Selling membership access with PHP-SecureArea

Membership sites make up some of the biggest and most lucrative websites online and with PHP-SecureArea, the benefits are well worth the initial time investment.

How Much Can You Make?

The income potential of a membership site can be unlimited. If your website or service is valuable and you have enough traffic then your monthly income can be enormous.

A good example of a large membership site is RapidShare, which allows people to share their files with everyone and anyone. At around $10 per month with thousands of members, RapidShare is currently the 12th largest website on the net (according to Alexa), so you can bet they make a packet.

How Much Work Is Involved?

Setting up the technical side of selling membership and subscriptions on a website is relatively easy using PHP-SecureArea. PayPal has a built-in subscription function which reports back to the application script on your site, and the script allows or refuses access based on whether the user paid the bill that month.

The real work is in finding a market and creating a service worth subscribing to. If you really have something to offer or something that people need, then subscription can be an excellent approach.

While membership sites like RapidShare don’t involve any time or effort on the part of the administrator, many membership sites do. A common practice is to sell subscription to a blog or a section of a blog and to serve up content there on a continual basis. An alternative, ingenious idea is to rely on user interaction to sell membership. An example of this is Experts Exchange, which worked in a similar manner to Yahoo! Answers where anyone could post a question and then other members could reply with their answers. However, only people who paid for a subscription could view the answers. This caused a lot of frustration for people who came in through Google and eventually Google cracked down on these sites, but they still exist and still make plenty of money. They rely on the users to create content that other people are willing to pay for and so the upkeep and maintenance of these sites is minimal.

To sell membership and subscription you need to know the basics of how to make money online. If you’re familiar enough with selling products online then there are a number of options to sell subscriptions or membership online.

PayPal has a very nice Recurring Payments suite. PHP-SecureArea uses this feature. You can create a button or series of buttons where your users can pay set prices for set time periods of membership. The IPN is used to keep track of your users after they pay. IPN is simply a method whereby PayPal sends a notice to a URL of your choice with the details of each payment you receive. For example, when someone buys a month's worth of subscription, the IPN sends out a notice to your page with the price, time period, email address, etc. of the user. PHP-SecureArea uses this to automatically control the access to the defined section of your web site. PayPal will continue to bill the person until they decide they no longer wish to subscribe, at which point PHP-SecureArea will simply drop them from your membership list.

This is a rough outline of how recurring payments for online sites work, but using these basic steps you can set up subscription or membership for virtually anything you can think of. In most cases the products and services offered will be electronic and cost you nothing to issue or maintain, and so other than the minimal PayPal fees it’s 100% profit.

Logging in and session errors

With PHP-eSeller, PHP-SecureArea or PHP-KeyCodes, if you get an error during installation where the admin keeps on logging out, it is usually because there is an issue with session variables on your server.

First check using the test file a_session_test.php. When the page is first loaded there will be a link; click the link and it should say ‘Welcome back’. If it does not, then it means there is a sessions issue on your server.

There could be a number of reasons for this, but usually it is caused by a configuration problem on the server. There should be a folder on the server which is used to store sessions and sometimes the host has not set this correctly. Or it could be that it is a shared server and the server does not know the path.

Contact your hosting and ask them to investigate.

Sometimes they will reply that you include the following code at the top of any PHP script that uses sessions:

session_save_path("path to session folder");

If you use session_save_path on the page that registers a variable, you also have to use session_save_path on every page that accesses the session variable. Under win32 you can use the double \\ to specify the path, e.g. "c:\\temp\\".

This is possible to do but is not really practical.

If they do reply with the above, it is worth asking them again to check the php.ini configuration and also ask if there is a global method where you can set the path and where you do not have to change every instance in the application.

One possible solution is to set the session.save_path in an .htaccess file. You may not have access to the php.ini file, so this may be the way to do it. The .htaccess file is a kind of configuration file for Apache, and you put it in your root web folder.

Add the line:

php_value session.save_path /home/groups/f/f4/f4l/tmp/

where the folder name is the absolute path to the folder.  You should be able to get the absolute path by logging into your control panel.
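
A check you can upload and run before pointing session.save_path at a folder, as an added example that is not part of the application or its a_session_test.php file. The function name, the demo folder and the /var/www/html web root are assumptions.

```php
<?php
// Added example, not part of the application or its a_session_test.php.
// Reports why a session folder may fail, or be unsafe, before you use it.
function check_session_path(string $path, string $docRoot): array
{
    $problems = [];
    $real = realpath($path);
    if ($real === false || !is_dir($real)) {
        return ["$path does not exist or is not a folder"];
    }
    if (!is_writable($real)) {
        $problems[] = 'PHP cannot write to the folder, so sessions are lost';
    }
    // Session files hold login state: keep them out of the web-served tree.
    $root = realpath($docRoot);
    $sep  = DIRECTORY_SEPARATOR;
    if ($root !== false && strpos($real . $sep, $root . $sep) === 0) {
        $problems[] = 'folder is inside the web root and may be served';
    }
    // On shared hosting, other accounts should not be able to read it.
    if ($sep === '/' && (fileperms($real) & 0007) !== 0) {
        $problems[] = 'folder is accessible to other users on the server';
    }
    return $problems;
}

// Constructed demo: a private folder under the system temp directory,
// checked against an assumed web root of /var/www/html.
$demo = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sess_demo';
if (!is_dir($demo)) {
    mkdir($demo, 0700);
}
$found = check_session_path($demo, '/var/www/html');
echo $found ? implode(PHP_EOL, $found) : 'no problems found', PHP_EOL;
echo 'current session.save_path: ',
     ini_get('session.save_path') ?: '(not set)', PHP_EOL;
```

To test your own folder, pass the absolute path from your control panel and your real web root instead of the demo values.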

Why do I get asked twice to log in to secure area

With PHPSecureArea, when you set up a secure area protected by a htaccess / htpasswd file you may find that you have to login twice.

The probable reason is that you have linked to the protected area as


Change this to the full file url for example :

What is IPN

Instant Payment Notification (IPN) is the method that PayPal uses to automatically notify a defined web page when a PayPal payment has been made. For a complete description refer to the PayPal IPN Manual which you can find on the site.

The principle that PayPal uses is as follows: You first create a PayPal ‘buy now’ button and place it on your web page or create the buttons dynamically from a database. When someone clicks on your ‘buy now’ button (or ‘proceed to checkout’ button in the case of a shopping cart system), PayPal posts data to the web page you defined during IPN set up. Your web page must then respond back to the PayPal site.

After PayPal has confirmed the payment, it posts data back to your web page. Your web page then sends the data back to PayPal to act as a security handshake. Then PayPal will send ‘completed’ if payment has been correctly completed.

Once ‘completed’ has been received by your web page, you process the data in whatever way you want. The IPN method provides a relatively simple way of checking when a purchase has been made while remaining secure. The handshake principle of IPN makes it impossible to trick a web site that payment has been completed.

For digital goods, PHP-eSeller takes the IPN data from PayPal, carries out security checks to make sure the details are correct, then emails the purchaser with a username/password, all without any intervention by yourself. The purchaser is then able to login to a secure area where they can download their items.

The list of items which the purchaser sees does not have any urls as that could compromise the security. The list is made up of buttons which are then translated into filenames by PHP.

The purchaser only sees the files he has purchased and cannot access the file in any other way.

For physical goods the processing is not as complicated. It checks the details received from PayPal, sends a confirmation email to the purchaser if there are no problems, and stores the sales details in the database. Obviously, there is no login process required for physical goods.

Create a drop down option list with PHPSecureArea

If you have a number of membership options in PHP-SecureArea, these can be all displayed and selected from one drop down list.

For example :

<form action="/phpsecurearea/ipn/process.php" method="post">
<select name="item_number">
<option value="Memb01">1 month membership (£10.00)</option>
<option value="Memb03">3 month membership (£20.00)</option>
<option value="Memb06">6 month membership (£35.00)</option>
<option value="Memb12">12 month membership (£60.00)</option>
</select>
<input type="image" src="/phpsecurearea/images/btn/x-click-butcc-subscribe.gif" border="0" name="submit" alt="" title="Make payments with PayPal - it's fast, free and secure!" />
</form>

You first have to create separate product items in PHPSecureArea, for 1, 3, 6 and 12 months.

Entering them into the drop down list will provide the customer with an easy way to select instead of creating a button for each product.
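
The IPN checks described under ‘What is IPN’, applied to the four membership options above, as an added example that is not PHP-SecureArea's own code. The form only submits an item_number, so the listener looks the price up in its own table and compares it with what PayPal reports. The receiver address, the GBP currency, the function names and the sample notification are assumptions made for the example.

```php
<?php
// Added example, not PHP-SecureArea code. Prices mirror the drop-down above;
// the receiver address, currency and sample notification are constructed.
const CATALOGUE = ['Memb01' => '10.00', 'Memb03' => '20.00',
                   'Memb06' => '35.00', 'Memb12' => '60.00'];
const RECEIVER = 'seller@example.com';
const CURRENCY = 'GBP';

// The handshake: send the untouched body back with cmd=_notify-validate in
// front. PayPal replies with the literal text VERIFIED or INVALID.
function paypal_postback(string $rawBody): string
{
    $ch = curl_init('https://ipnpb.paypal.com/cgi-bin/webscr');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => 'cmd=_notify-validate&' . $rawBody,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 30,
    ]);
    $reply = curl_exec($ch);
    return is_string($reply) ? trim($reply) : '';
}

// Returns 'grant', or the reason the notification must not unlock access.
function check_ipn(string $rawBody, callable $postback, array &$seenTxn): string
{
    parse_str($rawBody, $ipn);
    if ($postback($rawBody) !== 'VERIFIED') return 'not verified by PayPal';
    if (($ipn['payment_status'] ?? '') !== 'Completed') return 'payment not completed';
    if (strcasecmp($ipn['receiver_email'] ?? '', RECEIVER) !== 0) return 'wrong receiver';
    $price = CATALOGUE[$ipn['item_number'] ?? ''] ?? null;
    if ($price === null) return 'unknown item';
    $paid = $ipn['mc_gross'] ?? '';
    if (($ipn['mc_currency'] ?? '') !== CURRENCY || !is_numeric($paid)
        || number_format((float) $paid, 2, '.', '') !== $price) return 'amount mismatch';
    $txn = $ipn['txn_id'] ?? '';
    if ($txn === '' || isset($seenTxn[$txn])) return 'missing or replayed txn_id';
    $seenTxn[$txn] = true;   // in production: a unique column in the database
    return 'grant';
}

// Constructed notification: the 12-month item paid at the 1-month price.
// The stub closure stands in for paypal_postback() so this runs offline.
$seen = [];
$body = 'payment_status=Completed&receiver_email=seller%40example.com'
      . '&item_number=Memb12&mc_gross=10.00&mc_currency=GBP&txn_id=TEST0001';
echo check_ipn($body, fn(string $b): string => 'VERIFIED', $seen), PHP_EOL;
```

In a live listener, read the body with file_get_contents('php://input') and pass 'paypal_postback' as the callable.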

Creating a database user with phpMyAdmin

PHP-eSeller, PHP-SecureArea and PHP-KeyCodes all require a MySQL database and hence require a database username and password. Normally you will interact with the MySQL database using a control panel which will incorporate tools to easily create databases and users. These facilities are provided by your web host and will be the best way to create database users.

However, with some web hosts it may be necessary to create a user using phpMyAdmin.

To create a user using the phpMyAdmin interface, assuming that you are logged in to phpMyAdmin with full privileges:

In a SQL text box enter:

GRANT SELECT, INSERT, UPDATE, DELETE ON eseller.* TO eselleruser@localhost IDENTIFIED BY 'piggy911';

The above assumes that ‘eseller’ is the name of the database, ‘eselleruser’ is the name of the database user and ‘piggy911’ is the password.

This will create a user with select, insert, update and delete privileges, which is all that is required for a normal user.

NOTE that to create tables the user needs to have create table privileges, which can be given by changing the SQL to the statement below (it grants every privilege on the database, not only table creation):

GRANT ALL PRIVILEGES ON eseller.* TO eselleruser@localhost IDENTIFIED BY 'piggy911';

PayPal and eChecks

An eCheck is when the customer only has a bank account, and not a credit card or additional form of payment to back up their account should their account be overdrawn when PayPal tries to debit it, so PayPal doesn’t pay you for 3-5 days while they wait for the money to transfer.

All withinweb applications (PHP-SecureArea, PHP-eSeller, or PHP-Keycodes) are able to handle eChecks and in addition, will automatically send an email to the purchaser informing them that they have paid by eCheck and that there will be a delay before the purchase is complete. Once the eCheck has cleared, the application (PHP-SecureArea, PHP-eSeller, or PHP-Keycodes) will complete the process in the normal way and send the appropriate emails to the customer, all without intervention by yourself.

When we receive an eCheck purchase we often send an additional email to the customer just to further explain the situation and maintain a relationship with the customer.

In fact there are many situations where there can be a delay in payment being completed. All these situations are automatically handled by the applications.

There can be customer service nightmares when people use eChecks in PayPal. Most customers don’t know what it is, and PayPal appears not to warn them. Providing that you inform the customer, there should not be a problem and you can maintain your relationship with the customer.

Finding the full path name (absolute path) of a folder

With many applications it is necessary to find the full path name of a folder and then enter it into the admin area of the application. This is required in PHP-eSeller to identify the location of the digital files, and it is required in PHP-SecureArea to define the secure folders.

Download, unzip, and ftp to the location of the folder and then call the file in your browser –

Click here to download the file

Another way of finding the full path name is to log in to the admin pages of PHP-eSeller or PHP-SecureArea, click on the menu item ‘PHP Info’ and look for SCRIPT_FILENAME. That will give you the full file name of the file you are looking at. From that you should be able to work backwards to the root of your web site or to any other part of your site.

Note that the full path name of the folder is not the same as the http url of the folder directory – it will not work.

How do I reset the admin password in my application?

I have had a few users forget their password that they use to login to the admin area of either PHP-eSeller, PHP-SecureArea or PHP-KeyCodes.

The best way to reset the admin password is by using the phpMyAdmin facility in your server control panel. Log in to your server control panel and find phpMyAdmin, then find the database for the application, and then click on the SQL tab. You will be presented with a box to enter SQL.


UPDATE name_of_password_table_here SET userpassword = md5('admin') WHERE username = 'xxxxxx'

The name of the password table will be ipn_tblpasswords, sec_tblpasswords or key_tblpasswords depending on the application, and xxxxxx is the username which is in the table.

This will then set the password to ‘admin’ for that username. Treat this as a temporary password and replace it with a strong one as soon as you are logged in.