
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 377

safe download in php


I want my clients to download some small scripts from my website. I will be displaying the list of scripts and after the successful payment, I want to give them a link to download.

Now, my question is how to make the download safer. The client should not distribute the link or it should not be accessed directly. Any thoughts?
CWS (haripriya)
4 Solutions
You can send them an email with a link that is valid for a period of time - say 72 hours.  The link is generated only for them from a random collection of letters and numbers and they use it by cutting and pasting the link from their email into the browser bar.  

You also limit the number of downloads for that link.  Say three downloads and that is it.  That should be enough for them to download and backup to CD or external hard disk.  If they require more they'll have to email and explain why.

Just make sure you make the link that you put in their email.  Best to back that up to a safe place.
Mohamed Abowarda (Software Engineer) Commented:
Generate a random hash, add it to the database and send it to your client's email; each client will get a link with a different hash. The link will be as follows:


Check your database: if the key is valid, allow the download; if not, disallow it.

You can also delete the hash key after the download so the client will only be able to download it once.

I also recommend that you allow the download 2-3 times and expire the link after 24-48. This will require you to add fields to the database such as "GenerationTime", so that you can compare the download time with GenerationTime to check whether the link has expired, and another field "Count", which is incremented each time the client requests the download, so you can make the link expire after 2-3 download requests.
Beverley Portlock Commented:
The downside to what you are considering is this: no matter how you protect the download, once they have downloaded it they can do what they like with it, including redistribution.

On that basis you might want to consider whether it is worth the effort of protecting the download.

If you are using PHP sessions you can use the following script, based on session validation. I'm using this for member downloads.
<?php
// Your session validation goes here.
// $name is the server-side path of the file and $downloadname the name shown
// to the client; resolve both from a server-side lookup, not from raw user input.

$tag = fopen($name, 'rb');
if ($tag) {
    header('Content-type: application/zip');
    header('Content-Disposition: attachment; filename="' . basename($downloadname) . '"');
    header("Pragma: ");
    header("Cache-Control: ");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
    header("Cache-Control: post-check=0, pre-check=0", false);
    header("Content-Description: " . trim(htmlentities($downloadname)));
    header("Content-Length: " . (string) filesize($name));
    header("Connection: close");
    fpassthru($tag); // stream the file body to the client
    fclose($tag);
    exit;
}
echo "<h1>Sorry....file does not exist.</h1>";

Ray Paseur Commented:
I agree with bportlock on this one, and at the same time I can understand wanting to collect payment for your work products.  Why make them download the scripts at all?  Why not just email the scripts to them once they have paid?

If you really want to create a download layer, here is what I would do.

Create a table of authorized downloads.  The table will contain a TIMESTAMP, a 32-byte key, a client id and a script id.  The 32-byte key will be created from a secret salt string, plus the client id (maybe the client email address, or whatever you keep in the session that indicates the client is logged in).  Create this key using md5().  Add a row or a few rows to this table whenever you have received payment - whatever is appropriate to associate the client with the script(s) they purchased.

When you send the email to invite the client to make a download, send a link to the download script that contains the key.  It will look something like this:

Make sure the download.php script is authenticated.  Once the client logs in, you can use the $_GET["key"] to look up the rows of the table that indicate permitted downloads.  Your query might take into account these WHERE factors:

The TIMESTAMP is not older than three days.
The client id in the database matches the authenticated client id in the session.

If you do these things and the client who bought the script publishes it in a public place, you're still screwed, but at least you will know that you took the right measures to authenticate the client for the download.  After that your only protection is legal - make sure you have prominent copyright notices and that your copyright is registered with the right authorities.

Best of luck with it, ~Ray
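The token scheme that Mohamed and Ray describe above (a key stored with the client id, a timestamp and a use counter, checked by download.php after the client has logged in), as an added example that is not code from any of the answers. It keeps the table in an in-memory SQLite database via PDO so it runs stand-alone, and uses a random token from random_bytes() in place of the md5(salt + client id) key; the table and column names, MAX_DOWNLOADS, TTL_SECONDS and the sample ids are assumptions.

```php
<?php
// Added example, not code from the thread: a per-client download token that
// expires after TTL_SECONDS or MAX_DOWNLOADS uses, kept in in-memory SQLite via
// PDO so the file runs stand-alone. A random token stands in for the md5 key.

const MAX_DOWNLOADS = 3;           // "say three downloads and that is it"
const TTL_SECONDS   = 72 * 3600;   // "valid for a period of time - say 72 hours"

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE downloads (token TEXT PRIMARY KEY, client_id TEXT,
               script_id TEXT, created INTEGER, count INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Run once payment is confirmed; the returned token goes into the emailed link.
function issueToken(PDO $db, string $clientId, string $scriptId): string
{
    $token = bin2hex(random_bytes(16));   // 128 random bits: not guessable
    $db->prepare('INSERT INTO downloads (token, client_id, script_id, created)
                  VALUES (?, ?, ?, ?)')->execute([$token, $clientId, $scriptId, time()]);
    return $token;
}

// Run by download.php after session login. Returns the script id to serve (map it
// to a server-side path, never a client-supplied filename) or null when the token
// is unknown, expired, exhausted or bound to another client. Bumping the counter
// in the same UPDATE stops two concurrent requests from both passing "count < MAX".
function redeemToken(PDO $db, string $token, string $sessionClientId): ?string
{
    $upd = $db->prepare('UPDATE downloads SET count = count + 1
                         WHERE token = ? AND client_id = ? AND created > ? AND count < ?');
    $upd->execute([$token, $sessionClientId, time() - TTL_SECONDS, MAX_DOWNLOADS]);
    if ($upd->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT script_id FROM downloads WHERE token = ?');
    $sel->execute([$token]);
    return $sel->fetchColumn() ?: null;
}

$db    = openStore();                                 // constructed walk-through, made-up ids
$token = issueToken($db, 'client-42', 'script-7');
var_dump(redeemToken($db, $token, 'client-42'));      // first download: allowed
var_dump(redeemToken($db, $token, 'other-client'));   // same link from another login: refused
for ($i = 1; $i < MAX_DOWNLOADS; $i++) {
    redeemToken($db, $token, 'client-42');            // uses up the remaining quota
}
var_dump(redeemToken($db, $token, 'client-42'));      // quota exhausted: refused
```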
CWS (haripriya), Author, Commented:
Thanks all.
