Security, Stopping the back button from letting you go back to your last page?


3 replies to this topic

#1 spires
  • Members
  • Advanced Member
  • 492 posts

Posted 16 August 2006 - 08:25 PM

Hi,

I have created a shopping cart that sells MP3s.
Do you know if there is a way of stopping customers from going back a page? (once they have downloaded)

e.g.
1 - Login
2 - Download track (goes to download page).
3 - Once downloaded, go back to Download track (with the quantity refreshed).
4 - Download next track etc.

If you follow this path there are no problems,
however, when you are at stage 3 and use the browser back button instead of the link provided,
the quantity does not refresh and you can download thousands if you choose.

Is there any way of stopping this?
Thanks

#2 Jocka
  • Members
  • Advanced Member
  • 344 posts
  • Location: Dallas, Texas

Posted 16 August 2006 - 08:37 PM

Save all their selected tracks in the database and call to see what tracks they have selected and how many they selected. If so many, then they can't get any more, etc. You get the idea?

#3 tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 16 August 2006 - 09:00 PM

Ok, I use this script for downloading scripts and templates. You should be able to change it to suit your needs. After they download a file I update a table in the db. I call my table downloads.

Here are the fields that I have in the downloads table:
  • download_id
  • username
  • filename
  • date_downloaded

And here is the download.php

<?php
session_start(); // $_SESSION is only available after the session is started

// Directory that holds the downloadable files; change this to your own path.
// Files are always looked up inside this directory, never from a client-supplied path.
$download_dir = "/path/to/your/downloads";

function getaction($action) {
    switch($action) {
        case "download":
            getdownload(isset($_GET['type']) ? $_GET['type'] : "");
            break;
    }
}

function getdownload($type) {
    global $download_dir;

    // Referer check. Without the exit the file would still be sent after the 404 header.
    $allowed_referer = ($type == "free")
        ? "http://www.yoursite.com/yourpage.php"
        : "http://www.yoursite.com/something.php";
    if (!isset($_SERVER['HTTP_REFERER']) || $_SERVER['HTTP_REFERER'] !== $allowed_referer) {
        header("HTTP/1.1 404 Not Found");
        exit;
    }

    if (empty($_SESSION['username'])) {
        echo "You must be a member to download this file<br />";
        include("login.php");
        exit;
    }
    $username = $_SESSION['username'];

    // basename() strips any directory part the client sends (e.g. ../),
    // so only files inside $download_dir can be served.
    $filename = isset($_GET['filename']) ? basename($_GET['filename']) : "";
    $path = $download_dir . "/" . $filename;
    if ($filename === "" || !is_file($path)) {
        header("HTTP/1.1 404 Not Found");
        exit;
    }

    // Escape the values before they are placed in SQL strings.
    $esc_user = mysql_real_escape_string($username);
    $esc_file = mysql_real_escape_string($filename);

    switch($type) {
        case "free":
            // Free files: no limit, the download is only logged below.
            break;
        case "paid":
            // Paid files: refuse if this user has already downloaded this file once.
            $sql = sprintf("SELECT COUNT(*) AS `download_check` FROM `downloads` WHERE `username` = '%s' AND `filename` = '%s'", $esc_user, $esc_file);
            $res = mysql_query($sql) or die(mysql_error());
            $download_check = mysql_result($res, 0, 'download_check');
            if ($download_check > 0) {
                echo "You may not download this file more than once";
                include("somepage.php");
                exit(1);
            }
            break;
        default:
            header("HTTP/1.1 404 Not Found");
            exit;
    }

    // Record the download, then send the file.
    mysql_query("INSERT INTO `downloads` (`username`, `filename`, `date_downloaded`) VALUES ('$esc_user', '$esc_file', now())") or die(mysql_error());

    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Content-Type: application/force-download");
    header("Content-Disposition: attachment; filename=" . $filename);
    header("Content-Description: File Transfer");
    header("Accept-Ranges: bytes");
    header("Content-Length: " . filesize($path));
    readfile($path);
    exit;
}

getaction(isset($_GET['action']) ? $_GET['action'] : "");
?>

You may need to change the location of the download directory to your directory, but this should work. I use it for my downloads. This will hide the location of your file and will prevent direct linking. Now you link to it like this:
download.php?action=download&type=paid&filename=whatever.zip


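One way to make the server, not the browser, the authority on how many downloads remain, as an added example that is not code from this thread: a purchased slot is consumed by a single conditional UPDATE inside a transaction, so a request replayed via the back button, a refresh, or a second tab cannot pass a separate COUNT() check before the INSERT is written. The purchases table, its remaining column and the sample user are assumptions made for the demo; it uses PDO with an in-memory SQLite database so it runs on its own.

```php
<?php
// Added example (not from the thread): consume one purchased download slot
// atomically. Table names, columns and sample data are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE purchases (
    username  TEXT NOT NULL,
    filename  TEXT NOT NULL,
    remaining INTEGER NOT NULL,
    PRIMARY KEY (username, filename))");
$db->exec("CREATE TABLE downloads (
    username TEXT, filename TEXT, date_downloaded TEXT)");
// Constructed sample purchase: user 'alice' paid for two downloads of one track.
$db->exec("INSERT INTO purchases VALUES ('alice', 'track01.mp3', 2)");

// Returns true if a slot was consumed (the caller may then stream the file).
function consumeDownload(PDO $db, string $username, string $filename): bool
{
    $db->beginTransaction();
    // The WHERE clause is the check: the row only changes while a slot is left,
    // so two identical requests cannot both pass a separate COUNT() test first.
    $stmt = $db->prepare("UPDATE purchases SET remaining = remaining - 1
                          WHERE username = ? AND filename = ? AND remaining > 0");
    $stmt->execute([$username, $filename]);
    if ($stmt->rowCount() !== 1) {
        $db->rollBack();
        return false;            // nothing left to consume: refuse the download
    }
    $log = $db->prepare("INSERT INTO downloads VALUES (?, ?, datetime('now'))");
    $log->execute([$username, $filename]);
    $db->commit();
    return true;
}

// Three identical requests for a quantity of two (the back button resends the
// same request): the third is refused regardless of what the stale page shows.
foreach ([1, 2, 3] as $attempt) {
    $ok = consumeDownload($db, 'alice', 'track01.mp3');
    echo "attempt $attempt: " . ($ok ? "slot consumed, stream file" : "refused") . "\n";
}
```

In the real download.php the call to consumeDownload() replaces the COUNT()-then-INSERT pair and must run before any file bytes are sent.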

#4 spires
  • Members
  • Advanced Member
  • 492 posts

Posted 16 August 2006 - 09:13 PM

Cheers mate, I shall try it out.