Allow a download only after someone paid?

ChrisF79
Forum Commoner
Posts: 26
Joined: Tue Apr 01, 2008 8:26 pm

Allow a download only after someone paid?

Post by ChrisF79 »

Greetings:

I'm finishing up a site where people can buy an ebook. The payments come through and I can see that they paid and everything is good there. The question is, how do I then, and only then, allow them to download the ebook? If I have the ebook in mywebsite.com/ebook/ as an example, how would I prevent someone from just going there and downloading it? Not sure how developers usually handle this, so any best practices or examples would be very helpful!

Thanks!
tvdhoff
Forum Newbie
Posts: 3
Joined: Fri Sep 18, 2009 3:04 pm

Re: Allow a download only after someone paid?

Post by tvdhoff »

Hi,

I've been experimenting with something like that too.
One of the things I came up with is generating a unique identifier for each file a user has permission for and then using mod_rewrite (http://httpd.apache.org/docs/1.3/mod/mod_rewrite.html) to link those identifiers to the actual file. This way the user doesn't get to see the actual URL and can only use his identifier, which you can revoke anytime when his allotted timeslot is up or when he doesn't pay his monthly fee or whatever.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Allow a download only after someone paid?

Post by Eran »

The most common practice is to use identifiers (hashes), but stored in a database and not through Apache. The files themselves are stored outside the document root and are served through PHP, which checks for a valid identifier in the database (and can expire it afterwards).
ChrisF79
Forum Commoner
Posts: 26
Joined: Tue Apr 01, 2008 8:26 pm

Re: Allow a download only after someone paid?

Post by ChrisF79 »

pytrin wrote: The most common practice is to use identifiers (hashes), but stored in a database and not through Apache. The files themselves are stored outside the document root and are served through PHP, which checks for a valid identifier in the database (and can expire it afterwards).
Could you give an example of this? So if I put the file outside of my public_html folder, do I just move it somewhere temporarily for them to download it and then delete it once the download is finished? I'm pretty new to this part of things.
tvdhoff
Forum Newbie
Posts: 3
Joined: Fri Sep 18, 2009 3:04 pm

Re: Allow a download only after someone paid?

Post by tvdhoff »

Got a nice explanation with useable code here: http://www.ardamis.com/2008/06/11/prote ... nique-url/
It's the same technique pytrin mentioned. Only thing to improve on this example is the protection of the key generator page.
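
The technique discussed in the replies above (an identifier stored in a database, the file kept outside the document root and streamed by PHP, the identifier expired afterwards), as an added example that is not part of the original thread or the linked article. The table layout, the paths and the function names issueToken and serveDownload are assumptions made for illustration.

```php
<?php
// Added example; table, column, path and function names are assumptions.
// Assumed schema: downloads(token_hash TEXT PRIMARY KEY, file TEXT,
//                           expires_at INTEGER, used INTEGER DEFAULT 0)
const PRIVATE_DIR = '/var/www/private/ebooks'; // outside the document root

// Call this only from the code path that has confirmed the payment server-side.
function issueToken(PDO $db, string $file, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256-bit unguessable identifier
    $sql = 'INSERT INTO downloads (token_hash, file, expires_at) VALUES (?, ?, ?)';
    // Store only a hash so a leaked database does not expose usable links.
    $db->prepare($sql)->execute([hash('sha256', $token), basename($file), time() + $ttl]);
    return $token; // goes into the link, e.g. download.php?t=<token>
}

function serveDownload(PDO $db, string $token): void
{
    $hash = hash('sha256', $token);
    // Atomically claim the token: succeeds once, and only before expiry.
    $claim = $db->prepare(
        'UPDATE downloads SET used = 1
         WHERE token_hash = ? AND used = 0 AND expires_at > ?'
    );
    $claim->execute([$hash, time()]);
    if ($claim->rowCount() !== 1) {
        http_response_code(403);
        exit('Link is invalid, expired or already used.');
    }
    $row = $db->prepare('SELECT file FROM downloads WHERE token_hash = ?');
    $row->execute([$hash]);
    // The file name comes from the database, never from the request.
    $path = PRIVATE_DIR . '/' . basename((string) $row->fetchColumn());
    if (!is_file($path)) {
        http_response_code(404);
        exit('File not found.');
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path); // stream in place; nothing is copied into the web root
}

// download.php entry point (the connection string is an assumption):
if (isset($_GET['t']) && is_string($_GET['t'])) {
    $db = new PDO('sqlite:/var/www/private/shop.sqlite');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    serveDownload($db, $_GET['t']);
}
```

The file is never moved or copied into a public folder: PHP reads it from the private directory on each valid request. Because the token is claimed before the transfer starts, an interrupted download uses it up; replacing the used flag with a small remaining-downloads counter is one way to allow retries.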