Protecting purchased digital products from being downloaded by cheapskates?

[Spinethetic]

Hello, sorry I havent posted in a while but this is probably a simple script resolve.

lets say I am selling a digital product for download, ie: PDF ebook. After the customer pays through PayPal IPN they will be redirected to the thank you page where they can download the product....simple enough. However I soon realized that anyone who 'happens' to have the link to my thank you page can just bypass the Payment altogether!

What little snippet of code could I embed onto the thank you pages to detect whether they got to the page from Paypal then display the default content, else if they ended up on the page from some other source, whether directly or from a website other than my own, then redirect them to the payment page? Thus forcing them either to pay or leave?

Best Regards
~Ross Vaughn

[Spinethetic]

I suppose a simpler way to rephrase my query would be: how can I display custom content depending on where the visitor came from?

ie: Lets suppose Dynamicdrive.com has a link on their site to incoming.php , and so does Google right on their front page ( dont we all wish?! ;-).

How can I make it display 'Welcome Dynamic Drive people' if they clicked from dynamicdrive.com or 'Welcome Google people' if they clicked from google.com?

Best Regards
~Ross

[james438]

The following will detect the referring http address:

PHP Code:

<?php
$page_name = $_SERVER['HTTP_REFERER'];
echo $page_name;
?>

The following is a javascript redirect script:

PHP Code:

<script type="text/javascript">
window.location = "http://www.google.com/"
</script> 


Or you could use some variation of the following which loosely puts script 1 and 2 together:

PHP Code:

$page_name = $_SERVER['HTTP_REFERER'];
$page_name=substr($page_name,0,15);
if  ($page_name != 'http://www.ebay')
{
header("location: http://www.google.com");
exit();
}
?> 


I thought about using strpos($haystack, $needle), but it seems to me that it would be too easy to spoof.

[djr33]

You are not selling products, but selling licenses to products. So each time someone buys a license, give them a key to unlock it, stored in your database, that allows one download (within 24 hours, sometimes). Then if they really need to download it again, just have them give you their key and unlock it again, but you can that way limit how many times they download it.

[Spinethetic]

OK i found this tutorial That looks like it would be what I'am looking for:

PHP Code:

<?php
$goodrefer1 = "paypal.com";
$goodrefer2 = "www.paypal.com";
$goodrefer3 = "alertpay.com";
$goodrefer4 = "www.alertpay.com";

$referer = $_SERVER['HTTP_REFERER'];

// Check if browser sends referrer url or not
if ($referer == "") {
$domain = $goodrefer1;
} else {
$domain = parse_url($referer); //If yes, parse referrer
}

if($domain['host'] == $goodrefer1 || $domain['host'] == $goodrefer2) || $domain['host'] == $goodrefer3) || $domain['host'] == $goodrefer4) {

// Run your dowloading code here normally

} else {

// They have not made payment for the download so redirect them to the payment page
header("Location: http://yoursite.com/purchase.php");
exit(); //Stop running the script

}

?>

However during my search I found other forums where people questioned the security of this method. As though someone could spoof it... how can can someone spoof incoming from PayPal's "payment recieved" page?

Best Regards
~Ross Vaughn

[djr33]

There are a couple problems with that:

1. The "http referrer" is just something the browser sends-- if someone wants, they can control this (though it's not something an average user can do.. it would have to be intentional). Likewise, this value is not always reliable, so in some browser it might not transfer well and someone who actually just purchased it wouldn't be able to download it.

2. If someone who did purchase the product has connection trouble, wants to download on another machine, etc., they will only be able to download by clicking that link THEN, not by saving it and going to the URL later. If possible, it's best not to make it hard for people to download what they did purchase or your tech support issues will become complex (not to mention people being unhappy with using your services).

A license method, like I said above, would be a way to get around all of this, but it does require more work on your part.

[borikenMedia]

set a cookie tru the download and straw it on the download end.