Handling Purchased File Downloads

Making it so your website can handle file downloads is very important now-a-days. Either it be when you are giving out your free CD or if you want to distribute your software. The above two are simple, you simply link to a public location where the file is accessible. But what if you want users to buy your software or music? Now it gets a little more interesting.

The first obvious solution is to find a service that handles this, such as iTunes or a software distributor. But if you want a system built into your own website, we can help you.

Step 1: Payments

You will need a way to handle payments. Using PayPal is one of the easier ways to have your customers place orders and then for your website to know how much they paid, when they bought it, their address and other information. This tutorial isn’t about processing payments, but you should look at the IPN API over at PayPal to learn more, and maybe a future tutorial here…

But after you verify that your visitor has successfully bought the product (with the correct amount of money), you should link that user as to “owning the product” inside of your database. Make a table that has the columns of user_id, order_id, product_id, unique_url and any other information you may need. The unique_url column is a randomly generated string used to identify the download. You could also just assign a auto increment ID, but character URL’s will end up being shorter in length.

Step 2: Giving the user a Link

You now need to tell the user that they can download your goods. Sending an e-mail to your customer with a link to the download is the best idea. Along with sending an e-mail you should have a way so your user can sign in and see all the products they bought and be able to download them for future use. You can have the link named pretty much anything, but make sure you have a way to identify it, such as using the unique_url column in the database. Don’t use things such as the transaction ID to make the URL because that could be considered sensitive information.

An example of a URL I often use for downloads is as follows.

www.example.com/download/[unique_id].[file_extension]

Now the file_extension isn’t required but it helps give the user an idea of what they are downloading if they are familiar with file extensions. It’s a simple way to tell the user if it’s going to be a compressed folder, video, audio file, text document or what have you.

Step 3: Read the File

Now this is where the real handling of the file happens. Since your downloadable file should be out of the public directory of your website and located in a location that isn’t accessible from the internet, we have to read the file using a scripting language such as PHP. Once you verify that the user is logged in and you match them with the unique_url, read the file and display it to the user. Since functions like fread() can easily access files that are on the system but not in the website directory.

Also make sure you properly set the header of HTTP Response or else the user will just get a blank screen of funky text. You will want to change the header value of “Content-type”.

And that is how file download works with paid downloads. You should be very cautious when working with payments and downloads. The above solution is a quick flowchart of how the process should be handled to prevent users from being able to download any file on the website that they wish.