I have a directory in my web space with images that I sell. PHP code validates payment through PayPal and then delivers the purchased image as an email attachment to the buyer. My concern is someone gaining access directly to the folder of images and downloading everything.
I can give the folder an unguessable name so no one can enter
But if someone got a hold of the PHP code they would see the unguessable name there. My understanding, though, is that Apache won't serve up any .php files so even if they knew the PHP file they needed was "fulfillorder.php" they couldn't get it from the server.
Am I thinking straight here or is there something else I should be doing to protect the images?
Thanks for any ideas.
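
Added example, not part of the original post: one way to address the concern above is to keep the images in a directory outside Apache's document root, where no URL maps to them, and have the fulfilment script read them from the filesystem. `IMAGE_STORE`, its placeholder path and `resolve_purchased_image()` are hypothetical names, and the temporary directory and file in the demo are constructed.

```php
<?php
// Assumption: the images live outside Apache's DocumentRoot, so they can only
// be reached by PHP reading the filesystem, never by a direct HTTP request.
const IMAGE_STORE = '/home/example/private_images'; // placeholder path

// Map a purchased image name to a real file inside the store, or throw.
function resolve_purchased_image(string $storeDir, string $requestedName): string
{
    // Keep only the last path component so "../" cannot climb out of the store.
    $name = basename($requestedName);
    if ($name === '' || $name[0] === '.') {
        throw new InvalidArgumentException('Invalid image name');
    }

    $store = realpath($storeDir);
    if ($store === false) {
        throw new RuntimeException('Image store is missing');
    }

    // realpath() resolves symlinks; confirm the result is still inside the store.
    $prefix = $store . DIRECTORY_SEPARATOR;
    $path = realpath($prefix . $name);
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('Image not found in store');
    }
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('Image is not a readable file');
    }
    return $path; // hand this path to the mail library as the attachment
}

// Constructed demo: a temporary directory stands in for the private store.
$demo = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'store_' . bin2hex(random_bytes(4));
mkdir($demo, 0700);
file_put_contents($demo . DIRECTORY_SEPARATOR . 'sunset.jpg', 'constructed sample bytes');

echo resolve_purchased_image($demo, 'sunset.jpg'), PHP_EOL;

try {
    // A traversal attempt is reduced to "passwd", which is not in the store.
    resolve_purchased_image($demo, '../../etc/passwd');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

If the folder has to stay under the web root, Apache 2.4's `Require all denied` on that directory blocks HTTP requests for it while PHP can still read the files from disk.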