
Security, Stopping the back button from letting you go back to your last page?


spires


Hi,

I have created a shopping cart that sells MP3s.
Do you know if there is a way of stopping customers from going back a page? (once they have downloaded)

e.g.
1 - Login
2 - Download track (goes to download page).
3 - Once downloaded, go back to Download track (with the quantity refreshed).
4 - Download next track, etc.

If you follow this path there are no problems;
however, when you are at stage 3 and use the browser back button, instead of the link provided,
the quantity does not refresh and you can download thousands if you choose.

Is there any way of stopping this?
Thanks

Ok, I use this script for downloading scripts and templates. You should be able to change it to suit your needs. Ok, after they download a file I update a table in the db. I call my table downloads.

Here are the fields that I have in downloads.
[list][*]download_id
[*]username
[*]filename
[*]date_downloaded[/list]


And here is the download.php

[code]
<?php
// download.php - serves a file from a fixed download directory, logs every
// download per user, and refuses a second download of a paid file.
// The session must be started before $_SESSION['username'] can be read.
session_start();

// Files are only ever served from this directory; the request supplies a bare
// file name, never a path. Change it to your own download directory.
define('DOWNLOAD_DIR', '/path/to/downloads');

// The original used the mysql_* functions, which no longer exist in PHP 7+;
// mysqli with prepared statements also closes the SQL injection via $filename.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
if ($db->connect_error) {
    header('HTTP/1.1 500 Internal Server Error');
    exit;
}

function not_found() {
    header('HTTP/1.1 404 Not Found');
    exit;   // the original sent the 404 header and then served the file anyway
}

function require_referer($page) {
    // The referer is supplied by the client and can be omitted or forged, so
    // this only discourages casual direct linking; it is not access control.
    if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] !== $page) {
        not_found();
    }
}

function require_login() {
    if (empty($_SESSION['username'])) {
        echo "You must be a member to download this file<br />";
        include 'login.php';
        exit;
    }
}

function resolve_file($name) {
    // Accept only a bare file name so "../" or an absolute path cannot make
    // readfile() return an arbitrary file from the server.
    if ($name === '' || $name !== basename($name) || $name[0] === '.') {
        not_found();
    }
    $path = DOWNLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        not_found();
    }
    return $path;
}

function record_download($db, $username, $filename) {
    $stmt = $db->prepare('INSERT INTO `downloads` (`username`, `filename`, `date_downloaded`) VALUES (?, ?, NOW())');
    $stmt->bind_param('ss', $username, $filename);
    $stmt->execute();
    $stmt->close();
}

function already_downloaded($db, $username, $filename) {
    // The original sprintf had a stray "$" in '$%s' and selected the alias
    // download_chek but read download_check; both are fixed here.
    $stmt = $db->prepare('SELECT COUNT(*) FROM `downloads` WHERE `username` = ? AND `filename` = ?');
    $stmt->bind_param('ss', $username, $filename);
    $stmt->execute();
    $stmt->bind_result($download_check);
    $stmt->fetch();
    $stmt->close();
    return $download_check > 0;
}

function send_file($path) {
    header('Pragma: public');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Description: File Transfer');
    header('Accept-Ranges: bytes');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

function getdownload($db, $type) {
    switch ($type) {
    case 'free':
        require_referer('http://www.yoursite.com/yourpage.php');
        require_login();
        $username = $_SESSION['username'];
        $filename = isset($_GET['filename']) ? $_GET['filename'] : '';
        $path = resolve_file($filename);
        record_download($db, $username, $filename);
        send_file($path);
        break;
    case 'paid':
        require_referer('http://www.yoursite.com/something.php');
        require_login();
        $username = $_SESSION['username'];
        $filename = isset($_GET['filename']) ? $_GET['filename'] : '';
        $path = resolve_file($filename);
        // Two simultaneous requests can both pass this check before either
        // INSERT runs; a UNIQUE KEY on (username, filename) in `downloads`
        // makes the second INSERT fail instead of serving the file twice.
        if (already_downloaded($db, $username, $filename)) {
            echo "You may not download this file more than once";
            include 'somepage.php';
            exit(1);
        }
        record_download($db, $username, $filename);
        send_file($path);
        break;
    default:
        not_found();
    }
}

function getaction($db, $action) {
    switch ($action) {
    case 'download':
        getdownload($db, isset($_GET['type']) ? $_GET['type'] : '');
        break;
    default:
        not_found();
    }
}

getaction($db, isset($_GET['action']) ? $_GET['action'] : '');
?>[/code]

You may need to change the location of the download directory to your directory, but this should work. I use it for my downloads. This will hide the location of your file and will prevent direct linking. Now you link to it like this:
[b]download.php?action=download&type=paid&filename=whatever.zip[/b]
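A point worth making explicit, since neither post spells it out: nothing the server sends can stop the browser's back button. The page that reappears on "back" is usually replayed from the browser's cache (sending `Cache-Control: no-store` on the download page makes most browsers re-request it instead, so the displayed quantity is current), but the display is cosmetic; a second click on the link is simply another request, and so is a double click or a second tab. The quantity therefore has to be enforced by the download endpoint itself, in a single atomic step, so it does not matter how many times the request is replayed. The example below is an added illustration of that pattern and is not the poster's script: it models the logic in Python with an in-memory SQLite database. The `entitlements` table (how many downloads of a file a user has left), the `/srv/mp3` directory, the user and file names, and all function names are assumptions; the `downloads` table mirrors the one in the reply.

```python
import os
import sqlite3

# Assumed download directory (not from the original post); files are only ever
# served from here and the request never supplies a path.
DOWNLOAD_DIR = os.path.realpath("/srv/mp3")


def init_db() -> sqlite3.Connection:
    """Create the two tables used below in an in-memory SQLite database.

    `entitlements` (an assumed schema) holds how many downloads of a file a
    user has left; `downloads` mirrors the log table from the reply.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE entitlements (
            username  TEXT NOT NULL,
            filename  TEXT NOT NULL,
            remaining INTEGER NOT NULL CHECK (remaining >= 0),
            PRIMARY KEY (username, filename)
        );
        CREATE TABLE downloads (
            download_id     INTEGER PRIMARY KEY,
            username        TEXT NOT NULL,
            filename        TEXT NOT NULL,
            date_downloaded TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
        );
        """
    )
    return conn


def grant(conn: sqlite3.Connection, username: str, filename: str, quantity: int) -> None:
    """Record a purchase of `quantity` downloads of `filename` for `username`."""
    with conn:
        conn.execute(
            "INSERT INTO entitlements (username, filename, remaining) VALUES (?, ?, ?)",
            (username, filename, quantity),
        )


def safe_path(filename: str) -> str:
    """Map a user-supplied file name onto DOWNLOAD_DIR, refusing traversal.

    Only a bare name is accepted: an empty name, anything containing a
    directory separator, or a dotfile is rejected before touching the
    filesystem, and the resolved path is checked to still sit in DOWNLOAD_DIR.
    """
    if not filename or filename != os.path.basename(filename) or filename.startswith("."):
        raise ValueError("invalid file name")
    path = os.path.realpath(os.path.join(DOWNLOAD_DIR, filename))
    if os.path.dirname(path) != DOWNLOAD_DIR:
        raise ValueError("file outside download directory")
    return path


def is_servable(filename: str) -> bool:
    """True if safe_path() accepts the name."""
    try:
        safe_path(filename)
        return True
    except ValueError:
        return False


def consume_download(conn: sqlite3.Connection, username: str, filename: str) -> bool:
    """Atomically spend one download; return False once the quota is used up.

    The UPDATE's WHERE clause performs the check and the decrement in one
    statement, so a replayed request (back button, double click, second tab)
    can never take the counter below zero: exactly `quantity` calls succeed.
    A one-time download, as for the reply's "paid" case, is simply quantity 1.
    """
    with conn:
        cur = conn.execute(
            "UPDATE entitlements SET remaining = remaining - 1 "
            "WHERE username = ? AND filename = ? AND remaining > 0",
            (username, filename),
        )
        if cur.rowcount != 1:
            return False
        conn.execute(
            "INSERT INTO downloads (username, filename) VALUES (?, ?)",
            (username, filename),
        )
    return True


def remaining(conn: sqlite3.Connection, username: str, filename: str) -> int:
    """Downloads the user still has left for the file (0 if none granted)."""
    row = conn.execute(
        "SELECT remaining FROM entitlements WHERE username = ? AND filename = ?",
        (username, filename),
    ).fetchone()
    return row[0] if row else 0


def demo():
    """Replay the question's scenario: buy 2 downloads, then request 3."""
    conn = init_db()
    grant(conn, "alice", "track01.mp3", 2)   # constructed sample data
    results = [consume_download(conn, "alice", "track01.mp3") for _ in range(3)]
    return results, remaining(conn, "alice", "track01.mp3")


if __name__ == "__main__":
    print(demo())
```

In the web handler, `consume_download()` runs before any file bytes are sent, and the file is read from `safe_path()` rather than from the query string. The referer check in the reply can stay as a nuisance filter for hotlinking, but it should not be relied on for anything: the header is client-controlled and is trivially omitted or forged.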
