Have done some research and found some stuff that may be helpful.
I would like your opinion about my approaches on this.
THE GOAL
I will develop an application in PHP (That's the only language I know and unfortunately I don't have time to learn another one right now). I want this application to be able to run offline and locally to any pc. I will use Wamp server and cakePHP framework for this.
THE PROBLEM
This application will be for sale. So I will need some activation method to prevent each app from being used in multiple computers. I don't want something complicated or very very secure. I just need something simple, to prevent non-programmers to run this app in any computer. Of course, the more secure, the better! :)
POSSIBLE SOLUTIONS I AM THINKING OF
First of all, I am thinking to force users to activate their application, by going online during installation. That way they could get a unique KEY from my online database.
I found php's shell_exec command. So I am thinking, during online installation, to get the Host ID (Machine ID) of that computer, send it to my server and store it to my database next to a unique KEY. Then Machine ID and unique KEY can be stored to a php file. (Could I store it somewhere more secure? Maybe encrypt it?)
Every time the user opens the application, php will read machine ID. If not the same with the one stored in php file, an activation will be required. (Maybe could store computer's name too or some other id?)
Is that a good approach? Would it be possible?
Another approach I am thinking of, is to have a guy create a non php installation file. When run, will promp wamp installation and when installation finishes, will transfer all necessary files to wamp root folder (automatization for the user). I can only guess though this will work, as my knowledge over other languages is limited...
Could I benefit from this in validation terms? Can a non php file interact with my php application and validate it, for only one unique computer?
Any info will be very appreciated. I have just started building the application and want to know if there is a good way (or non) to secure it.
Thanks!
There is no point in all of this because if people want they can simply crack any of the copy protection methods you came up with. This also applies to any other app written in any other language. If people want to use it without permissions there are ways to do that.
There are some ways to obfuscate the code (see Is there a code obfuscator for PHP?) but these solutions are just silly because if people really want they can get the code in plain text anyways.
A better idea might be to run the app on your server and allow people to pay for it monthly, Software as a Service like Google Apps for Business.
Related
I have made an appointment management php app for a department of an institution. They insist to keep the app in their server, because the database is holding sensitive informations, and they don`t want to hand it for a 3rd party.
If they give my app for the other departments or make a copy and run it on other institution's server, i would never know about it, which i really don`t want.
Can i somehow give them a really hard time to make changes on my app and make it impossible (or at least difficult) to move to other servers without my permission ?
I really appreciate any kind of idea.
There is no such thing as perfect protection, given enough time any copy protection can be broken. That said the most universally accepted solution to this is IonCube. If you want to lock it to the system, perhaps check some hardware thing and hard code it in, such as the system's IP and/or MAC address.
Most hosts are happy to run the IonCube extension and it is pre-packaged with cPanel hosting environments and the like.
You could make some services on your own server, called by your scripts, like SaaS and that would probably be the best protection - you could then guard the calls to the services using some tokens, oAuth, whatever...
I want to prevent coping my custom made CMS from domain to domain and I want that it is operable only on a doain that it is bought for and onluy for the period 1, 2 years from the purchase.
The code generation part is not a problem, but how to prevent it from modifying from hackers is the hardest part.
E.g. something like vBulletin protection. (I know it can be nulled too)
How to implement such thing into my CMS written in php?
I think it needs to be spread through the whole app on various places the variable check and masked in some ways, so the dependencies is not easy to detect and remove.
I know that it is very difficult and hard topic, so I appreciate some direction like book, web discussion or article.
Btw. connecting to my server and checking if the domain is ok is not an option, my servers could be down and the clients as a result of not possible connection too.
You could do a combination of things..
New client domains can be given generated license keys that are unique to each of your client's install that is need for your software to work. The key should be bound one per hosted domain and should be stored remotely on your servers as well as locally on the client install.
When you or someone else is installing the cms for the first time make it required to enter the license key and verify it with a remote server. This should suffice for the initial setup time. Store some info about the server in your remote database. If this remote procedure fails installation should render unsuccessful. Think of clever ways to make this necessary and required like fetching an encryption key to be stored in the database.
During or after install you can generate encryption keys (or not) and store something unique in a file on the app server that is required by your code. Super cheap would be to create the file /MY-CUSTOM-CMS-LICENSE.txt with the key in plain text right inside it. This can be another vector for verification later on. Should you discover a website which has copied your cms you can check this txt file.
