I make my own php scripts and lately I noticed many of them on warez sites. I need to come up with a way of protecting them. I know there are tools like sourceguardian.com but most require additional software installation on the server. My script buyers are basic users and most will not be able to get the script running without sending 50000 support questions. Any ideas will be greatly appreciated.
Very difficult if you sell them. There is some free options but it does not work on all servers. The best thing to do is to put in some code or something that send a ping back to you or a word or picture you can trace. IT will be a full time work to run around looking for them once they start spreading. There is some PRO software you can use but it can be cracked and they will cost you alot of money.
My scripts don't cost much but still I want to protect them somehow. I have some ideas but wnat to hear yours too. Not too much experience with that, Thanks
Well ask everyone to register there site if its not register then its wares. Give no resell rights what so ever.
the truth is that there is no feasible easy solution. the fact that it's written in a script as compared to a proper compiled language means there is no protection. even my free script - indexscript is 'abused'. some sites use the script without the 'powered by' link.
Have you consider using IonCube to protect your stuff? There is a option that you pay only what you need to encode.
I was thingking about using IonCube but I think they require an aditional software installation and is not for basic users. Most of my buyers are basic users.
Although you want to write something that will ping your server on a fresh install, you also want to protect your code. Now, like you said, ioncube and those expect something installed on a server. If you want to do something to protect your code, and your code doesn't use variable variables or expect register_globals set to on, then you can always obfuscate your code. I have written an obfuscator called YAPHPO that I use on my projects. Essentially on obfuscator changes your variable names, function names, class names and constants to something meaningless. It will then go and remove all of your comments and whitespace so your code runs on to itself. However, the outcome is still completely valid PHP (as opposed to something that needs a server side loader). If you're interested, you can read about my implementation at http://www.asistechnologies.com/home/products/yaphpo/yaphpo-information.html and download it from a link there, too.
Encrypt it in hexadecimal. I've done it in javascript, I'm not sure if you can do the same in PHP: It looks like this: \x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x22 Most people don't understand how it works and I havn't been able to find a converter online, so it helps a lot.
http://www.phplock.net/ - my friend is developing something to protect php scripts .. he's still working on it though.
I would be careful of a lot of these other 'avenues': converting to hexadecimal is like base64encode'ing it. It looks bad to the user, but you can see exactly how it gets decoded and if you do that yourself, you get the original source code. phplock.net has nothing on it at the moment but I did look at another project with a suspiciously similar name and for all intents and purposes, it was base64encode'ing as well. If the final 'encrypted' script has a call to exec in it, you can pretty easily get the original code (unless the original code was obfuscated as well). The encrypters that use server side libraries are better, but again, there are rumours of 'cracked' libraries that dump the original code to file. To stop people getting to the original code it *has* to be obfuscated at some point. Obfuscation doesn't stop them essentially reverse engineering the code to be similar to the original, but you can't easily reverse obfuscated code to the original like you can with base64encode'd code, for example.
You say that most of your users are basic users, right? Here is what I do for most of my scripts. I create a mail function that emails me at the end of the installation. It includes the domain, IP, install URL and some other information. I then encrypt this section as well as a few other sections of the install code so that if someone deletes the encrypted portions, the install will not perform correctly. Also, part of the installation requires receipt numbers to allow for easy lookup to confirm legal installations. If you need/want some assistance, let me know. I would be more than happy to lend a hand to a fellow programmer.
Czar that was i was talking about let them Ping your server then you know when some one install. If they not register you have to send them a email telling them bad stuff is going to happen. Also write to there hosting company and google, paypal and other companies they are working with.