I’m looking to make a simple PHP microsite that allows the download of one of my band's tracks in exchange for an email address. I know I could use Bandcamp but I want to do it myself 😉
I found a microsite from a band I like that does exactly what I want so I tried to pick it to pieces. The site is http://threetrappedtigers.heroku.com. This site basically gets you to enter your email address which it then must put in a database (unless it finds a match for that email address in the DB).
You can then view the download button and download the file without revealing the source url of the file. The href for that button is "download/" leading me to assume that there is an index.php in the download directory, which must require some sort of session id (presumably set up when submitting your email) to stop people linking directly to it. However the file also does some work that I don’t know about in order to obscure the link.
The other aspect I don’t understand is that on the page where the email is inputted there is a hidden input that submits a random authenticity_token when submitting the email address. I can’t quite work out why that is necessary either.
Apologies for this horribly specific question but I’ve been trying to work it out all morning and can’t quite get my head around it.
Thanks,
Rich
What you can do is this:
file_get_contents() and offers it as a download (see specific headers on the php.net site). The advantage is that the user doesn’t know where the file is located (it is best if you place the sample track outside of the webroot).
[EDIT]
For your hidden input field token: This might be used to confuse bots and other scripts that will only post the 'email' field in large quantities. If the token isn’t sent and doesn’t match the $_SESSION['token'] value the request isn’t handled. This works because scripts that do these kinds of attack generally don’t accept cookies so their $_SESSION array is never reloaded.
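A sketch of the flow described in the answer above, as an added example that is not part of the original thread or the code of the site in the question: a per-session token checked on signup, then a session-gated download of a file stored outside the webroot. TRACK_PATH, the session keys and the ?action= routing are assumptions, and it streams with readfile() rather than file_get_contents() so the track is not loaded into memory.

```php
<?php
declare(strict_types=1);
// Constructed example: TRACK_PATH, session keys and ?action= routing are assumptions.
const TRACK_PATH = __DIR__ . '/../private/track.mp3'; // outside the webroot
session_start();

function issue_token(): string {
    // One random token per session, sent to the browser in a hidden input.
    $_SESSION['token'] ??= bin2hex(random_bytes(32));
    return $_SESSION['token'];
}

function handle_signup(array $post): bool {
    $sent = $post['token'] ?? '';
    $expected = $_SESSION['token'] ?? '';
    // Refuse the request when the token is missing or differs (constant-time compare).
    if (!is_string($sent) || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    // Save $email to the database here with a prepared statement, then unlock.
    session_regenerate_id(true);
    $_SESSION['download_ok'] = true;
    return true;
}

function send_track(): void {
    if (empty($_SESSION['download_ok']) || !is_readable(TRACK_PATH)) {
        http_response_code(403);
        exit('Forbidden');
    }
    header('Content-Type: audio/mpeg');
    header('Content-Disposition: attachment; filename="track.mp3"');
    header('Content-Length: ' . filesize(TRACK_PATH));
    readfile(TRACK_PATH); // streams the bytes; the real path never reaches the client
}

if (($_GET['action'] ?? '') === 'download') {
    send_track();
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!handle_signup($_POST)) { http_response_code(400); exit('Bad request'); }
    header('Location: ?action=download');
} else {
    echo '<form method="post"><input type="hidden" name="token" value="' . issue_token()
       . '"><input type="email" name="email"><button>Get the track</button></form>';
}
```

A direct request to ?action=download without a prior valid signup in the same session gets a 403, which is what stops the link from being shared.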