Secure a website with php
10-31-2010, 04:59 AM
|
Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Hey
I was thinking how can I secure my script from being used on another server, make some kind of validation on the index page for example.
Maybe collect server data with $_SERVER, put them in one string, hash it and upload the txt file on my friend's server.
Now, if the validation doesn't pass, die() or redirect somewhere.
I'm sure there are much better ways but this came first to my mind; someone can simply remove those lines.
What do you think?
|
|
|
|
10-31-2010, 05:13 AM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
I'm a little confused as to what the problem is. You want to prevent your script from being used on another server? How would someone get the script in the first place?
As you pointed out, there is nothing stopping a user of your script from modifying it.
|
|
|
|
10-31-2010, 05:27 AM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Let's say that I want to sell my script to users, I need some kind of licensing system, right?
For example vBulletin has a licence that only works for one user.
I know that everything can be null*d depending on the protection, and with the protection like I have in mind that can be done in 2 seconds.
But it's gonna work for a user with no php knowledge.
|
|
|
|
10-31-2010, 07:39 AM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
Okay I understand now.
I think (but don't quote me) vBulletin has the ability to 'call home' and check if the script is registered to a customer. It would take some digging through the code, but I'm certain that you could disable this feature. The reality is that any kind of anti-piracy or security feature you implement in PHP can be circumvented or disabled by a user of the script.
In the case of vBulletin there are incentives to purchasing a license (i.e. support and updates), but in the end someone who is determined not to pay for the software will either circumvent the security measures or, provided they exist, find a copy that has already had the security measures removed.
I think the only reasonable thing to do is focus on the users who are willing to pay for the software. In other words, don't dwell on implementing security measures when you could spend time working on features that will make people want to buy the software. Make it difficult to use the software without purchasing it, but in a manner that does not interfere with legitimate users.
One simple thing you can do is just have the script call home periodically. Pass the domain the script is running on via GET to a script on your server. That server will then check if the domain is registered to a customer. Clearly all you would have to do to circumvent this is find the function that checks if the domain is valid and just set it to always return true (or something to that effect). Just make sure the script doesn't shut down completely on one failed attempt to check the domain.
Last edited by NullPointer; 10-31-2010 at 07:43 AM..
|
|
|
|
10-31-2010, 08:05 AM
|
Re: Secure a website with php
|
Posts: 3
Name: Vasile Goian
|
Unfortunately, you can't secure your script entirely. But you might wanna try something about obfuscating php.
|
|
|
|
10-31-2010, 08:13 AM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
Quote:
Originally Posted by XtrimVerSuS
Unfortunately, you can't secure your script entirely. But you might wanna try something about obfuscating php.
|
Obfuscating your code can make it extremely difficult for someone to modify your code. This includes malicious users trying to circumvent your security and legitimate users who want to make a change to the code. Depending on how you implement it, it might also be a debugging nightmare.
http://en.wikipedia.org/wiki/Obfusca...of_obfuscation
|
|
|
|
10-31-2010, 09:08 AM
|
Re: Secure a website with php
|
Posts: 3
Name: Vasile Goian
|
@NullPointer: that's right, but if you keep an unobfuscated copy of the code, you can debug it. You should obfuscate only the final version that you sell to clients. Also, you could obfuscate only portions of your code. You may take as an example free WordPress themes that have the footer obfuscated.
|
|
|
|
10-31-2010, 09:48 AM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Quote:
Originally Posted by NullPointer
One simple thing you can do is just have the script call home periodically. Pass the domain the script is running on via GET to a script on your server. That server will then check if the domain is registered to a customer. Clearly all you would have to do to circumvent this is find the function that checks if the domain is valid and just set it to always return true (or something to that effect). Just make sure the script doesn't shut down completely on one failed attempt to check the domain.
|
So I need to have a script that checks the value of the request script and returns results.
Basically that's the same thing I wanted to do.
Can you give me an example about calling the verification script?
Maybe a hidden form that submits on document load?
I'm downloading the Zend Guard trial version to try and obfuscate the source code, I really wanna know what will come out.
|
|
|
|
10-31-2010, 10:16 AM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
Quote:
Originally Posted by XtrimVerSuS
You may take as an example free WordPress themes that have the footer obfuscated.
|
I know exactly what you're talking about, and after I'm done bypassing the obfuscation to make a completely legitimate change to the footer I'm just that much more inclined to remove any of the author's links. Obfuscation impairs usability if not implemented correctly.
Quote:
Originally Posted by miki86
So I need to have a script that checks the value of the request script and returns results.
Basically that's the same thing I wanted to do.
Can you give me an example about calling the verification script?
Maybe a hidden form that submits on document load?
|
Here is an example of the client portion:
PHP Code:
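function check()
{
    // Ask the vendor's server whether this domain is registered to a customer.
    $url = 'http://yoursite.com/check.php?domain=' . urlencode($_SERVER['SERVER_NAME']);
    $params = array('http' => array(
        'method' => 'GET'
    ));
    $ctx = stream_context_create($params);
    // @ suppresses the warning on failure; file_get_contents() then returns false.
    $resp = @file_get_contents($url, false, $ctx);
    // check.php prints 1 for a registered domain and 0 otherwise.
    return $resp !== false && trim($resp) === '1';
}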
and the server portion:
PHP Code:
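// Hypothetical customer list; replace with a lookup in your customer database.
$registered = array('customer-one.example', 'customer-two.example');
$domain = isset($_GET['domain']) ? strtolower(trim($_GET['domain'])) : '';
// check if the domain exists in your customer database
if (in_array($domain, $registered, true))
    echo 1;
else
    echo 0;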
This is a very simplified example. There might be some problems using file_get_contents to call the remote script; if the user has allow_url_fopen disabled in their php.ini it won't work. I think you can work around this using fsockopen. Alternatively you can use cURL, but again, the user might not have it enabled.
The way I wrote it the server portion just returns 1 if the domain exists. In an actual implementation you might also want to retrieve some additional information (just make sure none of it is sensitive info). Also, you may want to include some sort of user id as well as the domain in the request.
Last edited by NullPointer; 10-31-2010 at 10:25 AM..
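The call-home check from the post above, extended with the advice not to shut down on one failed attempt and with the cURL fallback it mentions. This is an added example, not part of NullPointer's post: the function names, the cache file, the 7-day grace window and the once-a-day recheck are assumptions, and like any PHP-side check it can be edited out by whoever holds the source.

```php
<?php
// Added example. LICENSE_URL mirrors the post; every other name and value is assumed.
define('LICENSE_URL', 'http://yoursite.com/check.php');
define('GRACE_SECONDS', 7 * 86400); // keep running this long after the last confirmation
define('RECHECK_SECONDS', 86400);   // call home at most once a day

// Returns the body sent by check.php ('1' or '0'), or null if the server was unreachable.
function license_fetch($domain)
{
    $url  = LICENSE_URL . '?domain=' . urlencode($domain);
    $resp = false;
    if (ini_get('allow_url_fopen')) {
        $ctx  = stream_context_create(array('http' => array('method' => 'GET', 'timeout' => 5)));
        $resp = @file_get_contents($url, false, $ctx);
    } elseif (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 5);
        $resp = curl_exec($ch);
    }
    return ($resp === false) ? null : trim($resp);
}

// Pure decision step: returns array(allowed, new state) for one server answer.
function license_decide($state, $answer, $now)
{
    if ($answer === '1') { // confirmed: start a fresh grace window
        return array(true, array('checked' => $now, 'valid_until' => $now + GRACE_SECONDS));
    }
    if ($answer === '0') { // server explicitly reports an unregistered domain
        return array(false, array('checked' => $now, 'valid_until' => 0));
    }
    $state['checked'] = $now; // unreachable or garbled: fall back on the last confirmation
    return array($now < $state['valid_until'], $state);
}

function license_check($cacheFile)
{
    $now   = time();
    $saved = json_decode((string) @file_get_contents($cacheFile), true);
    $state = (is_array($saved) ? $saved : array()) + array('checked' => 0, 'valid_until' => 0);
    if ($now - $state['checked'] < RECHECK_SECONDS) {
        return $now < $state['valid_until']; // recent answer cached, no request needed
    }
    list($ok, $state) = license_decide($state, license_fetch($_SERVER['SERVER_NAME']), $now);
    @file_put_contents($cacheFile, json_encode($state), LOCK_EX);
    return $ok;
}
```

Call `license_check()` with a writable path such as `dirname(__FILE__) . '/license.cache'`; a fresh install with no cached confirmation is refused until the server answers 1 once.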
|
|
|
|
10-31-2010, 10:24 AM
|
Re: Secure a website with php
|
Posts: 52
Name: Alex
|
Zend may help
|
|
|
|
10-31-2010, 10:26 AM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Thanks, very useful information.
I didn't know about this function stream_context_create().
|
|
|
|
11-02-2010, 11:37 AM
|
Re: Secure a website with php
|
Posts: 58
Name: Justin
Location: /etc/httpd/logs/error_log
|
Some professional PHP scripts use IonCube to obfuscate their code; this requires the client to install the PHP add-on (some web hosts have it installed by default), but keeps your code safe.
|
|
|
|
11-07-2010, 10:44 AM
|
Re: Secure a website with php
|
Posts: 920
Name: Scott Kaye
Location: Ontario
|
Anybody smart enough to actually hack your webserver and get your PHP code will know how to remove the security from it.
BTW didn't read the whole thread so sorry if this is irrelevant.
|
|
|
|
11-10-2010, 09:12 AM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
I think I know that much to protect my web server.
Every software for obfuscating out there is outdated, and doesn't support PHP 5.3.x.
What about eval() and base64_encode() ?
|
|
|
|
11-10-2010, 09:29 AM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
Quote:
Originally Posted by miki86
What about eval() and base64_encode() ?
|
I see this constantly and it is just a minor annoyance. Less than a minute to decode.
By the way, if you are writing a portable application you should be careful to make sure your code is backward compatible with PHP 5.2.x. There are some significant changes in 5.3 and many people haven't switched and probably won't for a while.
|
|
|
|
11-10-2010, 12:09 PM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Yeah, I saw it on a footer page, but they were using it for HTML so I could read the source code without a problem; I thought it's different for PHP.
What about using an external dll file like AES or blowfish? I've done some encoding in the past but that was for Windows applications.
|
|
|
|
11-10-2010, 12:23 PM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
Even if you encrypted the code the script would still need the key to decrypt and evaluate the code. This means that users would also have access to the key. No matter what you do a determined user is always going to find a way around the security.
I think it may be helpful to think about it like this:
How many people actually decide to purchase software after being deterred by security? Even if they are not able to bypass the security isn't it much more likely that they will either find an alternative application or just forget about it entirely?
I think you stand to gain much more by focusing on making good software that people will want to buy and that will be easy to maintain rather than focusing on a tiny minority of people who decide to buy software after failing to steal it.
|
|
|
|
11-10-2010, 12:45 PM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Yes, I know they'll need a key, but if that key is stored in an external executable file they won't have access to it, that is unless they decompile that exe file, which is more complicated than removing a few lines in PHP, right?
And regarding the clients, they won't know anything about security and they won't need to do any additional steps because I'm just trying to secure my config file, that's all.
|
|
|
|
11-10-2010, 12:57 PM
|
Re: Secure a website with php
|
Posts: 2,815
Name: Matt
Location: Irvine, CA
|
Quote:
Originally Posted by miki86
Yes, I know they'll need a key, but if that key is stored in an external executable file they won't have access to it, that is unless they decompile that exe file, which is more complicated than removing a few lines in PHP, right?
|
Any compiled executable is going to greatly diminish the portability of your software.
Can you elaborate on the role you want the executable to play? Is it going to decipher the code every time the script runs? If the code that is running the executable file is written in PHP (I'm assuming you'd use exec to call the file) it is possible to obtain the deciphered code without bothering to decompile the executable.
I'm all for making it more difficult for people to steal software, just not when it distracts from the more important aspects of developing software.
|
|
|
|
11-10-2010, 01:20 PM
|
Re: Secure a website with php
|
Posts: 185
Location: print_r($serbia);
|
Yes, every time the script is run. That's, let's say, 20 lines of code to be deciphered.
The executable file would be run through php, but without a key.
Quote:
Originally Posted by NullPointer
it is possible to obtain the deciphered code without bothering to decompile the executable.
|
There is no way of creating 100% security, I'm aware of that, but this is a good way to start.
|
|
|
|
|