safe download in php

Posted on 2011-04-25
Last Modified: 2013-11-18

I want my clients to download some small scripts from my website. I will be displaying the list of scripts and after the successful payment, I want to give them a link to download.

Now, my question is how to make the download safer. The client should not distribute the link or it should not be accessed directly. Any thoughts?
Question by:Haripriya Sathiish
    LVL 47

    Assisted Solution

    You can send them an email with a link that is valid for a period of time - say 72 hours.  The link is generated only for them from a random collection of letters and numbers and they use it by cutting and pasting the link from their email into the browser bar.  

    You also limit the number of downloads for that link.  Say three downloads and that is it.  That should be enough for them to download and backup to CD or external hard disk.  If they require more they'll have to email and explain why.

    Just make sure you make the link that you put in their email.  Best to back that up to a safe place.
    LVL 12

    Assisted Solution

    by:Mohamed Abowarda
    Generate a random hash, add it to the database and send it to your client's email. Each client will get a link with a different hash; the link will be as follows:

    Check your database, if the key is valid allow downloading if not disallow downloading.

    You can also delete the hash key after the download so the client will only be able to download it once.

    I also recommend that you allow the download 2-3 times and expire it in 24-48. This will require you to add fields in the database such as "GenerationTime", so that you compare the download time and GenerationTime to check whether the link has expired. You will also have to add another field, "Count", which will increase its value each time the client requests the download, so you can make the link expire after 2-3 download requests.
    LVL 34

    Expert Comment

    by:Beverley Portlock
    The downside to what you are considering is this - no matter how you protect the download, once they have downloaded it they can do what they like with it including redistribution.

    On that basis you might want to consider if it is worth the effort of protecting the download.

    LVL 8

    Assisted Solution

    If you are using PHP sessions you can use the following script, based on session validation. I'm using this for member downloads.
            // Your session validation goes here
            // $name is the server-side path of the file, $downloadname the name shown to the client
            $tag = @fopen($name, 'rb');
            if ($tag) {
                header('Content-type: application/zip');
                header("Content-Disposition: attachment; filename=".$downloadname);
                // Clear any Pragma / Cache-Control values set earlier (for example by session_start())
                header("Pragma: ");
                header("Cache-Control: ");
                header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
                header("Cache-Control: no-store, no-cache, must-revalidate"); // HTTP/1.1
                header("Cache-Control: post-check=0, pre-check=0", false);
                header("Content-Description: ".trim(htmlentities($downloadname)));
                header("Content-Length: ".(string)(filesize($name)));
                header("Connection: close");
                // Stream the file to the client and stop so nothing else is appended
                fpassthru($tag);
                fclose($tag);
                exit;
            } else {
                echo "<h1>Sorry....file does not exists.</h1>";
            }


    LVL 107

    Accepted Solution

    I agree with bportlock on this one, and at the same time I can understand wanting to collect payment for your work products.  Why make them download the scripts at all?  Why not just email the scripts to them once they have paid?

    If you really want to create a download layer, here is what I would do.

    Create a table of authorized downloads.  The table will contain a TIMESTAMP, a 32-byte key, a client id and a script id.  The 32-byte key will be created from a secret salt string, plus the client id (maybe the client email address, or whatever you keep in the session that indicates the client is logged in).  Create this key using md5().  Add a row or a few rows to this table whenever you have received payment - whatever is appropriate to associate the client with the script(s) they purchased.

    When you send the email to invite the client to make a download, send a link to the download script that contains the key.  It will look something like this:

    Make sure the download.php script is authenticated.  Once the client logs in, you can use the $_GET["key"] to look up the rows of the table that indicate permitted downloads.  Your query might take into account these WHERE factors:

    The TIMESTAMP is not older than three days.
    The client id in the data base matches the authenticated client id in the session.

    If you do these things and the client who bought the script publishes it in a public place, you're still screwed, but at least you will know that you took the right measures to authenticate the client for the download.  After that your only protection is legal - make sure you have prominent copyright notices and that your copyright is registered with the right authorities.

    Best of luck with it, ~Ray
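
The scheme the answers above describe (a per-client key in the emailed link, a 72-hour lifetime, a limited number of downloads, and the client id checked against the logged-in session), as an added example that is not code from any of the posters. It uses a random_bytes() token stored as a SHA-256 hash instead of the md5()-of-salt key; the table, column and function names, the SQLite backend and the sample ids are assumptions.

```php
<?php
// Added example; schema and names are assumptions, not from the thread.
const MAX_DOWNLOADS = 3;      // download limit suggested in the thread
const LINK_TTL = 72 * 3600;   // 72-hour lifetime suggested in the thread

function setup(PDO $db): void {
    $db->exec('CREATE TABLE downloads (
        token_hash TEXT PRIMARY KEY, client_id INTEGER NOT NULL,
        script_id INTEGER NOT NULL, created_at INTEGER NOT NULL,
        download_count INTEGER NOT NULL DEFAULT 0)');
}

// After payment: create the row and return the token for the emailed link.
function issueToken(PDO $db, int $clientId, int $scriptId, int $now): string {
    $token = bin2hex(random_bytes(16));   // 32 hex characters from the CSPRNG
    $ins = $db->prepare('INSERT INTO downloads
        (token_hash, client_id, script_id, created_at) VALUES (?, ?, ?, ?)');
    // Only the hash is stored, so a leaked table does not reveal usable links.
    $ins->execute([hash('sha256', $token), $clientId, $scriptId, $now]);
    return $token;
}

// In download.php: returns the script id to serve, or null to refuse.
function redeemToken(PDO $db, string $token, int $sessionClientId, int $now): ?int {
    $hash = hash('sha256', $token);
    // One UPDATE checks owner, age and count and consumes a download atomically.
    $upd = $db->prepare('UPDATE downloads SET download_count = download_count + 1
        WHERE token_hash = ? AND client_id = ? AND created_at > ?
          AND download_count < ?');
    $upd->execute([$hash, $sessionClientId, $now - LINK_TTL, MAX_DOWNLOADS]);
    if ($upd->rowCount() !== 1) {
        return null;   // unknown key, other client's key, expired or used up
    }
    $sel = $db->prepare('SELECT script_id FROM downloads WHERE token_hash = ?');
    $sel->execute([$hash]);
    return (int) $sel->fetchColumn();
}

// Constructed demo on an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setup($db);
$now = time();
$token = issueToken($db, 42, 7, $now);
var_dump(redeemToken($db, $token, 99, $now));                 // another client's session
var_dump(redeemToken($db, $token, 42, $now + LINK_TTL + 1));  // after expiry
for ($i = 0; $i <= MAX_DOWNLOADS; $i++) {                     // last pass exceeds the limit
    var_dump(redeemToken($db, $token, 42, $now));
}
```

In a real download.php the token would come from $_GET["key"] and the client id from the authenticated session, and the returned script id would be mapped to a file path on the server rather than taken from the request.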
    LVL 16

    Author Closing Comment

    by:Haripriya Sathiish
    Thanks all.
