Hi, I have a digital product for download, and I have just found out that I am letting it out for free. An incoming link to my site was found on a blackhat forum and from there someone worked out where my product was. I currently have an IPN script in place to deliver the script, however that is of no use if the product is being freely downloaded. What is the best way to secure it, and is there a way to make it protected so that it can't be downloaded, just attached in an email? Thanks, this hole has been open for 15 days without my knowing, and in that period sales have been slightly down, so I really want to work out how to fix this. Thanks
Keep the file outside of the www directory & create one-time-use links to the file. The links will point to a script which fetches the file & sends it to the client, then marks the link to point to an expired page. You can let a handful of "hey my link broke" complaint emails slip through on expired links & hand the file over, but after a certain point it becomes obvious that someone's passing the link around & you can deny further such requests for that link. You can just tell such complaints for links which had never been issued that the "check is in the mail" so to speak.
OK, I never thought of that. Should I create my own script or is there one that you would recommend? I have it set up to email the product in an attachment, so should I use expiring links or not?
Now if it's sending it as an attachment, all you have to do is move the file outside of the www directory & maybe alter a file permission depending on what accounts have access to what on the server. I thought you were emailing a link to the file.
What joebert said would do. It's more secure. But I personally prefer 1-time links for product downloads. They allow you to: a) control your customers' behaviour b) profit from "link-passers", i.e., you could redirect them to the order page, or to another of your domains.
Thanks for the help. I am sorry if this is a noobish question, but how exactly do you link to files outside the public_html directory? I have searched Google (probably with the wrong terms) and can't find the answer.
You will not actually "link" the file per se. When email is involved, the script which handles the emailing will work like it normally does, you'll just be changing the path of the file where the script is attaching it to the email to the file's new location. When email is not involved, a script will read the contents of the file and pass them on to the visitor as basically what is an anonymous or dynamically generated file to download.
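The one-time-link scheme and the "script reads the file and passes it on" step described in the replies above, as an added Python example that is not part of any post in this thread. The table layout, the 24-hour lifetime, the 404/410 status codes and the function names are assumptions made for illustration; the product directory is a constructed temporary folder standing in for a location outside the web root.

```python
import hashlib, os, secrets, sqlite3, tempfile, time

# Constructed stand-in for a directory outside the web root (e.g. a sibling of public_html).
PRODUCT_DIR = tempfile.mkdtemp(prefix="products_")
with open(os.path.join(PRODUCT_DIR, "product.zip"), "wb") as fh:
    fh.write(b"constructed sample payload")

TTL = 24 * 3600  # assumed link lifetime in seconds
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE links (h TEXT PRIMARY KEY, filename TEXT,"
           " expires REAL, used INTEGER DEFAULT 0, retries INTEGER DEFAULT 0)")

def _h(token):
    # Store only a hash so a leaked table does not yield working links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_link(filename, now=None):
    """Call after the payment is verified; the token goes into the emailed URL."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO links (h, filename, expires) VALUES (?, ?, ?)",
               (_h(token), filename, now + TTL))
    db.commit()
    return token

def redeem(token, now=None):
    """Return (http_status, body) for a download request."""
    now = time.time() if now is None else now
    # One UPDATE claims the link atomically: only one request can flip used 0 -> 1.
    claimed = db.execute("UPDATE links SET used = 1"
                         " WHERE h = ? AND used = 0 AND expires > ?",
                         (_h(token), now)).rowcount
    if claimed == 0:
        # Count repeat hits on issued links; never-issued tokens match no row.
        known = db.execute("UPDATE links SET retries = retries + 1 WHERE h = ?",
                           (_h(token),)).rowcount
        db.commit()
        return (410, b"link expired") if known else (404, b"not found")
    db.commit()
    (filename,) = db.execute("SELECT filename FROM links WHERE h = ?",
                             (_h(token),)).fetchone()
    # basename() keeps the read inside PRODUCT_DIR even if the stored name is altered.
    with open(os.path.join(PRODUCT_DIR, os.path.basename(filename)), "rb") as fh:
        return 200, fh.read()

def retries(token):
    """Number of requests made for this link after it stopped being valid."""
    row = db.execute("SELECT retries FROM links WHERE h = ?", (_h(token),)).fetchone()
    return row[0] if row else None
```

The `retries` counter is what lets the seller tell a customer with a broken link apart from a link that is being passed around.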
Make a folder on your server, for example "download123", then in your robots.txt include this: User-agent: * Disallow: /download123/. Copy the new robots.txt to your server, then open Notepad, leave it blank and press Ctrl + S. Now save it to your desktop as index.html. Copy this file index.html to that folder download123 on your server. Very important... make sure you don't have a link to your download123 directory from your site. Copy your download program to your new folder download123, then point to it from PayPal or whatever script you use to the new folder... eventually give that program a new link name.