I have just spent a couple of hours making some modifications to this plugin I thought I'd share with you. There are a few things in this patch linked to below:
- Changed database queries to protect against SQL injection attacks - There were some unquoted strings coming from the outside world
- Added a download count display for a specific code - if you leave this translation blank, it won't come up, but you can specify the format in the config
- Added configurable secret salt to the MD5 hash for the leases you were using
- Removed the MD5 calculation for every code in the database (could get slow when it gets big)
- Provided more secure, encrypted leases (where available) based on the user's IP and the secret salt
- Allowed the code to be pre-filled in a post, e.g.
  [download-code code="MYCODE123"] just shows the download section
- Moved the download record insertion to after the file has finished streaming, to prevent incomplete downloads from using up the available downloads
Hope this helps.