
I have files in folders placed above the web public_html root and wish to echo out hashed links to customers who have purchased products (digital downloads on an eCommerce store).

The account area page is .php and of course customers will access this page using their login/password and have access to view/download only their purchased products which are set to be displayed by getting the orders from the database using function call and echo'ing table row information on the page. The page is restricted access via authenticated customer(client_id) login/password.

My files' URL paths are written in a MySQL database so should be accessible on echo, but I want to hash the links so customers cannot simply share direct URLs on the web (as they do... pirates arrahhh!).

Am I ok placing said files simply above the root, or is it best practice to hash those links for added protection to avoid SQL injection as well... and if so, what code do I need to implement to protect things?

What I'm ultimately looking to do is protect the files server side and display a hashed link to those and only those customers that have purchased a/the product. But, I'm not sure (how to) what best protects me, my files and the customers' investment...?

Thanks!

What code can I use to distribute/print files securely to users, using PHP? I'm stuck for an answer.

Ashley Smith

1 Answer


I've solved this exact problem before. My strategy was to host files on Amazon CloudFront and use signed URLs. When the page is loaded, a URL is created for that user. You can restrict sharing these links by allowing the URL to be useful for a specific amount of time or by a specific IP, etc.

hirowatari

Thanks but I don't wish an additional cost of hosting as I have paid for that through GoDaddy. The links must have no expiry for customers to access as and when they please (login to account) and can't be stuck to an IP address as I'm sure most ISPs use dynamic and not static. Any other options, I'm looking for code? Cheers – Ashley Smith Aug 18 '15 at 20:21
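
The per-user signed link described in the answer above, sketched in PHP as an added example (not code from the answer, the question, or CloudFront): each link is signed with an HMAC bound to the logged-in customer and an expiry, and the file is streamed from a directory above the web root only after the purchase is re-checked. The secret, directory, `download.php`, and the `orders`/`products` table and column names are assumptions.

```php
<?php
// Added example: every name, path and the secret below is an assumption.
const LINK_SECRET = 'replace-with-long-random-secret-kept-outside-web-root';
const FILE_DIR    = '/home/example/private_downloads'; // hypothetical, above public_html

// Called on the account page: build a link for one customer and one product.
function make_download_link(int $clientId, int $productId, int $ttl = 300): string
{
    $expires = time() + $ttl;
    $sig = hash_hmac('sha256', "$clientId:$productId:$expires", LINK_SECRET);
    return 'download.php?' . http_build_query(['p' => $productId, 'e' => $expires, 's' => $sig]);
}

// The client id is taken from the session, never from the URL, so a copied
// link fails for anyone who is not logged in as the customer it was signed for.
function link_is_valid(int $clientId, int $productId, int $expires, string $sig): bool
{
    if ($expires < time()) {
        return false;
    }
    $expected = hash_hmac('sha256', "$clientId:$productId:$expires", LINK_SECRET);
    return hash_equals($expected, $sig); // constant-time comparison
}

// In download.php: serve_download($pdo);
function serve_download(PDO $db): void
{
    session_start();
    $clientId  = (int) ($_SESSION['client_id'] ?? 0);
    $productId = (int) ($_GET['p'] ?? 0);
    $expires   = (int) ($_GET['e'] ?? 0);
    if ($clientId === 0 || !link_is_valid($clientId, $productId, $expires, (string) ($_GET['s'] ?? ''))) {
        http_response_code(403);
        exit;
    }
    // Bound parameters only: request values never reach the SQL text.
    $stmt = $db->prepare('SELECT p.filename FROM orders o JOIN products p ON p.id = o.product_id
                          WHERE o.client_id = ? AND o.product_id = ?');
    $stmt->execute([$clientId, $productId]);
    $name = $stmt->fetchColumn();
    // basename() keeps a stored value from escaping FILE_DIR.
    $path = $name === false ? false : realpath(FILE_DIR . '/' . basename($name));
    if ($path === false || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Because the account page calls `make_download_link()` on every load, a short expiry limits how long a copied URL stays valid without limiting how often the customer can come back and download.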