The Easy Way To Protect Your Digital Download With Paypal IPN


If you sell ebooks or software, you need a way to protect your download page from prying eyes. Many of us use Paypal. It’s easy and it’s convenient. I use them too. And the easiest way to use start using Paypal to accept payment is to create a Buy Now Button from within your Paypal account.

But to protect your digital product, you need to do something extra.

The sad truth is, Paypal’s Buy Now Button doesn’t actually protect your downloadable products. By viewing the HTML source code of your website, people can see where they will be redirected after making a payment using Paypal. And knowing this information, people can just type that address in the browser, skipping the part where they make the payment.

But Paypal has implemented (since years ago) a mechanism that you can use to verify and approve orders before allowing access to your download page. And all that can be automated, so you don’t have to do it manually.

This is known as the Paypal IPN (Instant Payment Notification). You can get a manual at Paypal at Paypal’s IPN page.

Before I tell you about how to implement this with your product, let me first tell you how it works.

Let say that you created a Buy Now Button. And you have defined where customers will be redirected after making a payment. Let’s call it the “thank you page”. Now, normally the thank you page is the web page that contains the download links to your products. Instead of doing that, we will use the thank you page as the IPN handler.

Using the Buy Now Button, Paypal will be sending purchase information like the customer’s email address, purchase amount, currency, date, time and other information to your thank you page. The thing is, those information could also have been created by a third party. I mean, I can create those information and send them to your thank you page.

That is why we need Paypal IPN. Your thank you page, which is also the IPN handler, will take those information, send it back to Paypal for verification. If it is legit, Paypal will tell you that it is. And you can load the “real” download page and display it to your customer.

If it is not, then you can be sarcastic and send them some nasty messages. Or you can be nice and tell them that they don’t have permission to access the information.


Alright, we know how it works, let me show you how to do it.

First we need to create the Buy Now Button. Here’s a normal code for the Buy Now Button. You can start with this and make changes as you need.

<form action="" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="">
<input type="hidden" name="item_name" value="Your Product Name">
<input type="hidden" name="item_number" value="Item-Code-123">
<input type="hidden" name="amount" value="27.00">
<input type="hidden" name="no_shipping" value="1">
<input type="hidden" name="return" value="">
<input type="hidden" name="no_note" value="1">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="lc" value="MY">
<input type="hidden" name="rm" value="2">
<input type="hidden" name="bn" value="PP-BuyNowBF">
<input type="image" src="" border="0" name="submit">
<img alt="" border="0" src="" width="1" height="1">
<b>Don't forget to click on the <u>Return To Merchant</u> button when you are done with Paypal</b>

Towards the end of the code, I have a little reminder for the customers. We want the customer to click on the “Return To Merchant” button when they are done with Paypal. Because if they don’t, they won’t get to our IPN handler.

Looking at the code again, the return information has been set to ipn-handler.php. Here’s the code for your ipn-handler.php. As you can see, I am using PHP as my scripting language. So you would need a web hosting that supports that. If you are familiar with other languages like ASP, CFM or Perl, you can check out more IPN sample codes from Paypal.

If you study my code, it’s not much different from the PHP sample code in the web page above.

// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
foreach ($_POST as $key => $value) {
$value = urlencode(stripslashes($value));
$req .= "&$key=$value";
// post back to PayPal system to validate
$header .= "POST /cgi-bin/webscr HTTP/1.0\r\n";
$header .= "Content-Type: application/x-www-form-urlencoded\r\n";
$header .= "Content-Length: " . strlen($req) . "\r\n\r\n";
// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];
$fp = fsockopen ('', 80, $errno, $errstr, 30);
if (!$fp)
print "<b>Error Communicating with Paypal.<br>";
print "Please contact Admin -</b>";
fputs ($fp, $header . $req);
while (!feof($fp))
$res = fgets ($fp, 1024);
if (strcmp ($res, "VERIFIED") == 0)
else if (strcmp ($res, "INVALID") == 0)
print "<b>We cannot verify your purchase<br>";
print "Please contact Admin -</b>";
fclose ($fp);

The next thing to do is to create your “real” download page. In the code above, you can see that you called up download-page.php using the include() function. You can put anything that you want in your download-page.php. But since it is also a PHP file like any other, people can also put that file in the web browser and see what you have. We don’t want a direct access to download-page.php. We only want it to be called from ipn-handler.php. So here’s a way to protect that.

