Generating One-Time URLs with PHP - Summary (Page 3 of 3 )
This article has presented a quick tip of how you could generate URLs that only can be used one time. It should be said, however, that for a real implementation of this function in a business environment, there are a few additional considerations to take. When the number of active keys grows past a few hundred, is it a good idea to read the whole file directly into memory? Is it wise even to store them in a plain-text file in the first place?
Maybe a MySQL database would be a better choice? Additionally, consider the possibility of getting tokens "hijacked" directly from the urls.txt file. For getting this 100 percent secure, you either need to protect the file by setting very restrictive permission on it, only allowing the user executing your PHP scripts to read it. Or, you can simply dump the plain-text solution, and convert to a SQL-database instead.
The code in generate_url.php, of course has to be protected, too. The easiest way of doing that is probably to include it in the "thank-you-for-ordering-page" of your orderflow and make this file accessible only for clients coming from the secure-payment-complete-page. The core concept, though, will probably work very well in any production environment.
DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware.
PHP 
