[nycphp-talk] protecting download directory in PHP app on Unix box?
Kristina Anderson
ka at kacomputerconsulting.com
Wed May 28 13:49:34 EDT 2008
The entire app is written except for this part of it, and I am
expecting to be able to implement something with medium security in a
reasonable period of time, like, today :)
And the client has stated they do not want any solution where the
customer has to be emailed, they want a direct link for the download
right after payment.
I like the idea of using the transaction id/PDF id pair in a lookup
table to authenticate the redirect to a file download URL...
-- Kristina
> my question is do you really need to custom roll this out - there are a
> few apps (which are slipping my mind atm) that do exactly this out of
> the box..... ?
>
> 1) customer order is directed to paypal
> 2) on payment complete paypal notifies your script
> 3) customer receives download link via email
> 4) customer has X times to download the file within Y time
> 5) Admins can reactivate the order allowing X more times or Y time to
> download
> 6) works with any number of download products
>
> and that's just the framework method... you could use a zencart /
> freeway /x-cart if you needed a more robust solution
>
> Dan Horning
>
> American Digital Services - Where you are only limited by imagination.
> direct 1-866-493-4218 . main 1-800-863-3854 . fax 1-888-474-6133
> dan.horning at planetnoc.com
> http://www.americandigitalservices.com
>
>
> -----Original Message-----
> From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org]
> On Behalf Of Ajai Khattri
> Sent: Wednesday, May 28, 2008 12:18 PM
> To: NYPHP Talk
> Subject: Re: [nycphp-talk] protecting download directory in PHP app on
> Unix box?
>
> On Wed, 28 May 2008, Kristina Anderson wrote:
>
> > Hmm... I like this... if I copy the file to the web server I can name
> > the directory after their transaction ID....make unique directory for
> > each customer...then delete them after a day or so...we have lots of
> > room..is this doable on a shared host? ...outside "public_html" is
> > outside the root, or no?
>
> As someone else pointed out, you probably should NOT have Apache serve the
> PDF directly. Much better to generate a token that gets emailed to them
> when they checkout. During the checkout, you would need to make a record
> of the transaction and token. You will need to write a download script
> that takes the token, does some checks in your database and then returns
> the PDF directly with the correct MIME type.
>
> --
> Aj.
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
>
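The scheme Ajai describes above (token recorded at checkout, a download script that checks the database and returns the PDF with the right MIME type, nothing served by Apache directly) together with the transaction-id lookup-table idea in the reply, as an added example that is not code from the thread or from any of the posters. It assumes PHP 7.1+ with the PDO SQLite driver, a directory PDF_DIR that sits outside public_html, and a "downloads" table created inline; the table name, column names, limits and sample ids are all made up for the example. Only a SHA-256 of the token is stored, the file name never comes from the request, and the remaining-download counter is decremented in a single UPDATE so two parallel requests cannot both pass on the last download.

```php
<?php
// Added example, not code from the thread. Assumptions: PHP 7.1+ with the
// PDO SQLite driver, a directory PDF_DIR outside the web root, and the
// "downloads" table created below; names and limits are illustrative.
const PDF_DIR       = '/var/app/private_pdfs'; // assumed: not under public_html
const MAX_DOWNLOADS = 3;                       // "X times" in Dan's list
const TOKEN_TTL     = 86400;                   // "Y time": one day, in seconds

function open_db(): PDO {
    // In-memory SQLite keeps the example self-contained; a real app would
    // reuse its existing connection and create the table once.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE downloads (
        token_hash     TEXT PRIMARY KEY,
        transaction_id TEXT NOT NULL,
        pdf_file       TEXT NOT NULL,
        expires_at     INTEGER NOT NULL,
        downloads_left INTEGER NOT NULL)');
    return $pdo;
}

// Called once payment is confirmed. Returns the raw token to put in the
// customer's link; only its SHA-256 is stored, so a copied table does not
// by itself yield working links.
function issue_token(PDO $pdo, string $transactionId, string $pdfFile): string {
    $token = bin2hex(random_bytes(32));            // 256 bits, unguessable
    $stmt  = $pdo->prepare('INSERT INTO downloads
        (token_hash, transaction_id, pdf_file, expires_at, downloads_left)
        VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $transactionId,
                    basename($pdfFile), time() + TOKEN_TTL, MAX_DOWNLOADS]);
    return $token;
}

// Looks the token up, enforces expiry and the remaining count, and returns
// the path to stream, or null if the request must be refused. Nothing from
// the request reaches the filesystem: the file name comes from the DB row
// and goes through basename(), so it cannot escape PDF_DIR.
function authorize_download(PDO $pdo, string $token): ?string {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                // malformed token
    }
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare('SELECT pdf_file, expires_at, downloads_left
                           FROM downloads WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;                                // unknown or expired
    }
    // Decrement in one statement so two parallel requests cannot both pass
    // on the last remaining download.
    $upd = $pdo->prepare('UPDATE downloads SET downloads_left = downloads_left - 1
                          WHERE token_hash = ? AND downloads_left > 0');
    $upd->execute([$hash]);
    if ($upd->rowCount() !== 1) {
        return null;                                // count already exhausted
    }
    return PDF_DIR . '/' . basename($row['pdf_file']);
}

// Streams the file with the PDF MIME type instead of redirecting to a URL
// that Apache would serve to anyone who has it.
function send_pdf(string $path): void {
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string)filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

$pdo = open_db();
if (PHP_SAPI === 'cli') {
    // Offline walk-through: issue a token, use it up, watch it stop working.
    $t = issue_token($pdo, 'TXN-0001', 'receipt-0001.pdf'); // constructed ids
    for ($i = 1; $i <= MAX_DOWNLOADS + 1; $i++) {
        $p = authorize_download($pdo, $t);
        echo "attempt $i: ", $p === null ? 'refused' : $p, PHP_EOL;
    }
    echo 'malformed token: ',
         authorize_download($pdo, 'not-a-token') === null ? 'refused' : 'allowed', PHP_EOL;
} else {
    // As download.php?t=<token>, linked directly from the post-payment page
    // (no email step needed, which matches the client's requirement).
    $path = authorize_download($pdo, $_GET['t'] ?? '');
    if ($path === null) {
        http_response_code(403);
        echo 'This download link is not valid.';
        exit;
    }
    send_pdf($path);
}
```

Run from the command line it prints three accepted attempts followed by a refusal, then a refusal for the malformed token; behind the web server it expects the application's real database connection in place of open_db(). The transaction id is kept in the row so the admin "reactivate" step from Dan's list is a plain UPDATE of expires_at and downloads_left for that transaction.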