I am developing a chat application in php and i want to sell this over internet. How I can I make it licence protected, that only those person who have bought licence key are able to use it. There will be a different licence for different domain.
What how can I achieve this?
You're going to struggle with the three banes of licensing:
Someone smart will just take the code out
You'll need to license per server or to have the keys circulating on the internet
Most people will just get a free alternative
To remedy the first one...you can't. PHP is not compiled. the other two are less about code.
Usually on the internet what you can see is not licenses but memberships, unless you mean to install your application on internal servers of other companies, if that is the case, there are many installers setups that help you restrict an installation by provising an encripted key, in that case would be your license.
Related
I'm wondering if anyone can offer any advice on the following situation.
I'm developing a system, which will then be installed on peoples own servers. However, i want people to pay a subscription fee for using this system. If they do not pay I want to be able to disable the system externally.
Basically when the system is run it does a call in the background to my server, which checks the license key, if it exists and is active they can use the system as normal.
I've got a basic function that calls my external site (sort of a web service) which checks the key exists. However, anyone with a bit of knowledge could just alter the function so it returns true and bypass the external check.
Any suggestions on the best way to do this, even if it makes it slightly more harder for them to remove.
You will need to encode your code, e.g. with ionCube. However, the customer then needs to set up ionCube on their own server to be able to run the code.
You would usually put the main logic/controllers onto YOUR server.
So it would be more SaaS (Software as a Service).
If that's not possible, you might encrypt (some of) the code on the customers server with keys and certs, so what you sell is a private key to your customer.
Besides that, have a look at Zend Guard.
I have developed a web based portal using php and some part of the site is only accessible by employees only. I would like to add an extra security layer so only employees whose PC is authenticated can access the restricted area.
If it was Dot NET it could be easily done by using activex components but I am not certain about the PHP.
Can any one share hints how to accomplish this task using PHP?
Are you using Active Directory to Authenticate? If so, you can probably tap into the LDAP functions in order to check for a valid authentication. You could also implement some security paradigm like Kerberos in order to achieve this with single sign on.
The easiest thing to do is to add a users table to your database and then built some basic authentication around that.
I would create a while-list with the IP's of the allowed computers (using $_SERVER['REMOTE_ADDR']), since it's almost the only information that you can obtain from the machine that make the HTTP request using just server-side scripting.
This should work well for computers inside the company, since they would have IP's within the same range (e.g. 10.100.x.x or 192.168.x.x), or they will use the same gateway for connecting to Internet.
If you need to allow access to roaming laptops, then this method will be almost useless unless they have static IP addresses.
This likely isn't possible with PHP. You can try to embed an ActiveX control using PHP, but I feel like this would be a better application for desktop software. PHP is definitely not going to be sympathetic. Sorry.
Hello guys.
I think it isn't possible just using PHP, but just to be sure.
Is it possible for PHP to know if the
user is accessing the web from behind
a Router?
And if yes, how can i get some
information about that router, like:
Router Name, Brand, Serial Number, ...
Users connected in the same network.
Can PHP also find the Local IP
Address for the visitor in that
Network?
A few simple questions. To which i haven't found a solid answer, and i tough that some PHP genius could tell me. And teach me.
Thanks for your help.
EDIT: Motives for this privacy invasive question
I didn't thought that i had to say this... But i guess i do
I was writing a couple functions that would get the browser preferred languages and finding out from which Country the user comes based on the IP, to deliver my website content in the right language to the visitor.
Then i started to think, most people browse from behind the router, can i find out if they are indeed?
Then it just came to my mind to do one of those simple programs that display network details, people connected on your network. My idea was to do that, but Web App Based not Desktop App Based as all other programs of this kind.
I appreciate privacy above everything as most developers do, so i kind of understand the Down Votes, i would probably Down Vote myself.
I'm sorry if you misjudge me due to my weird question, i have nothing to do so.. These things just popped up on my head.
First, are you talking about finding out information about users visiting your website? Keep in mind that this implies an intrusion into their privacy (you can try it with yourself though ;))
Is it possible for PHP to know if the user is accessing the web from behind a Router?
No you cannot. Only when you know that e.g. you have a lot visitors from one company and they all have the same IP address, they might be behind a router but it could also be a proxy.
And if yes, how can i get some information about that router, like:
Router Name, Brand, Serial Number, ...
If you have the IP you might be able to discover various things about a host with tools such as nmap. You might be able to find out the brand of a router and host system but definitely not serial number and such stuff. nmap is not PHP though.
Note: The use of such tools without permission to do so is illegal in some countries. In any way, the use of such tools without permission is morally questionable .
Users connected in the same network.
As I mentioned in the first question, if you have different users with the same IP address they might be in the same network. They could also be in different sub-networks. Anyway you cannot get their local IP addresses.
Can PHP also find the Local IP Address for the visitor in that Network?
See previous answer.
You see, everything is very vague and mostly based on assumptions. You cannot get reliable information and I am very glad that we are not totally transparent yet.
Once we all use IPv6, the whole story is a different one.
I have no idea what you're trying to do, but it worries me a little.
So I'm glad that (as you suspected) it's not possible.
All the details you're asking about is information that there's no reason for anyone outside the local network to need, it would be a huge security problem if a router was broadcasting this to the world.
It is not possible, by the design of the network protocols.
However, some routers uses special builds of PHP in its admin control panels.
I want to divide my web application into two parts.
One part is free, like a demo for people to use.
The other part is not; a extension that is paid for but requires authorization and a license to use.
My idea is to sell the extension without having it being compromised. Once the extension is sold, the buyer can't upload it to some other site and make it "free" for other people to use. Thus the extension would check a database from another domain to authorize the use of its script.
How can I achieve this?
Give the free script away for users to run on their own site. Run the licensed non-free script only on your server and hook them together using an API over HTTP.
Use a professional solution like Zend Guard.
I am about to deliver an Adobe AIR app to a customer.
But it's my first delivery of any sort, I.e. I have
no experience whatsoever with licensing etc.
Users of this app may or may not be online, so
can't count on that. In fact it's 99% sure that
they will be offline.
Nor do I expect them to very tech-savvy, who will
spend enough time scouting for ways to "crack" it.
So, is there an okeish type of way to protect this
app. That is, I don't want people to simply copy
the installation folder, take it to another machine
and run it. It should be slightly harder than this.
Oh, and I am also using PHP and MySql, with which
this AIR app communicates. So anything you guys could
help me with is very very welcome.
protect the php api and not the frontend app. have a license key which is bound to an ip address and authenticate the request (which contains the key) is coming from the correct ip.
If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.
If you wish to obfuscate your PHP code I would suggest ioncube. There is an online obfuscator that you can pay per à-la-carte. Pretty usefull. Tho you need ioncube loaders which is a set of PHP extension that you will find into the products section. Not sure but I think you can install loaders without playing with PHP config so it's shared-hosting friendly.
You can not protect anything that's webbased or javascript based, purely because there is complete sourcecode.
Anyone who knows how to use 'right click' could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn't be possible, write a desktop app in a 'real' programming language.
When the app installs, I would do the following:
Create a file in "app-storage" that basically indicates the app has been installed.
Fire off a service call and make a record of the install
Change a file in the app directory to indicate the app has been installed
On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in "app-storage" could a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.
In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an "ironclad" approach probably isn't even the best idea.
I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).
From what you're saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.