Social Buttons
  1. Advertising
    y u no do it?

    Advertising (learn more)

    Advertise virtually anything here, with CPM banner ads, CPM email ads and CPC contextual links. You can target relevant areas of the site and show ads based on geographical location of the user if you wish.

    Starts at just $1 per CPM or $0.10 per CPC.

What's the easiest way to protect a php script?

Discussion in 'PHP' started by DomainMagnate, Apr 21, 2013.

0
  1. #1
    What would be the easiest way to protect a php script so it can only be run on one domain. I'm looking for a very simple solution that would be easy to implement for selling 1 domain licences. Some sample code and examples would be appreciated, thanks!
     
    DomainMagnate, Apr 21, 2013 IP
  2. sarahk

    sarahk iTamer Staff

    Messages:
    28,089
    Likes Received:
    4,370
    Best Answers:
    123
    Trophy Points:
    665
    #2
    Give the client a "key" and somewhere in the important part of the code make it have to send that key to you for processing. You then return a string that can be executed and allows the code to continue.

    Or if the key isn't unique there's a big banner over the top of the settings/admin page.

    Which ever way you run it, you'll get someone who thinks its worth his time and effort to bypass your security. Factor that into your business plan and find a way around it. Premium plugins or support won't work if any one of the modules/plugins/components isn't legit.
     
    sarahk, Apr 21, 2013 IP
  3. Feral

    Feral Active Member

    Messages:
    70
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    68
    #3
    The easiest way is to not bother, because if you not going to do something like encrypt the files then your wasting your time.

    But if you insist on doing it then what I would do is make the user enter in specific information when they download the script from you including the domain name that the script will be running on. Use this information to generate a key that is stored on your server.

    When they activate the script on their server the script would gather the required information and generate the key on the server end then "call home" to your server and compare the keys. If the keys match then the script can run. If not then it locks up and will not run.

    An extended version of this would be the double call home, where you use a dynamically created salt when creating the key. Then the users server would first call home for the salt, use it to generate the key and call home again with the key.

    One question to ask is if you want this to be only done when the script is first activated or should it be done on every page load, or once a day, or once a week.. month etc.
     
    Feral, Apr 22, 2013 IP
    ryan_uk and Devtard like this.
  4. HorrorMovies

    HorrorMovies Notable Member

    Messages:
    1,466
    Likes Received:
    36
    Best Answers:
    0
    Trophy Points:
    250
    #4
    You can force the script to do a API call to your server with a key which would have some encrypted settings, so if the API call were to be removed the script wouldn't work.

    You can simply hard code everything to begin with but if you wanted to add reporting all you would need to add is changes to your own server, to find out where the call came from how many times it calls etc.

    There really is no "easy" way of making it work as any good PHP dev would be able to write a work around no mater what solution you have. But an API call will show you when a website stops calling the API at which point you can contact them asking them why etc.
     
    HorrorMovies, Apr 22, 2013 IP
  5. sarahk

    sarahk iTamer Staff

    Messages:
    28,089
    Likes Received:
    4,370
    Best Answers:
    123
    Trophy Points:
    665
    #5
    Thing is that if it's just asking for a key you can edit the source to stop asking for it. The host server has to do something that can't be replicated
     
    sarahk, Apr 22, 2013 IP
  6. DomainMagnate

    DomainMagnate Illustrious Member

    Messages:
    10,932
    Likes Received:
    1,022
    Best Answers:
    0
    Trophy Points:
    455
    #6
    Could you expand on that or link me where its explained in more details how to implement?
    Basically at this stage I just want to protect the script from people who don't know any coding or have much motivation to crack it, but just so they can't set it up on additional domains easily without buying another licence. I'd like the script to be tied to a specific domain.
     
    DomainMagnate, Apr 23, 2013 IP
  7. sarahk

    sarahk iTamer Staff

    Messages:
    28,089
    Likes Received:
    4,370
    Best Answers:
    123
    Trophy Points:
    665
    #7
    If you're looking for a low tech solution I'd give them a key which is actually a hash of their domain name and perhaps a salt you supply from your site. If they don't match then the script degrades nicely - you don't want them to be pissed off, you want them to come to you and buy.

    So in one part of the script, maybe the init I'd create a variable called something unremarkable with "digitialpoint.com" (for example)
    Then in another part of the script I'd do an fgets to your server for the salt value, md5 them together (not sophisticated but that's ok) and if it matches the license number they've entered into the admin panel then they're good to go, otherwise they need to buy.

    I'd tend to make the admin panel shutdown but leave the public site unaffected but how heavy handed you want to be is up to you.
     
    sarahk, Apr 23, 2013 IP
  8. deathshadow

    deathshadow Acclaimed Member

    Messages:
    9,666
    Likes Received:
    1,983
    Best Answers:
    250
    Trophy Points:
    515
    #8
    All this talk of 'keys' is a bunch of BS, as is the mere CONCEPT of copy protection on an INTERPRETED language. Even the big expensive packages are fairly easily slapped aside by anyone who knows what they are doing.

    Lemme put it this way: Think about "copy protected" games -- the game industry has put how many programmers and how many millions of dollars into things like Starfarce, suckurom, etc,etc, only to have them slapped aside quite often before the product is even on shelves in stores? We are talking about COMPILED programs without source code...

    You really think in a interpreted language where the source code IS the distribution method you're gonna come up with a proper answer? PLEASE...

    ... and honestly, if you were to 'sell licences' on obfuscated/pre-compressed/encrypted code, I'd tell you where to shove your software, just on philosophical grounds given we're talking about PHP - and encourage others to do the same!

    See that 'ioncube' bull for moron deploying software... and I do mean moron.
     
    deathshadow, Apr 24, 2013 IP
    sarahk and Devtard like this.
  9. annaharris

    annaharris Active Member

    Messages:
    119
    Likes Received:
    1
    Best Answers:
    0
    Trophy Points:
    51
    #9
    I would recommend the solution suggested by SaraHK as it is the best way to protect php script.
     
    annaharris, Apr 24, 2013 IP
  10. edduvs

    edduvs Well-Known Member

    Messages:
    394
    Likes Received:
    31
    Best Answers:
    3
    Trophy Points:
    160
    #10
    The easiest way to protect your files is to keep them on your hard drive and give them to nobody.
     
    edduvs, Apr 24, 2013 IP
    deathshadow likes this.
  11. sarahk

    sarahk iTamer Staff

    Messages:
    28,089
    Likes Received:
    4,370
    Best Answers:
    123
    Trophy Points:
    665
    #11
    deathshadow is right by the way - but you asked for low tech for unsophisticated users
     
    sarahk, Apr 24, 2013 IP