Here’s a few lines that you need to have in your download-page.php before revealing download links to your product.

if ($_SERVER['SCRIPT_NAME'] != '/ipn-handler.php')
print "Ah-ah! Hack attempt. Stop and close this browser right now!";


What I am try to show you is the simplest method that you can use to protect your products from unwanted downloads. There are more that can be done. So right now, even though I am not showing you how to do it, I will tell you about some weaknesses and more things that you can do.

As you can see we did not store information in a database or files. And because of that, customers will only have that one time to view the download page. When they have closed the browser, they won’t be able to see the download information again, unless they make another purchase. That can be a problem if the customer don’t have time to download your product now and needs to do it later.

You can further expand this script by storing purchase information in a database like MySQL. And you can even send emails informing customers again about their purchase.

One problem that you may encounter is about the download link itself. If you are using a direct link to your products, customers may save that URL and pass it along to friends. A manual method to protect this is to frequently move your products. You can do this by changing its file name or location.

But this can be solved by creating a download handler. With a download handler, you can relay files from a location unknown to the customers. Instead linking directly to a myproduct.pdf, you can link to download.php?order_id=21471725MA497540A, and the same PDF file will be delivered.

And if we stored information in a database, the download handler can first verify download attempts before relaying bytes of the actual file. Let say that you set customers can only download files for a number 10 times within a 30-day period. By looking at the stored purchase information, the download handler will know to allow it or to refuse it.


If you are getting started, this simple method is good enough to handle your orders. But as you get bigger, you may want to consider a more advanced solution like I mentioned above.

And there’s always two ways to do things. Do-it-yourself or outsource. If you are looking a for a good solution to handle your digital orders online, there are a few that I can recommend.

For hosted solution, you can consider and The good thing is that it is quick to setup. You don’t need to install anything on your server.

Another option is to get a ready script like DLGuard (aff). I use DL Guard on most of my products like and They work great and I can’t complain.

It comes with a web installer, but you may still require some technical expertise about PHP, uploading, etc. It’s not too difficult though. And once you have it online, it’s easy to use and it supports a number of payment methods including Paypal, ClickBank, 2CheckOut, WorldPay, and a lot more.

Now, everytime I want to sell something new, I just load the products over to my DLG installation and DLG will generate my payment link. It will also handle product delivery, customer list, etc… I can set to allow for 1 time download or 1000 times download. I can even set to allow access to the download page for one day or a year. It all can be done in DLGuard.

But of course, when I do something different like a membership site like, I will go back to the old Paypal IPN and put in some extra coding as required.

I wrote a simple tutorial on how easy it is to use DLGuard to protect your digital products. Make sure you check that out after you read this.

UPDATE – August 18, 2009: I just created Simple IPN, a free Paypal-IPN PHP script. Click here to read more about it.


27 Responses to “The Easy Way To Protect Your Digital Download With Paypal IPN”

  1. » Blog Archive » How To Use DLGuard To Protect Your Digital Products said:

    [...] Recently I talked about protecting your digital products with Paypal IPN. Using Paypal IPN is the simplest way to protect your digital products that you sell online. Without something like Paypal IPN, you are exposing your product to unauthorized downloads. [...]

  2. Robert Reuter "Black Belt Bob" said:

    That was an excellent article, just what I needed to read. Maybe you can shoot a video tutorial for me?


    Robert Reuter “Black Belt Bob”

  3. bokjae said:

    Hey Kidino this is a great post! Learnt something today! Thanks!

  4. Jack said:

    This is really good information and should not be ignored. Really helpful information like this is unusual to find on many blogs.
    Thanks for your help.

  5. John Wilson said:

    There are some really great looking minisites here and some useful information as well.

    Get a $9.95/month Reseller Hosting Package to host your minisite creations. Host unlimited domains. Setup your own hosting accounts or give away as incentives to others. You get your own WebHostManager control panel and give each account that you create their own CPanel control panel.

  6. Bill (MaxHomeBits) said:

    I have been looking for this information for ages, so thanks for the lesson, still undecided on which direction to take but it all comes down to price and quality.
    I would venture DL guard would be more cost effective in the long run, i presume they have yearly licenses for upgrades.

