Your approach to this is entirely wrong.
If you don't want the user to have something, then just don't give it to them. Don't give it to them wrapped in some form of encryption.
If you don't want the link to work without the user paying then use server side code which has logic along the lines of:
if (!userHasPaid()) {
redirect(sales_page);
exit;
}
provideDownload();
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…