://www.SendThemSomewhere.com/");
    exit;
}
// no need to do an ELSE because the exit will terminate further processing
// if a valid transaction is not confirmed
// now have the thank you page html
?>
Full Protection Application
I suppose that still doesn’t stop someone from copying the full URL from a valid purchase and posting that out there somewhere, but you could add some additional variables to make it time out after a certain period of time.
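One way to add the time-out mentioned above, as an added example that is not part of the original post or ClickBank's code. The function name cbValidFresh and its parameters are hypothetical, and it assumes the time parameter is the order time in Unix epoch seconds; because time is part of the hashed string, changing it in the URL invalidates cbpop.

```php
<?php
// Added example (hypothetical helper, not ClickBank's or the post's code).
// Assumption: the `time` parameter is the order time in Unix epoch seconds.
function cbValidFresh(array $q, string $key, int $maxAge = 3600, ?int $now = null): bool
{
    $now  = $now ?? time();
    $skew = 300; // tolerate a few minutes of clock difference between servers

    // Every parameter must be present and a plain string (?cbpop[]=x yields an array).
    foreach (['cbreceipt', 'time', 'item', 'cbpop'] as $name) {
        if (!isset($q[$name]) || !is_string($q[$name])) {
            return false;
        }
    }

    // Same proof-of-purchase computation as the script above.
    $expected = strtoupper(substr(
        sha1("$key|{$q['cbreceipt']}|{$q['time']}|{$q['item']}"), 0, 8));
    if (!hash_equals($expected, $q['cbpop'])) {
        return false;
    }

    // The hash has been verified, so `time` is the value ClickBank signed.
    if (!ctype_digit($q['time'])) {
        return false;
    }
    $age = $now - (int) $q['time'];
    return $age >= -$skew && $age <= $maxAge;
}

// Constructed sample values (not a real order), with the key from the script above.
$key = 'ABCDE';
$q = ['cbreceipt' => 'TESTRCPT', 'time' => '1210000000', 'item' => '1'];
$q['cbpop'] = strtoupper(substr(sha1("$key|TESTRCPT|1210000000|1"), 0, 8));

var_dump(cbValidFresh($q, $key, 3600, 1210000600)); // checked 10 minutes after the order
var_dump(cbValidFresh($q, $key, 3600, 1210090000)); // same URL checked about a day later
```

On the real thank you page, pass $_GET as the first argument and redirect when the function returns false; a buyer who returns after the window would need another way to reach the download.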
If you need further protection or a full-featured ClickBank protection application that provides WAY more than just protecting your Thank You page, check out DLGuard. It’s definitely a full-featured software application and allows you to easily add products, completely secure them, add customers to your mailing lists, etc. Check out DL Guard here.

May 6th, 2008 at 2:57 pm
Hey, I have another great Click Bank protection product here: http://www.clickbankprotection.com. Let me ask you a question, though: would you pay $3 to protect $10,000? Let me know here:
http://www.clickbankprotection.com
June 2nd, 2008 at 5:57 pm
I use MS Front Page, and when I place the script you provided above, after I close the HTML view and re-open it, the script is moved into the top of the body section. Will it still work, or is there additional code that needs to be added so FrontPage won’t rearrange things once I close out of HTML view?
Thanks, Joe.
admin reply on June 9th, 2008 7:18 am:
The script should work fine. When adding a script, it doesn’t really matter where on the page it’s placed; sometimes it makes more sense to load it in the bottom (so the rest of the page loads first), but in this case it shouldn’t make a difference.