Affiliate Hacks #2 – Writing a PHP Cloaker

In the next little coding tutorial, I’m going to show you how to set up a basic PHP cloaker for your landing pages/offers.

What Is An Affiliate Cloaker?

Say that there’s somebody you don’t want seeing your landing pages. A cloaker will find that person and redirect them to your “cloaked” page. This cloaked page can be a different landing page (one you don’t actually use), a different website (so maybe direct linking to the offer), or any message you want (“Hahaha I cloaked you!”).

How Does This Work?

There are a few different ways to write a cloaker, the way I’m going to show you today is a very common method called IP cloaking with the programming language PHP (so PHP must be installed on your webserver). If you’re not sure that your server has PHP installed, login to any one of your websites and create a file called ‘test.php’. In this test file copy/paste the following code:

<?php phpinfo(); ?>

Now visit test.php in your browser. If a bunch of information comes up, you have PHP installed. If not, you don’t.

Back to how it works…the cloaker is based off of a tracking link you create. So you would buy a domain like, and on that domain you’d host all of your tracking links. Your tracking link redirects to your landing page, so when creating ads you use your tracking link for the ad destination URL. Instead of your ads linking to, they now link to That php link redirects to your landing page.

The cloaker code is placed on your landing page and says “If a person hits this page through my tracking link (directly from my ad), show them the landing page. If not, redirect them to my cloaked URL.” I’ll explain more about how this works when actually showing you the code.

Why Use A Cloaker?

There are more sinister reasons for cloaking which I won’t go into, but IP cloaking is a somewhat effective way of blocking affiliates from spying on your pages. If an affiliate is able to find your landing page link through a number of spying tools and tries to visit your page, they’ll be redirected. Note that many spy tools actually grab your tracking link, and many affiliates will find your ads and click on them directly – the basic IP cloak doesn’t prevent that.

How It’s Done

Now for the nitty gritty. This all starts with creating a MySQL database on your server. Here’s a basic tutorial for creating a MySQL database and table on your server.

For the tutorials sake I’m going to keep things as simple as possible. In our example we’ll use the following information:

Database name – test_db
Database username – test_user
Database password – cloaking

In that database, make a table called ‘ips’, and give that table 2 columns called ‘ip’ and ‘timestamp’. The IP can be type varchar, and the timestamp must be type DATETIME. This database stores our IP data which helps us determine who to cloak, and who to let through.

Now that we have our database set up, the first step is writing code for the tracking link. Your should contain the following code:


$db = new PDO('mysql:host=localhost;dbname=test_db;charset=utf8', 'test_user', 'cloaking');
$q = $db->prepare("INSERT INTO ips (ip, timestamp) VALUES ('$ip', NOW())");


An explanation of what’s going on here:

Line 1 – gets the users IP address and sets it to the variable $ip so that whenever we need to use their IP, we just call that variable

Line 2 – makes the connection to your database using PDO. PDO is a secure way of connecting to databases that prevents a MySQL injection and access to your server. To briefly read why you should connect using this method, click here.

Line 3 – builds the query for taking the persons IP along with the current time and popping it into your database

Line 4 – performs the task of adding the IP and current time into your database

Line 5 – sends the person off to your landing page

Yayy, your first cool tracking link is now made. Next is the actual cloaker. This code goes as the very top of your landing page, above the opening body tag:


$wl = array("12.345.67.890");
$bl = array("123.456.789.0", "98.765.432.10");

//Cloak em
$db = new PDO('mysql:host=localhost;dbname=test_db;charset=utf8', 'test_user', 'cloaking');
$result = $db->prepare($q); 
$r = $result->fetchColumn();

if (in_array($ip, $bl)) {
else if ($r >= 1){}
else if (in_array($ip, $wl)) {}
else { 

A breakdown of what’s going on here:

Line 1 – once again we get their IP and set it to a variable.

Line 2 – build out a “white list” of IPs. If there are any IP addresses you never want to cloak, put them in this PHP array. Typically, you’ll only put your IP address here so that you can build/test your landing pages and not have to worry about cloaking yourself.

Line 3 – alternatively, you can build a “black list” of IP addresses; people you always want to cloak. For instance if you’re able to sniff out the IP address of different affiliates, you can blacklist them so that even if they go through your tracking link, they’ll be cloaked by default.

Line 4 – again we make a connection to our cloak database.

Line 5 – this determines if we cloak or not. This checks (or queries) your database and says “Select from our database where the IP address generated at the top of the landing page matches an IP address found in the database (meaning the person first came through your tracking link).” The “INTERVAL 1 MINUTE” stuff means the person just came through your tracking link. That means if this person goes through your tracking link, hits the landing page, fills out an offer, and any time 1 MINUTE after that action they try to go back to the landing page, they’ll be cloaked. That’s why we include a timestamp in our database.

Lines 6,7,8 – this executes the query and grabs the rows that satisfy the criteria (matching IP address within a 2 minute timeframe).

Line 9 (first if statement) – this looks at your blacklist array. If the persons $ip is in that array, we cloak them by default.

Line 10 – if our query returns an IP address (meaning they’ve come through the tracking link just now), do nothing (show them the landing page).

Line 11 – if the IP is within our whitelist, also do nothing and show them the page.

Line 12 – if our query returns a blank result (no matches), we cloak them.

Like I’ve said, this is not the only way to cloak using PHP, and there are other ways to cloak using things like Javascript. But this gives you a very fundamental idea of what cloaking is, and how to implement it rather easily.

Also, I do not claim to be a programming expert. If there are cleaner ways to write the cloak listed above, feel free to drop a comment or e-mail me and I’ll make an update! I always love learning new information.


  1. Mike Chiasson
    July 24, 2013

    Awesome post!!

  2. Nick
    July 24, 2013

    I’m pretty sure you need to use a prepared statement with PDO to get the benefits of escaping values. The code posted above is still vulnerable to SQL injections. But chances of someone forging the REMOTE_ADDR are pretty slim.

  3. drngo
    July 24, 2013

    Too much work, rather use LPLockdown

  4. July 25, 2013

    Yep you’re absolutely right, forgot to prepare the first insert statement. Made the edit, thanks!

  5. adam
    October 1, 2013

    Thank you a lot for all the knowledge you could share.
    iPhone screen Protectors

  6. January 10, 2014

    Terrifying Beaked Plague Mask Of Historical Europe

    See more at:

Leave a Comment