Thoughts on protecting PHP scripts from piracy... (your input wanted)

Discussion in 'PHP' started by scriptman, Aug 29, 2007.

  1. #1
    I don't like the idea of encoding my PHP files because a) Ioncube is far too expensive and b) it hinders individual development of the script.

    Recently I've been trying to think of a better solution. The best I can come up with, is to de-localize the administrative panels of a script. For example, administrators of a live script would have to log into my website in order to control their systems, which are located on a different domain. The communication between my website and their script would be via cURL or similar, and it would obviously be password protected.

    If a pirate were to purchase a copy of the script, they would have to write all the administrative tools from scratch before redistributing, because they would only have access to the admin panel for whatever domain they licensed.

    The issue with this is the dependency on my server. I'd rather not force users to depend upon my server... Also it's possible someone might put the time into creating a server with "pirate" admin panels, a little like illegal game servers. What do you think? Looking for a new and unique idea...
     
    scriptman, Aug 29, 2007
  2. #2 exodus
    Ioncube, if you do it to a few files at a time, is very cheap. Use the web encoder. I think it is 10 cents per file. If you're selling scripts at 30-100 a copy then it is worth the cost. Also, I have been using http://www.olate.co.uk/products/iono/ for license keys for a few of my recent scripts.

    That is a great idea. Lots of overhead though. The user's website would be eating up bandwidth and so would your site. Overall it could possibly work. It would give your website a bunch of control over their hosting though. I am not sure if they would go for that. Plus, a lot of users would hate the idea of not having control over the whole script. Great idea though.
     
    exodus, Aug 30, 2007
  3. #3 scriptman
    Wow, I hadn't realized a one-off cheap encoding option was available! Here's some more information for anyone else interested:

    http://www.ioncube.com/online_encoder.php

    Regarding my idea of de-localizing some functions, I agree that the overhead would be an annoyance for me. That is why I was thinking of de-localizing the admin panel - this isn't likely to get much traffic relative to the end user side of any website. I agree the reliance upon my server being active would turn some potential clients away (I personally wouldn't want a dependency like that) so I may just stick with this web encoder.

    If anyone else wants to discuss this I'm very interested to hear your ideas!
     
    scriptman, Aug 30, 2007
  4. #4 nico_swd
    Note that cURL isn't installed by default, and that a lot of servers don't support it. And those that don't may well also have allow_url_fopen disabled in php.ini, so there'd be no way to communicate between the servers.

    Plus, how would it work on the client's website? There must be a file which handles all requests sent by your site. I think it'd be even easier to modify this file and manage the site locally than to decode Ioncube or similar.

    How would you verify that the request comes from the panel on your site? How would you verify if the user who's sending the request is the actual owner and if he's logged in?

    Sounds like a lot of security issues there.


    While this would be very easy to bypass too, how about embedding a 1x1 pixel image secretly somewhere in your code, which points to a source on your page, like:

        // Build the pixel URL, tagging the request with the host the script is running on
        $src = 'http://example.com/image.jpg?h=' . urlencode($_SERVER['HTTP_HOST']);
        // Emit the hidden image so each page load sends a request to your server
        echo '<img src="' . htmlspecialchars($src) . '" width="1" height="1" alt="">';

    Then you can track the URLs passed and see which of the domains have permission to use the script.

    The image could be hidden in the admin panel where it's not that obvious.


    As said, it'd be super easy to bypass, but people would have to know about it.

    (You could also track the referrer of the image request to make it even less obvious. It could be the logo of your website or something that doesn't look suspect to the users)
     
    nico_swd, Aug 30, 2007
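The receiving end of the tracking-pixel idea in the post above, as an added example that is not code from the thread or from any poster. It is the script that would sit at image.jpg on the vendor's server: it reads the h= parameter the client script put in the URL, compares it with the Referer header, checks both against a licence table, logs the hit and answers with an uncacheable 1x1 GIF. The licence table, log path, host names and the constructed requests in the CLI demo are all assumptions; it needs PHP 8.0 or later.

```php
<?php
// Added example, not code from the thread: the receiving end of the
// tracking-pixel idea. A licensed copy of the script emits
//   <img src="http://example.com/image.jpg?h=<its HTTP_HOST>">
// and this file, served as image.jpg on the vendor's server, records the
// claimed host plus the Referer and flags hosts that hold no licence.
// The licence table, log path and host names below are assumptions.
// Requires PHP 8.0+ (str_starts_with).
declare(strict_types=1);

const LOG_FILE = __DIR__ . '/pixel-hits.log';            // assumed path

// Constructed licence table: normalised host => licence id.
const LICENSED_HOSTS = [
    'customer-one.example' => 'LIC-0001',
    'customer-two.example' => 'LIC-0002',
];

// Lower-case a host name and strip a port and a leading "www." so that
// "WWW.Customer-One.example:8080" and "customer-one.example" compare equal.
function normalize_host(string $host): string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host) ?? $host;
    return str_starts_with($host, 'www.') ? substr($host, 4) : $host;
}

// Classify one pixel request. $claimedHost is the h= parameter the client
// script put in the URL; $referer is the Referer header, if any. Both are
// client-controlled, so this only catches people who do not know the pixel
// is there (the limitation the post itself states), but an honest client
// sends them, and a disagreement between the two is itself worth logging.
function classify_hit(string $claimedHost, ?string $referer): array
{
    $host = normalize_host($claimedHost);
    $refHost = '';
    if ($referer !== null && $referer !== '') {
        $refHost = normalize_host((string) (parse_url($referer, PHP_URL_HOST) ?? ''));
    }
    $licence = LICENSED_HOSTS[$host] ?? null;
    if ($licence === null) {
        $status = 'unlicensed';          // nobody paid for this host
    } elseif ($refHost !== '' && $refHost !== $host) {
        $status = 'mismatch';            // h= names one site, the page lives on another
    } else {
        $status = 'ok';
    }
    return ['host' => $host, 'referer_host' => $refHost, 'licence' => $licence, 'status' => $status];
}

// Append one line per hit; the vendor greps this for "unlicensed"/"mismatch".
function log_hit(array $hit, string $remoteAddr): void
{
    $line = sprintf("%s %s host=%s ref=%s licence=%s status=%s\n",
        gmdate('Y-m-d\TH:i:s\Z'), $remoteAddr, $hit['host'], $hit['referer_host'],
        $hit['licence'] ?? '-', $hit['status']);
    file_put_contents(LOG_FILE, $line, FILE_APPEND | LOCK_EX);
}

if (PHP_SAPI === 'cli') {
    // Offline demo with constructed requests: licensed, licensed with odd
    // casing/port, forged h= on an unlicensed site, and plainly unlicensed.
    foreach ([
        ['customer-one.example', 'http://customer-one.example/admin/'],
        ['WWW.Customer-Two.example:8080', null],
        ['customer-one.example', 'http://warez.example/admin/'],
        ['warez.example', 'http://warez.example/admin/'],
    ] as [$h, $ref]) {
        echo json_encode(classify_hit($h, $ref)), "\n";
    }
    exit;
}

// Web entry point: log, then answer with a 1x1 transparent GIF that the
// browser must not cache, so every admin-page load produces a hit.
$hit = classify_hit($_GET['h'] ?? '', $_SERVER['HTTP_REFERER'] ?? null);
log_hit($hit, $_SERVER['REMOTE_ADDR'] ?? '-');
header('Content-Type: image/gif');
header('Cache-Control: no-store, max-age=0');
echo base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
```

Run it with `php image.php` to see the four constructed hits classified as ok, ok, mismatch and unlicensed. The Cache-Control header matters more than it looks: without it a browser fetches the pixel once and the vendor sees a single hit per install rather than ongoing use.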
  5. #5 scriptman
    Cool questions. Some of these I've mulled over in the past couple of days thinking about this.

    Plus [how] would it work on the client's website?

    I was thinking of attempting one after the other. cURL, file_get_contents, file. I suppose a number of servers will have this disabled, so yes - this will create a new server requirement. I would have thought most people would allow some sort of external include though.

    How would you verify that the request comes from the panel on your site?

    First of all I had planned to encrypt communications through blowfish. When a user first downloads my script, their account is created on my site along with a special system-generated passphrase. This passphrase is stored in both my database, and inside their script. This would be used to encrypt / decrypt the messages at both ends, and should prevent a third party from remotely controlling an admin system. If the client wanted to create their own panel, there would be nothing stopping them, but it would be a big task which is the main deterrent in this piracy-combating idea.

    How would you verify that the request comes from the panel on your site?

    As above there is no real way to ensure requests ONLY come from my site. Even if I were to do https certificate checks and whatnot, the source code would be visible and editable by the client anyway.

    How would you verify if the user who's sending the request is the actual owner and if he's logged in?

    This would all be tied into my website. I like phpBB and was thinking of converting it to a secure support system as well as an admin control panel for clients. When a client logs in, their admin communication hash is loaded from my database and used to encrypt messages sent to the domain (s)he is licensed for. No two different users will ever be able to send messages to a different domain a) due to restrictions I'd put in place (restrict communications to the domain they paid to license) and b) because they will not have the unique key to send correctly encrypted requests to other websites.

    The image idea is a well known one and good for letting me know who is pirating my scripts, but I want to stop piracy attempts all together, not just know where they're occurring.
     
    scriptman, Aug 30, 2007
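The authenticated admin channel scriptman describes in the post above, as an added example that is not code from the thread or from any poster, with the vendor's panel and the client-side endpoint in one file so it can be run from the command line. Where the post talks about encrypting the messages with Blowfish, this example instead authenticates each request with an HMAC keyed by the per-licence passphrase that the post says is stored at both ends: the question the client-side endpoint has to answer is whether the vendor's panel sent this command, for this domain, recently, and a keyed MAC answers exactly that (confidentiality, if wanted, is a separate layer such as TLS). The keys, domain names, actions, fixed clock and nonces are constructed; it needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread: the authenticated admin channel
// described in the post, with both ends in one file. The per-licence key
// is created when the licence is issued and stored on both the vendor's
// server and inside the licensed script, as the post describes. HMAC
// replaces the Blowfish encryption mentioned there: the endpoint needs to
// authenticate the request, not hide it. All values below are constructed.
// Requires PHP 7.3+ (JSON_THROW_ON_ERROR).
declare(strict_types=1);

// ---- vendor side (the panel on the vendor's site) ----------------------

// Sign a command for one licensed domain with that licence's key.
function build_admin_request(string $domain, string $action, array $params,
                             string $licenceKey, ?int $now = null, ?string $nonce = null): array
{
    $msg = [
        'domain' => $domain,                              // which site this is for
        'action' => $action,
        'params' => $params,
        'ts'     => $now ?? time(),                       // freshness
        'nonce'  => $nonce ?? bin2hex(random_bytes(16)),  // replay detection
    ];
    $payload = json_encode($msg, JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
    return ['payload' => $payload, 'sig' => hash_hmac('sha256', $payload, $licenceKey)];
}

// ---- client side (the endpoint inside the licensed script) -------------

// Verify a request against this installation's own key and host name.
// $seenNonces stands in for a small persistent store of recent nonces.
function verify_admin_request(string $payload, string $sig, string $licenceKey,
                              string $ownHost, int $now, array &$seenNonces,
                              int $maxSkew = 300): array
{
    // 1. Authenticate the raw bytes before interpreting them; hash_equals
    //    keeps the comparison constant-time.
    $expected = hash_hmac('sha256', $payload, $licenceKey);
    if (!hash_equals($expected, $sig)) {
        return ['ok' => false, 'reason' => 'bad signature'];
    }
    $msg = json_decode($payload, true, 64, JSON_THROW_ON_ERROR);

    // 2. A request validly signed for another licence must not work here.
    if (($msg['domain'] ?? '') !== $ownHost) {
        return ['ok' => false, 'reason' => 'signed for another domain'];
    }
    // 3. Reject old requests and ones already seen: a captured request
    //    could otherwise be resent by anyone who sniffed it.
    if (abs($now - (int) ($msg['ts'] ?? 0)) > $maxSkew) {
        return ['ok' => false, 'reason' => 'stale timestamp'];
    }
    $nonce = (string) ($msg['nonce'] ?? '');
    if ($nonce === '' || isset($seenNonces[$nonce])) {
        return ['ok' => false, 'reason' => 'replayed nonce'];
    }
    $seenNonces[$nonce] = $now;
    return ['ok' => true, 'action' => $msg['action'], 'params' => $msg['params']];
}

// ---- demo --------------------------------------------------------------
$keyA = 'licence-key-for-site-a';   // constructed; real keys come from random_bytes()
$keyB = 'licence-key-for-site-b';
$now  = 1188432000;                 // fixed clock for a reproducible run
$seen = [];

$req = build_admin_request('site-a.example', 'set_option', ['maintenance' => true], $keyA, $now, 'n1');
$cases = [
    'genuine'             => [$req, $keyA, 'site-a.example', $now],
    'replay'              => [$req, $keyA, 'site-a.example', $now + 10],
    'other licence key'   => [$req, $keyB, 'site-a.example', $now],
    'aimed at other host' => [build_admin_request('site-b.example', 'set_option', [], $keyA, $now, 'n2'),
                              $keyA, 'site-a.example', $now],
    'tampered payload'    => [['payload' => str_replace('true', 'false', $req['payload']), 'sig' => $req['sig']],
                              $keyA, 'site-a.example', $now],
    'too old'             => [build_admin_request('site-a.example', 'noop', [], $keyA, $now - 3600, 'n3'),
                              $keyA, 'site-a.example', $now],
];
foreach ($cases as $name => [$r, $key, $host, $clock]) {
    $res = verify_admin_request($r['payload'], $r['sig'], $key, $host, $clock, $seen);
    printf("%-20s %s\n", $name, $res['ok'] ? 'accepted' : 'rejected: ' . $res['reason']);
}
```

Running it accepts only the first case and rejects the other five with the reason for each. The domain check is what implements the "restrict communications to the domain they paid to license" rule from the post: even a correctly keyed request is refused if the domain inside it is not the one the endpoint is installed on. None of this changes the point conceded in the thread: the client can still read the key out of their own copy and drive the endpoint themselves, so this authenticates the channel rather than preventing a determined licensee from replacing the panel.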