How to setup one time download of your files securely

If you are selling a digital product and want to offer it for download but are concerned that people will share the URL to the file, you could use a solution like ClickBank. However the advantage of setting up one time downloads from your server instead is that you have more control over what you are selling and you don't have to pay any fee's.

Let us assume that you have setup and integrated a payment solution (such as PayPal using the IPN, post coming soon on this) and you have a database setup that holds the payment information.

CREATE TABLE `transactions` (
`id` INT( 5 ) NOT NULL AUTO_INCREMENT PRIMARY KEY ,
`transaction_id` VARCHAR( 50 ) NOT NULL ,
`file_downloaded` TINYINT( 1 ) NOT NULL
) ;

Now we will create download.php which will be the link sent to the user after they have paid to download your files.

To keep it secure you would include the transaction ID (which would be unique to each payment) as part of the query string, so the link would be:

http://www.site.com/download.php?transaction_id=XX

Now you do need the files to be uploaded somewhere on your web server, however the location will never be revealed. The best way is to put them in a folder outside of the web root so that they cant be accessed via HTTP. However if this is not possible then put them in a folder name that cannot be guessed (use a random password generator if you don't have any ideas).

<?php
// Path to the files to be downloaded
$file = '/home/usr/files/blah.zip';

// Transaction ID
$transaction_id = $_GET['transaction_id'];

// Connect to database
mysql_connect('localhost', 'user', 'pass');
mysql_select_db('dbname');

// Lookup the transaction ID in the database
$query = sprintf("SELECT * FROM transactions WHERE transaction_id='%s'",
mysql_real_escape_string($transaction_id));
$query = mysql_query($query);
$row = mysql_fetch_array($query);

// Valid transaction ID?
if (!$row) {
  die('Invalid transaction ID!');
}

// File already been downloaded?
elseif ($row['file_downloaded'] == 1) {
  die('File has already been downloaded, please contact us if you have any problems');
}

else {

  // It's a valid transaction, update the database so that we know the file has been downloaded for next time
  $query = sprintf("UPDATE transactions SET file_downloaded = 1 WHERE transaction_id='%s'",
  mysql_real_escape_string($transaction_id));
  $query = mysql_query($query);

  // Now force the file to be downloaded
  header('Content-Description: File Transfer');
  header('Content-Type: application/octet-stream');
  header('Content-Disposition: attachment; filename='.basename($file));
  header('Content-Transfer-Encoding: binary');
  header('Expires: 0');
  header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
  header('Pragma: public');
  header('Content-Length: ' . filesize($file));
  ob_clean();
  flush();
  readfile($file);
  exit();

}
?>