I have noticed on a lot of applications you need to pay for (vBulletin, Interspire Shopping Cart, etc.) they all have some type of serial number or code that you get when purchased with your license. How can you create something like this with PHP that won't get hacked or changed in your code once it's purchased? I am assuming the serial numbers need to reside in a database on your personal site that nobody else has access to, but I am wondering how you would be able to create an algorithm for it and check against it and stuff like that.
Short answer? You can't. If you can code it, someone can break it. If you want to have truly open source programs, it's next to impossible. You can lock down a single file, or the whole thing, but someone could just decode it. Zend is better than IonCube for this, as Zend Optimizer removes a lot of "white space" while encoding so it's more efficient. Something decoded from Zend is next to unreadable, but a very determined person could still hack it. In any case, if you want to go that route, you'd create a hash with a constant "salt" to generate the license key (easy) or you could "phone home" to your server for authorization (difficult). I've never done the latter, as I don't have the attention span to do so. That's the process you were describing above (with the serial numbers stored) but it can still be "hacked" or "changed in the code." Someone could just remove the section that "phones home" or make the response always true. The salt method could include the domain name for the script (website.com) with the salt (mysalt). md5 these two together [md5($website.$salt);] or whatever hash methodology you want to use. Upon installation, the user would enter their domain name (website.com) and the license key, and the program would compare the license key to the generated hash at install. Your program would need to have the salt built-in, making the fully open source option moot, since someone could just go in and remove the salt. 
It could look something like this in its most simplistic form:

```php
// use $postVars, or $values, or some other variable, instead of $_POST in case you ever want to change the method
function validateKey($postVars)
{
    $website = $postVars['website']; // input by the user
    $key = $postVars['key']; // input by the user
    $salt = "mysalt"; // set by you
    $hash = md5($website.$salt); // what the license key for the domain should be
    // hash_equals() compares strictly and in constant time; a loose != can treat two different "0e..." hashes as equal
    if (!hash_equals($hash, (string) $key)) {
        return false; // if what the license key should be doesn't match the input, fail
    } else {
        return true; // if it does, continue!
    }
}
```
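An added example, not part of the post above or of any product named in the thread: the salted-hash scheme ships the salt, so anyone holding the code can compute a valid key for any domain. A signature-based variant keeps the signing key on the vendor's server and ships only a public key that can verify but not issue licenses; as the answer notes, it still does not stop someone from deleting the check. The function names and the domain normalisation rule are assumptions, and the code needs PHP 7.2+ with the sodium extension.

```php
<?php
// Added example (hypothetical helper names), not code from the thread.

// Assumed policy: treat "WWW.Website.com " and "website.com" as the same licensed domain.
function normalizeDomain(string $domain): string
{
    $d = strtolower(trim($domain));
    return (strpos($d, 'www.') === 0) ? substr($d, 4) : $d;
}

// VENDOR SIDE ONLY: runs on your own server; the secret key is never shipped.
function issueLicense(string $domain, string $secretKey): string
{
    $signature = sodium_crypto_sign_detached(normalizeDomain($domain), $secretKey);
    return sodium_bin2hex($signature);
}

// SHIPPED WITH THE PRODUCT: holds only the public key, which cannot create licenses.
function validateLicense(string $domain, string $licenseHex, string $publicKey): bool
{
    // Reject anything that is not exactly a hex-encoded Ed25519 signature (64 bytes).
    if (!ctype_xdigit($licenseHex) || strlen($licenseHex) !== 2 * SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    return sodium_crypto_sign_verify_detached(
        sodium_hex2bin($licenseHex),
        normalizeDomain($domain),
        $publicKey
    );
}

// Constructed demo values: in practice the key pair is generated once on the
// vendor's server and only the public key is hard-coded into the product.
$keyPair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keyPair);
$publicKey = sodium_crypto_sign_publickey($keyPair);

$license = issueLicense('website.com', $secretKey);

// Same domain in a different spelling, then a different domain with the same key.
var_dump(validateLicense('www.Website.com', $license, $publicKey));
var_dump(validateLicense('other-site.com', $license, $publicKey));
// A key built the md5-plus-salt way has the wrong length and is rejected up front.
var_dump(validateLicense('website.com', md5('website.com' . 'mysalt'), $publicKey));
```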
I get what you're saying, it does seem almost impossible to hide anything like this. Thanks for sharing the example of code though, this was something I was looking for and just couldn't come up with how to create the logic. Thanks!
I've pondered using a similar system to the one Altari described, but like he said, if someone can code it, someone can break it. I figure in the end, I'd be inconveniencing the people who bought it from me legitimately more than the pirates.