NYPHP.org

[nycphp-talk] protecting download directory in PHP app on Unix box?

Kristina Anderson ka at kacomputerconsulting.com
Wed May 28 14:25:39 EDT 2008


OK so something in the script like $filepath = ../pdf_folder/$filename

this is what I was asking about...how to reference that 
specifically...is there a specific function I need to call that uses 
this filepath or...?

> Have the files lie in a folder outside of public_html and reference
> the files via  ../pdf_folder/$filename.
> 
> 
> 
> On Wed, May 28, 2008 at 2:02 PM, Kristina Anderson
> <ka at kacomputerconsulting.com> wrote:
> > This is similar to what I was planning on doing...
> >
> > http://www.proofmagazine.com/getfile.php?tx=funkypaypaltransid&PDFid=1234&file=file.pdf
> >
> > authenticates against the transaction id / pdf id pair and then serves
> > up a file...but where does the file live and how does this page know
> > where to find it and etc...that's what I'm not clear on, can anyone
> > further explain this file=file.pdf aspect?
> >
> >> The entire app is written except for this part of it, and I am
> >> expecting to be able to implement something with medium security in a
> >> reasonable period of time, like, today :)
> >>
> >> And the client has stated they do not want any solution where the
> >> customer has to be emailed, they want a direct link for the download
> >> right after payment.
> >>
> >> I like the idea of using the transaction id/PDF id pair in a lookup
> >> table to authenticate the redirect to a file download URL...
> >>
> >> -- Kristina
> >>
> >>
> >> > my question is do you really need to custom roll this out - there are a
> >> > few apps (which are slipping my mind atm) that do exactly this out of
> >> > the box..... ?
> >> >
> >> > 1) customer order is directed to paypal
> >> > 2) on payment complete paypal notifies your script
> >> > 3) customer receives download link via email
> >> > 4) customer has X times to download the file within Y time
> >> > 5) Admins can reactivate the order allowing X more times or Y time to download
> >> > 6) works with any number of download products
> >> >
> >> > and that's just the framework method... you could use a zencart /
> >> > freeway /x-cart if you needed a more robust solution
> >> >
> >> > Dan Horning
> >> >
> >> > American Digital Services - Where you are only limited by
> > imagination.
> >> > direct 1-866-493-4218 . main 1-800-863-3854 . fax 1-888-474-6133
> >> > dan.horning at planetnoc.com
> >> > http://www.americandigitalservices.com
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> >> > On Behalf Of Ajai Khattri
> >> > Sent: Wednesday, May 28, 2008 12:18 PM
> >> > To: NYPHP Talk
> >> > Subject: Re: [nycphp-talk] protecting download directory in PHP app on Unix box?
> >> >
> >> > On Wed, 28 May 2008, Kristina Anderson wrote:
> >> >
> >> > > Hmm... I like this... if I copy the file to the web server I can name
> >> > > the directory after their transaction ID....make unique directory for
> >> > > each customer...then delete them after a day or so...we have lots of
> >> > > room..is this doable on a shared host?  ...outside "public_html" is
> >> > > outside the root, or no?
> >> >
> >> > As someone else pointed out, you probably should NOT have Apache serve the
> >> > PDF directly. Much better to generate a token that gets emailed to them
> >> > when they checkout. During the checkout, you would need to make a record
> >> > of the transaction and token. You will need to write a download script
> >> > that takes the token, does some checks in your database and then returns
> >> > the PDF directly with the correct MIME type.
> >> >
> >> >
> >> >
> >> > --
> >> > Aj.
> >> >
> >> > _______________________________________________
> >> > New York PHP Community Talk Mailing List
> >> > http://lists.nyphp.org/mailman/listinfo/talk
> >> >
> >> > NYPHPCon 2006 Presentations Online
> >> > http://www.nyphpcon.com
> >> >
> >> > Show Your Participation in New York PHP
> >> > http://www.nyphp.org/show_participation.php
> >> >
> >> >
> >> >
> 
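
The download script this thread describes, as an added example (not code from any poster): it checks the transaction id / PDF id pair in a lookup table, takes the filename from that row rather than from the file= parameter, and streams the PDF from a folder outside public_html. The purchases table, its columns, the SQLite DSN and the folder layout are assumptions.

```php
<?php
// getfile.php: added example. Assumed schema (not from the thread):
//   purchases(txn_id TEXT, pdf_id INTEGER, filename TEXT, expires_at INTEGER)
// Assumed layout: public_html/getfile.php, with pdf_folder/ beside public_html.
const PDF_DIR = __DIR__ . '/../pdf_folder';

/** Absolute path of the purchased file, or null if the request is not valid. */
function resolve_download(PDO $db, string $tx, int $pdfId, string $baseDir): ?string
{
    // The filename comes from the lookup row, never from the query string.
    $stmt = $db->prepare(
        'SELECT filename FROM purchases
          WHERE txn_id = ? AND pdf_id = ? AND expires_at > ?'
    );
    $stmt->execute([$tx, $pdfId, time()]);
    $filename = $stmt->fetchColumn();
    $base = realpath($baseDir);
    if ($filename === false || $base === false) {
        return null;
    }
    // Canonicalise, then confirm the result is still inside the download folder.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($filename));
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

/** Stream the file with the correct MIME type instead of redirecting to it. */
function send_pdf(string $path): void
{
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (PHP_SAPI !== 'cli') {
    $db = new PDO('sqlite:' . __DIR__ . '/../data/shop.sqlite'); // assumed DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $path = resolve_download($db, (string) ($_GET['tx'] ?? ''), (int) ($_GET['PDFid'] ?? 0), PDF_DIR);
    if ($path === null) {
        http_response_code(404);
        exit('Download not available.');
    }
    send_pdf($path);
}
```

Every failure returns the same 404, so the response does not reveal whether the transaction id, the PDF id or the file was the part that did not match.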




