Overview
The parameters included in your Upsell Flow Pages, Vendor-Provided Confirmation Pages, and Thank You Page URLs can include personally identifiable information (PII). You can enable encryption for these parameters to provide additional security. If you do so, you must decrypt the parameters to access the information.
The following subjects are covered in this article:
- Encryption Algorithm
- Encrypted Parameter Format
- Testing Encryption
- Enabling Encryption
- Code Samples
- Related Articles
Encryption Algorithm
ClickBank uses AES-256 in CBC mode (CBC-AES-256) to secure the parameters. This helps prevent customer information from being passed in clear text. The parameters are encrypted using a secret key of up to 16 characters and an initialization vector (IV). The encrypted text is then encoded using the java.net URL encoder.
If you enable encryption, you must URL-decode and then decrypt the parameters using the initialization vector and your secret key before you can process them.
See the Code Samples section of the Instant Notification Service article for example methods for decrypting parameters.
Encrypted Parameter Format
The base format for a URL with encrypted parameters is:
https://<Pitch Page, Thank You Page, or Confirmation Page URL>/?<other variables>&iv=ENCODED_IV_VALUE&params=ENCODED_AND_ENCRYPTED_PARAMETERS
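The URL format and decryption steps above, as an added Go example that is not ClickBank's code (the Java and PHP samples later in this article are the official ones). It derives the AES key the same way those samples do (first 32 hex characters of SHA-1 of the secret key) and includes a constructed EncryptParams helper that builds a URL in this format so the round trip can be checked offline; the secret key MYSECRETKEY, the IV, the field values and the assumption that every decrypted value is a JSON string are sample assumptions, not facts from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha1"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"net/url"
)

// DeriveKey mirrors the page's Java and PHP samples: the first 32 hex characters of SHA-1(secret key), used as 32 ASCII bytes, form the AES-256 key.
func DeriveKey(secret string) []byte {
	sum := sha1.Sum([]byte(secret))
	return []byte(hex.EncodeToString(sum[:])[:32])
}

// DecryptParams parses a page URL carrying iv= and params=, decrypts the AES-256-CBC payload, verifies the PKCS#5 padding and returns the JSON fields (assumed to be strings).
func DecryptParams(rawURL, secret string) (map[string]string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	iv, e1 := base64.StdEncoding.DecodeString(u.Query().Get("iv")) // Query() undoes the %2B, %2F, %3D escaping
	ct, e2 := base64.StdEncoding.DecodeString(u.Query().Get("params"))
	if e1 != nil || e2 != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("malformed iv or params")
	}
	block, _ := aes.NewCipher(DeriveKey(secret)) // key is always 32 bytes, so this cannot fail
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(ct, ct) // decrypt in place; ct now holds the padded plaintext
	n := int(ct[len(ct)-1]) // PKCS#5: the last byte is the pad length and every pad byte equals it
	if n == 0 || n > aes.BlockSize || !bytes.Equal(ct[len(ct)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong secret key or corrupted params")
	}
	out := map[string]string{}
	return out, json.Unmarshal(ct[:len(ct)-n], &out) // Unmarshal fills the pre-allocated map in place
}

// EncryptParams is a constructed helper, not ClickBank code: it builds a URL in the page's format (iv must be 16 bytes) so the decrypt path can be exercised offline.
func EncryptParams(base string, fields map[string]string, secret string, iv []byte) string {
	pt, _ := json.Marshal(fields)
	pad := aes.BlockSize - len(pt)%aes.BlockSize // PKCS#5 always adds 1..16 bytes
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(DeriveKey(secret))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(pt, pt) // encrypt in place
	return base + "?iv=" + url.QueryEscape(base64.StdEncoding.EncodeToString(iv)) + "&params=" + url.QueryEscape(base64.StdEncoding.EncodeToString(pt))
}
```

A wrong secret key or a tampered params value fails the padding check or the JSON parse instead of silently yielding garbage.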
Testing Encryption
You can encrypt PII for test transactions only, to verify that your decryption is working before you encrypt PII for live data.
Step 1: Log in to your ClickBank account.
Step 2: Click the Vendor Settings tab.
Step 3: Click My Site.
Step 4: Locate the Advanced Tools section and click Edit.
Step 5: Check the Encrypt TEST Transaction URLs checkbox.
Step 6: Enter a secret key if you do not have one. Your secret key can be up to 16 characters long, including digits and capital letters.
Step 7: Click Save Changes. Your Upsell Flow Page, Thank You Page, and Vendor-Provided Confirmation Page URLs for test transactions are now encrypted.
Enabling Encryption
To enable encryption for URLs that are used in actual transactions (rather than test transactions), follow these steps.
Step 1: Log in to your ClickBank account.
Step 2: Click the Vendor Settings tab.
Step 3: Click My Site.
Step 4: Locate the Advanced Tools section and click Edit.
Step 5: Check the Encrypt Transaction URLs checkbox.
Step 6: Enter a secret key if you do not have one. Your secret key can be up to 16 characters long, including digits and capital letters.
Step 7: Click Save Changes. Your Upsell Flow Page, Thank You Page, and Vendor-Provided Confirmation Page URLs are now encrypted.
Code Samples
Java Decryption Code Sample
The following code sample uses Java to decode and decrypt the Upsell Flow parameters.
NOTE – This code sample is included as an example. It may require modification to work with your environment.
package com.package.name;

import java.net.URLDecoder;
import java.security.MessageDigest;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.json.JSONObject;
import org.json.JSONTokener;
import org.junit.Test;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.fail;

public class Decrypt {
    public static String decryptAESWith256BitKey(final String encryptedString, final String secretKey, final String iv) throws Exception {
        try {
            // The AES key is the first 32 hex characters of SHA-1(secret key), used as 32 ASCII bytes (256 bits).
            final MessageDigest digest = MessageDigest.getInstance("SHA-1");
            digest.reset();
            digest.update(secretKey.getBytes("UTF-8"));
            final String key = new String(Hex.encodeHex(digest.digest())).substring(0, 32);
            // Both the IV and the ciphertext arrive base64-encoded (after URL decoding).
            final IvParameterSpec ivParameterSpec = new IvParameterSpec(Base64.decodeBase64(iv));
            final SecretKeySpec keySpec = new SecretKeySpec(key.getBytes("UTF-8"), "AES");
            final Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, keySpec, ivParameterSpec);
            return new String(cipher.doFinal(Base64.decodeBase64(encryptedString)), "UTF-8");
        } catch (final Exception ex) {
            throw new Exception("Unable to decrypt string: " + ex.getMessage(), ex);
        }
    }

    @Test
    public void testUrlDecryption() {
        final String encryptedUrl = "http://www.example.com/download.html"
            + "?iv=OTc4NDcxMDdBMDc2NjY4OQ%3D%3D"
            + "&params=53OG25PsV%2FYXr16cluQx6CSZ9mEovQm9plTbd0RztlBQM8czOyrT%2BTV0iWJmhz0fYc6YgKhOlEmWKUYHg"
            + "QvLgxgCKeN4MGNyJnbj%2FqiCfR6Ddyv38ecrz%2Fd1OlJqgABN9x1aGSe23%2Br4NIvh26HRtCewy1ELq%2BmL%2FaXp"
            + "YySCuJpRUL5ynS3msYl5nI7i4PGHv27zb8F38hwy%2F05Ly1XeEyVN%2BprpO2yXz8PnLoLGkCYot%2FcFqd622%2BO13ATo5fK7";
        try {
            // Expected URL format: [/URL/...]iv=SOME_IV_VALUE&params=ENCRYPTED_PARAMS
            // Splitting on '&' and '=' leaves the params value last and the iv value third from last.
            final String[] vals = encryptedUrl.split("[&=]");
            final String encryptedString = URLDecoder.decode(vals[vals.length - 1], "UTF-8");
            final String iv = URLDecoder.decode(vals[vals.length - 3], "UTF-8");
            final String decryptedString = decryptAESWith256BitKey(encryptedString, "MYSECRETKEY", iv);
            // The decrypted text is a JSON object holding the order parameters.
            final JSONObject jsonParams = new JSONObject(new JSONTokener(decryptedString));
            assertEquals("JohnDoe", jsonParams.get("cname"));
            assertEquals("john@doe.com", jsonParams.get("cemail"));
        } catch (final Exception ex) {
            fail("Decryption failed: " + ex.getMessage());
        }
    }
}
PHP Decryption Code Sample
The following code sample uses PHP to decode and decrypt the Upsell Flow parameters.
NOTE – This code sample is included as an example. It may require modification to work with your environment.
<?php
$encrypted = rawurldecode($_GET['params']);
$iv = rawurldecode($_GET['iv']);
$secretKey = "MYSECRETKEY";
// The key is the first 32 hex characters of SHA-1(secret key), used as 32 ASCII bytes, as in the Java sample.
// openssl_decrypt() returns false on a wrong key or corrupted ciphertext, so check before using the result.
$plaintext = openssl_decrypt(base64_decode($encrypted),
    'AES-256-CBC',
    substr(sha1($secretKey), 0, 32),
    OPENSSL_RAW_DATA,
    base64_decode($iv));
if ($plaintext === false) { http_response_code(400); exit('Unable to decrypt parameters'); }
$decrypted = trim($plaintext, "\0..\32");
echo($decrypted);
$order = json_decode($decrypted); // the decrypted text is a JSON object
// EXAMPLES OF DATA FROM DECRYPTED URL PARAMETERS
$email = $order->{'cemail'};
$receipt = $order->{'cbreceipt'};
$full_name = $order->{'cname'};
$item = $order->{'item'};
$cbpop = $order->{'cbpop'};
$phone = $order->{'cphone'};
$country = $order->{'ccountry'};
$affid = $order->{'cbaffi'};
$zip = $order->{'czip'};
$time = $order->{'time'};
http_response_code(200);
?>
Additional Resources & Related Articles
- Query String Parameters – This article explains the parameters that can be passed to and from the order form.
- Instant Notification Service (INS) – This article explains how to configure instant notifications for events such as transactions that impact your account.