NYCPHP Meetup

NYPHP.org

[nycphp-talk] protecting download directory in PHP app on Unix box?

Kenneth Downs ken at secdat.com
Wed May 28 11:44:33 EDT 2008 

We did it this way:

1) when the paypal IPN comes back make an entry a database table that 
lists customers and pdf's.

2) Point the download link to a php program, like 
download.php?file=x.pdf.  There are tricks here with doing it like 
/downloads/filename.pdf, but that can easily be added once you get the 
download.php program working.

3) The download.php checks the database table to see if they are 
allowed.  If not, return some kind of error.

4) If the user is clear, run code like this below, be sure not to send 
anything at all to the browser before this code runs, not even a blank line:

    $path = '....';
    $filename = '....';
   header('Content-Type: application/x-pdf');
   header('Content-Disposition: attachment; 
filename="'.strtolower($filename).'"');
   header('Content-Length: '.(string)(filesize($path.$filename)));
   readfile($path.$filename);


Kristina Anderson wrote:
> This might be off topic as well...but I have a PHP app that submits to 
> Paypal and then on the "thank you" page, I provide a link to a PDF that 
> they bought.
>
> The server is Unix based, and before submitting the sale, I collect 
> various information about the user, and then when the transaction is 
> complete, I get a unique transaction ID from Paypal.
>
> What's the easiest, quickest way to provide some level of complexity to 
> the downloads so that people can't just go back into the directory and 
> download every PDF without paying?  It doesn't have to be 100% secure 
> but should be secure enough to keep out "most" people.
>
> I've been looking into .htaccess but wondering if that's overkill and 
> there isn't some way to authenticate against my DB information before 
> allowing the download?
>
> -- Kristina 
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>   


-- 
Kenneth Downs
Secure Data Software, Inc.
www.secdat.com    www.andromeda-project.org
631-689-7200   Fax: 631-689-0527
cell: 631-379-0010

More information about the talk mailing list