Clickbank Security Using PHP

Written by Robert Plank

Here's a way to protectrepparttar products you sell with Clickbank, using their built-in protection and by implementing a 30-day expiration, all without having to worry about managing databases or customer lists.


First of all, Clickbank protection is decent as it is. If you want to keep your customers from passingrepparttar 107756 thank you page URL around to friends, there are a couple of things you can do.

Login to your Clickbank account:

Atrepparttar 107757 top there's a link that says "Click HERE to modify your account". Click onrepparttar 107758 link.

On this page there are two links atrepparttar 107759 top, but one says "Click HERE to modify your account." Click on this one.

You should be atrepparttar 107760 page that allows you to editrepparttar 107761 prices of all your Clickbank products. Scroll down torepparttar 107762 bottom where it says:

Secret key (up to 16 letters & digits)

You should see a text box here. If it's empty, choose a secret key, type it in and remember it. It can be anything you want, but it should be different than your Clickbank password.


If you've looked aroundrepparttar 107763 Clickbank site you'd know that Clickbank offers some friendly pieces of code in a few different programming languages like Perl and PHP that can help you protect your downloads. Basically this is what happens:

* Your order link contains what's called a "seed". This is just a word or a piece of text, which can be anything you want.

* Your customer clicks onrepparttar 107764 order link and pays.

* Clickbank takes that seed, and uses your secret key on it -- basically mashesrepparttar 107765 two together and does a bunch of crazy stuff to come up with a garbled piece of junk. But this a garbled piece of junk that can ONLY come from this seed and secret key. You changerepparttar 107766 value ofrepparttar 107767 seed or secret key even a little and this "hash" changes.

* The seed andrepparttar 107768 hash are passed back torepparttar 107769 thank you page where your Clickbank script sits. (We haverepparttar 107770 secret key added to your script, and it never changes, so it doesn't need to be handed to us by Clickbank.) This Clickbank script takesrepparttar 107771 seed andrepparttar 107772 secret key and doesrepparttar 107773 same crazy shit Clickbank did to us to compute your own hash.

Clickbank calls this their "cbpop" or Clickbank Proof of Purchase.

The hash was something we figured out on your own andrepparttar 107774 hash Clickbank are compared. If they match, we're in business becauserepparttar 107775 customer here really did buy from us.. The customer can't figure this out on his or her own because they never actually sawrepparttar 107776 secret key. (And no, you can't "reverse" a hash to figure outrepparttar 107777 original secret key.)

If you get nothing out of what I just told you, remember this: it's almost impossible for anyone to figure outrepparttar 107778 right Proof of Purchase code without that secret key.


This isrepparttar 107779 PHP function they give us:

function cbValid($seed, $cbpop, $secret_key) { // A bunch of stuff in here... }

This function cbValid takes three parameters: $seed, $cbpop, and $secret_key. The script goes through that last step of ours I explained above, doesrepparttar 107780 crazy shit and then comparesrepparttar 107781 result torepparttar 107782 one given to us by Clickbank.

Now we need to figure out what to do if your customer really didn't pay. The easiest thing to do, is just stoprepparttar 107783 script in its tracks, preventingrepparttar 107784 page under it from loading.

if (!cbValid($seed, $cbpop, $secret_key)) die();

The exclamation point means "not". We're saying, first try this...

cbValid($seed, $cbpop, $secret_key)

... passrepparttar 107785 seed, proof of purchase, and secret key into your black box. Ifrepparttar 107786 function tells us NO, dorepparttar 107787 rest. In this case, "die". Die stops everything immediately, so if you have HTML or PHP code below that line, it won't be looked at ifrepparttar 107788 Clickbank validation fails.

The "proper" way to grab $seed fromrepparttar 107789 query string is this way:

if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) die();

You could also redirectrepparttar 107790 user to an error page of yours if you like:

if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) { header("Location:"); die(); }

Instead of $seed and $cbpop we use $_GET["seed"] and $_GET["cbpop"]. This is becauserepparttar 107791 variables don't appear magically out of thin air, they really appear inrepparttar 107792 URL as http://www.your.url est.php?seed=SOMESEED&cbpop=SOMEPOP. We want these values to be taken out ofrepparttar 107793 URL.


