NYCPHP Meetup

NYPHP.org

[nycphp-talk] protecting download directory in PHP app on Unix box?

Ben Sgro ben at projectskyline.com
Wed May 28 11:28:52 EDT 2008


Hello Kristina,

First off, don't have the PDF's "serveable" from Apache.
Have them OUT of the web root.

Second, after they pay, and get the IPN feedback to validate the sale,
you could copy the pdf from your safe directory (outside of apache)
to the webroot and rename it something unique.

You could go so far as creating a maze of unique directories:

ie: /ra123/poo/fluff/uuid123123123123.pdf

Then remove it after 24 hours or something.

- Ben

Kristina Anderson wrote:
> This might be off topic as well...but I have a PHP app that submits to 
> Paypal and then on the "thank you" page, I provide a link to a PDF that 
> they bought.
>
> The server is Unix based, and before submitting the sale, I collect 
> various information about the user, and then when the transaction is 
> complete, I get a unique transaction ID from Paypal.
>
> What's the easiest, quickest way to provide some level of complexity to 
> the downloads so that people can't just go back into the directory and 
> download every PDF without paying?  It doesn't have to be 100% secure 
> but should be secure enough to keep out "most" people.
>
> I've been looking into .htaccess but wondering if that's overkill and 
> there isn't some way to authenticate against my DB information before 
> allowing the download?
>
> -- Kristina 
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
>   



More information about the talk mailing list