I have written a utility that requires an installation key for uninstallation to ensure that only authorized users are uninstalling. After logging in to our website, the user will be presented with an uninstallation key, but then I would like to also launch the uninstallation wizard on the client's computer. I know this is possible, as I've done it before... just don't remember the code, nor did I save it.
Thanks in advance for any input.
PHP runs on the server-side and has no control over the client whatsoever. Neither can you use JavaScript to launch applications due to security reasons.
The only way you could do this is by using an ActiveX control or some kind of custom browser plugin. Or, if your uninstall wizard has registered some protocol handler on the client (say myuninstall://) then you could use JavaScript to redirect the user to a URL of this protocol, which will in turn then launch your program.
Assuming Windows, you could tell your installer to register a custom URL protocol with a custom scheme for uninstallation. Then your PHP app could present a link using the custom URL scheme (uninstall-my-product://12345678-ABCD).
Users without your uninstaller would see an "i don't know what to do with this protocol" message. Users who had installed your product would launch the uninstall program.
You could accomplish a similar function by delivering a file type which was registered to open the uninstall program.
If you're using a commercial installation program, then in both cases it would probably be easier to write a little launcher application to run the uninstaller, rather than modifying the uninstaller itself.
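The launcher suggested above receives its argument from whatever page the user clicked, so it should accept only the exact link shape and hand the key on as a single argument. This is an added example in Python, not code from the thread; the key format, the uninstaller path and the `--key` flag are assumptions.

```python
import re
import subprocess
import sys

# Scheme from the answer above. The key format (8 hex digits, dash, 4 hex digits)
# is an assumption modelled on the sample link uninstall-my-product://12345678-ABCD.
URL_RE = re.compile(r"uninstall-my-product://([0-9A-F]{8}-[0-9A-F]{4})/?",
                    re.IGNORECASE)

# Hypothetical path and flag of the real uninstaller; neither comes from the thread.
UNINSTALLER = r"C:\Program Files\MyProduct\uninstall.exe"
KEY_FLAG = "--key"


def extract_key(url):
    """Return the normalised key, or None unless the URL is exactly the expected shape."""
    if not isinstance(url, str) or len(url) > 64:
        return None
    # fullmatch rejects anything extra: query strings, quotes, spaces, newlines.
    match = URL_RE.fullmatch(url)
    return match.group(1).upper() if match else None


def build_command(argv):
    """Map the handler's argv to a fixed argument list, or None to refuse."""
    if len(argv) != 2:  # program name plus the single URL the browser passed
        return None
    key = extract_key(argv[1])
    if key is None:
        return None
    return [UNINSTALLER, KEY_FLAG, key]


if __name__ == "__main__":
    command = build_command(sys.argv)
    if command is None:
        sys.exit("Refusing to start: unexpected uninstall link.")
    # Any web page can trigger this handler, so ask the user before acting.
    if input("Uninstall MyProduct now? [y/N] ").strip().lower() == "y":
        subprocess.run(command, check=False)  # list form, no shell involved
```

The uninstaller itself should still check the key against the server; the launcher only guarantees that what it forwards is a well-formed key and nothing else.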
Related
I am building an internal system for a small business and one of the requested features was to be able to go in to different apps by clicking a button on a web page.
So for example when you click on the icon for Coda it will open and be useable.
This does not need to work for Windows, only on Mac OS Mountain Lion!
How could this be done? or can it not be done?
Two options:
If the app can be opened using a registered URL schema, you can use that. For instance, an ftp://... link opens the default FTP application, a news://... link the default news reader. You can make up your own URL schemas. An application typically needs to register itself for a certain schema for this to work.
If that is not an option, you pretty much have to install a plugin in the client's browser that can do this via any mechanism it wants.
The problem that you face here is the way binaries and the web work. Compiled applications like Cocoa apps will only work if at least their starting binaries are there. But this basically means that the user already has downloaded the binary.
Furthermore, these apps will create their own application preferences - so a downloaded version of Coda will have no license.
And if the user has downloaded your binaries, what will stop them from using your software forever? (Just apart from license problems with the authors of said software).
So, the only thing that you could do is to present them with some kind of VNC-like client that will grant them limited access to an environment that you have under control. But writing that is way out of scope for this site.
(I assume that the applications are not already installed locally, but are to be usable from the server.)
Can anyone describe the pseudocode for how WordPress handles its upgrades? As in, you go into WordPress admin and choose to upgrade the version of WordPress.
I mean, does it use FTP APIs locally? Does it send credentials to another host which reconnects back with FTP APIs? Does it download files with Curl? Does it polyfill if a given API isn't there and go another route? Does it test file permissions to see which API to use?
I've got a client who wants something like this built into a web application unrelated to WordPress.
Have a look at wp-admin/includes/update.php and wp-admin/includes/class-wp-upgrader.php.
And here for some explanation: http://tech.ipstenu.org/2011/how-the-wordpress-upgrade-works/
OptimizePress is a WordPress plugin. I own a copy and use it and am wondering how they use the licensing to secure the product.
I would like to consider this for securing my own PHP script if it's viable.
Here's what they do to secure their product:
On their server where you download the script, you have to enter your domain URL in a text box to license the plugin for that URL.
They have 2 text boxes to enter your domains in: 1. if it's the first time licensing sites 2. adding more sites to your account
Then you click a submit button and a serial code is sent back.
After you install the plugin in WordPress, you must go to the settings area, where it asks you to enter the serial code for verification; otherwise you can't use the script.
How is this done? Could this be used with my PHP script I'll be distributing?
thanks for your thoughts
I'm not specifically familiar with this script; however, it is very possible it is a script using cURL. The serial number will be used to authenticate your account for verification to access your account.
Next it will most likely pull the URL the script is being run from and verify that the URL is listed on your account.
From there if the URL is not listed it will probably send a fail command killing the script, if the URL is listed it will authenticate.
If it is listed then the script will check the status of the license and either run or kill the script.
There is a division in using this type of model whereby some developers believe if there is no response from the auth server then the script should assume it is allowed to run to not interrupt the user experience; others believe if the auth server doesn't reply it's very possible it could be an unauthorised usage, so they kill the activity.
There are other technologies available to do the same thing and depending on your application this may not be suitable, just have a look at various licensing models.
As a note, for this style of distribution you may want to use a PHP encoder such as ionCube so the script cannot be hacked to bypass authentication.
In addition when writing a script to use an API, I also recommend having the user assign the IP address, this way the first query to the API for auth is am I allowed to talk to this server. This provides a lot of protection to your API script that will then move on to verify the license is valid or not.
I hope this will be helpful for you.
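The flow this answer describes (serial identifies the account, the caller's IP and site URL are checked against it, then the license status decides) is sketched below together with the two no-response policies. This is an added example in Python, not OptimizePress code or code from the answer; the serials, domains, IP addresses and reason strings are constructed sample data.

```python
from urllib.parse import urlsplit

# Constructed sample data standing in for the vendor's account database.
LICENSES = {
    "SERIAL-AAAA-1111": {"domains": {"example.com", "shop.example.com"},
                         "ips": {"203.0.113.10"}, "status": "active"},
    "SERIAL-BBBB-2222": {"domains": {"example.org"},
                         "ips": {"203.0.113.20"}, "status": "expired"},
}


def check_license(serial, site_url, client_ip):
    """Server side: return (allowed, reason) for one verification request."""
    account = LICENSES.get(serial)
    if account is None:
        return False, "unknown-serial"
    # "Am I allowed to talk to this server": the IP the customer registered.
    if client_ip not in account["ips"]:
        return False, "ip-not-allowed"
    try:
        # Compare the parsed host exactly; a substring test would accept
        # look-alikes such as example.com.evil.test.
        host = (urlsplit(site_url).hostname or "").rstrip(".")
    except ValueError:
        return False, "bad-url"
    if host not in account["domains"]:
        return False, "domain-not-licensed"
    if account["status"] != "active":
        return False, "license-" + account["status"]
    return True, "ok"


def should_run(server_reply, fail_open):
    """Client side: server_reply is (allowed, reason), or None if no answer came back.

    fail_open=True keeps the script running when the auth server is silent;
    fail_open=False treats silence as unauthorised use.
    """
    if server_reply is None:
        return fail_open
    return server_reply[0]
```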
I have a two part question. The first I think I have an okay answer to....
I am looking to force an external program to be called up to view a configuration file for an application my company is working on. The basic gist I guess is to set the Content-type header to type that your application is associating with, and then serving the contents of the file. I was thinking it's simply structured like this:

```php
<?php
Header( "Content-type: application/blahtype" );
?>
output of xml configuration file goes here...
```
Any other best practices here? Obviously the user is going to have to allow the external application access to this file universally in all browsers, unless they have a plugin installed in their browser that will handle the content-type, like Adobe PDF. This isn't viable for our company right now, so we're willing to live with the confirmation screen.
The second part of the question is a little bit more complex, I think. How do we detect if the user has the application installed, and if they do not, serve them different content (a sign up page, or the application executable itself)? I'm not wondering about the logistics of serving different content, but simply the detection process. Is it possible for an application to install a lifetime cookie in the browsers cache installed on the machine? That's not a perfect solution, because the user could clear their cache of course. How else can we accomplish this?
Examples of programs that do this are Amazon MP3 Downloader (I've actually gotten into a bad state with this once or twice), and iTunes U. You can see the iTunes U example on Stanford's CS193P page here: http://www.stanford.edu/class/cs193p/cgi-bin/index.php
Much appreciate any advice,
Josh
For part 1 of your question, as long as your application is correctly registered to handle that MIME type, then, yes, the browser should [prompt the user and launch your application](http://msdn.microsoft.com/en-us/library/ms775148(VS.85).aspx "MSDN: Handling MIME Types in Internet Explorer").
An alternative approach would be a [protocol handler](http://msdn.microsoft.com/en-us/library/aa767914(VS.85).aspx "MSDN: Registering an Application to a URL Protocol"). Instead of registering a MIME type for your application, you register a “protocol” that goes in a URL, in place of the http://. If your protocol is called myapp, then you could create links like this:
Link
While you can only pass a small amount of information this way, you could pass a GUID or tag that the application, once launched, can use to retrieve the full document from your server.
Edit: For part 2 of your question, iTunes uses a plug-in. Looking at the code that’s used to redirect to iTunes, you’ll see something like this:
```html
<Object id="iTunesDetector" height="1" classID="CLSID:D719897A-B07A-4C0C-AEA9-9B663A28DFCB" width="1"></Object>
```
It’s followed by some JavaScript to detect whether that plug-in was loaded. If it was, then iTunes must be installed and it launches iTunes using the itms: protocol (just like the myapp: protocol in the example above).
The problem here is, you would have to write a browser plug-in.
It may be a good idea to look into using browser extensions for things like this.
We have a SharePoint instance on our network that we get automatically logged into by logging into Windows. (Users do not get prompted to log in.)
We have another web application that requires users to log in, but it currently has its own username/password setup.
Our goal is to get the other application (which we have built) to act the same way SharePoint does - if you are logged into Windows it will log you right into the application.
Where do I start? (I assume this will require LDAP)
Any guidance would be greatly appreciated.
Our setup (windows):
Windows
IE7 & 8
Windows Active Directory managing users/password
Our setup (the other application):
RHEL (could be Windows Server if really necessary)
PHP 5
Apache
mySQL - username and password are stored in mySQL
Update:
Maybe a drawing would help: Look at this
You are looking to implement NTLM Authentication in the PHP application, see my prior answer on this:
Can a PHP intranet share Windows logins?
If your other web application uses Windows Integrated Authentication (NTLM or Kerberos authentication or even basic authentication) then it can act the same way. Depending on the browser, it can automatically remember and log into sites using one of these methods. Each browser may do it differently, though. IE has settings for automatically logging in based on the zone (Internet, Local intranet, trusted sites).
You would not necessarily need to have your other application use the same user store (AD/LDAP), but it would likely make sense.