Hi, I am working on a fairly simple web application in PHP - about 15 pages in all, but I'm adding to it and improving it regularly. I decided to create the script for my own use but figured I might as well sell a few licenses when it's stable. I don't want to sell the script as raw source code as I've worked really hard on it, and to see somebody ripping me off and reselling it for just a few penny's would really hit hard. I want to do the following; A) Encrypt the source code (or some of it) so that the buyer only has limited ability to edit the script and cannot copy my code. & B) Distribute the script with licenses, so the buyer can only use the script on specified domains. I have found a few options to suit my needs; ZendGuard seems perfect for my requirements, the downside is of course it is $600/year, which for one script is too much. ionCube PHP Encoder seems like another good option and it's $299 (Pro version). Although it's a lot less than ZendGuard, it's still a big chunk of money. PHP Obfuscator looks like the best "FREE" option for encoding scripts, and of course I expect it to be less secure than bought software. This also lacks the ability to implement/manage licenses. If anyone could cast a little light on the following questions, it will be appreciated; - Are there any other options that are worth looking at? - Does PHP Obfuscator require any sort of Loader/Decoder on my clients server like the other two options? - Is there a way to hard code license details (Expiration, Domain etc) into the source and then encode with PHP Obfuscator? - Any other hints/tips? Kind Regards, --Mike
Maybe you can check sourceguardian.com for other options. All of encryption must decrypt to can be reading. So, PHP Obfuscator still require any sort of Decrypter. And of course if you want to specify domain, you can do that. For example: if(!($_SERVER['HTTP_HOST'] != 'domainname')) exit(); Encrypt that page, and your customer can't change that.
Sorry, I was wrong about that. I just find these output on their website function FC7321B391B6EF18F0711B835402E91D1($RE91192A00FF990477EE414AD5D708F08) { global $db_prefix; global $R695CD54D1F9CB31C11C71AF5EF74FDDB; $R9E9F3EDB7A84E99A0567F313F4EAC1BA = $RE91192A00FF990477EE414AD5D708F08; $R37A721F3B04CA577A7730084048F2BE3 = array_keys($R695CD54D1F9CB31C11C71AF5EF74FDDB); foreach($R37A721F3B04CA577A7730084048F2BE3 as $R90E8291866BD6CB7ED5089CE7E833D11) { $R9E9F3EDB7A84E99A0567F313F4EAC1BA = str_replace($R90E8291866BD6CB7ED5089CE7E833D11, $db_prefix . $R90E8291866BD6CB7ED5089CE7E833D11 , $R9E9F3EDB7A84E99A0567F313F4EAC1BA); } return $R9E9F3EDB7A84E99A0567F313F4EAC1BA;}. Maybe the code is weird, but you still can read it. I don't recommend you to use this.
I can't decipher that, can you? Does anybody else have experience with encoding PHP scripts? I imagine it will take quite a long time for somebody to decode my script if it is encrypted like the above example. I don't plan on selling hundreds of licenses and I'll be setting the price moderately as to only interest serious buyers, what are the chances somebody will actually buy it and decode it? --Mike
The script above only makes a person more hard to reading the code, by extending the variables used. The script above may be difficult to read, but what if we made it to be like this: <?php function func1($b) { global $db_prefix; global $c; $d = $b; $e = array_keys($c); foreach($e as $f) { $d = str_replace($f, $db_prefix . $f , $d); } return $d; } Code (markup):
Forgive my naivety, but wouldn't that still be pretty difficult to decode, especially in a larger script. If I was going to only sell a dozen or so licenses, would that be enough security? I'm not keen on investing too much of my own money into this project, however I am more than happy to re-invest any revenue from it. In which case I'm thinking of using PHP Obfuscator for the first few sales until I generate enough revenue to invest in a better security option (such as ionCube). The problem is, I don't know exactly how many "hackers" and "crackers" are out there, and how likely it is that one of them will get hold of one of my "first few" copies. How common is it for small time scripts to get hacked? --Mike
I was just browsing the ionCube site and noticed they offer an Online PHP Encoder which basically allows developers the service of encoding a script using "the same mechanisms used in the standalone Encoder" but without buying the software. From what I can make out from their price guide, it would cost me around $30 to encode my script, but does this include License creation/management or would I have to hard code this? I suppose another option is to Download ionCube PHP Encoder on Trial, use it on my script and try to sell a handful before my Trial runs out. Then with the sales revenue I could upgrade to the Pro version. --Mike
For PHP Obfuscator, yes, it still difficult to decrypt if you don't have time to do that. But if he intend, maybe he can build a script to automatically find-and-replace that length texts to more readable text You can try that ioncube online php encoder
If you use anything other than ioncube you will regret it! For licensing use http://www.solidphp.com/ For encoding use http://www.ioncube.com/ Take my word for it, I have sold hundreds of encoded scripts, my sales went up 75% once I used ioncube and a licensing system which prevented people from pirating. The sad truth is if you don't protect your property for every one buyer you'll have ten people who steal ... they think it's entitled to them "since it's the internet it should be free" this is the mentality I seen quite a bit!
I use ioncube too. But the licenseing system should be hardcoded by you. And encode it by ioncube. Except you want to make every single script to work only specific domain, which is included on ioncube's default feature. So if the buyer wants to transfer the license to other domain, you should give him new encoded script
Interesting I've been wanting to do similar though turned to providing clients api access instead. I found this a little while back looks like it's either semi-abandoned or newly developed open source encoder/decoder ombudi.com I'd look though his code though just to make sure there's no exploit. I'm guessing either base64 or md5 for encoding and if so both of these are readable with the right tools, though in a limited capacity for the md5. Regarding the md5, I don't think the hacker db's facilitate anything beyond 8/9 chars and I don't think there's to many php syntax decodes (if at all) ROOFIS