PHP:只允许用户下载购买的文件 [英] PHP: Let user download purchased file ONLY
问题描述
我正在观看一个问题,允许通过PayPal从我那里购买一些内容的客户。我会提供多种无形商品。当有人为其中一个商品完成购买时,他们将被重定向到一个着陆页 - 我们称之为thank_you.php - 这将自动排队下载,并允许链接排队下载,以防万一不自动启动这将通过将唯一的项目ID传递到下载页面(download.php)来完成。
I am forseeing a problem with allowing customers who purchase some content from me via PayPal. I will offer multiple, intangible goods. When someone completes their purchase for one of these goods, they will be redirected to a landing page - let's call it "thank_you.php" - which will automatically queue up a download and allow a link to queue up download in case it doesn't start automatically. This will be done by passing the unique item ID to the download page ("download.php").
此方法基本上是这些线程的顶级答案的模拟:
This method is essentially a mimic of the top answers from these threads:
一个PHP脚本,让用户从我的网站下载文件,而不会透露我的网站中的实际文件链接?
但是,我担心,一旦用户在thank_you.php上,他们可以下载他们的项目,然后使用Firebug(或等同的)编辑项目ID并下载另一个不同的项目:
However, I fear that once the user is on "thank_you.php" they can download their item, then use Firebug (or equiv.) to edit the item ID and download another different item:
<a href="download.php/38a205ec300a3874c867b9db25f47c61">Download Here</a>
至
<a href="download.php/7c8ddc86c0e4c14517b9439c599f9957">Download Here</a>
我需要你们的想法和帮助,他们比我好多了:什么(&如何实现这一解决方案,仍然允许相同的客户访问和休闲,但防止这种操纵?
I need ideas and help from you guys who are far better at this than I: what (& how) could I implement as a solution that would still allow the same customer access and leisure, yet prevent this manipulation?
编辑:ID - hash用于预览和引用整个网站的项目,我不怕人们猜测,而是他们在一个单独的选项卡中浏览该网站,以获取其他ID,只是继续下载不同的项目。
EDIT: The ID-hashes are used to preview and reference the item throughout the site, I have no fear of people guessing but rather them browsing the site in a seperate tab to get the other IDs and just keep downloading different items.
推荐答案
付款时,可以将支付的可用下载的ID和随机哈希存储在付款表中。使用 哈希来获取ID。然后哈希应该不会与特定产品相关,而是与付款相关。
When they make the payment, store the ID of the download available to them, and a random hash - both in the payment table. Use that hash to then get the ID. The hash should then never relate to a specific product, but instead to a payment.
这篇关于PHP:只允许用户下载购买的文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
