Re: download page

Beth, If you think about it, whats to stop people from also giving out the password to their friends or publishing in blogs or forums and gaining access......there is no foolproof way of protecting anything thats on the web.
You can only make it as difficult as you can, so that its not worth the effort.

Re: download page

Hi George, I agree that it is always good to have an exchange of opinions.

Ok, let's see your points:

Yes, true. As long as it is a couple of files, then yes, that's acceptable. If you make a living by selling sogtware or images or e-books, you certainly do not leave these links in the air.

These links are not in the air, they are contained within a PHP file and as you yourself have pointed out in the past, server sided PHP scripts are more secure than html pages.(you cannot view the source code)


Protection in this case doesn't mean having a pass protection It means a whatever protection, usually by verifying the payment with PayPal. A simple protection, which does not require information from PayPal, is to see if the link that has led to the page, truelike. (The links from PayPal are of a certain type). This will at least protect you from amateur attempts of illegal download.

People normally use and pay paypal a commission on each sale in order to assure themselves that paypal has verified the payment, and will only return the client to the return page after verification.
This return page on the clients site Then leads to the download page.

I know that if someone uses a paypal cheque that you should wait until its cleared before allowing a down load, but how is this overcome without upsetting the client?? and why dosnt paypal advertise this fact ?

Not 100% True (in my opinion) . I don't know how and why, but Google has found many of my "hidden" (meaning without links to them) PDF's that i uploaded on my site for my client's to access simply giving them the direct link.

Nowadays, you can also instruct Google to ignore the links to files ending with .pdf or any other file type ending you wish.

Correct. Only that i (personally) don't like to change my return page every once in while. I prefer spending my time in other things.

A lot of sites use the time elapsed or 1 time download links for further protection, and I make a habit of not only changing my passwords from time to time but also my download links. In my opinion, its worth the small extra effort.

Beacuse i have built that page. And, i didn't make the link (with that strange name) public. And, remember, CiCi is worried about his security, since the page has been accessed a number of times. I will now set it so that the page is protected (using the IDC core for this purpose).

Be aware George, that your page has been replaced, as at the time, abvfp was not capable of storing the form details in a database, and this lady wished to have that facility which also includes a backend to view, update, delete etc, etc.
Your latest creation now takes care of all those functions......


David, please understand that i am, most of the times, speaking strictly from the technical point of view. I will also have a free version of my IDC limited to a single product, available for VH users as soon as possible. But, when it comes to sites that live from automatic downloads, then the above solutions are simply not acceptable. You need to have the links protected by a script, you need to NOT have the files stored in the site, and you need to verify that the client has paid before you can allow him to download.

George, from a technical and logical point of view, if the PHP script which controls access to and from the database is not secure, then how can the database itself be secure ???

A PHP script is a PHP script and whether it controls access to a database or access to a download link, then as server sided PHP IS secure then both types of script are secure...............

Yours cordially

Re: download page

Hi David,



These links are not in the air, they are contained within a PHP file and as you yourself have pointed out in the past, server sided PHP scripts are more secure than html pages.(you cannot view the source code)

Wrong: the php code is not visible, the html output of a php file is perfectly visible. So if the script creates the links duynamically after payment verification, tht's perfectly ok because no links will be there if payment has not been verified. But if the links are there, as html, they will be visible.


People normally use and pay paypal a commission on each sale in order to assure themselves that paypal has verified the payment, and will only return the client to the return page after verification.
This return page on the clients site Then leads to the download page.

I know that if someone uses a paypal cheque that you should wait until its cleared before allowing a down load, but how is this overcome without upsetting the client?? and why dosnt paypal advertise this fact ?

PayPal verifies the payment (if completed) or sends you (if you have the appropriate script for receiving the info) a "payment pending" notice. But this is not what i was refering to, i was refering in the case of a direct link to the page if someone malicious posted the link to a blog or forum.



Not 100% True (in my opinion) . I don't know how and why, but Google has found many of my "hidden" (meaning without links to them) PDF's that i uploaded on my site for my client's to access simply giving them the direct link.

Nowadays, you can also instruct Google to ignore the links to files ending with .pdf or any other file type ending you wish.

As said before, that is ok if the link to the download page is not published anywhere by malicious persons.

Correct. Only that i (personally) don't like to change my return page every once in while. I prefer spending my time in other things.

A lot of sites use the time elapsed or 1 time download links for further protection, and I make a habit of not only changing my passwords from time to time but also my download links. In my opinion, its worth the small extra effort.

Well, that's personal opinion. I would like having my files protected and just forget about them. Indeed that's why i states "personally".

Beacuse i have built that page. And, i didn't make the link (with that strange name) public. And, remember, CiCi is worried about his security, since the page has been accessed a number of times. I will now set it so that the page is protected (using the IDC core for this purpose).

Be aware George, that your page has been replaced, as at the time, abvfp was not capable of storing the form details in a database, and this lady wished to have that facility which also includes a backend to view, update, delete etc, etc.
Your latest creation now takes care of all those functions......

Please note that she has mailed me back, asking me to restore it back to what it was, with the new ABVFP, just 10 days ago. I have not had any further updates.


David, please understand that i am, most of the times, speaking strictly from the technical point of view. I will also have a free version of my IDC limited to a single product, available for VH users as soon as possible. But, when it comes to sites that live from automatic downloads, then the above solutions are simply not acceptable. You need to have the links protected by a script, you need to NOT have the files stored in the site, and you need to verify that the client has paid before you can allow him to download.

George, from a technical and logical point of view, if the PHP script which controls access to and from the database is not secure, then how can the database itself be secure ???

Who said that it isn't ? it takes a hell of a hacker to break it, and he certainly would not lose his time for an e-book.

A PHP script is a PHP script and whether it controls access to a database or access to a download link, then as server sided PHP IS secure then both types of script are secure...............

I agree, but as said, that kind of links (as in cici's download page) is NOT php.

Re: download page

What ive done before is store the files on the site, but have the php script rename them to a md5 string (so they are 32 characters long). When someone wants to download the files they click a link which just has a url variable to the row of the table in the database that contains both the original file name and the actual file on the site. It then creates a file for them to download using the php header() function that has the original name. This doesn't reveal the actual file location, and you can track how many times it been downloaded by a user either by their ip, or if you have a login system setup. I also chmod the directory that contains the actual files to where people can't access the directory or anything in it with their broswer (744 if I remember correctly).

This can prevent multiple downloads, unauthorized downloads, people letting their friends use their account to download, but no matter what, as people have already said, its impossible to prevent people from downloading the ebook and then sending it to their friends. (Short of embeding it in a program that requires them to enter an activation key that will check with the server before allowing the contents to be read, which still won't be 100%)

Re: download page

I use instead to store the files in the database, and output them also using the header funcion. That is also necessary for other reasons: if you have the application that opens the file installed on your computer, the files will be opened instead of saves. The header function allowes to save.
As for the unauthorized download, i have the scaript check with PayPal's database ALL the parametres of the payment, as well as the variables related to the order, which i pass to payPal. When the customer comes back to the return page, the script checks the payment details as well as the order deatails, and allowes or disallowes download. The first download date is stored in the database, and additional downloads are allowed for a Administrator defined period of days.