I have coded a PHP script and I wish to protect it. I would like to know if it has been installed on a server or not. I thought about putting in a function that tracks it when someone downloads it to a server, and which server it is. I hope someone can understand me! Regards Frank
If you are talking about what I think you are, no one can download or see your PHP script unless it is in a ZIP file. You don't have anything to worry about.
There are two things you have to do:
Let your app phone home
Implement a method that sends data, requests your web page or sends an email to your site at some rare times. Do this very carefully; if someone sees what your app is doing, this will be rendered useless because network ports and email access can be blocked!
Optional: obfuscate your application
You can protect your PHP application with an obfuscator, which makes the code quite unreadable. The drawback is that good obfuscators need additional libraries installed on the server where the application is running (but an important application should be worth that), and other obfuscators are more or less useless against skilled developers.
I think she is talking about Google for PHP License System and implement them on his scripts. As for the topic creator, Pudge1 or flexdex's advice! No one can download your .php files! They can only see it. See it as in the form of pure HTML. No need to worry about that! The processing part is done server side!
I guess luden just wants to sell his PHP script to others and needs to restrict the usage to the paying people. As a programmer he is aware that, unless his webserver is configured the wrong way, nobody can download the source code.
The first thing people who "null" scripts do is install and run the script in a sandbox, which is basically an environment that looks like a normal server setup to a script, but anything the script tries to access will be blocked and logged. While in this environment they will use every aspect of the script and see if the script tries to "phone home", as another user put it. If the person "nulling" the script knows the script is trying to phone home, it's only a matter of time before they find the piece of code that's responsible for it and patch around it, meaning the script will never phone home.
What you want to do first is set up something that does two things:
1) Checks the last modified date of something like a config file in the script
2) Generates a random number between one and a thousand or so
First, make sure the current date is at least a week or so later than the last modified date of that file. What this does is give you an estimate of how long the script has been installed. You don't want to attempt to phone home until after the person nulling the script has checked it out for a while and thinks it's safe. If the date is far enough in the past, generate a random number, maybe between one and a thousand. Basically you want to have a one in one thousand chance that the phone home will happen.
The better a job you do at making this piece of code work with some other function and not look like something that phones home, the better. If people happen to be making updates and come across something that obviously makes a remote request, they're going to know what's up.
Another thing you can do is set up a decoy, which is basically putting in a piece of code that phones home, but does so immediately and in an obvious way. If a script nuller finds this and then doesn't see anything else trying to phone home for a while, they may never go looking for anything else.
When you sell a copy of your script, have the phone home portion send a unique key when phoning home that you can look up and use to determine who is passing your script around and make sure you don't do business with them anymore after that.
There is a product called Zend Guard which is made by the people who make PHP. So far as I know, you have to have the runtime module installed on the server, although that's free, but it encodes the scripts and has various other features for limiting usage. Another one is IonCube, which I've never used, but have heard of people using. The idea there is it turns it into bytecode, so in theory it might be a little quicker, but importantly it's no longer readable PHP, so it's very hard to reverse engineer. There are of course freebies out there, but remember that whatever they do can be reversed and they won't give the options such as call home and such. Probably more worthwhile if it's very cheap scripts you're selling. Trev (System won't let me link to the above products)
IonCube is the one which claims to be very safe. The drawback is, you also have to install libraries on your server, but the installation is very, very simple; I gave that a try 2 months ago. www.ioncube.com/html_encoder_sample.php?e=1
Right! Sorry for the wrong thought! I was wondering if there really is a way to protect that! I have seen that many scripts which I have installed for clients use a registration key for the registered domain, sent back from the programmer's server, and that reg key is used throughout the script to validate it! Have to give Zend Guard and IonCube a try!
Take it from me... Your script is safe with sourceguardian. I have tools to decode Zend and ioncube (I personally do nulling). You want to be careful with callbacks, since some are very easy to null.
@natalicwolf. Thanks a lot for your posting. Would you mind telling us in one or two sentences what the advantages of sourceguardian are and what the problem with ZG and Ioncube is?
Could see that working, as the script wouldn't run if it was null'd, but it does cause problems if not written correctly: what happens if the programmer's server goes offline, or is overloaded, or loses connection briefly? Suddenly the client finds their wonderful web site fails to work, possibly at all. It also has the problem that if you know what the domain name was that the key relates to, then it should be possible to fake the domain name the script gets to send back. I guess no system is absolutely foolproof secure, but something like that, combined with the ability to run if the server isn't contactable for up to X days and one of the encryption systems mentioned, should provide quite a bit of protection. Then again, if you just want to put off the not very advanced user who might try to read your code, you could maybe use PHAR in PHP 5.3. Not tried it, and it is just a ZIP type package really, but for the uninitiated it might stop them snooping about in the scripts. Trev
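Added example, not part of the thread or any poster's code: one way to build the domain-bound key with an offline allowance that the post above describes, assuming PHP 7.2+ with the sodium extension. The vendor signs a receipt with an Ed25519 key and the installed script holds only the public key; the function names, license id, domains and the 7-day and 5-minute windows are hypothetical.

```php
<?php
// Added example: all names, ids, domains and time windows are constructed.
const GRACE_DAYS = 7;       // the "X days" the script may run without the vendor
const ONLINE_MAX_AGE = 300; // seconds a freshly fetched receipt counts as fresh

// Vendor server: sign a receipt binding license id, domain and check time.
function issue_receipt(string $secretKey, string $id, string $domain, int $now): string {
    $payload = json_encode(['id' => $id, 'domain' => strtolower($domain), 'checked_at' => $now]);
    return base64_encode($payload) . '.' . base64_encode(sodium_crypto_sign_detached($payload, $secretKey));
}

// Returns the verified receipt fields, or null if malformed, forged or for another host.
function verify_receipt(string $publicKey, string $receipt, string $host): ?array {
    $parts = explode('.', $receipt);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) return null;
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) return null;
    $data = json_decode($payload, true);
    // $host comes from the installation's own environment, which its operator
    // controls, so the domain binding deters casual copying only.
    if (!is_array($data) || !hash_equals((string)($data['domain'] ?? ''), strtolower($host))) return null;
    return $data;
}

// Installed script: $fresh is the receipt just fetched (null if the vendor is
// unreachable), $cached is the last receipt stored on disk.
function license_state(string $publicKey, ?string $fresh, ?string $cached, string $host, int $now): string {
    foreach (['online' => [$fresh, ONLINE_MAX_AGE], 'grace' => [$cached, GRACE_DAYS * 86400]] as $mode => [$receipt, $maxAge]) {
        $data = $receipt === null ? null : verify_receipt($publicKey, $receipt, $host);
        if ($data === null) continue;
        $age = $now - (int)$data['checked_at'];
        if ($age >= 0 && $age <= $maxAge) return $mode; // negative age: clock rolled back
    }
    return 'denied';
}

// Demo with a throwaway key pair; only the public key would ship with the script.
$kp = sodium_crypto_sign_keypair();
$pk = sodium_crypto_sign_publickey($kp);
$t0 = 1700000000;
$r  = issue_receipt(sodium_crypto_sign_secretkey($kp), 'LIC-0001', 'shop.example', $t0);
echo license_state($pk, $r, null, 'shop.example', $t0 + 10), "\n";        // vendor reachable
echo license_state($pk, null, $r, 'shop.example', $t0 + 3 * 86400), "\n"; // vendor down, day 3
echo license_state($pk, null, $r, 'shop.example', $t0 + 8 * 86400), "\n"; // vendor down, day 8
echo license_state($pk, null, $r, 'copy.example', $t0 + 10), "\n";        // receipt moved to another host
```

Caching the signed receipt, rather than a plain timestamp, means editing the stored file cannot extend the allowance. Patching out the check itself is still possible, which is why the post pairs this scheme with one of the encoders.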
Also, if you're going to run PHP scripts then no one can download them, and there is no chance of that unless you make some modifications in htaccess.