Hi,

I'm trying to figure out how I can have it so that a user buys a download.

For example, they buy a product through Paypal or whatever. Then, it redirects them to their downloads page where they can download the products that they have purchased.

As I was researching, no one has any tutorials on how this could be accomplished.

But here's what I came up with:

Maybe have a downloads.mysite.com where I have all of my files, and then have it be protected with a .htaccess file (so what would this .htaccess file have to say that makes it deny access to all files?). But then, could PHP allow access to a one-time download of a file?

Let me know your thoughts, and if you have any ideas on how this can be accomplished.

Thanks!

Maybe make a file that self destructs itself after 1 visit?

But if it has to be downloaded from different users... that won't exactly work. People will be able to buy the product and then go to a download page.

Copy the file each time for each user. More realistically, use PHP to generate an indirect link that only works once, based on a file whose URL is never shared.

OK, how could PHP create an indirect link like that?

If the file is purchased by a user save their ip address and if the user does not have that ip address or the ip address stored is more than a day old then redirect to the home page.

The ip address is stored in the database or a text file with an expiration date of 24 hours. I am more comfortable with using a database, but a simple text file should work just as well.

But how could you stop a user from downloading a, say PDF file?

I am not so sure redirects would work in this instance. If a person knows the file location he could just type in the file name directly and download the file. htaccess tends to relate to the entire folder and redirects can be evaded with knowledge of the file location. Storing the file in the database might work, but is impractical due to the size limits on the database.

SSL or TSL certificates might be the way to go here. I have not had the need or opportunity to use one myself, but involves a type of server side security. After going to godaddy to look at the cost it is about $99 for one year or 2 years for $75/year.

Another option is to encrypt the file names making it difficult to stumble upon the name by accident. Then, with another program, you can rename the files once a week or so.

There's actually a simple way to do this.

1. Create a database (or, if you absolutely can't use a database, a system of text files) storing unique codes for each user-- codes relate to a particular file.

2. Create a PHP page that recognizes these codes in the URL. For example mypage.php?code=12345. Of course you could also make this based on user logins, or anything else you'd like for security. But the code itself will essentially act as an indirect filename.

3. Based on the file that code relates to, serve that file (rather than HTML) to the user.
3a) You'll need to probably submit a correct header() to the user so they know what kind of file it is. You can look up more information on specific types of headers as needed.
3b) Use readfile() to actually output the whole file.

http://php.net/manual/en/function.header.php
http://php.net/manual/en/function.readfile.php

4. After you've sent them the file, delete the database entry for that code and it will no longer exist so the link won't work. I'm not sure I'd recommend doing this immediately-- maybe give them 24 hours before the link expires so it can continue to work if they need to save it twice (if the first download didn't work or something). Or maybe limit it to 3 instances. Your choice. It's easy enough with a database to do anything like that. Just add a new field for new information and do what you need with it.


As James mentioned, the one warning might be that if the file is very large it may slow down the server or be rejected based on memory limits. I'm not sure exactly how PHP performs this so if you plan to do anything larger than images or PDF files (like audio or video or programs) you'll probably want to look into some of the details on system resources related to that.

Brilliant! I can't think of a way around the security for that either. Thank you for that answer :)

Also, by the way, although the URLs for the actual files will never be shown to anyone, so they are probably completely safe, you can also place them in a protected directory. You can use .htaccess (or other methods) to hide it. Then PHP will still have permission to read the file because it operates within the server rather than through HTTP where htaccess is active.