PHP: Let user download purchased file ONLY

Backend · Unresolved · 5 · 1115
天命终不由人 2021-02-06 13:32

I am foreseeing a problem with allowing customers who purchase some content from me via PayPal. I will offer multiple, intangible goods. When someone completes their purchase for

5 answers
  •  温柔的废话
    2021-02-06 14:27

    My original answer:

    You will need to store (be it in a database or a session variable) what items the user can access; for each you will generate a unique random token. That token will be used to identify the purchased item. Pass the token to the page where they will be able to download (either in a session variable, a POST argument or, as a last option, in the URL, i.e. GET). In the page, when you need to download, you will query the database/session variable using the session information to identify the customer and the passed token (however you passed it) and with that retrieve what file to download.

    If you need to keep a list of purchased items for re-download, you can do so too, but remember to create the tokens again when the user requests the download. You can also add an expiration date if you feel like it.


    Now I've mentioned a couple of alternatives; then again, by the nature of the cited answers I guess you will need more detail on how to do that.

    Maybe ernie is right, and I should not assume you have a session. Maybe I should show you how to do a session.

    So I'll take one of the options to implement, the simplest option.


    
    

    Now in the download page....

    
    

    Please observe that I do allow access to the file only from PHP, so I can verify first if the user has access. You should not allow the user to just put in the URL (even if he cannot guess it) and access the file. So if you are running your own server, you want to put those files outside of the server web folder, or if you are using a hosting service, protect them with .htaccess (or another mechanism your hosting provides).


    Commenting on this solution:

    It is simple, easy to implement. Yet it has some drawbacks:

    • If the session is terminated before the download, the user loses his money*.
    • There is no clear way to implement a re-download.
    • It is still vulnerable to session hijacking (far-fetched, I know, but better be safe).

    *: Say the connection was lost, and the session expired in the client. Oh, no, we don't need no happy customers.

    So, you really, really need to back this up with a database and create random tokens, preferably with an expiration date.
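The download gate the answer describes (the session identifies the customer, a random token with an expiry identifies the purchase, and the file is served only through PHP from a directory outside the web root), as an added example that is not the answerer's code. It assumes PHP 8, a PDO connection whose DSN and credentials are placeholders, a `purchases` table with the columns named in the comment, and the hypothetical directory `/var/files/private`.

```php
<?php
// Added example, not the original answer's code. Assumed table:
//   purchases(customer_id INT, token CHAR(64), file_name VARCHAR(255), expires_at DATETIME)
declare(strict_types=1);
session_start();
const FILE_DIR = '/var/files/private'; // assumed location, outside the document root

// Issue a fresh random token for a purchase (also used when a re-download is requested).
function issueToken(PDO $db, int $customerId, string $fileName, int $ttl = 3600): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars, unguessable
    $stmt = $db->prepare('INSERT INTO purchases (customer_id, token, file_name, expires_at)
                          VALUES (:cid, :tok, :file, :exp)');
    $stmt->execute([':cid' => $customerId, ':tok' => $token, ':file' => $fileName,
        ':exp' => (new DateTimeImmutable("+{$ttl} seconds"))->format('Y-m-d H:i:s')]);
    return $token;
}

// Return the absolute path the customer may download, or null when any check fails.
function resolveDownload(PDO $db, int $customerId, string $token): ?string
{
    // Reject anything not shaped like a token we issued before touching the database.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    // The row must belong to this customer AND carry this token AND not be expired.
    $stmt = $db->prepare('SELECT file_name FROM purchases
                          WHERE customer_id = :cid AND token = :tok AND expires_at > NOW()');
    $stmt->execute([':cid' => $customerId, ':tok' => $token]);
    $fileName = $stmt->fetchColumn();
    if ($fileName === false) {
        return null;
    }
    // basename() plus a realpath() prefix check pins the result inside FILE_DIR.
    $base = realpath(FILE_DIR);
    $path = realpath(FILE_DIR . '/' . basename((string)$fileName));
    return ($base !== false && $path !== false && str_starts_with($path, $base . '/')) ? $path : null;
}

// The download page itself: identity comes from the session, the token from POST (not the URL).
$db = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'change-me'); // assumed DSN
$token = is_string($_POST['token'] ?? null) ? $_POST['token'] : '';
$customerId = $_SESSION['customer_id'] ?? null;
$path = $customerId === null ? null : resolveDownload($db, (int)$customerId, $token);
if ($path === null) {
    http_response_code(403);
    exit('Access denied');
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Because the query requires the session's customer id as well as the token, a leaked token alone is useless to another account, and the expiry column gives the re-download path the answer asks for without keeping tokens valid forever.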
