serving purchased files

[eluser]slowgary[/eluser]
You'd probably need to have the user set up an account, capturing their email address (preferably sending them an email with a confirmation link). Then you'd use a payment gateway to collect their payment. Upon completed payment transaction you would set the file as downloadable for that user, using a date stamp for expiration.

So you'd have a few database tables:

Code:

Users
----------------------------------------------------
| user_id  |   name  |  email           | email_ok |
----------------------------------------------------
| 0        |   bob   |  [email protected]     | true     |
| 1        |   joe   |  [email protected]     | false    |
| 2        |  wendy  |  [email protected]   | false    |
----------------------------------------------------

Files
------------------------------
| file_id | file_name | cost |
------------------------------
| 0       | file.pdf  | 2.5  |
| 1       | pic.jpg   | .75  |
------------------------------

Downloadables
-------------------------------
| user_id | file_id | expiry  |
-------------------------------
| 0       | 1       | 3/24/09 |
| 0       | 0       | 3/10/09 |
-------------------------------

You'd have the user fill out a form, store the info in the 'users' table, and send them an email with a link in it back to a script on your site to confirm the email address. The link could have a few parameters like:

http://www.yoursite.com/email_confirm.ph...NLABSUFD7G

The validation string could be a hashed string, created from their user_id, username, and email address. So you'd do something like:

Code:

//get user info from database
//WARNING:  This is a terrible way to do this!!  NO SECURITY  (just an example)
$results = mysql_query("SELECT `name`, `email` FROM `users` WHERE `user_id` = '{$_GET['user_id']}'");

$results = mysql_fetch_assoc($results);

$hash = md5($results['name'].$results['email']);

if($_GET['validation'] == $hash)
{
     mysql_query("UPDATE `users` SET `email_ok` = 'true' WHERE `user_id` = '{$_GET['user_id']}'");
}

So now the user has an account with a confirmed email address. After selecting a file and paying through your gateway, you'd check which file they purchased and put an entry into the downloadables table:

Code:

mysql_query("INSERT INTO `downloadables` VALUES('{$_GET['user_id']}', '{$_GET['file_id']}', '".strtotime('+2 days')."'");

Then when a user logs in you'd have a script check the downloadables table for that user's files:

Code:

$results = mysql_query("SELECT `file_id`, `file_name` FROM `files` WHERE `file_id` IN (SELECT `file_id` FROM `downloadables` WHERE `user_id` = '$_GET['user_id']' AND `expiry` > '".time()."'"));

if(mysql_num_rows($results))
{
   echo "Select a file to download:<br/>";

  while(
     list(
          $file_id,
          $file_name
          ) = mysql_fetch_array()
     )
  {
      echo "$file_name <a href='downloader_script.php?file_id=$file_id&user;_id=$user_id'>download file</a><br/>";
  }
}
else
{
   echo "You have no files to download";
}

Then downloader_script.php would have to check the downloadables table again to make sure the user wasn't fudging the system, then it would have to check the files table and force-download the file, like so:

Code:

$result = mysql_query("SELECT `file_name` FROM `files` WHERE `file_id` IN (SELECT `file_id` FROM `downloadables` WHERE `file_id` = '$file_id' AND `user_id` = 'user_id')");

if(mysql_num_rows($results))
{
  $file_name = mysql_fetch_assoc($results);
  $file_name = $file_name['file_name'];

  $file_contents = read_file($file_name);  //some function to read file contents
  header('content-type/mime/type/blah blah:attachment');  //force download
  echo $file_contents //spew file contents
}

It would be good practice to keep the files above the web root, so that people can't just type in the url to your files. Also, the junk above is just a basic idea, don't in any way copy the code because it will make me puke for sure.

Hope that helps