Showing content with the highest reputation on 09/06/2019 in all areas

  1. Or I could just use the Print option and print the web page to a PDF file! In this case the decision on "HOW" to store the content is irrelevant from a security concern. Determine the best format based on the best delivery method for the user. Since the intent is not for the user to download for later use, then PDF is probably not the option. But, if I was a user on your site I would think it is pretty stupid that I can't download the content I paid for to read when it is convenient for me (i.e. on a plane for example). But, you just need to decide what makes sense for you. The security is irrelevant because each method can be adequately 'protected' from direct access: Static HTML, Dynamic HTML (from database) or PDF files. It just doesn't matter.

     If you take this approach the Chapters/sections should just be the raw HTML markup. They should all use a common stylesheet. Here is a very generic example. User goes to a url such as getbook.php?bookid=3&chapter=5 (a chapter/section id is only needed if the book is split up).

     ```php
     <?php
     $bookId  = intval($_GET['bookid']);
     $chapter = intval($_GET['chapter']);

     // userHasPermission() is a hypothetical placeholder for your own access check
     if (userHasPermission($bookId)) {
         // Define path to the content; use only the integer-cast values,
         // never the raw $_GET input, so the path cannot be redirected
         $bookContent = "/my_secured_directory/{$bookId}/{$chapter}.htm";
     } else {
         // Error condition - redirect user to an error page (hypothetical URL)
         header('Location: error.php');
         exit; // stop here so the include below never runs
     }
     ?>
     <html>
     <head>
         <!-- Include common stylesheet -->
     </head>
     <body>
         <!-- HTML that comes before the book output -->
         <div id="book_content">
             <?php include($bookContent); ?>
         </div>
         <!-- HTML that comes after the book output -->
     </body>
     </html>
     ```
    1 point
  2. And what is to stop someone from saving the content displayed in the webpage and sharing that just as they would with a PDF? Heck, the user can just "print" the web page to a file (PDF, HTML, etc.). Anything that is viewed on a webpage can be copied (even if you try to implement some JavaScript hacks - which you should NOT do). Storing the content in a database does nothing to prevent this type of tampering either. Regardless of whatever method used to deliver your content (PDF or HTML) - it doesn't matter.

     I think your concern is about people directly accessing the content. That is easy to control - don't put the files in publicly accessible areas! Put them in a directory that is outside of the public folders. Your PHP files when being processed will be able to access the files, but a user could not access them through a URL. After you validate that the user can view a particular resource, just include the file in the output. That will prevent unauthorized access to the content from your web server. But, as stated previously, once you present content to a user, there is really nothing you can do to prevent them from copying/saving the content.
    1 point
  3. Not even close. This code...

     ```php
     $product_details = "SELECT * FROM product WHERE product_id=".$_GET['product_id'];
     $prepare = $connect->prepare($product_details);
     $prepare->execute();
     ```

     ...would embed any SQL injection code contained in the GET into the query which would then be executed. (Just as an unprepared query would)

     In the correct version the injection code would only be treated as data and not part of the SQL code.
    1 point
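
The difference described in post 3, as an added example that is not part of the original thread: the same lookup written once with the value concatenated into the SQL before `prepare()` and once with a bound placeholder. It assumes `$connect` is a PDO handle (the thread does not say which driver is in use); the in-memory SQLite table, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Assumes $connect is a PDO handle.
// In-memory SQLite table and sample inputs are constructed so this runs offline.
$connect = new PDO('sqlite::memory:');
$connect->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$connect->exec('CREATE TABLE product (product_id INTEGER PRIMARY KEY, name TEXT)');
$connect->exec("INSERT INTO product (name) VALUES ('Widget'), ('Gadget'), ('Gizmo')");

// Pattern from the post: the request value becomes part of the SQL text,
// so prepare() receives a statement the caller has already rewritten.
function fetchConcatenated(PDO $connect, string $productId): array
{
    $sql = 'SELECT * FROM product WHERE product_id=' . $productId;
    $stmt = $connect->prepare($sql);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Bound version: the SQL text is fixed before any input is seen, and the
// value travels separately as a parameter, so it can only ever be data.
function fetchBound(PDO $connect, string $productId): array
{
    $stmt = $connect->prepare('SELECT * FROM product WHERE product_id = :id');
    $stmt->execute([':id' => $productId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed stand-ins for $_GET['product_id']: one ordinary id, one value
// carrying extra SQL.
foreach (['2', '2 OR 1=1'] as $input) {
    printf(
        "input %-10s concatenated: %d row(s)   bound: %d row(s)\n",
        "'" . $input . "'",
        count(fetchConcatenated($connect, $input)),
        count(fetchBound($connect, $input))
    );
}
```

For the second input, the concatenated query's WHERE clause is true for every row, so the whole table comes back, while the bound query compares the entire string to `product_id` as a single value.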
This leaderboard is set to New York/GMT-04:00