
What's the best way to supply download of a digital product in PHP?
yangyang2036 01-27-2009, 07:58 AM Digital commercial products that customers pay for download link.
I have put all the zipped files (products) outside of web document root and buyers download them via a php script which is integrated with paypal IPN to make sure the downloader is a paying buyer.
Sort of like: http://www.mysite.com/download.php?buyer_id=xxx
Thus far it all works with only one problem. The zip files I download via the URL above are corrupted and can't be opened correctly with WinRAR. However, directly downloaded zip is fine.
My code:
    $path = WAREHOUSE_PATH.'/products/'.$identifier.'.zip';
    $mm_type="application/octet-stream";
    header("Pragma: public");
    header("Expires: 0");
    header("Cache-Control: must-revalidate, post-check=0, pre-check=0");
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Type: " . $mm_type);
    header("Content-Length: " .(string)(filesize($path)) );
    header('Content-Disposition: attachment; filename="'.basename($path).'"');
    header("Content-Transfer-Encoding: binary\n");
    $fp = @fopen($path,"rb");
    if ($fp) {
        while(!feof($fp)) {
            print(fread($fp, 1024*8));
            flush();
            if (connection_status()!=0) {
                @fclose($fp);
                die();
            }
        }
        @fclose($fp);
    }
What could be wrong? Thanks!
aradapilot 01-27-2009, 10:51 AM use file_get_contents and file_put_contents in binary mode, there's issues with fread being binary safe.
citricsquid 01-27-2009, 11:23 AM Just something you might want to take note of, it's possible to modify the paypal headers sent and therefore change the payment amount. So if you have it set to charge $100, I could select that option, modify the headers sent and it'd register as only $0.01 due, but still count as an order for the full amount, so I could obtain your package that way. It's impossible, as far as I know, to avoid. Might want to look into manually verifying the product has been paid for, or check that the user has paid the specific amount, but you'd need to access your paypal account with PHP (cURL?) for that.
HostFX-UK 01-28-2009, 12:22 AM I would use the manually accept order, makes things a little more complicated but a lot more secure and reliable. Nobody can say they did not get the product and things like that ;)
ThatScriptGuy 01-28-2009, 01:06 AM Just something you might want to take note of, it's possible to modify the paypal headers sent and therefore change the payment amount. So if you have it set to charge $100, I could select that option, modify the headers sent and it'd register as only $0.01 due, but still count as an order for the full amount, so I could obtain your package that way. It's impossible, as far as I know, to avoid. Might want to look into manually verifying the product has been paid for, or check that the user has paid the specific amount, but you'd need to access your paypal account with PHP (cURL?) for that.
Umm, paypal's IPN returns the amount paid, as well as the fees assessed for payments made to your account. No need to go fiddling with Curl. Simply check what paypal says was paid against what the user should have paid. I don't see how you can get around that? Perhaps you've encountered poorly written IPN processing scripts?
foobic 01-28-2009, 01:26 AM No need to go fiddling with Curl.
Absolutely. And not just unnecessary - it would be dangerous. Accessing your PayPal account using PHP / cURL would mean storing the password in plain text on your hosting server. Bad, bad idea...
HostFX-UK 01-28-2009, 01:33 AM This is true :)
citricsquid 01-28-2009, 06:47 AM Umm, paypal's IPN returns the amount paid, as well as the fees assessed for payments made to your account. No need to go fiddling with Curl. Simply check what paypal says was paid against what the user should have paid. I don't see how you can get around that? Perhaps you've encountered poorly written IPN processing scripts?
That must be the case then, I've never used paypal with an automated system so I don't know how it works, I can only assume, but I've seen sites boasting about how they can get "any paypal product for $0.01" so I went ahead and tried it with something that was only $1 and it worked, I assumed that the site I was using was in fact well secured and it was a paypal 'exploit', obviously I was wrong :) If that's not the case, I apologise for being wrong :D
Absolutely. And not just unnecessary - it would be dangerous. Accessing your PayPal account using PHP / cURL would mean storing the password in plain text on your hosting server. Bad, bad idea...
Indeed.
HostFX-UK 01-28-2009, 06:53 AM PayPal IPN basically gets every single bit of information back from paypal that you could possibly need.
There is no way anyone could underpay you as long as you set it up correctly and securely.
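The check described in the replies above (compare what the IPN says was paid against what the buyer should have paid), as an added example that is not part of the original thread. The function names and the `$order` array keys are hypothetical, the sample data is constructed, and the IPN is assumed to have already been posted back to PayPal with `cmd=_notify-validate` and answered `VERIFIED`.

```php
<?php
// Added example; function names and $order keys are hypothetical.
// Assumes $ipn was already posted back to PayPal with cmd=_notify-validate
// and PayPal answered "VERIFIED".

// Parse a decimal amount string such as "100.00" into integer cents.
function to_cents(string $amount): ?int
{
    if (!preg_match('/^(\d+)(?:\.(\d{1,2}))?$/', $amount, $m)) {
        return null;
    }
    return (int)$m[1] * 100 + (int)str_pad($m[2] ?? '', 2, '0');
}

// Return the list of reasons to refuse the download; empty means release it.
function ipn_order_errors(array $ipn, array $order, array $seenTxnIds): array
{
    $errors = [];
    if (($ipn['payment_status'] ?? '') !== 'Completed') {
        $errors[] = 'payment not completed';
    }
    if (strcasecmp($ipn['receiver_email'] ?? '', $order['receiver_email']) !== 0) {
        $errors[] = 'paid to a different account';
    }
    if (($ipn['item_number'] ?? '') !== $order['item_number']) {
        $errors[] = 'different product';
    }
    if (($ipn['mc_currency'] ?? '') !== $order['currency']) {
        $errors[] = 'wrong currency';
    }
    // Compare what PayPal says was paid against our own server-side price.
    if (to_cents($ipn['mc_gross'] ?? '') !== $order['price_cents']) {
        $errors[] = 'amount does not match price';
    }
    if (in_array($ipn['txn_id'] ?? '', $seenTxnIds, true)) {
        $errors[] = 'transaction already used';
    }
    return $errors;
}

// Constructed sample data: a $100 product and an IPN reporting $0.01 paid.
$order = ['item_number' => 'SKU-1', 'price_cents' => 10000, 'currency' => 'USD',
          'receiver_email' => 'seller@example.com'];
$ipn = ['payment_status' => 'Completed', 'receiver_email' => 'seller@example.com',
        'item_number' => 'SKU-1', 'mc_currency' => 'USD', 'mc_gross' => '0.01',
        'txn_id' => 'TXN-CONSTRUCTED-1'];

print_r(ipn_order_errors($ipn, $order, []));
```

The expected price comes from the seller's own records, never from a value the buyer's browser submitted.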