    Thanks again kidino

  7. Ejad said:

    This might be useful to some here as well

    I just bought the Easy Kiss PayPal Download Manager tonight after days of looking for an easy solution. I’m a writer not a coder and I got it setup with my wordpress site very easily.

    Best thing I’ve found online so far in this area. The site where I picked it up is at

  8. Andy said:

    I use File Download HQ and can’t fault it, it has a built in cart, affiliate system, OTO upsell and uses encrypted and expiring links and you can store your files below your public webspace.

    You can find it here:


  9. E-book delivery after payment confirmed said:

    [...] E-book delivery after payment confirmed Here’s a quick Paypal IPN tutorial from my blog. The Easy Way To Protect Your Digital Download With Paypal IPN — Hope this [...]

  10. Quantum PHP said:

    The easiest solution to this is with the Easy Kiss PayPal Download Manager.

    That’s my two cents after much searching.

    I did notice a get it free button as well for it.

  11. Install Your Resell Rights Package With This Video Course. | said:

    [...] Profitable Internet Business Ideas @ Profits.CC Blog Archive How to Resell Products Online: watch someone else do it in real time!Review Blog System – Let Others Do Your Selling! | NewsDecember 2008 PLR Video Series | PLR Video Direct The Easy Way To Protect Your Digital Download With Paypal IPN — [...]

  12. Andrew said:

    I’m a developer. What is the equivalent of the php code:



  13. Andrew said:

    I’m a developer. What is the equivalent of the php code:

    if ($_SERVER['SCRIPT_NAME'] != ‘/ipn-handler.php’)

  14. Kidino said:

    Try this …

    if Request.ServerVariables(“script_name”) “ipn-handler.asp” then
    … do your stuff …

    end if

    I haven’t code ASP for ages…

    Read more about ServerVariables at …

  15. Andrew said:

    Thanks Kidino for your reply but your code won’t work because Request.ServerVariables(”script_name”) referes to the current script and not to the script that redirected us to the current page. I was told that Request.ServerVariables(”http_referer”) might do the trick but it refers to the domain that redirected to the current page and not to the script. What about the usage of a session variable to protect the download page? Any thoughts on that? Thanks

  16. Kidino said:

    I don’t know about ASP, Andrew, but that’s how I do it in PHP. You see, we use this, as in example, in download.php. But we don’t want to call download.php directly. We only want it to be called using include() (or #include in ASP) by ipn-handler.php.

    When being called using include, $_SERVER['SCRIPT_NAME'] returns the name of parent script, which is ipn-handler.php. When being called directly, of course it will return its own name, like download.php…

  17. Andrew said:

    Thank you very much for your explanation Kidino.

  18. BNC Paypal IPN - with encrypted links said:

    Here is a new script

  19. debo said:


    Parse error: syntax error, unexpected ‘>’ in D:\Myweb\Apache2.2
    \htdocs\essms2\extra\ipn-handler.php on line 24

    i’m testing it currently on my localhost. I tried using it on a live site, got the same error.


  20. Kidino said:

    With WordPress, they change my quote with something weird. Try changing the quotes to a normal text quote and upload again.

  21. John said:

    Great writeup!

    If you want a easy tot setup hosted solution I would recommend Dbox App That makes protecting your downloads a breeze

  22. mark said:

    i get the

    “We cannot verify your purchase
    Please contact Admin –


    even thought the funds are transfered and transaction completed!?!

  23. Kidino said:


    I think you are at the wrong blog post. You must be talking about SimpleIPN. However, that could probably that the script failed to write purchase files. make sure that the folder where you installed the script has write permission.

  24. Nell Kushlan said:

    Though I’m no authority about this issue, I believe that I can often spot a bullshitter. On this occasion I have yet to do so. Either the joke is on me, or you have cracked the code.

  25. Aaron B said:

    Mark, I had this happen too, even after altering the permissions on the folder. This script is strange

  26. ali said:

    Mark and Aoron B, I have the same problem. any idea?

  27. Aaron said:

    Not sure what to make of this, I have this code and the simple ipn script on several servers with no success, so I am using another php system.

Leave a Reply