Sure. For now I think I will create an installation steps for each script and while installing will ping the server with domain name. I will then ask all customers who purchased the script to register. That way I will at least know who installed the script on what domain. If the new domain does not match the registered domain then email me... something like that
Being a php programmer myself I understand the need to protect your work but have you thought of the potential sales you may loose for having an encrypted script? I have bought a few scripts and I only buy unencoded ones now since I got screwed once buy some guys script that had to call back to home when ever you logged into the admin section. People serious about using your script (and in their business) will not want to put their trust (and their business) into a locked script that may fail for any number of reasons. Most people downloading script off the warez site probably wouldn't buy the script if it wasn't available on the warez sites. Just my opinion.
That's why I simply have the script email me once the install is complete. If my mail server is broken, down, not working properly, whatever, the script will still install and work just fine. But, I will also know exactly where my scripts are being used since I receive the info via email upon completion of installation.
That's why I decided to not encrypt the scripts and create this installer for all. That way I will achieve 2 things 1. Installing a script on a new server will be much easier. Inexperienced users have issues finding the config file and edit it 2. Will know on what domain name the script is being installed. If the domain is not found in my registered domains (will ask customers who purchase the script to register) then email me.
Here the code of installer will be still visible, and can be edited. You have to keep the installer encrypted too, isn't it ?
I disagree here... Most of people do not go with encrypted scripts is because of their customization problems. I believe if your script provides a good level of customization and you have skills to present that information on your website... then it will hardly affect your sales.
master06: like has been said here, the problem with ioncube and the like is that they require server side libraries to operate. That's fine if you're in control of the operating environment but it's absolutely amazing what some hosting companies out there don't support and these extra libraries are one of those things. It just becomes a hassle for your customers and you. Regarding ability to customise, that is definitely a valid concern. Believe it or not, I do hate to toot my own horn, but again that's why I like the obfuscator I wrote. It lets you choose which functions / variables / classes / constants etc. to obfuscate. I know of at least one person that uses it in such a way that he essentially provides an API: all of his actual 'work' functions and so on are obfuscated but all of the front end stuff uses non-obfuscated functions. The people that buy his script can change the HTML and a lot of the look and feel, but can't actually get into his code and change the fundamentals (or licensing) without a heap of effort.
IonCube just do it ..... it's no money compared to what you get, plus for an extra few bucks you can get phpaudit as a bundle, saving 100's of hours, a lot of servers still allow dl and like cody said a lot support ioncube by default, ioncube themselves even produce a gui for windows to install the loaders on a users shared server.... just do it ...
One way to do it, but which would require you to have a high-bandwidth and reliable site yourself, is to leave some of the bigger functions of the script on your own server, accessible only by your scripts that people have purchased and have a valid license code and coming from a valid IP. So, say you have a common function in your scripts which gets value "A" sent in and "B" sent out. Make your script read yoursite.com/scriptname/process.php?A=whatever&license=whatever to get the result for "B". Make sure license is valid and incoming IP is valid before providing result. Problem with this is that makes your scripts dependent on your site being always up and accessible. Good points are that people that don't code (the ones that buy your scripts) wouldn't care what your script is doing as long as it works and people wanting to steal your code won't bother starting to code in the missing remote functions.
You still need to encode / encrypt this otherwise it's easily removable by anyone who has some knowledge of PHP. Also this could get very sluggish.. I would just have some self-made algorithm which has a unique identifier + expiration date in it. Once it expires the script will kaput until either updated and or given a new one, but once again theres no point unless it's encoded / encrytped.
Sure, somebody could remove the code that call home, but then the script wouldn't work. The person would have to understand what the missing code was doing and create their own code, which they probably aren't willing to do. No encoding/encryption needed. But yes, things probably would get sluggish.
Not really... if it were me, I'd change the code to write a local copy of what it grabs from your server. Then I'd replace the code that calls your server with what your sent back to me.
You could easily "null" it to make it work without the code.. but the main problem is with it phoning home every time (aside from the obvious if 500 sites are doing it every time a user visits a page to call a certain function) is if someone decides to DDoS your server.. then anyone using your script would have downtime.
czar, Most hosts have IonCube installed as an extension anyways and any good host will install it on request. Invest in a copy of it, you wont be sorry. Any soft way of protecting the code will be broken by a determined hacker. IonCube will stop them from reversing the encryption and protect your code. Meantime look up the hosts of those warez sites and send a DMCA notice to them. Safe harbor will kick in and they will go in and take down the scripts you wrote. I had to deal with a schmuck who tried to use the DMCA to bump off a customers site and it's not fun. Since your complaint has merit though you are well within your rights to do this. Zen
I believe that I read somewhere that there was a 'hacked' version of one of the major 'encryptors' out there that dumped the decrypted code. I could be wrong, but if it were me, I'd be doubly sure and obfuscate the code myself before encrypting.