June 29, 2013 at 9:32 am #9277 Sev Member
Hi, I have eStore and eMember. On a member-only protected page, I’m using an HTML image map with href coordinates to enable members to download documents (PDFs, audio, video etc.). I decided not to enable eMember’s protection of the folder where the documents are stored – because it makes the member log in twice (once to get to the download page, and another time to download a file) and this is a bit too much to ask of members.
So now for the question!…
I’m a bit worried that my full URL shows the location of my downloaded files – and I’ve been told that this poses a risk (a member could hack in here and distribute the downloads on the internet).
Ideally, all I think I need is to be able to hide the URL of the downloads – but I can’t find a WordPress plugin that doesn’t conflict with eMember that does this.
Even more ideal would be to have every download made into a product (for zero money) and use eStore’s excellent links to allow users to download from there – but since I’m using an image map, using WordPress short-codes doesn’t work (I’ve already asked this question on the PDF Stamper forum – and I’m told I would need to code a receiving URL page that would accept a query string – which is beyond my abilities right now).
So any suggestions on how to improve security of members’ downloads, gratefully appreciated. Thanks.

June 29, 2013 at 2:43 pm #56355 wzp Moderator
First, please read my “concept suggestion” from this thread.
Also, I would like to make it clear that you don’t need to hide the URL of your downloadable file if you are using WP eStore’s encrypted download system.
Next, create a PHP page, say mapped_downloads.php, that will process a query string as a parameter, as in: [http://mysite/mapped_downloads.php?file=3] where “3” is some hotspot ID number on your map.
Within the mapped_downloads script, use a case statement to validate the query string. This is to prevent hackers from specifying any old product ID. You may also want to validate the referrer to ensure the script was only called from the page containing your map.
Next, you need to code something that looks similar to what is contained in the Admin Functions Menu code to manually generate encrypted download links. Examine the wp_estore_admin_menu() function in wp_digi_cart_admin_menu.php and see how the $eStore_download_link is generated, based on the desired product ID and variation.
Once the encrypted download link is generated, fire it off!
Now, in the image map, use the appropriate query string call to the mapped_downloads.php file for each of your hrefs.
If I have time, in the next few weeks, I’ll create a proof of concept script for inclusion in the eStore “view” directory.
But keep in mind that once a member gets just one file legitimately, there is no stopping them from distributing the file themselves.

June 30, 2013 at 6:31 am #56356 Sev Member
Hi wzp – thanks for the helpful response. You are a star! I’ll get onto it now.
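
The validation steps described in wzp's reply for mapped_downloads.php, as an added example that is not part of the thread or of eStore's code. The map page URL, the hotspot-to-product table and the `$make_link` callable are assumptions; the real encrypted link has to come from eStore's own link-generation code.

```php
<?php
// Added illustration of the mapped_downloads.php checks; not eStore code.
// Assumptions: MAP_PAGE_URL, HOTSPOT_TO_PRODUCT and $make_link are hypothetical;
// the real encrypted link must come from eStore's own link-generation code.
const MAP_PAGE_URL = 'https://mysite.example/members/downloads/'; // constructed
const HOTSPOT_TO_PRODUCT = [1 => 101, 2 => 102, 3 => 103];       // constructed

/** Map a raw ?file= value to a product ID, or null if it is not allowlisted. */
function resolve_product_id($raw): ?int
{
    // Digits only: rejects arrays (?file[]=), paths, signs and whitespace.
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 4) {
        return null;
    }
    return HOTSPOT_TO_PRODUCT[(int) $raw] ?? null;
}

/** True when the Referer header points at the page holding the image map. */
function referrer_is_map_page(?string $referrer): bool
{
    // Referer is client-supplied, so this deters hotlinking; it is not access control.
    return $referrer !== null && strpos($referrer, MAP_PAGE_URL) === 0;
}

/** Decide the response as [HTTP status, redirect URL or null]. */
function decide(array $query, array $server, callable $make_link): array
{
    $product_id = resolve_product_id($query['file'] ?? null);
    if ($product_id === null) {
        return [404, null];
    }
    if (!referrer_is_map_page($server['HTTP_REFERER'] ?? null)) {
        return [403, null];
    }
    return [302, $make_link($product_id)];
}

// Hypothetical placeholder generator: swap in eStore's encrypted-link code.
$make_link = function (int $id): string {
    return 'https://mysite.example/?placeholder_link_for_product=' . $id;
};

// Constructed requests: valid, unknown ID, path-style value, wrong referrer.
$samples = [['3', MAP_PAGE_URL], ['9', MAP_PAGE_URL],
            ['../notes.pdf', MAP_PAGE_URL], ['3', 'https://elsewhere.example/']];
foreach ($samples as [$file, $ref]) {
    [$status, $url] = decide(['file' => $file], ['HTTP_REFERER' => $ref], $make_link);
    printf("%-13s from %-42s => %d %s\n", $file, $ref, $status, $url ?? '-');
}
```

In the deployed page, `decide()` would be called with `$_GET` and `$_SERVER`, and its result sent with `http_response_code()` and `header('Location: ...')`.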