How to protect your clickbank thank you page from download fraud (really)

Discussion in 'ClickBank' started by tom11011, Aug 14, 2012.

  1. #1
    Ok, I'm really excited about this because I have spent the better part of today trying to figure this out. I need someone to try and poke a hole in this because I'm really tired.

    We all know about the problems of the clickbank thank you page. There is nothing to stop a buyer of your ebook from posting the thank you page that has your ebook download link on various forums. A huge problem since now anyone can download your ebook for free knowing the link.

    So, the typical solution to the problem is you got to go out and buy DL Guard for $147 to create temporary download directories. The solution does work very nicely.

    But there is another way, a free way. The folks over at DL Guard are probably not going to like me very much.

    We know we have to create a thank you page for clickbank outside of wordpress. http://www.yourstuff.com/download.php

    Now everyone already knows what's coming next, on the very first line of the download page, we put this code in there.

    
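    <?php
    
    // Recompute ClickBank's proof-of-purchase value (cbpop) from the secret key and the
    // receipt, time and item parameters ClickBank appends to the thank you page URL.
    function cbValid() {
       $key='yoursecretclickbankkey';
       $rcpt=isset($_REQUEST['cbreceipt']) ? $_REQUEST['cbreceipt'] : '';
       $time=isset($_REQUEST['time']) ? $_REQUEST['time'] : '';
       $item=isset($_REQUEST['item']) ? $_REQUEST['item'] : '';
       $cbpop=isset($_REQUEST['cbpop']) ? $_REQUEST['cbpop'] : '';
       $xxpop=sha1("$key|$rcpt|$time|$item");
       $xxpop=strtoupper(substr($xxpop,0,8));
    
       // compare as strings; == would treat values such as "0E123456" as numbers
       if (is_string($cbpop) && hash_equals($xxpop, $cbpop)) {
          return 1;
       } else {
          return 0;
       }
    }
    
    if (cbValid() == 0) {
       header("Location: http://www.yourstuff.com");
       exit; // stop here so nothing below runs for an unvalidated request
    }
    
    ?>
    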
    As we all know, the download page cannot be opened unless clickbank themselves has directed the user here after a sale. If someone goes to this page without coming from clickbank checkout first, they are redirected to the home page.

    No problem so far, we've all done this.

    I'm not a php coder, but I have managed to cobble together this function from various sources. Here is why it is a function though, it keeps the code on the same clickbank protected page instead of calling the download link from another file that is not protected.

    
    <?php
    // Keep this below the cbValid() check on the same page so it only runs for validated requests.
    function download()
    {
       $path = '/home/jsmith/ebookdownload/file.pdf'; // the file made available for download via this PHP file
       $mm_type="application/octet-stream"; // modify accordingly to the file type of $path, but in most cases no need to do so
    
       header("Pragma: public");
       header("Expires: 0");
       header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
       header("Cache-Control: public");
       header("Content-Description: File Transfer");
       header("Content-Type: " . $mm_type);
       header("Content-Length: " .(string)(filesize($path)) );
       header('Content-Disposition: attachment; filename="'.basename($path).'"');
       header("Content-Transfer-Encoding: binary"); // no trailing newline: header() rejects values that contain one
    
       readfile($path); // outputs the content of the file
    
       exit();
    }
    
    // the download only starts when the link carries ?run=first
    if (isset($_GET['run'])) $linkchoice=$_GET['run'];
    else $linkchoice='';
    
    switch($linkchoice){
    
    case 'first' :
        download();
        break;
    }
    ?>
    
    Then, we call the function in the weblink itself. The really great part of this is that the file location can be placed outside of the web directory where it will never be spidered. It is working for me with my PDF ebook.

    
    <a href="?run=first">Click Here To Download</a>
    
    Again, it's really late and I have been at this all day. Need someone with php knowledge to see if this is safe.

    Tom
     
    tom11011, Aug 14, 2012 IP
  2. tom11011

    tom11011 Well-Known Member

    Messages:
    1,117
    Likes Received:
    25
    Best Answers:
    0
    Trophy Points:
    165
    #2
    I got some sleep and found 2 flaws here, but I think they are both correctable. A php wizard could probably do this in a few minutes but I'll just have to muddle my way through unless someone steps in.

    The 2 flaws are this.

    1.) clickbank doesn't exactly send an uncoded link back, it has their cbpop info in the link. This means my download link has to have this same info in it, that is doable, just have to figure it out.

    2.) This coded download link can still be copied to a forum for all to see. I'm not sure if CB times these links out of their system but I'm not going to wait around to find out. I'm going to put an expiration inside the CB code, I found an old example of someone doing something similar, just have to figure it all out.
     
    tom11011, Aug 15, 2012 IP
  3. tom11011

    #3
    I've figured out how to expire the coded link that clickbank sends. Revised code is below. This will render the link invalid after 15 minutes. I suppose someone could adjust the unix time stamp in the link that cb sends but I'm not sure as there are some encryption pieces going on.

    Now I have to have a look at the link itself to download the product. Back shortly.

    
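    <?php
    function cbValid() {
       $key='yoursecretkey';
       $rcpt=isset($_REQUEST['cbreceipt']) ? $_REQUEST['cbreceipt'] : '';
       $time=isset($_REQUEST['time']) ? $_REQUEST['time'] : '';
       $item=isset($_REQUEST['item']) ? $_REQUEST['item'] : '';
       $cbpop=isset($_REQUEST['cbpop']) ? $_REQUEST['cbpop'] : '';
       $xxpop=sha1("$key|$rcpt|$time|$item");
       $xxpop=strtoupper(substr($xxpop,0,8));
    
       #set expiration time: 15 minutes after the time stamp clickbank sent
       $exp = (int)$time + 15 * 60;
    
       // compare as strings; == would treat values such as "0E123456" as numbers
       if (is_string($cbpop) && hash_equals($xxpop, $cbpop) && time() < $exp) {
            return 1;
       } else {
          return 0;
       }
    }
    
    if (cbValid() == 0) {
       header("Location: http://www.yourstuff.com");
       exit; // stop here so nothing below runs for an unvalidated or expired request
    }
    ?>
    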
     
    Last edited: Aug 15, 2012
    tom11011, Aug 15, 2012 IP
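
Added example, not part of the original thread: post #3 wonders whether the time stamp in the link can be edited. This sketch recomputes cbpop the same way the thread's cbValid() does and walks a link through each check; the key, receipt, item and time values and the function names cbpopFor and checkLink are constructed for illustration.

```php
<?php
// Added example: constructed key and receipt values, not real ClickBank data.
// cbpop is derived from the secret key plus receipt, time and item, so the
// time stamp cannot be changed without also producing a new cbpop.
function cbpopFor(string $key, string $rcpt, string $time, string $item): string
{
    return strtoupper(substr(sha1("$key|$rcpt|$time|$item"), 0, 8));
}

// Returns a reason string so every rejection path is visible.
function checkLink(array $q, string $key, int $now, int $ttl = 900): string
{
    foreach (['cbreceipt', 'time', 'item', 'cbpop'] as $name) {
        if (!isset($q[$name]) || !is_string($q[$name])) {
            return "reject: missing $name";
        }
    }
    if (!ctype_digit($q['time'])) {
        return 'reject: time is not a unix time stamp';
    }
    $expected = cbpopFor($key, $q['cbreceipt'], $q['time'], $q['item']);
    // hash_equals compares as strings in constant time; == would compare
    // numeric-looking values such as "0E123456" as numbers.
    if (!hash_equals($expected, $q['cbpop'])) {
        return 'reject: cbpop mismatch';
    }
    if ($now - (int)$q['time'] > $ttl) {
        return 'reject: link expired';
    }
    return 'accept';
}

$key  = 'EXAMPLEKEY';   // constructed secret key
$sale = 1345000000;     // constructed sale time (unix time stamp)
$link = ['cbreceipt' => 'TESTRCPT1', 'time' => (string)$sale, 'item' => '1'];
$link['cbpop'] = cbpopFor($key, $link['cbreceipt'], $link['time'], $link['item']);

// Case 1: the buyer follows the link one minute after the sale.
echo checkLink($link, $key, $sale + 60), "\n";
// Case 2: the same link is opened an hour later, past the 15 minute window.
echo checkLink($link, $key, $sale + 3600), "\n";
// Case 3: the time stamp is moved forward but cbpop is left as it was.
$edited = $link;
$edited['time'] = (string)($sale + 3000);
echo checkLink($edited, $key, $sale + 3600), "\n";
```
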
  4. tom11011

    #4
    Well, it looks like I solved it.

    Add the following to the cb code, right after where it says function cbValid() {

    add this

    global $item, $rcpt, $time, $cbpop;
    Then, adjust your link to read like this.

    <a href="?item=<?php echo urlencode($item); ?>&amp;cbreceipt=<?php echo urlencode($rcpt); ?>&amp;time=<?php echo urlencode($time); ?>&amp;cbpop=<?php echo urlencode($cbpop); ?>&amp;run=first">Click Here To Download</a>
    A full clickbank test with test credit card worked as expected.

    This might be the wrong forum for this but since it is clickbank related....
     
    tom11011, Aug 15, 2012 IP
  5. bolo181

    bolo181 Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #5
    If my question eventually appears I have already figured out the answer.

    media temple have slightly different file paths than what I am used to with hostgator

    (can't post links yet so try this) search media temple knowledge base for How+to+find+your+Cluster+and+Storage+Segment
     
    bolo181, Aug 29, 2012 IP
  6. claygc

    claygc Greenhorn

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    11
    #6
    To hide the location of your actual file like an ebook I use this script I hacked up:


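    <?php
    // Streams the e-book under a new name so its real location is never shown.
    function SendFile()
    {
    $newname = "give-the-file-a-new-name.pdf";
    $FileName = "./some_dir/your-e-book.pdf"; // this is a secret directory on your server with the file
    //header("Content-Type: " . mime_content_type($FileName));
    // if you are not allowed to use mime_content_type, then hardcode MIME type
    // use application/octet-stream for any binary file
    // use application/x-executable-file for executables
    // use application/x-zip-compressed for zip files
    header("Content-Type: application/octet-stream");
    header("Content-Length: " . filesize($FileName));
    header("Content-Disposition: attachment; filename=\"$newname\"");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    $fp = fopen($FileName,"rb");
    fpassthru($fp);
    fclose($fp);
    exit; // stop here so no page HTML is appended to the file
    }

    // Returns true when the request carries a valid clickbank proof of purchase.
    function cbValid()
    { $key='secretkey';
    global $rcpt, $time, $item, $cbpop; // reused below for the form's hidden fields
    $rcpt=isset($_REQUEST['cbreceipt']) ? $_REQUEST['cbreceipt'] : '';
    $time=isset($_REQUEST['time']) ? $_REQUEST['time'] : '';
    $item=isset($_REQUEST['item']) ? $_REQUEST['item'] : '';
    $cbpop=isset($_REQUEST['cbpop']) ? $_REQUEST['cbpop'] : '';

    $xxpop=sha1("$key|$rcpt|$time|$item");
    $xxpop=strtoupper(substr($xxpop,0,8));

    // compare as strings; == would treat values such as "0E123456" as numbers
    return is_string($cbpop) && hash_equals($xxpop, $cbpop);
    }

    if (!cbValid()) {
    echo '

    Error you cant access this page you have not made a purchase!

    ';
    exit;
    }
    // the purchase check above also covers the download request
    if (isset($_POST["download"]) && ($_POST["download"] == "download"))
    SendFile();
    ?>

    Thank you for purchasing .


    <form action="download.php" method="post">
    <input type="hidden" name="cbreceipt" value="<?php echo htmlspecialchars($rcpt); ?>">
    <input type="hidden" name="time" value="<?php echo htmlspecialchars($time); ?>">
    <input type="hidden" name="item" value="<?php echo htmlspecialchars($item); ?>">
    <input type="hidden" name="cbpop" value="<?php echo htmlspecialchars($cbpop); ?>">
    <input type="hidden" name="download" value="download"><br>
    <center><input type="submit" value="Download your E-book"></center>
    </form>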
     
    claygc, Aug 29, 2012 IP
  7. tom11011

    #7
    claygc, no need, my script does the same above.
     
    tom11011, Aug 30, 2012 IP
  8. tonysanders

    tonysanders Member

    Messages:
    306
    Likes Received:
    3
    Best Answers:
    0
    Trophy Points:
    48
    #8
    a really simple way is to use download guard or even just use wordpress at the download page and then install the wishlist plugin.
     
    tonysanders, Aug 30, 2012 IP
  9. tom11011

    #9
    True, but as the post says, my method allows you to accomplish the same goal without paying DLGuard $147.
     
    tom11011, Aug 30, 2012 IP
    claygc likes this.
  10. Levanah

    Levanah Peon

    Messages:
    2
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #10
    Here's my big question - where do I put this PHP coding - if you pardon my ignorance! :) There are different PHP codes mentioned above, for different purposes. Where do they go? That's the point in which I get lost.:confused:
     
    Levanah, Sep 9, 2012 IP
  11. tom11011

    #11
    That's the beauty of it, it's all on the same page. This is the page that clickbank directs your user to after a sale, you get to choose the name in clickbank such as www.mysite.com/download.php
     
    tom11011, Sep 10, 2012 IP
  12. Levanah

    #12
    I have just signed up for a clickbank account. I guess I have to wait for their approval of my site/product before I can get their page. Many thanks.
     
    Levanah, Sep 10, 2012 IP
  13. tom11011

    #13
    No, you don't have to wait for their approval. In fact, they won't approve your product until you have done some test credit card transactions. You need to go to the section of your account where you generate a test credit card. You can do this all right now.
     
    tom11011, Sep 10, 2012 IP
  14. righthand

    righthand Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #14
    Thanks tom11011 and claygc, but I have the same question - If I'm using WordPress, can someone detail where/how to insert this code?
    Thanks
     
    righthand, Sep 11, 2012 IP
  15. tom11011

    #15
    This is not designed to work in WordPress. I'm sure it can be done but it is outside the scope of this because themes are all different, plugins are different etc. You can include your CSS/HTML though in your download page.
     
    tom11011, Sep 11, 2012 IP
  16. tom11011

    #16
    Claygc comments do not add anything to this thread as the proper code is already included.
     
    tom11011, Sep 11, 2012 IP
  17. grafxgold

    grafxgold Peon

    Messages:
    1
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    0
    #17
    Thanks for all the codes and info. I am building a new site and will try this.
    Is it best to use php pages or can it work with html pages?
     
    grafxgold, Sep 11, 2012 IP
  18. tom11011

    #18
    No, this must be a php page.
     
    tom11011, Sep 11, 2012 IP
  19. nosyaj

    nosyaj Greenhorn

    Messages:
    7
    Likes Received:
    0
    Best Answers:
    0
    Trophy Points:
    21
    #19
    Hi Tom11011,
    I have followed everything and the validation script works fine for me but the download script won't. It appears the pop-up saying "download.php" means the script itself will be downloaded and not the file :( by the way, my file was a zip file. Please help.
     
    nosyaj, Jun 4, 2013 IP
  20. nosyaj

    #20
    Also, I changed my script and then it goes almost good except one thing - it was corrupted and while downloading it doesn't indicate the filesize details.
     
    nosyaj, Jun 4, 2013 IP