Hiding Download Files

When using PayPal Digital Goods and PHP

by Kevin Wilson


Are you using PayPal to sell digital goods and want to hide the location of your downloadable files? This is how I did it using some PHP...


Basically, after purchasing your product the user will return from PayPal to a PHP script on your site. The script will create a temporary, randomized directory and then copy your download files to the temporary directory. The user will be redirected to a "thank you" page with a link to the download files in the temporary directory. A cron job will be set up to periodically delete the temporary directories and the copy of your download files.

This technique isn't 100% secure, because it reveals the location of your php script after payment. But the revelation isn't too obvious, and you can't expect perfection from a simple and free script!


PayPal makes it easy to sell digital goods. Just set up a PayPal account (if you don't already have one), create a "Buy Now" button and add the button to your download page. When creating the button, be sure to set a URL for the "Take customers to this URL when they finish checkout" option. I'll tell you more about the return URL soon.

Users click the PayPal button, enter their payment info and are redirected back to your site where they can download your files. However, you should hide the location of your downloadable files from the user. If you simply return the users to a page with a link to your files, they can return to the page multiple times, or worse, post the URL on a forum so everyone can download your files for free! To prevent this, we'll bring the user to a PHP script that will create a randomized, temporary directory. The files will be copied to, and downloaded from the temporary directory. The user never sees the permanent directory that holds your download files.


You obviously need PHP installed on your server and available in your hosting plan. Check with your hosting provider or access your cPanel to verify.

Before using the scripts, you'll need to create some directories on your server and copy some files there.

You'll need an "assets" directory located in "/home/your_account/", so the path will be "/home/your_account/assets/". Typically, you'll place files in your "/home/your_account/public_html/" directory, but the assets directory will contain our hidden download files and the "/home/your_account/" directory should not be accessible to the user. Move (or copy) your download files to the assets directory.

You'll need a "temp" directory located in "/home/your_account/public_html/temp/".

You should set the proper directory permissions for the new directories to prevent errors when writing to them.

PHP Scripts

After paying with PayPal the user will be redirected to "make_temp.php". You can add random numbers and letters to the page name to help obscure it from the vulnerability I mentioned in the overview (example: "make_temp_s4dr6fy7kn883.php"). I'll refer to it as "make_temp.php".

The "make_temp.php" file can be placed in your "/home/your_account/public_html/" directory. This script does not generate a web page so it will not be visible to the user and it should not be available using the back button in the browser.

The "make_temp.php" file will:

The "make_temp.php" will create the temporary directory using a random number as the directory name. The randomized directory name will be passed through a URL variable to the "thank_you.php" page.

Here is the "make_temp.php" code:

// generate a random number
	$random_number = mt_rand();
// create the temp directory
// the final slash in the path may cause errors in some circumstances
	$temp_dir = "/home/your_account/public_html/temp/" . $random_number;
		echo "Sorry, something went wrong creating $temp_dir";
// copy the download file to temp directory 
	if(!copy("/home/your_account/assets/your_file.abc",$temp_dir . "/your_file.abc"))
		echo "Sorry, something was wrong copying your_file.abc to $temp_dir";
// redirect to thank you html
// pass the temp directory in the URL
// do not send echo or printf before this line (excluding error messages)
	header("Location: http://www.your_site.com/thank_you.php?dir=".$random_number);

The "thank_you.php" page will:

Here is the "thank_you.php" code:

// get the temp directory from the URL 
	$temp_dir = $_GET['dir'];
// set the path to the download file
	$file_path = "/temp/" . $temp_dir . "/your_file.abc";
// create the download link
	if (!empty($temp_dir))
		printf("Click here to download <a href=".$file_path.">your_file.abc</a>.");

The "thank_you.php" page can also contain HTML to make the page look more like the other pages in your site, rather than a few words with a link.

Deleting Temporary Files

The temporary directory and the download file will need to be deleted after some period of time. A cron job created in cPanel is probably the easiest way to accomplish the task.

The following command will delete all files and folders in the temp directory that are older than 6 hours:

find /home/your_account/public_html/temp/* -mmin +360 -exec rm -r {} \;

"-mmin" specifies the number of minutes since the file was created, don't forget the + before the number of minutes. "rm" will remove (delete) files and directories. The "-r" option will remove the directory along with all of its contents. Of course, "/home/your_account/public_html/temp/*" is the path to your temp directory. The "*" at the end of the path is a wildcard that will select every directory and file in the "temp/" directory. I set my cron job to run every 2 hours, so on average the download files will be available in the temp directory for about 7 hours.

This should delete all files and folders in the temp directory. Be sure to get this command correct, otherwise you could delete the wrong directory, maybe even your entire site! Do you have a local backup copy of your web site files? Don't confuse your temp directory with other temp directories that may already be on your server.

Thanks to Mark van Zoest for helping with the cron job command!


I'm not a PHP expert. I'm sure there are better ways to accomplish this. If this method does not work for you, I am not responsible for any loss of sales, data or anything else. I've changed the file and directory names for this tutorial, so don't expect to find them on my site.

Try It

Visit my TeslaMap page and buy a copy of my program to see the scripts in action!

Contact Me

You may contact me at kevin@kevinsworkbench.com

Donations Are Gratefully Accepted

If you found this guide helpful, please consider making a $1 donation to my coffee fund. I've invested many hours to create and maintain this page - but donating only takes a few seconds! Thanks :-)