
I need a program which allows users to download files with a password. Here's my algorithm:

  • User buys a license and gets a code like A_Long_And_Not_Guessable_Key
  • Then the user goes to my program, e.g. site.com/index.php?id=12
  • User can see details about the file
  • User sends the code and gets the file

Files are here: home/files, and the script is here: home/public_html/

All the steps are easy to write except the last step! When the password is checked, how can I get the file from home/files and give it to the user?

Here is what I got with search, but it didn't help that much:
Making a downloadable file password protected on webpage
how to password protect downloadable pdf files in website
PHP Downloading a file from a different password protected server

BTW, all files have the .zip extension

1 Answer


Your steps don't protect the files themselves; rather, they don't allow the user to download a file if he doesn't have the password/key. These are different things.

You can encode files in several ways.

  • You could use AES file format, here is a PHP library that can do it: AESCrypt-PHP. But your users will have to install some programs to decode those files.
  • ZIP file format supports password. You may need to re-create the zip file. Read more at ZipArchive::setPassword. Most likely all of your users will have a program that can open and decode the ZIP file.

If you don't want to change the files, rather, just don't allow everyone to download them, that can be done in several ways too. But note that if you require the user to enter the password in your page, you should use HTTPS, so others will not be able to steal the password. You should transfer the files over HTTPS too.

If you don't know how to start file downloading in PHP, you should read this question: How to force file download with PHP.

klenium
  • I believe the "password" is the code that's sent; I don't believe this user wants to encrypt the zip file, just wants to protect the endpoint from drive-by and/or unauthorized downloads. – Jared Farrish Oct 01 '17 at 15:25
  • Thank you for the answer, but you misunderstood me. I don't want to decode/encode files! I don't want that level of security, I just want the file to be downloaded after the payment is done :) BTW I will use HTTPS for sure, thank you for noticing – Matin Gholami Oct 01 '17 at 17:38
  • @JaredFarrish yes exactly :)) – Matin Gholami Oct 01 '17 at 17:40
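
One way to do the last step the question asks about (check the code, then stream a file from home/files, which the web server cannot serve directly), as an added example that is not part of the original question or answer. The `<id>.zip` file naming, the POST field `code`, and the `licenseHashesFor()` lookup are assumptions made for illustration.

```php
<?php
// Added example: download.php placed in home/public_html/, files stay in home/files/.
declare(strict_types=1);

const FILES_DIR = __DIR__ . '/../files';   // outside the web root, per the question's layout

// Hypothetical lookup (replace with a database query). Only SHA-256 hashes of issued
// codes are kept, so a leaked table does not reveal usable codes. Sample data is constructed.
function licenseHashesFor(int $fileId): array
{
    return [12 => [hash('sha256', 'A_Long_And_Not_Guessable_Key')]][$fileId] ?? [];
}

function codeIsValid(int $fileId, string $code): bool
{
    $candidate = hash('sha256', $code);
    $ok = false;
    foreach (licenseHashesFor($fileId) as $known) {
        // hash_equals() compares in constant time; the loop never exits early.
        $ok = hash_equals($known, $candidate) || $ok;
    }
    return $ok;
}

$fileId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$code   = $_POST['code'] ?? '';   // POST keeps the code out of URLs and access logs

if (!is_int($fileId) || !is_string($code) || !codeIsValid($fileId, $code)) {
    http_response_code(403);
    exit('Invalid file or license code.');
}

// The path is built from the validated integer only, never from a user-supplied
// file name, so "../" traversal out of FILES_DIR is not possible.
$path = FILES_DIR . '/' . $fileId . '.zip';
if (!is_file($path)) {
    http_response_code(404);
    exit('File not found.');
}

header('Content-Type: application/zip');
header('Content-Disposition: attachment; filename="file-' . $fileId . '.zip"');
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
readfile($path);
exit;
```

Because each code is long and unguessable, the remaining risks are replay and sharing of a valid code; marking a code as used, or limiting downloads per code, would be handled in the lookup layer.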