Hiding Download Files

When using PayPal Digital Goods and PHP

by Kevin Wilson

Introduction

Are you using PayPal to sell digital goods and want to hide the location of your downloadable files? The technique in this page will use some simple PHP scripts to create a download page for your users while hiding the location of your downloadable files.

Overview

Basically, after purchasing your product the user will return from PayPal to a PHP script on your site. The script will create a temporary, randomized directory and then copy your download files from a protected location to the temporary directory. The user will then be redirected to a "thank you" page with a link(s) to the downloadable files in the temporary directory.

What do you do about all the temporary directories? And how do you prevent users (and their friends) from going back to the directories to re-download your files? A cron job will be set up to periodically delete the temporary directories and the copies of your downloadable files.

This technique isn't 100% secure because it reveals the location of your php script after payment. However, the revelation isn't obvious, and it's been working well for me.

Preparations

On Your Server

You need PHP installed on your hosting server and available in your hosting plan. Check with your hosting provider or access your cPanel to verify.

Before using the scripts, you'll need to create some directories on your server and copy some files there...

Note - you can change these file and folder names if you'd like.

You'll need an "assets" directory located in:

"/home/your_account/"

So the path will be:

"/home/your_account/assets/"

Typically, you'll place files in your directory located in:

"/home/your_account/public_html/"

But the "assets" directory will contain our hidden download files. The directory located at:

"/home/your_account/"

is typically not accessible to the user, so it should be a safe place to keep your downloadable files. You'll need to put a copy of your downloadable files in the "assets" directory.

You'll need a "temp" directory located in:

"/home/your_account/public_html/temp/".

You should set the proper directory permissions for the new directories to prevent errors when writing to them. I set my permissions to "0755".

PayPal

PayPal makes it easy to sell digital goods. Just set up a PayPal account (if you don't already have one), create a "Buy Now" button and add the button to your download page. When creating the button, be sure to set a URL for the "Take customers to this URL when they finish checkout" option. I'll tell you more about the return URL soon.

PHP Scripts

After paying with PayPal the user will be redirected to "make_temp.php". You can add random numbers and letters to the page name to help obscure it from the vulnerability I mentioned in the overview (example: "make_temp_s4dr6fy7kn883.php"). I'll refer to it as "make_temp.php".

The "make_temp.php" file can be placed in your directory here:

"/home/your_account/public_html/"

This script does not generate a web page so it will not be visible to the user and it should not be available using the back button in the browser.

The "make_temp.php" file will:

The "make_temp.php" will create the temporary directory using a random number as the directory name. The randomized directory name will be passed through a URL variable to the "thank_you.php" page.

Here is the "make_temp.php" code:

		<?php
		// generate a random number
			$random_number = mt_rand();
			
		// create the temp directory
		// the final slash in the path may cause errors in some circumstances
			$temp_dir = "/home/your_account/public_html/temp/" . $random_number;
			
			if(!mkdir($temp_dir))
			{
				echo "Sorry, something went wrong creating $temp_dir";
			}
			
		// copy the download file to temp directory 
			if(!copy("/home/your_account/assets/your_file.abc",$temp_dir . "/your_file.abc"))
			{
				echo "Sorry, something was wrong copying your_file.abc to $temp_dir";
			}
			
		// redirect to thank you html
		// pass the temp directory in the URL
		// do not send echo or printf before this line (excluding error messages)
			header("Location: http://www.your_site.com/thank_you.php?dir=".$random_number);
		?>
		

The "thank_you.php" page will:

Here is the "thank_you.php" code:

		<?php
		// get the temp directory from the URL 
			$temp_dir = $_GET['dir'];
		// set the path to the download file
			$file_path = "/temp/" . $temp_dir . "/your_file.abc";
		// create the download link
			if (!empty($temp_dir))
			{ 
				printf("Click here to download <a href=".$file_path.">your_file.abc</a>.");
			}
		?>
		

The "thank_you.php" page can also contain HTML to make the page look more like the other pages in your site, rather than a few words with a link.

Deleting Temporary Files

The temporary directory and the download file will need to be deleted after some period of time. A cron job created in cPanel is probably the easiest way to accomplish the task.

The following command will delete all files and folders in the temp directory that are older than 6 hours:

find /home/your_account/public_html/temp/* -mmin +360 -exec rm -r {} \;

"/home/your_account/public_html/temp/*" is the path to your temp directory. The "*" at the end of the path is a wildcard that will select every directory and file in the "temp/" directory.

"-mmin" specifies the number of minutes since the file was created, don't forget the + before the number of minutes.

"rm" will remove (delete) files and directories.

The "-r" option will remove the directory along with all of its contents.

I set my cron job to run every 2 hours, so on average the download files will be available in the temp directory for about 7 hours.

This should delete all files and folders in the temp directory. Be sure to get this command correct, otherwise you could delete the wrong directory, maybe even your entire site! Do you have a local backup copy of your web site files? Don't confuse your temp directory with other temp directories that may already be on your server.

Thanks to Mark van Zoest for helping with the cron job command!

Disclaimer

I'm not a PHP expert. I'm sure there are better ways to accomplish this. If this method does not work for you, I am not responsible for any loss of sales, data or anything else.

Contact Me

You may contact me at kevin@kevinsworkbench.com