Posted by J.O. Aho on 10/13/81 11:31
mcyi2mr3@lycos.co.uk wrote:
> Hi, I've built a site which allows users to download mp3 files; after
> having paid the fee at PayPal the user is returned to my site to a page
> called "paymentreceived.php". On this page currently I have a message
> saying thank you for your payment and it displays the details of the
> transaction including item id, username etc. Now I want there to be a
> link that allows the user to click so that he can download the relevant
> file from the "mp3s" subfolder. The snag is that I need to somehow
> protect this folder so you can't just go in there and access the files
> without first paying, yet I want to be able to bypass any security on
> the folder from the paymentreceived.php page so that the user can
> access the relevant download.

As Freebird said, the user will somehow need to get "login" info, and if I were
you, I would keep the mp3 folder outside the htdocs/html directory tree, so
that the songs can't be accessed from the web (no direct links).

Generate a key when you have got confirmation that the payment has been done;
this key you link to the song that has been bought (I assume you have some
database where you store the data).

The user goes to a download page and enters the key (maybe some more data,
depending on how your system otherwise looks), and the database checks for the
key and sees which file is to be downloaded, and then you open the file
with fopen() and use fpassthru() to send the file in question.

This way you can't request a specific file by name, there is no direct
link to the file, and download is only possible if someone knows the key. If
someone is just trying random keys, they will never know what they get if they
are lucky enough to guess one (if you have a login system for your
site, then don't forget to connect the key to a user too; this raises the
security a lot).

Of course you will need to delete keys. This can be more difficult, as you need
to know whether the person has managed to download the whole mp3 or not, but when
you are sure that someone has downloaded the file, then delete the key.

//Aho
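
A sketch of the flow described in the post above (key issued after payment, bound to a user, file streamed with fopen()/fpassthru() from outside the web root, key deleted after a completed transfer), added here as an example and not code from the poster. The table layout, the `MP3_DIR` path, the in-memory SQLite database and all function names are assumptions.

```php
<?php
// Added example, not the poster's code. Table, path and function names are assumptions.
declare(strict_types=1);
const MP3_DIR = '/srv/private/mp3s';             // assumed folder outside the web root

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');            // stand-in for the site's real database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE download_keys (key_hash TEXT PRIMARY KEY, user_id INTEGER, file_name TEXT)');
    return $db;
}

// Call once the payment is confirmed; returns the key to show to the buyer.
function issue_key(PDO $db, int $userId, string $fileName): string {
    $key = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG, not guessable
    $db->prepare('INSERT INTO download_keys (key_hash, user_id, file_name) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $key), $userId, $fileName]);  // only the hash is stored
    return $key;
}

// Returns the file name for a valid key that belongs to this user, else null.
function lookup_key(PDO $db, int $userId, string $key): ?string {
    $st = $db->prepare('SELECT file_name FROM download_keys
                        WHERE key_hash = ? AND user_id = ?');
    $st->execute([hash('sha256', $key), $userId]);
    $name = $st->fetchColumn();
    return $name === false ? null : $name;
}

// Download page: the file is chosen by the database row, never by a request parameter.
function serve_download(PDO $db, int $userId, string $key): void {
    $name = lookup_key($db, $userId, $key);
    $fh = $name === null ? false : @fopen(MP3_DIR . '/' . basename($name), 'rb');
    if ($fh === false) {
        http_response_code(404);                 // same answer for a bad key or a missing file
        return;
    }
    header('Content-Type: audio/mpeg');
    ignore_user_abort(true);                     // keep running so the check below executes
    fpassthru($fh);
    fclose($fh);
    if (!connection_aborted()) {                 // best-effort sign that the client got it all
        $db->prepare('DELETE FROM download_keys WHERE key_hash = ?')->execute([hash('sha256', $key)]);
    }
}

if (PHP_SAPI === 'cli') {                        // constructed demo data
    $db = open_db(); $key = issue_key($db, 7, 'song.mp3');
    var_dump(lookup_key($db, 7, $key), lookup_key($db, 8, $key));
}
```

`connection_aborted()` only approximates "the whole mp3 was downloaded"; a buffering proxy in front of PHP can hide a dropped client, so an expiry time on the key is a useful backstop.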