ASPit - Totally ASP JSit - Totally JavaScript
Search PHPit

Use this textbox to search for articles on PHPit. Seperate keywords with a space.


Clickbank Security Using PHP

(Page 5 out of 5)

You can't prevent sharing completely... after all, your customer can always download the file and share the file, not the download URL, to friends. We can do one thing to give these would-be freeloaders a bit of a headache, and that is expiration.

Here we can say, 30 days after someone buys your product, the thank you page will be inaccessible to them. If they buy on October 25th, they can bookmark and revisit that thank you page up until November 25th at the exact time they made their purchase. It's kind of a nice compromise because it gives honest people enough time to get what they need but at the same time it becomes impractical to share the URL.

In chapter 9 of my book, Simple PHP (, I explained how time works on computers, they use a big number which is just a count of how many seconds have passed since January 1st, 1970. I also explained that there was a function, called strtotime(), which we could use to determine this "number" or timestamp of a certain date. For example, 30 days ago or 1 year ago.

30 days sounds about right. To figure out the Unix timestamp of this moment, minus 30 days is:

strtotime("-30 days")

Now, to store it in a variable called $expire:

$expire = strtotime("-30 days");

But you're saying, how do I know when these people purchased? I don't have that kind of information. Aha! But you can. Remember, the seed you put in your order links can be anything you want. So let's just make it the timestamp of this exact moment.

When the customer revisits the thank you page, they can't change the seed, because as I mentioned, if you change *either* the seed or the secret key, the resulting hash (proof of purchase) will be different. So you see, they're stuck with it. But, the current time always changes!

All we have to do, in cb.php, are these two steps:

* Figure out what the timestamp was exactly 30 days ago, and store this value in $expire.

* Compare the seed and $expire. If the the value of the seed is less than that of $expire, it means that the product was purchased more than 30 days ago and the visitor shouldn't be given access to the page. Die.

We've already taken care of step one by saving the timestamp 30 days prior in $expire. Now, we compare the seed (it's $_GET["seed"], remember, because we're grabbing it out of the URL string) and $expire like:

if ($_GET["seed"] Order Now

Instead of YOUR_SEED we want PHP to call the function mktime(), which gives us the current timestamp, and output it, using echo.

echo mktime();

Now just put around it...

And shove it in there.

">Order Now

Now setup a link for $0.00 in your Clickbank control panel and try it. You can be sure it works by changing that "-30 days" in strtotime to "-5 minutes". Then try accessing the download page, then wait 5 minutes and try again. Neat, isn't it?

You say, I've done this, but I have more than one product. How do I keep someone from grabbing everything once they've grabbed one?

Have your links look like the following: ">Order Now

This way the seeds will look like "stringbeans445433" if you're selling stringbeans. Then again if you're selling corn on the cob on another sales page, you can change "stringbeans" to "cornonthecob". Now the seeds for each product will be different.

Those seeds won't be all numbers, will they? So, in cb.php, do this:

$timestamp = ereg_replace("[^0-9]","",$_GET["seed");

I won't go into a lot of detail about pattern matching, but the [^0-9] means "NOT anything from 0 to 9. It basically goes through every letter and number of $_GET["seed"], and if what's there isn't a 0, 1, 2, etc. it's replaced with nothing (hence the ""). The final result is saved in a variable called $timestamp.

Since now we're looking at $timestamp and not $_GET["seed"], let's change that if-statement:

if ($timestamp

When I extracted the timestamp from the seed, I simply removed all characters that were not numbers, leaving just the numbers contained within that string. Now I want to do the opposite. Here's an example seed:


I take out all the numbers and am left with "test". Next I figure out which script called cb.php (which is stored in the variable $_SERVER["SCRIPT_NAME"]). Then the script takes out everything up to the last slash (/) and everything before the first dot (.). If the script was located at "/clickbank/test.php", all that's left is "test".

If you give each thank you page a different name, and make sure all your seeds reflect the correct page, i.e. if your thank you page is called "carrots", the part of that order link containing the seed should appear as:


If you don't care how Clickbank's protection works, that's your derogative. Just get the zip file and follow the instructions I've provided in cb.php.

As far as scripts that handle several Clickbank products -- I can't recommend any at this time, since I've never across any good ones. (But you should check out Harvey Segal's free site,, which can answer most of your questions about Clickbank.)

Here's that script again in case you missed it:

Make sure to read the instructions I've supplied in cb.php, get everything setup and on your web server, and you'll be well on your way to having bulletproof protection on your Clickbank products.

« Previous: Use mine!

Leave a Reply

About the author
Dennis Pallett is the main contributor to PHPit. He owns several websites, including ASPit and Chill2Music. He is currently still studying.
Article Index
  1. Introduction
  2. "Cookie Cutter" tools
  3. Using someone else's code
  4. Use mine!
  5. Couldn't the download url, hash and receipt be shared?
Bookmark Article
Download Article
Download this article as a PDF file