Have your software call home to your server every now and then sending the key plus some server info (ip, host, etc). It does not have to be dependent on your server to run. Meaning you can let the software run if it fails. It is just very helpful to call home every now and then. For example every X days to ping a url on your server and if your server is down just have it do the call home check the next day. One reason why this is so handy is if your client copies the app folder from one domain to another domain to setup a second illegal site, as soon as they run index.php file it will call home. And if they have not checked every line of your code and don't know it even does this they would be caught rather easily. All you need to do is check some kind of log of who 'called home' so to speak.
Write up proper software license agreement with the terms for your product and place it in a file called LICENSE located in the root directory of your app. This will ensure clients (and their developers) are aware it is not free to copy and reuse. Later if someone copies it, you (or your lawyers) can point to the file and say 'didn't you read this jerky-boy'
Make something (or many things) in your code unique to your code. For example wordpress' admin by default is /wp-admin and almost every single file in their app starts with wp- which makes it easy to detect. Add the entire app in a special folder. Add a meta tags to all output like <meta name="generator" content="vBulletin 4.0.4" />. There are many other things you can incorporate and write into your app that could be tell tail signs it is your code. The point is to have so many things that make the job of removing everything a daunting task or just annoying to the thief. I don't think anyone would be crazy enough to refactor all your code just to steal it. If they do remove these code bits and resell/reuse it you have an even stronger case for litigation.
You could write a script to crawl the web (ugh) or just do searches on google or even setup Google alerts to notify you if any of detectable methods you placed in your app are found (like in #3, #4, #5, #6, #8)
You could buy a CDN like www.maxcdn.com and host a JavaScript file on there and put that into your code. <script src="http://cms-headquarters.example.com/license.js"> since it is on a CDN is has very small chance of failing and if it goes down for a week that's OK too, all you need to do is check who hasn't hit your server.
Obfuscate some of your code for an added annoying deterrence.
On how vbulletin does it:
http://www.sitepoint.com/forums/showthread.php?281666-How-does-the-vBulletin-License-work
https://www.vbulletin.com/forum/showthread.php/338346-Easy-Way-To-Find-Nulled-vBulletins
Finally here's a PHP class that tries to offer a partial solution: PADL (PHP Application Distribution License System)
I need to reliably get the id of a user from the PC using PHP.
I tried using
gethostbyaddr($_SERVER['REMOTE_ADDR']);
but that returns the network name of the pc, not what they actually logged in with.
I then tried
var WshShell = new ActiveXObject('WScript.Network');
document.form1.item('uid').value = WshShell.UserName;
which returned the value I needed, but has inherent issues:
browser security
being able to completely bypass by using browsers other than IE
Is there a way to get the ID that I am just not finding?
Looking at the discussion in the comments, the correct answer is to build a proper, run-off-the-mill login system like millions of sites already employ.
There is no safe mechanism to uniquely identify a PC to a server side application, plus as you say, users could switch machines on a daily basis.
You could set a cookie, but that is laughably trivial to fake.
See e.g. here for some good answers on authentication libraries for PHP.
You can figure out all sort of client-side tricks which will possibly work in some combinations of operating system and browser. But, in the end, everything will be transmitted to the server using good old HTTP. That's all that the server (the only side you have full control on) will receive: a bunch of text. There's no way to tell out whether the request came from your fancy ActiveX or was typed in a telnet command prompt.
Of course, there are ways to authenticate requests. That's one of the usages of cryptography. But, again, all you'll ever know is whether the signature was generated with the appropriate key. You cannot be sure of who the user is or what computer he's using, all you know is that it's someone who got a copy of the key.
Now, it's really complicate to build a login system that does not have its own users. As far as I know, even OpenID-based systems bind remote users to local users. Are you sure it's a requisite?
If you have a single-signon type of system running on Windows Active Directory, consider getting user data via LDAP
This question already has answers here:
Closed 12 years ago.
Possible Duplicates:
How to protect your software code?
Protect my PHP App
Hi, I have a framework that I am wanting to be able to sell licenses for. I want people to be able to edit the code if they choose to (to a degree) but also I want to try and stop someone paying for the code and then just putting it up for download.
Is there a way that I can keep part of the code ( small piece of code that is ) on a server which each site using my framework will need to connect to use?
any help or ideas much appreciated.
You can... But do you want to?
PHP scripts are not Java servlets. They're not always running; they start when a request commences and they finish when the request stops.
So, which functionality would you put that requires calling home? It must not be in every page, because it would significantly slow down both the client application and your servers. If you have some page that is rarely used (e.g. some configuration page) you could defer some of its functionality to your server. But even then, consider that your client may not want to run code that depends on some server of yours – you may not be able to guarantee it's always online; the client may have its server behind a firewall that doesn't allow outgoing connections, etc.
