PHP File Download Security


jamiet757

I have a PHP file that allows users to download a file if they purchased it, however I want to secure it a bit more. As of right now, the download link is something like download.php?id=1234

It selects the file to download based on the id, but I would like to add something else like &ticket=asdflkj34087FDJH80734j that will make it more secure. I can do something like making an encoded string with 1234username or something similar, but I am not sure what method to use. I want it to be easy for me to figure out how to generate the encoded string (i.e. function($id,$username) will output what I want).

Basically I just need something that will be checked so a wise person cannot just enter download.php?id=1235 and download other files than what they purchased.

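Well you would want to use some type of random hash then store it in the database. Then if the "ticket" var you have in the url exists for that user in the database the link is valid. Here is a way to generate it.

// random_int() draws from a CSPRNG (PHP 7+); rand() is predictable and unsuitable for tickets.
$salt = random_int(1000000, 99999999);
// $user is the account the ticket is issued to; store $ticket in the database for that user.
$ticket = sha1($user . $salt);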

I would like to do that, but some files are free, some users have subscriptions that allow them to download anything, and others have to purchase the item, so it is not feasible to use the database to store anything for the download links. Is there something that can be handled just in PHP that will have the same result?
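
One way to get a database-free ticket, as an added example that is not part of the original thread: sign the file id and username with an HMAC under a server-side secret, so download.php can recompute the ticket and compare it. The function names, the secret constant, the expiry field and the sample values are assumptions made for illustration.

```php
<?php
// Added example: stateless download tickets signed with HMAC-SHA256.
// TICKET_SECRET is a constructed placeholder; load a long random value from
// configuration outside the web root in a real deployment.
const TICKET_SECRET = 'replace-with-32-random-bytes-from-config';

// Hypothetical helper: ticket for one file and one user, valid until $expires.
function make_ticket(int $id, string $username, int $expires): string
{
    // Length-prefix the username so field boundaries are unambiguous.
    $message = $id . '|' . $expires . '|' . strlen($username) . ':' . $username;
    return $expires . '.' . hash_hmac('sha256', $message, TICKET_SECRET);
}

// Hypothetical helper: true only if the ticket was issued for this id and
// user and has not expired.
function check_ticket(int $id, string $username, string $ticket, ?int $now = null): bool
{
    $now = $now ?? time();
    $parts = explode('.', $ticket, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed ticket
    }
    $expires = (int) $parts[0];
    if ($expires < $now) {
        return false; // link has expired
    }
    // Recompute the ticket and compare in constant time with hash_equals().
    return hash_equals(make_ticket($id, $username, $expires), $ticket);
}

// Constructed sample values.
$now = 1700000000;
$ticket = make_ticket(1234, 'alice', $now + 3600);
var_dump(check_ticket(1234, 'alice', $ticket, $now));        // issued id and user
var_dump(check_ticket(1235, 'alice', $ticket, $now));        // id changed in the URL
var_dump(check_ticket(1234, 'bob', $ticket, $now));          // different user
var_dump(check_ticket(1234, 'alice', $ticket, $now + 7200)); // after expiry
```

The ticket only shows that the server issued this link to this user; whether the file is free, covered by a subscription or purchased is still decided when the link is generated, and the username should come from the logged-in session rather than the URL.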
