Here's a way to protect products you sell with Clickbank, using their built-in protection and by implementing a 30-day expiration, all without having to worry about managing databases or customer lists.THE FIRST STEP
First of all, Clickbank protection is decent as it is. If you want to keep your customers from passing thank you page URL around to friends, there are a couple of things you can do.
Login to your Clickbank account: http://www.clickbank.com/login.html
At top there's a link that says "Click HERE to modify your account". Click on link.
On this page there are two links at top, but one says "Click HERE to modify your account." Click on this one.
You should be at page that allows you to edit prices of all your Clickbank products. Scroll down to bottom where it says:
Secret key (up to 16 letters & digits)
You should see a text box here. If it's empty, choose a secret key, type it in and remember it. It can be anything you want, but it should be different than your Clickbank password.
"COOKIE CUTTER" TOOLS
If you've looked around Clickbank site you'd know that Clickbank offers some friendly pieces of code in a few different programming languages like Perl and PHP that can help you protect your downloads. Basically this is what happens:
* Your order link contains what's called a "seed". This is just a word or a piece of text, which can be anything you want.
* Your customer clicks on order link and pays.
* Clickbank takes that seed, and uses your secret key on it -- basically mashes two together and does a bunch of crazy stuff to come up with a garbled piece of junk. But this a garbled piece of junk that can ONLY come from this seed and secret key. You change value of seed or secret key even a little and this "hash" changes.
* The seed and hash are passed back to thank you page where your Clickbank script sits. (We have secret key added to your script, and it never changes, so it doesn't need to be handed to us by Clickbank.) This Clickbank script takes seed and secret key and does same crazy shit Clickbank did to us to compute your own hash.
Clickbank calls this their "cbpop" or Clickbank Proof of Purchase.
The hash was something we figured out on your own and hash Clickbank are compared. If they match, we're in business because customer here really did buy from us.. The customer can't figure this out on his or her own because they never actually saw secret key. (And no, you can't "reverse" a hash to figure out original secret key.)
If you get nothing out of what I just told you, remember this: it's almost impossible for anyone to figure out right Proof of Purchase code without that secret key.
USING SOMEONE ELSE'S CODE
This is PHP function they give us:
function cbValid($seed, $cbpop, $secret_key) { // A bunch of stuff in here... }
This function cbValid takes three parameters: $seed, $cbpop, and $secret_key. The script goes through that last step of ours I explained above, does crazy shit and then compares result to one given to us by Clickbank.
Now we need to figure out what to do if your customer really didn't pay. The easiest thing to do, is just stop script in its tracks, preventing page under it from loading.
if (!cbValid($seed, $cbpop, $secret_key)) die();
The exclamation point means "not". We're saying, first try this...
cbValid($seed, $cbpop, $secret_key)
... pass seed, proof of purchase, and secret key into your black box. If function tells us NO, do rest. In this case, "die". Die stops everything immediately, so if you have HTML or PHP code below that line, it won't be looked at if Clickbank validation fails.
The "proper" way to grab $seed from query string is this way:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) die();
You could also redirect user to an error page of yours if you like:
if (!cbValid($_GET["seed"], $_GET["cbpop"], $secret_key)) { header("Location:http://www.your.host/error.html"); die(); }
Instead of $seed and $cbpop we use $_GET["seed"] and $_GET["cbpop"]. This is because variables don't appear magically out of thin air, they really appear in URL as http://www.your.url est.php?seed=SOMESEED&cbpop=SOMEPOP. We want these values to be taken out of URL.
USE MINE
Here's a zip file containing your cb.php script: http://www.jumpx.com utorials/clickbank/cb.zip
Save it, unzip it, and open cb.php. Near top should be a line such as:
$secret_key = "YOUR_SECRET_KEY";
Change YOUR_SECRET_KEY to that secret key you set in Clickbank control panel.
Now, for usage... your thank you pages will have to end in .php here. Like, thankyou.php (and now it doesn't matter if they have obvious names or not -- because they'll be thoroughly inaccessible to thieves. Remember, you can simply rename your HTML pages so they end in .php and they'll still work just fine.
Put this line at top of you thank you page script:
Be sure to upload cb.php to same folder as your thank you page. Now, when someone goes to thank you page, first thing thank you script will do is run everything in cb.php, and cb.php will take data Clickbank has passed to see if it matches.
You're going to have to change your Clickbank order links a little. This is what they should look like now:
http://www.clickbank.net/sell.cgi?link=YOUR_CLICKBANK_ID/YOUR_PRODUCT_ID/YOUR_PRODUCT_NAME&seed=YOUR_SEED
Replace YOUR_CLICKBANK_ID with, of course, your Clickbank ID and YOUR_SEED with seed you want to use. This can be anything, something simple that's short and one word like product name. But NOT your secret key.
YOUR_PRODUCT_ID is number Clickbank shows to left of each thank you page as you add it. When you're testing, be sure to set price at $0.00. Once everything's in place you can raise price of item to $19.95 or $29.95 or whatever it's priced at.
http://www.clickbankguide.com/merchant.htm#account will explain everything if you're a Clickbank newbie.
COULDN'T THE DOWNLOAD URL, HASH, AND RECEIPT BE SHARED?
You can't prevent sharing completely... after all, your customer can always download file and share file, not download URL, to friends. We can do one thing to give these would-be freeloaders a bit of a headache, and that is expiration.