[nycphp-talk] protecting download directory in PHP app on Unix box?

Justin Dearing zippy1981 at gmail.com
Wed May 28 11:41:02 EDT 2008


Kristina,

A proxy is the best way to go.

1) Create a table that has userid, pdfid (or just pdf filename) and
transactionid (from paypal). You don't need the transactionid for
this, but it's good for auditing.

2) Create a simple PHP proxy for serving the pdfs. It will take a
pdfid, or file name as a parameter. Have it set the mime type, open
the file and write the file contents to the web client. This allows
you to move the pdfs out of the web readable directory. Of course you
have no added security, yet.

3) At the top of the file make sure of 2 things:
   1 - The user is logged in
   2 - There is an entry in that table where userid and pdfid (or pdf
filename) matches.

People can then download as much as they want but only the files they
bought. You can add a timestamp to the above table and allow them
downloads for a limited amount of time.


On Wed, May 28, 2008 at 11:28 AM, Ben Sgro <ben at projectskyline.com> wrote:
> Hello Kristina,
>
> First off, don't have the PDFs "serveable" from Apache.
> Have them OUT of the web root.
>
> Second, after they pay, and get the IPN feedback to validate the sale,
> you could copy the pdf from your safe directory (outside of apache)
> to the webroot and rename it something unique.
>
> You could go so far as creating a maze of unique directories:
>
> ie: /ra123/poo/fluff/uuid123123123123.pdf
>
> Then remove it after 24 hours or something.
>
> - Ben
>
> Kristina Anderson wrote:
>>
>> This might be off topic as well...but I have a PHP app that submits to
>> Paypal and then on the "thank you" page, I provide a link to a PDF that they
>> bought.
>>
>> The server is Unix based, and before submitting the sale, I collect
>> various information about the user, and then when the transaction is
>> complete, I get a unique transaction ID from Paypal.
>>
>> What's the easiest, quickest way to provide some level of complexity to
>> the downloads so that people can't just go back into the directory and
>> download every PDF without paying?  It doesn't have to be 100% secure but
>> should be secure enough to keep out "most" people.
>>
>> I've been looking into .htaccess but wondering if that's overkill and
>> there isn't some way to authenticate against my DB information before
>> allowing the download?
>>
>> -- Kristina
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>>
>>
>
>
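
The proxy described in steps 1 to 3 of the reply above, sketched as an added example that is not code from this thread. The table layout, the `purchased_at` column, the one-week window, the SQLite path, the `<pdfid>.pdf` file naming and the `$_SESSION['userid']` key are all assumptions.

```php
<?php
// download.php?pdfid=N : added example of the proxy in steps 1-3.
// Assumed schema: purchases(userid INT, pdfid INT, transactionid TEXT, purchased_at INT)
declare(strict_types=1);

const PDF_DIR = '/var/app/private_pdfs'; // assumed path outside the web root
const DOWNLOAD_WINDOW = 7 * 24 * 3600;   // assumed time limit, in seconds

/** True if a purchase row matches this user and PDF and is still inside the window. */
function has_purchased(PDO $db, int $userId, int $pdfId, int $now): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM purchases
          WHERE userid = :uid AND pdfid = :pid AND purchased_at >= :cutoff'
    );
    $stmt->execute([':uid' => $userId, ':pid' => $pdfId, ':cutoff' => $now - DOWNLOAD_WINDOW]);
    return $stmt->fetchColumn() !== false;
}

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    exit($message);
}

session_start();
// Check 1: the user is logged in (key assumed to be set by the app's login code).
$userId = isset($_SESSION['userid']) ? (int) $_SESSION['userid'] : 0;
if ($userId < 1) {
    deny(401, 'Please log in.');
}
// An integer id means no client-supplied file name ever reaches the filesystem.
$pdfId = filter_input(INPUT_GET, 'pdfid', FILTER_VALIDATE_INT);
if (!is_int($pdfId) || $pdfId < 1) {
    deny(400, 'Bad request.');
}
// Placeholder DSN; point it at the application's own database.
$db = new PDO('sqlite:/var/app/shop.sqlite', null, null,
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$path = PDF_DIR . '/' . $pdfId . '.pdf'; // assumed naming: files stored as <pdfid>.pdf
// Check 2: same answer for "not bought" and "no such file", so ids cannot be probed.
if (!has_purchased($db, $userId, $pdfId, time()) || !is_file($path)) {
    deny(404, 'Not found.');
}
header('Content-Type: application/pdf');
header('Content-Disposition: attachment; filename="document-' . $pdfId . '.pdf"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

The "thank you" page would then link to `download.php?pdfid=N` rather than to the PDF itself, after the purchase row has been written.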


