I am foreseeing a problem with allowing customers who purchase some content from me via PayPal. I will offer multiple, intangible goods. When someone completes their purchase for one of these goods, they will be redirected to a landing page – let’s call it “thank_you.php” – which will automatically queue up a download and provide a link to queue up the download in case it doesn’t start automatically. This will be done by passing the unique item ID to the download page (“download.php”).
This method is essentially a mimic of the top answers from these threads:
PHP generate file for download then redirect
However, I fear that once the user is on “thank_you.php” they can download their item, then use Firebug (or equiv.) to edit the item ID and download another different item:
<a href="download.php/38a205ec300a3874c867b9db25f47c61">Download Here</a>
to
<a href="download.php/7c8ddc86c0e4c14517b9439c599f9957">Download Here</a>
I need ideas and help from you guys who are far better at this than I: what (& how) could I implement as a solution that would still allow the same customer access and leisure, yet prevent this manipulation?
EDIT: The ID-hashes are used to preview and reference the item throughout the site; I have no fear of people guessing but rather them browsing the site in a separate tab to get the other IDs and just keep downloading different items.
When they make the payment, store the ID of the download available to them, and a random hash – both in the payment table. Use that hash to then get the ID. The hash should then never relate to a specific product, but instead to a payment.
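A sketch of the approach in this answer, added here as an example and not code from the original poster: each payment row stores the purchased item together with a random token, and download.php resolves the token instead of trusting an item ID from the URL. The `payments` table, its column names, the two function names and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed schema: one row per completed payment (table and column names are assumptions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE payments (
    id      INTEGER PRIMARY KEY,
    item_id TEXT NOT NULL,
    token   TEXT NOT NULL UNIQUE
)');

// Hypothetical helper, called once the payment is confirmed:
// store the purchased item and a fresh random token in the same row.
function recordPayment(PDO $db, string $itemId): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, unrelated to the item
    $stmt = $db->prepare('INSERT INTO payments (item_id, token) VALUES (?, ?)');
    $stmt->execute([$itemId, $token]);
    return $token;
}

// Hypothetical helper, called by download.php:
// map the token from the URL back to the item that payment covers.
function resolveDownload(PDO $db, string $token): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null; // malformed input never reaches the query
    }
    $stmt = $db->prepare('SELECT item_id FROM payments WHERE token = ?');
    $stmt->execute([$token]);
    $itemId = $stmt->fetchColumn();
    return $itemId === false ? null : (string) $itemId;
}

$purchased = '38a205ec300a3874c867b9db25f47c61'; // item ID from the question
$other     = '7c8ddc86c0e4c14517b9439c599f9957'; // another item's public ID

$token = recordPayment($db, $purchased);
echo "thank_you.php link: download.php/$token\n";

// The payment token resolves to the item that was paid for.
var_dump(resolveDownload($db, $token) === $purchased);
// A public item ID pasted into the URL matches no payment row, so nothing is served.
var_dump(resolveDownload($db, $other));
```

In download.php the file would only be streamed when `resolveDownload()` returns an item; any other value in the URL gets an error response.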