Digital download product without enough php.ini max upload size

  • masqutti

    (@masqutti)


    8 years, 4 months ago

    Hi!

    So I’m having big issues with digital products (that I’m basing my whole site on). My website host has a upload size limit for php set to 96MB and I need to have larger files uploaded. I can’t access the server php.ini file, so I asked the host, they won’t change the upload size since it’d change it for all their customers apparently. I’ve tried all these hacks to .htaccess file and creating my own php.ini etc. and none works. So I need a different approach to upload files to woocommerce store.

    Just uploading via ftp uploads the file, but then the issue is that woocommerce doesn’t seem to know what to do with it. You see I need the file to be in secure folder(like woocommerces uploads that has deny from all .htaccess -line), but If I don’t upload the file via woocommerce add file-button -> wp uploader system, woocommerce doesn’t seem to apply the same settings to the file. The plain http://address set in downloadable product hits a security barrier when a customer tries to download the file..

    So, any solutions? I’m quite amazed I haven’t been able to find one since this must be a constant problem amongst digital webshops in cheap domain hosts…

Viewing 7 replies - 1 through 7 (of 7 total)
  • FancyThought

    (@psiico)

    8 years, 4 months ago

    Hey!

    I’ve tried (locally) to create a downloadable product without uploading it through WP, simply pasting the link into the “File URL” field and doing the checkout process and I didn’t found any trouble with it.
    Since you are uploading it via FTP, probably your file permissions aren’t correct or are too restrictive to http access which makes WP throw that error.

    If not, try to specify what “security barrier” it hits.

    PS: Since your host isn’t willing to work with you or apparently can’t, you should move your business elsewhere.

    Thread Starter masqutti

    (@masqutti)

    8 years, 4 months ago

    Ok. Did you try to download your test product with direct link when it worked?

    The “barrier” is a folder-based restriction from .htaccess (deny from all). If I upload the file somewhere else, sure, the link works for woocommerce but then it’s not secured from direct downloads. It needs to be.

    I even tried to change the file permissions to match of those uploaded by the woocommerce add file -button… Doesn’t help. It’s folder-based restriction… And somewhere deep in woocommerce there must be something that grants woocommerce special access to those files it uploads as downloadable products. simple http:/address doesn’t cut it. 🙁

    FancyThought

    (@psiico)

    8 years, 4 months ago

    Did you try to download your test product with direct link when it worked?
    – Yes, yes I did.

    The “barrier” is a folder-based restriction from .htaccess (deny from all).
    – There you have it, if it is denying all, you can’t access then. You would have to create some sort of ticket/session system and obfuscate the path with the header() function, I guess, so you could give out any name/path you wanted and still preserve the original path.

    (…) deep in woocommerce there must be something that grants woocommerce special access to those files (…)
    – I seriously doubt it because that restriction is applied by the web-server itself (through .htaccess) and not WP or WC, so I think there’s not much you can do about it. Even if you could make WP/WC access it, most likely the access would be local therefore an external user (visitor / buyer) would still face the same problem.

    My advice is change to a better provider (or other plan in that company), in which you can control your own PHP config ou be able to change whatever parameter you need and save yourself the headache.

    Thread Starter masqutti

    (@masqutti)

    8 years, 4 months ago

    There you have it, if it is denying all, you can’t access then. You would have to create some sort of ticket/session system and obfuscate the path with the header() function, I guess, so you could give out any name/path you wanted and still preserve the original path.

    Would this be something woocommerce does? I mean, the woocommerce uploads to the same folders I uploaded the file (uploads/woocommerce/year etc), and still woocommerce can access the file it uploaded itself, but I can’t direct access it in any way. So this confuses me and there must be something woocommerce does for it’s own uploads to access them..

    But I guess you’re right if there’s no “easy” solutions. It’ll delay the shop opening and a hassle to transfer the domain & setting up the whole shop elsewhere and I would’ve liked to avoid that.. 🙁

    • This reply was modified 8 years, 4 months ago by masqutti.
    FancyThought

    (@psiico)

    8 years, 4 months ago

    I mean, the woocommerce uploads to the same folders I uploaded the file (uploads/woocommerce/year etc), and still woocommerce can access the file it uploaded itself, but I can’t direct access it in any way.

    The WC runs locally (side by side with the web-server) on the server, .htaccess doesn’t affect it, it’s the reason why WC can write there.

    It’ll delay the shop opening and a hassle to transfer the domain & setting up the whole shop elsewhere and I would’ve liked to avoid that.. 🙁

    You can keep the domain registered where you have it and only point the domain DNS to the new server. Takes up to 12-24h to redirect it.
    Regarding the setting up, everything is on the DB, export it and import it else where, fix the wp-config.php & wp-settings.php to reflect the new server credentials and you are most likely ready to go.

    Thread Starter masqutti

    (@masqutti)

    8 years, 4 months ago

    Ok thanks for the tips! 🙂

    Thread Starter masqutti

    (@masqutti)

    8 years, 4 months ago

    OK! Turns out there’s a way to do this securely!

    First a HUGE WARNING to everyone who uses straight http://address in their product downloads! a Customer can see the original URL from example Google Chrome Console when the download starts, EVEN IF the orifinal URL is scrambled by woocommerce! It’s a light protection that can be overridden by anyone who knows a little how to use a browser debug tools(about every teenager these days).

    If you still use this, couple of settings gives you some protection but won’t save your day:

    – Use .htaccess with Options -Indexes -line that prevents your website’s folder browsing.

    – in woocommerce you must use “Downloads Require Login”-setting to prevent Guest-links that will work for anyone too.

    – propably a wise idea to limit the download amount to something other than infinite if something like group payment happens and lots of people download your product. but this isn’t that much about the security but a partial countermeasure to abuse..

    My advice: don’t EVER USE http:// -address based download product files!

    Correct solution for small php max upload size-servers:
    Always use this. I tested and it works & gives you safe download files that cannot be breached through without heavy hacking (or at least not every kid can get your product for free…)

    Always use the woocommerce Add File Button. Always upload a new download product file through that to make sure the woocommerce folder protection applies to it. You can check it in you website’s file manager that the file uploaded into uploads/woocommerce/year/month -folder, and that the uploads/woocommerce -folder has .htaccess in it that has a line “deny from all”. This makes sure no-one will get your files without a bought product.

    Here’s the interesting tip:
    – If your download product file is too large for your server to handle via HPH (woocommerces add file-function), create a “fake file” that has the name of the product you wish it to have. The file extension HAS to match too, so for example it could be a dummy object named “mybook.pdf” or “productX.zip”. The dummy object should have something in it to prevent it being 0 size, it needs to have a couple of bytes for wordpress to accept it. But when it does accept a small file, the file will upload correctly to woocommerce as a download product.

    – Now, just open your website’s filebrowser or FTP-software of your choice, connect, delete the dummy file, and upload the large (the real one) download product into the same exact folder where the dummy file was in.

    – Voilá! You now have a large file, finished product, available for your customers to download, even if your server’s PHP upload max filesize would be under a megabyte!

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Digital download product without enough php.ini max upload size’ is closed to new replies.