Here's a zip file containing your cb.php script: utorials/clickbank/

Save it, unzip it, and open cb.php. Nearrepparttar 107794 top should be a line such as:

$secret_key = "YOUR_SECRET_KEY";

Change YOUR_SECRET_KEY to that secret key you set inrepparttar 107795 Clickbank control panel.

Now, for usage... your thank you pages will have to end in .php here. Like, thankyou.php (and now it doesn't matter if they have obvious names or not -- because they'll be thoroughly inaccessible to thieves. Remember, you can simply rename your HTML pages so they end in .php and they'll still work just fine.

Put this line atrepparttar 107796 top of you thank you page script:

Be sure to upload cb.php torepparttar 107797 same folder as your thank you page. Now, when someone goes torepparttar 107798 thank you page,repparttar 107799 first thingrepparttar 107800 thank you script will do is run everything in cb.php, and cb.php will takerepparttar 107801 data Clickbank has passed to see if it matches.

You're going to have to change your Clickbank order links a little. This is what they should look like now:

Replace YOUR_CLICKBANK_ID with, of course, your Clickbank ID and YOUR_SEED withrepparttar 107802 seed you want to use. This can be anything, something simple that's short and one word likerepparttar 107803 product name. But NOT your secret key.

YOUR_PRODUCT_ID isrepparttar 107804 number Clickbank shows torepparttar 107805 left of each thank you page as you add it. When you're testing, be sure to setrepparttar 107806 price at $0.00. Once everything's in place you can raiserepparttar 107807 price ofrepparttar 107808 item to $19.95 or $29.95 or whatever it's priced at. will explain everything if you're a Clickbank newbie.


You can't prevent sharing completely... after all, your customer can always downloadrepparttar 107809 file and sharerepparttar 107810 file, notrepparttar 107811 download URL, to friends. We can do one thing to give these would-be freeloaders a bit of a headache, and that is expiration.

HTACCESS Wrappers with PHP

Written by Robert Plank

HTACCESS is a remarkable tool you can use for password protection, error handling (like custom 404 pages), or HTTP redirects. It can also be used to transform whole folders in seconds: adding headers to all your HTML documents, watermarking all your images, and more.

A wrapper is like a middleman. Using htaccess you can tell your web server to "forward" certain files to PHP scripts of yours. When a visitor tries to load an image in their browser, you could activate a script that adds a watermark torepparttar image. When an HTML page is loaded you could query an IP-to-country database and have your HTML pages translated intorepparttar 107755 native language of your visitor's country-of-origin.

Every file in a folder, or all files of a certain type in a folder, can be instructed to go through a PHP script.


Pretend you host several affiliate sites, or a full-blown hosting service like Geocities. Most sites running on free hosting services have some kind of advertisementrepparttar 107756 owners use to generate revenue. These aren't applied voluntarily byrepparttar 107757 users of these services. The ads don't even show up on their source files, just when displayed onrepparttar 107758 web.

It's possible to replicate this feature using less than 10 lines of PHP and htaccess code. To start off, make a folder on your web host called "header". Create a new text file and enterrepparttar 107759 following:

AddHandler headered .htm AddHandler headered .html

Action headered /header/header.php

This designates files withrepparttar 107760 extension ".htm" and ".html" to a type called "headered". The name "headered" can really be anything, it's just a way of labeling a group of files. The last line there tellsrepparttar 107761 web server that if any ofrepparttar 107762 file types inrepparttar 107763 group called "headered" are called, we should instead executerepparttar 107764 script "/header/header.php". This isrepparttar 107765 relative path, so if your URL is, this will run

That's all you've got to do forrepparttar 107766 htaccess file. Save that as "htaccess.txt" -- we'll get back to it later.

