Hi.. I have set up a thank you page and I have set a secret key in my account under "My site" and I am doing a TEST purchase which works fine and leads me to the thank you page. I do use the C# function that Clickbank has written below where I check: cbpop.Equals(xxpop); I suppose that if this is true, this was a real purchase because I am not redirected to www.google.com, which I should have been if it was not true.

Now comes the problem: In the URL on the thank you page there are all the passed parameters from ClickBank:

http://www.mySite.com/ThankYou.aspx?item=1&cbreceipt=REGSAG3S&time=1300139645&cbpop=6ES3GS2D&cbaffi=0&cname=FirstName+OtherName&cemail=myEmail%40hotmail.com&ccountry=SE&czip=12458

I have extracted the necessary parameters that are needed in the C# function correctly. (I have not written that code below as it is much.) Now, I have copied this whole long URL into memory and closed ALL explorer windows. I open up a new explorer window and paste this URL in the browser and press OK. This shouldn't be possible of course? The result should be: result == false in my code below as this doesn't come after a purchase. But the thank you page is shown anyway here, which means that result == true. So I wonder what I am doing wrong? I really need help on this one. Thank you

(My code in C#)

    using System;
    using System.Text;
    using System.Security.Cryptography;

    public bool cbValid(string cbreceipt, string time, string item, string cbpop)
    {
        string secret_key = "SECRET_KEY";
        // cbpop is the first 8 hex characters of SHA-1(secret|receipt|time|item)
        byte[] data = Encoding.Default.GetBytes(secret_key + "|" + cbreceipt + "|" + time + "|" + item);
        byte[] hashedData = new SHA1Managed().ComputeHash(data);
        string xxpop = BitConverter.ToString(hashedData).Replace("-", "").ToUpper().Substring(0, 8);
        return cbpop.Equals(xxpop);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        //I have extracted all the parameters from the URL correctly here
        bool result = cbValid(extractcbreceipt, extracttime, extractitem, extractcbpop);
        if (result == true)
        {
            //Do something
        }
        else
        {
            Response.Redirect("http://www.google.com");
        }
    }
There is nothing wrong here. What you need to do is introduce some other logic that you will additionally check. I assume you don't want your customers to go to the thank you page a second time after they leave the browser. For example you can write to the database the email + time and then check if this is a second visit. The cbValid will always return true as this is a valid purchase done on that exact time. If you change the time then it will return false. Therefore what I would do is implement an additional mechanism as explained above.
Thanks slonce, Now I do understand, because I thought my code was correct as it is. This explained something I didn't know: The cbValid will always return true as this is a valid purchase done on that exact time. The time is checked against a database at Clickbank as I understand, that it exists. As you said I will save the user's email together with that time. So if cbValid is true, then I will additionally check this: If 1 email on that purchase time already exists in the database, then redirect the page somewhere else. If 1 email on that purchase time doesn't exist, then this is a real purchase. I think I have understood this?
Yes, something like that. I believe by database you mean your own database where you will save customer data. This is what I meant in the first place. Btw the time is not checked against ClickBank's DB time (vendors do not have any direct access to the cb database); in the cbValid it only computes the hashed object and compares it. So if you try with another time stamp just for your test you will see that the function will return false. My idea is that you save to your database the first time a customer accesses the thank you page; then if he uses the link again you will redirect to another page or give an error message.
Okay, I think I understand. The hashed object is an encrypted thing that will return true if it is correct. Shouldn't it be okay if I create a file named "1300139645.txt" in my own database, as you said, of course when the customer is directed to the thank you page. Now if the user tries to change this parameter in the string to something else, for example: time=1300139777 Then cbValid should return false? If that happens, then saving the "1300139645.txt" should be a pretty good idea and check if that file exists. If it doesn't exist, this is a real purchase. If the file does exist, then this is someone trying to paste the URL in the browser?
Yes, that can do the job also, but bear in mind the possibility that 2 people can purchase at the same moment. Although the probability is very low, sometimes I have seen sales at the same second, but I doubt that it will be the same ms.
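The approach the thread converges on (validate cbpop, then record the first visit and refuse a replay), as an added example that is not part of the thread and not ClickBank's own code. It also covers the "two sales in the same second" point from the last reply by keying the seen-purchase record on the receipt plus the time rather than the time alone. ThankYouGuard, FirstValidVisit and the in-memory SeenPurchases set are hypothetical names of my own; the set stands in for the vendor's database, and the receipt, time and item values are constructed from the URL in the first post. ClickBank's sample uses Encoding.Default; the example uses ASCII, which gives the same bytes for these parameters.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example (not the thread's or ClickBank's code). The HashSet is a
// stand-in for a database table with a unique key on (receipt, time).
public static class ThankYouGuard
{
    // Same construction as the posted cbValid(): first 8 hex characters of
    // SHA-1(secret|receipt|time|item), upper-case.
    public static string ComputeCbpop(string secretKey, string cbreceipt, string time, string item)
    {
        byte[] data = Encoding.ASCII.GetBytes(secretKey + "|" + cbreceipt + "|" + time + "|" + item);
        byte[] hash;
        using (var sha1 = SHA1.Create())
        {
            hash = sha1.ComputeHash(data);
        }
        return BitConverter.ToString(hash).Replace("-", "").ToUpper().Substring(0, 8);
    }

    // True when cbpop matches the recomputed value. This proves the parameters
    // were produced with the secret key; it says nothing about how often the
    // same URL has been opened, which is why the replay check below is needed.
    public static bool CbValid(string secretKey, string cbreceipt, string time, string item, string cbpop)
    {
        string expected = ComputeCbpop(secretKey, cbreceipt, time, item);
        byte[] a = Encoding.ASCII.GetBytes(expected);
        byte[] b = Encoding.ASCII.GetBytes(cbpop ?? "");
        // Fixed-time comparison so the response time does not depend on how
        // many leading characters of a guessed cbpop happened to match.
        return CryptographicOperations.FixedTimeEquals(a, b);
    }

    // Hypothetical in-memory store of purchases whose thank-you page was already shown.
    private static readonly HashSet<string> SeenPurchases = new HashSet<string>();

    // True only on the first valid visit for this purchase; false for an
    // invalid cbpop or for any later visit with the same receipt and time.
    public static bool FirstValidVisit(string secretKey, string cbreceipt, string time, string item, string cbpop)
    {
        if (!CbValid(secretKey, cbreceipt, time, item, cbpop)) return false;

        // Receipt + time, not time alone: two customers can buy in the same second.
        string key = cbreceipt + "|" + time;
        lock (SeenPurchases)
        {
            return SeenPurchases.Add(key); // Add() returns false if the key was already present
        }
    }

    public static void Main()
    {
        const string secret = "SECRET_KEY"; // placeholder, not a real key

        // Constructed values modelled on the URL in the first post.
        string receipt = "REGSAG3S", time = "1300139645", item = "1";
        string cbpop = ComputeCbpop(secret, receipt, time, item);

        Console.WriteLine(FirstValidVisit(secret, receipt, time, item, cbpop)); // True: genuine first visit
        Console.WriteLine(FirstValidVisit(secret, receipt, time, item, cbpop)); // False: same URL pasted again
        Console.WriteLine(CbValid(secret, receipt, "1300139777", item, cbpop)); // False: tampered time
    }
}
```

In a real ASP.NET page the HashSet would be a table with a unique constraint on the receipt, and the insert-then-check would run inside the same request that renders the thank-you page, so that two concurrent requests with the same URL cannot both pass.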