PHP: Let user download purchased file ONLY

Question

I am forseeing a problem with allowing customers who purchase some content from me via PayPal. I will offer multiple, intangible goods. When someone completes their purchase for

Answer 1

While these other answers assume you have a session, with a username, it sounds as if you've just created a hash to a file to hide the filename. In other words, you might as well have a monkey hammer away on a keyboard and have that be your file name for each file you have.

It then sounds like you're concerned that a user will come by, pound on the keyboard, and somehow end up with an exact match to what your monkeys did. This is not likely.

What is more likely is that someone will copy and paste your link and share it. It sounds as if you need to add at least one more layer to your auth scheme (e.g. hash off of both a username and the item ID), or have links expire once used.

From your comment, it also sounds as if you're using the hash to identify the item on another part of your website, which means that users can determine the hash of an item by looking at the source on another part of your website. At this point, your security through obscurity is much like my using code words (e.g. "fish means John, cat means Lisa") while gossiping with someone and saying "the fish and the cat were making out", all while having a sheet of paper on the side with the mappings written down that anyone can see. It sounds like you're just trying to hide the file names so people can't guess them. This is known as security through obscurity, and doesn't really buy you much.

Most of the other answers are assuming that an item exists, and it will have multiple, different hashes pointing to it (e.g. file1, will have hash1, hash2, and hash3 all being valid links to it). In this case, they've created multiple hashes and each hash is unique to a certain user + item. I think they're also assuming that everyone on the website you would refer to the download item as item1 not hash1, which it sounds like you're doing?

You might be better off just creating a dictionary somewhere in your code that has mappings between the name of the item, and the hash, and then only on the download page, substitute the hash for the name. Again, this is only security through obscurity, the link could be shared, but people wouldn't be able to get the hash just be browsing your site.