Re: [nyphp-talk] protecting download directory in PHP app on Unix box?

Wed, 28 May 2008 08:47:28 -0700 

We did it this way:
1) when the paypal IPN comes back make an entry a database table that lists customers and pdf's. 


2) Point the download link to a php program, like 
download.php?file=x.pdf.  There are tricks here with doing it like 
/downloads/filename.pdf, but that can easily be added once you get the 
download.php program working.



3) The download.php checks the database table to see if they are 
allowed.  If not, return some kind of error.



4) If the user is clear, run code like this below, be sure not to send 
anything at all to the browser before this code runs, not even a blank line:


   $path = '....';
   $filename = '....';
  header('Content-Type: application/x-pdf');

  header('Content-Disposition: attachment; 
filename="'.strtolower($filename).'"');

  header('Content-Length: '.(string)(filesize($path.$filename)));
  readfile($path.$filename);


Kristina Anderson wrote:

This might be off topic as well...but I have a PHP app that submits to 
Paypal and then on the "thank you" page, I provide a link to a PDF that 
they bought.



The server is Unix based, and before submitting the sale, I collect 
various information about the user, and then when the transaction is 
complete, I get a unique transaction ID from Paypal.



What's the easiest, quickest way to provide some level of complexity to 
the downloads so that people can't just go back into the directory and 
download every PDF without paying?  It doesn't have to be 100% secure 
but should be secure enough to keep out "most" people.



I've been looking into .htaccess but wondering if that's overkill and 
there isn't some way to authenticate against my DB information before 
allowing the download?



-- Kristina 
_______________________________________________

New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php

  



--
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php






















					Reply via email to