download link...

Hi,

Before posting this question, I browsed around google and forums, but couldn't seem to find what I was looking for, mostly because I didnt know how to search for it.

Basically I have a site where ppl will login to download some .pdf. Very simple, but my problem is how to make sure its secure.

lets say the files to download are in files/ folder, how to i make sure nobody can just put in their address bar www.site.com/files and download it without becoming a member?

My first thought was to use htaccess, but I am using PHP/MySQL, and I want to implement a system with that. Can anybody help me?

Thank you

You need to disallow http access to the folder that contains the pdfs, so people cant get to domain.com/folder. Then write a php script that gets the pdf file the user requested and outputs it. Something like this:

<?php

if($loggedin) {

$pdf = file_get_contents('pdfs/'.$_GET['file']);
header('Content-type: application/pdf');
echo $pdf;

}
else {

echo 'You need to log in.';

}

?>

That basically checks if the user is logged in and if so will return the pdf file data, you also need to set the header content-type so the browser knows its getting a pdf back rather than an html file.

Well thats the thing, there wont be any login....the user will be redirected after payment...the redirection page will have the link (from mysql) that he can click and download

Then have thee script create a session for the user upon payment and do something like:



<?php

session_start()

if(isset($_SESSION['paid_file'])) {
$file = $_SESSION['paid_file'];
if($contents = file_get_contents('../f/pdf/' . $file)) {
header('Content-type: application/pdf');
echo $contents;
} else {
header('Location http://example.com/dlerror.shtml'); // Some file explaining possible problems why the file wasn't downloaded.
}
} else {
header('Location: http://example.com/dlerror.shtml');
}

?>



This file should be placed in a false download directory, like downloads/index.php

If you are using Apache then there are different methods to disable file downloads.

you could chmod the folder so that browsers do not have access
or you could use .htaccess to add protection.