hiding the path to a file

[harmor19]

When someone is on a page where they can download files I like to prevent them from viewing the path the the files so they can't download the files without paying.

Someone is on a product page about to download software they've purchased.
They hit the submit button and the page grabs the download without refreshing.
It works a lot like Jelsoft's download system for vBulletin in the members' area.

How protected is the software the code is trying to protect?

PHP Code:

if($_REQUEST['do'] == "download")
{
    ////check if user is in usergroup for vHosting Customer
    if(!is_member_of($vbulletin->userinfo, "16"))
    {
        print_no_permission();
    }
    
    $getversions = $db->query_read("SELECT * FROM " . TABLE_PREFIX . "vhosting_versions");
    while($vhosting = $db->fetch_array($getversions))
    {
     
        eval('$options .= "' . fetch_template('vhosting_select') . '";');
    }
    
    $navbits = array(); 
    // change the line below to contain whatever you want to show in the navbar (title of your custom page)
    $navbits[$parent] = 'Download vHosting';
    
    
    $navbits = construct_navbits($navbits);
    eval('$navbar = "' . fetch_template('navbar') . '";');
    
    eval('print_output("' . fetch_template('vhosting_download') . '");');
    
    
}

if($_REQUEST['do'] == "do_download")
{
    //check if user is in usergroup for vHosting Customer
    if(!is_member_of($vbulletin->userinfo, "16"))
    {
        print_no_permission();
    }
    
    $vbulletin->input->clean_array_gpc('p', array(
    'dl_vhosting' => TYPE_STR,
    'agree' => TYPE_INT
    ));
    
    if(($db->escape_string($vbulletin->GPC['agree'])) != "1")
    {
        print_no_permission();
    }
    
   // $file = "./downloads/vHosting".$db->escape_string($vbulletin->GPC['dl_vhosting']).".zip";
    
    $dir = "fuwqenb37rt2hg3fnuwe3qhtr58923htng9qw3eht9832h/";
    $file = $dir."vHosting".$db->escape_string($vbulletin->GPC['dl_vhosting']).".zip";

    if (file_exists($file) ) 
    {
       header('Pragma: anytextexeptno-cache', true);
       header('Content-type: application/force-download');
       header('Content-Transfer-Encoding: Binary');
       header('Content-length: '.filesize($file));
       header('Content-disposition: attachment;
       filename='.basename($file));
       readfile($file);
    } 
    else 
    {
       echo 'No file with this name for download.';
    }
    
    $db->query_write("
                UPDATE " . TABLE_PREFIX . "user
                SET vhosting_agree =  '1'
                    WHERE userid = '".$vbulletin->userinfo['userid']."'  
                   ");
} 


[nico_swd]

What I usually do is, to store the files before the public directory. Eg.

/www/files/

when your site is located at for example:

/www/yoursite.com/

Then read the files with a script. This way it's impossible to leech them. I've done the same here. www.rapdrop.com

Leeching = impossible.

[harmor19]

Thanks.
I'll take it out of public ASAP.

To the best of your knowledge is the file protected well?