5 Security
We are almost ready to go online! The best approach in our case might be .htaccess files, but that solution will not work on Windows hosting, at least at cheap web-hosting providers, because you have to modify Apache's httpd.conf to make it work.
So the .htaccess solution is not platform independent. Another big problem with .htaccess is that the buyer does not want to write down a login and password just to download an e-book; he wants an easier and more direct way. So, even though .htaccess is the best way to secure a folder on the web, we decided not to apply it to this type of business plan.
Let's take another look at Figure 20. The only way to reach our secret files is through the pdthtml.php page, so the big risk is that a search engine could crawl this page and find our secret link. The good news is that pdthtml.php is not crawlable, since its body carries the NOINDEX, NOFOLLOW directive. This tells search-engine robots not to index pdthtml.php (NOINDEX) and not to follow the links on that page (NOFOLLOW).
<META NAME="ROBOTS" CONTENT="NOINDEX, NOFOLLOW">
Listing: pdthtml.php has the NOINDEX and NOFOLLOW attributes
Even if pdthtml.php is crawled by an evil bot, the same page still validates your transaction id. You get an error if any of the following is true:
- there is no transaction id
- the transaction id is incorrect
- the product id is incorrect
- the product name is incorrect
- the product price is incorrect
- the product currency is incorrect
- the page was not invoked from pdthtml.php
- the maximum number of downloads for that valid transaction has already been reached
If you want maximum security, go to the PayPal settings.php file and set the 'Max_downloads' attribute to one.
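The checks listed above, written out as one PHP function, as an added example (this is not the e-book's pdthtml.php or DownloadManager.php code). The function name validate_download_request(), the 'product' key under $SettingsDownload and the in-memory $transactions array are this example's own assumptions; the request field names item_number, item_name, mc_gross and mc_currency are the PayPal PDT/IPN variable names as I recall them, and the transaction id is a constructed sample value.

```php
<?php
// Added example, not the e-book's own code. Assumed settings: 'Max_downloads'
// and 'file_path' exist in the e-book's PayPal/settings.php; 'product' is this
// example's own key holding what the shop actually sells.
$SettingsDownload = [
    'Max_downloads' => 2,
    'product' => [
        'id'       => 'EBOOK-01',
        'name'     => 'My E-Book',
        'price'    => '9.99',
        'currency' => 'USD',
    ],
];

// Constructed transaction store: txn_id => downloads already served.
// A real shop would keep this in a database row written when PayPal confirms
// the payment, so that an id nobody paid for can never appear here.
$transactions = [
    '8XY12345AB678901C' => 0,
];

/**
 * Apply the eight checks to one download request.
 * Returns null when the download may proceed, otherwise a short reason string.
 * Log the reason; show the visitor only the generic failure message, so that
 * the error text does not reveal which check a guessed request got past.
 */
function validate_download_request(array $req, array $settings, array &$transactions): ?string
{
    $txn = $req['tx'] ?? '';
    if ($txn === '') {
        return 'no transaction id';
    }
    // Compare against the store of confirmed transactions, never just a format
    // check: a well-formed but unknown id is still an incorrect id.
    if (!array_key_exists($txn, $transactions)) {
        return 'incorrect transaction id';
    }
    $p = $settings['product'];
    // Each product field must match what was sold; otherwise a confirmed
    // purchase of a cheaper or different item could be replayed here.
    if (($req['item_number'] ?? '') !== $p['id'])       return 'incorrect product id';
    if (($req['item_name'] ?? '')   !== $p['name'])     return 'incorrect product name';
    if (($req['mc_gross'] ?? '')    !== $p['price'])    return 'incorrect product price';
    if (($req['mc_currency'] ?? '') !== $p['currency']) return 'incorrect product currency';
    // The "invoker" check. A Referer header is chosen by the client and is
    // easily stripped or forged, so it is a weak hint, not a security boundary;
    // the transaction checks above are what actually protect the file.
    if (($req['referer'] ?? '') !== 'pdthtml.php') {
        return 'invoker was not pdthtml.php';
    }
    if ($transactions[$txn] >= $settings['Max_downloads']) {
        return 'max downloads reached';
    }
    $transactions[$txn]++;   // count this download against the transaction
    return null;
}

// Constructed requests: the buyer downloads twice, then tries a third time.
$good = ['tx' => '8XY12345AB678901C', 'item_number' => 'EBOOK-01',
         'item_name' => 'My E-Book', 'mc_gross' => '9.99',
         'mc_currency' => 'USD', 'referer' => 'pdthtml.php'];
foreach ([1, 2, 3] as $attempt) {
    $reason = validate_download_request($good, $SettingsDownload, $transactions);
    echo "attempt $attempt: " . ($reason ?? 'OK, serve the file') . "\n";
}
// The friend who received the bare link arrives with no transaction id at all.
$reason = validate_download_request(['referer' => ''], $SettingsDownload, $transactions);
echo 'direct visit: ' . ($reason ?? 'OK') . "\n";
```

With 'Max_downloads' set to 2, the third attempt from the same transaction is refused and the direct visit fails at the very first check. Note that the counter is incremented only after every other check has passed, so a failed attempt does not consume one of the buyer's downloads.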
A low number of download attempts per valid transaction id is recommended, but you may well decide not to use a really low number such as one download per transaction, and here is why. Suppose someone has made a valid transaction and reached the pdthtml.php page: he passes all the tests and DownloadManager.php gives him a valid download link. In our example we suppose 'Max_downloads' = 2.
He downloads his copy and then mails the secret URL to a friend.
The friend clicks the link, but it does not respond, because the invoker is not the page pdthtml.php; so let's say he goes to pdthtml.php directly.
That page will not respond to him either, because he has no valid transaction id. If you are not convinced, open this link in Firefox:
http://localhost/05Demo/PayPal/Code/pdthtml.php
You will get this message: 'Your transaction has been failed. Please contact with us at company@email.com'.
So, as you can see, there are many restrictions on the way to a valid download link, and all of them come for free with this e-book; access through the pdthtml.php page is fairly secure. Now let's cover the case of a direct attempt to find the zipped files. Search engines crawl everything, so we must be very careful here. It is time to use robots.txt. robots.txt is a file that tells web spiders and other web robots not to access all or part of a website that is otherwise publicly viewable. Many people use robots.txt in the wrong way. Here is a quick example based on '05Demo'.
User-agent: *
Disallow: /SecretDownloads/556622/abggretttt77/jjMMn54VrtP/xyz321/
Disallow: /PayPal/
Listing: Wrong use of robots.txt
This robots.txt is valid, but it is a very high-risk file. It is true that search engines that see it will exclude the folders /SecretDownloads/556622/abggretttt77/jjMMn54VrtP/xyz321/ and /PayPal/ from indexing, but remember that robots.txt is a public text file located at the root of your site. Anyone can simply type www.yoursite.com/robots.txt and see this sensitive information. This is a really bad way to write robots.txt.
Let's now look at the example '06Demo' (download demo 06). It is the same as '05Demo', except that it has three new folders: public, tmp and stats. The SecretDownloads folder still exists but is empty. The product files are now located at
/stats/59M/AA4446669033/556622/abggretttt77/jjMMn54VrtP/xyz321 .
User-agent: *
Disallow: /public/
Disallow: /tmp/
Disallow: /SecretDownloads/
Disallow: /stats/
Disallow: /PayPal/
Listing: Correct use of robots.txt
The robots.txt in the listing "Correct use of robots.txt" is much better than the one in the listing "Wrong use of robots.txt". The SecretDownloads folder and the other empty folders are decoys meant to distract hackers; our products are located in the stats folder! Notice that we only list the first component of the secret path (stats) in robots.txt, so none of its sub-paths will be indexed by crawlers either, and the full secret path is never disclosed. In this way the disadvantage of a public robots.txt that exposes sensitive paths becomes a disadvantage for the hackers! Remember to go to PayPal\settings.php and edit $SettingsDownload['file_path'] as in the listing "Update the secret Path".
$SettingsDownload['file_path'] = '../../stats/59M/AA4446669033/556622/abggretttt77/jjMMn54VrtP/xyz321/';
Listing: Update the secret Path
$SettingsDownload['file_path'] = '../../public/59M/AA4446669033/556622/abggretttt77/jjMMn54VrtP/xyz321/';
Listing: Update the secret Path under Windows
Of course you are not obliged to choose 'stats' as the main secret path; we are just giving examples here. Use your imagination. Important notice: in '06Demo' we added three more CSS alternatives. Besides BlueStyle.css you will find GreenStyle.css, RedStyle.css and YellowStyle.css. If you want to try one of these styles, just change the style attribute on every PHP page (for example index.php) from BlueStyle.css to the one you would like to try.
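An added example of how the secret directory in $SettingsDownload['file_path'] can be used once a request has been validated; it is not the e-book's DownloadManager.php and goes one step beyond the text: instead of handing the buyer a link into the directory, PHP streams the file itself. The 'files' whitelist key and the functions resolve_product_file() and serve_product_file() are this example's own; the directory layout is the one from '06Demo'.

```php
<?php
// Added example, not the e-book's own code. 'file_path' follows the listing
// "Update the secret Path"; the 'files' whitelist is this example's assumption.
$SettingsDownload = [
    'file_path' => __DIR__ . '/../../stats/59M/AA4446669033/556622/abggretttt77/jjMMn54VrtP/xyz321/',
    // Only file names listed here can ever be served, whatever the request says.
    'files' => ['ebook.zip'],
];

/**
 * Map a requested file name to an absolute path inside the secret directory.
 * Returns the path to stream, or null if the request must be refused.
 */
function resolve_product_file(string $requested, array $settings): ?string
{
    // 1. Whitelist: the name must be exactly one of the known product files.
    if (!in_array($requested, $settings['files'], true)) {
        return null;
    }
    // 2. Canonicalise both sides and require the result to stay below the
    //    secret directory, so "../" or symlink tricks cannot reach other files.
    $base = realpath($settings['file_path']);
    $full = realpath($settings['file_path'] . $requested);
    if ($base === false || $full === false) {
        return null;                        // directory or file does not exist
    }
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;                        // escaped the secret directory
    }
    return $full;
}

/** Stream the file as an attachment and ask caches and crawlers to ignore it. */
function serve_product_file(string $full): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($full) . '"');
    header('Content-Length: ' . (string) filesize($full));
    header('Cache-Control: no-store');
    header('X-Robots-Tag: noindex, nofollow');   // complements the robots.txt rules
    readfile($full);
}

// Usage, after the transaction checks of pdthtml.php have accepted the request:
$full = resolve_product_file($_GET['file'] ?? '', $SettingsDownload);
if ($full === null) {
    http_response_code(404);        // same answer for "unknown" and "forbidden"
    exit('File not found.');
}
serve_product_file($full);
```

Because the file is read by PHP rather than fetched by URL, $SettingsDownload['file_path'] may point above the document root; a directory that is not reachable by URL at all needs no robots.txt entry and cannot be discovered by reading robots.txt. While the directory stays below the document root, as in '06Demo', the robots.txt rules and the long random path remain the only thing standing between a crawler or a guesser and the zip file, so the download counter and transaction checks should still gate every request.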