Forrepparttar 107767 actual wrapper, create a new text file withrepparttar 107768 standard tags, then assign your header and footer file names to variables called $header and $footer.

$header = "header.html"; $footer = "footer.html";

Redirecting a user to our script doesn't pass its contents to it, justrepparttar 107769 filename. If you call phpinfo() in your script and scroll torepparttar 107770 bottom you can see allrepparttar 107771 server variables which give usrepparttar 107772 name. The element "REQUEST_URI" in $_SERVER gives usrepparttar 107773 relative path (/header/sample.html), but we wantrepparttar 107774 full system path since we're going to be readingrepparttar 107775 actual file (/home/username/wwwroot/, which is "PATH_TRANSLATED".


The name ofrepparttar 107776 file that just tried to be shown is now stored inrepparttar 107777 variable $file. Three simple things are left: outputrepparttar 107778 header, outputrepparttar 107779 actual file, then outputrepparttar 107780 footer.

readfile($header); readfile($file); readfile($footer);

That's it. Here'srepparttar 107781 entire header.php file:

$header = "header.html"; $footer = "footer.html";

$file = $_SERVER["PATH_TRANSLATED"]; readfile($header); readfile($file); readfile($footer);


All that, in just nine lines of code. Download it here: utorials/wrapper/

That containsrepparttar 107782 htaccess file and PHP wrapper script, along with a sample header, footer, and a test page. Upload all five files to your web host, chmod htaccess.txt to 0755 then rename it to ".htaccess". It might disappear from your directory listing which is okay, it should still be there.

Load, in your browser,repparttar 107783 copy of sample.html residing on your web server. The text "This is my header" should appear atrepparttar 107784 top while "This is my footer" should show onrepparttar 107785 bottom. If you open uprepparttar 107786 actual file called sample.html, you'll see that these actually aren't there. They've been added in byrepparttar 107787 script all HTML files inrepparttar 107788 folder "header" must now pass through.

This is how wrappers work. Certain things, like adding custom headers and footers are done "onrepparttar 107789 fly" without modifying your original file. You'll getrepparttar 107790 same effect if you create other HTML files and upload them to this folder.

Files without ".html" or ".htm" extensions, such as text files or images, won't show these headers or footers. This is a good thing because text files aren't part ofrepparttar 107791 presentation on a web site and adding extra text to images will corrupt them. It affects all HTML files within your /headers folder, and none ofrepparttar 107792 files outside of it.

If you wanted, you could add or remove any file extensions you want, just by adding or taking away those "AddHandler" lines.

To get everything back to normal, either delete your .htaccess file or upload a blank .htaccess file in that folder, and all will be well again.


The same basic formula can be applied again for other uses -- HTTP compression, for example. This was an idea that used to be impractical because computers ran at slower speeds, and is now obsolete because of broadband technologies (DSL and cable).

It works like this: when an HTML page is loaded,repparttar 107793 web server instead givesrepparttar 107794 visitor a zipped or compressed version of that page. The visitor downloads that file, which of course takes up less space thanrepparttar 107795 real thing and downloads in less time, then unzips it and displaysrepparttar 107796 original page.

In this age of lighting fast DSL lines, there's almost no noticeable difference. However, if you have a site that hosts large files whose audience is mostly dialup users, it might be something to look into.

Make a new folder called "compress". Create your htaccess file again, just as before, but setrepparttar 107797 extensions to include .htm, .html, and .txt. (The group name, folder name, and script name have nothing to do with one another, you can name any of these whatever you like -- I just like things to match.)

Our wrapper script for this should be called "compress.php". That's what I'm naming mine. This meansrepparttar 107798 htaccess file you have should look as follows:

AddHandler compress .html AddHandler compress .htm AddHandler compress .txt

Action compress /compress/compress.php

If our wrapper were simply going to pass throughrepparttar 107799 file (in other words, just read its contents into a variable and display it), our handler script would look like this:

Cont'd on page 2 ==> © 2005
Terms of Use