Zend Guard seems to be the de facto standard. However, a quick google search revealed a couple others:
SourceGuardian
PHP LockIt
PHP Cipher
In the long run, though, all of these just end up pissing off the people who have to make modifications to their server to run a script. My advice, as someone who has both used and released scripts with this type of encryption, is that you not bother, because someone will (given enough time) decrypt it anyways.
That's the problem with script-languages. You can't protect the code in the way, that a user doesn't see it. However if you plan to provide a license and a customer has to buy it, that's the best way I think. If he would upload the code for others to download, you can go to your lawyer.
The way you mentioned, that everybody has to connect to your server is also a solution. But therefore I would not store the framework on your server, but give the framework to you customer and let him register this framework for one domain for example. Then the framework connects to your server and checks if it was called, from the correct domain.
Sorry, my english it not that good to express myself this good, but I hope you get the idea :)
i have a database that is written in access. the access mdb file connects via ODBC to a local mysql database. i have a bunch of sql and vba code in the access file. i dont expect the database to surpass 100mb. currently it is around 10mb. i will need to have multiple user access. (no more than 10 users at a time)
i need to convert this database from being a local one to a web server, and i need to make a web interface for it.
how do i get the current local instance of mysql database to run off a webserver? i am currently running it off wampserver 2.0. i dont have experience putting a database on a webserver.
i have an OK vb.net background. i have never done any web applications. here's a picture of the access form that i may need to replicate to work off a website:
alt text http://img42.imageshack.us/img42/1025/83882488.jpg
which platform should i use as the front end to this thing?
would it be possible to just run this access file off a webserver instead of programming a new front end for it? is that not a smart idea?
thank you for your help!
If your webserver has TCP connectivity to your existing database server, and its hosted in a suitable place (eg, don't have your webserver in a datacenter connecting to a database server on your office DSL connection), then no move is required.
If you do need to move it, it's as easy as creating a backup/dump, and restoring it elsewhere.
As far as the frontend, there are MANY technologies that will do what you need (ASP.NET, PHP, Python, Ruby, Perl, Java being the most popular ones, not necessarily in that order).
Use something you are comfortable with, or that you are interested in learning (provided you have the time to do so)
Use something that runs properly on your target webserver. Really, ASP.NET is the only one that has any major issue here, as it's limited to Windows.
Access itself has no direct web-accessible version. A Google search finds some apps that claim to convert Access forms to web-based, but I will not link to any because I don't know how well they work. I'm certainly leary of anything like that, because web apps are a different breed from Windows apps. If you are going to go that route, be sure they actually generate HTML output; make sane, clean source; and offer a free trial so you can verify it actually works.
Really though, a form like that is reasonably easy to reproduce with some basic knowledge of server-side programming and some HTML.
I don't have any experience migrating access to a web-based interface, although I have heard of people going straight from access to a web page. MySql is exceptionally easy to migrate. MySQL.com has a program called mysqldump that comes with the standard install of MySQL that allows you to export your database straight to a text file that can be used then with mysqldump to import it on another server. I don't believe the WAMP server comes with the command line tools although they can be downloaded from mysql.com. However, if it has phpMyAdmin, then there is also an export feature with that as well that will generate a .sql file that can be imported to the webserver using phpMyAdmin. One thing to keep in mind though is that I have had very little success mixing and matching these methods: ie, I've never been able to get a mysqldump-created file to work with phpMyAdmin and vice versa.
Good luck!
The link will help you to export and import mySQL database
May be on Windows web server there is an opportunity to run Access files, you can check, but any way if you have some programming skills, I would say that it is not difficult to crate a php script which will query your database info and will edit.
Migrating an Access application to the web is quite difficult, because you can't translate an Access form 1:1 into a web page. Web apps are stateless, whereas Access is built around the concept of bound controls and bound datasets.
Secondly, it is impossible to easily replicate an Access subform.
Third, you lose tons of events that Access forms and controls are built around.
In general, a web page that performs the same task as an Access form will bear little or no resemblance to the Access form, simply because the methods for accomplishing the same tasks and the UI widgets available to you are so completely different.
One thing to consider is whether your users need a web application or if they just need to use your existing Access application over the Internet. If the latter is the case, Windows Terminal Server/Citrix can do the job for a lot less money, since there's no conversion needed. You do need to provision a Windows Terminal Server, set up a VPN and purchase CALs for the users, but the costs of those are going to be much less than the cost of rebuilding the app for web deployment.
It may not be an appropriate solution, but it's one that you should consider, I think.