I am selling PHP script online at 35$ for a individual user
Is there any way to identify whether , my script is hosted by more than one user ..
Should i use any logic in my script to find his identity?
Is there an easy way to find the pirator
Please help me.
(sorry for grammatical mistakes)
For example, somewhere in your script:
<?php
file_get_contents('http://yourserver.com/tranck_script_users.php?site='.url_encode($_SERVER['HTTP_HOST']));
?>
This way you will see which hosts use your script. Of course, anyone can remove this line from your script, there is no 100% way to know for sure.
If you can, try to make simple calls to a server of yours to track the script usage, you should send the domain name and the IP. Use cURL for this. If your business logic permits this you can go as far as disabling the script functionality if tracking is not successful.
Because PHP is just plain text anyone can remove your tracking code portion. Try to obfuscate the code.
There is no reliable way in PHP to prevent someone else using your script. Because PHP uses just-in-time compilation, the source code can be read by anyone with access to the files. This means that any call-home logic you put into your script can easily be disabled. The best you can do is obfuscate it, but the code can still be edited by anyone with sufficient determination.
Your best solution is to use a good licence, or to develop in a language that can be distributed already compiled. With PHP, there is not a reliable way to prevent re-use of your source code.
I would urge you not to put any kind of call-home functionality into your script. First, it can be disabled, so is essentially useless. Second, it will cause significant delays even for legitimate users of your script. Finally, if you must put it in, it is vital that you tell your users that you are doing so.
There isn't much you can do to negate piracy with non-compiled scripts. Anybody can modify the source to remove whatever protections you have in place. You can, however, try to run the script through some sort of obfuscation tool, or otherwise try to manually "encode" the file, in much the same way a lot of PHP malware does. Obfuscation and this type of encoding can and will be beaten by somebody with enough time on their hands, though.
If you're willing to invest some money into the problem, you could check out IonCube Encoder or Zend Guard. Both of which will secure your script, and I know at least Zend Guard allows for per-server licensing. These solutions would require your end-users to have either the IonCube or Zend loaders installed, though.
There is no way to do this without (IMO) impacting the security/privacy of your users.
The only "clean" way to do this is to encode your scripts with a tool like IonCube (there are many others but never used them) and restrict the execution on a specific domain. The downside (you can also see this as a plus depending of your license scheme) is that the users can't see/modify your code.
Related
First of all, I'm not looking for miracle... I know how PHP works and that there's not really way to hide my code from the clients without using encryption. But that comes with the cost of an extension to be installed on the running server.
I'm looking for something different though... I'm not looking to encrypt my code or even obfuscate it. There are many PHP scripts without encrypted/obfuscated code but they are commercial applications. For instance, vBulletin and/or IP.Board forum applications.
I just want to know what approach do these guys use for their applications...
I'm also open to any other suggestions.
Please note that I'm a single person and not working for a company. My product is also very specific, it won't sell that much. I just want you guys to know that I can't afford to consult a legal professional either to sue someone or prepare a commercial license. I'm just looking for a simple way to protect my simple product, if it's indeed possible, somehow...
Obfuscating things can only inconvenience your legitimate, law-abiding customers, while the people who would would rip you off are not your target paying customers anyway. (edited out other thoughts about obfuscation)
Another suggestion for protecting your software: create a business model in which the code is an incomplete part of the value of your offering. For example, sell product licenses along with access to some data you manage on your site, or license the product on a subscription model or with customer support.
Designing a EULA is a legal matter, not a coding matter. You can start by reading some EULA text for products and websites you use. You might find some interesting details!
Creating a proprietary license is is highly flexible, and probably a subject beyond the intended scope of StackOverflow, since it's not strictly about coding.
Some parts of a EULA that come to mind:
Limiting your liability if the product has bugs or causes damage.
Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
Giving you rights to audit their site, so you can enforce the licenses.
What happens if they violate the EULA, e.g. they lose their privilege to use your software.
You should consult a legal professional to prepare a commercial EULA.
edit: If this project can't justify the expense of a lawyer, check out these resources:
"EULA advice" on joelonsoftware
"How to Write an End User License Agreement"
You need to consider your objectives:
1) Are you trying to prevent people from reading/modifying your code? If yes, you'll need an obfuscation/encryption tool. I've used Zend Guard with good success.
2) Are you trying to prevent unauthorized redistribution of your code?? A EULA/proprietary license will give you the legal power to prevent that, but won't actually stop it. An key/activation scheme will allow you to actively monitor usage, but can be removed unless you also encrypt your code. Zend Guard also has capabilities to lock a particular script to a particular customer machine and/or create time limited versions of the code if that's what you want to do.
I'm not familiar with vBulletin and the like, but they'd either need to encrypt/obfuscate or trust their users to do the right thing. In the latter case they have the protection of having a EULA which prohibits the behaviors they find undesirable, and the legal system to back up breaches of the EULA.
If you're not prepared/able to take legal action to protect your software and you don't want to encrypt/obfuscate, your options are a) Release it with a EULA so you're have a legal option if you ever need it and hope for the best, or b) consider whether an open source license might be more appropriate and just allow redistribution.
I have not looked at the VBulletin source code in some time, but the way they used to do it around 2003 was to embed a call to their server inside the code. IIRC, it was on a really long code line (like 200-300+ chars long) and was broken up over several string concatenations and such.
It did nothing "bad" if you pirated it - the forum still worked 100%. But your server's IP was logged along with other info and they used that to investigate and take legal action.
Your license number was embedded in this call, so they could easily track how many IPs/websites a given licensed copy was running on.
If you can't create a "cloud app" that you host yourself and they access via the Web, then you could look into creating a virtual appliance using a virtual server (from VMWare, Parallels, Sun, etc) and install a "lite" version of Linux on that. Put your PHP code in the virtual environment and install the virtual machine on their server. Make sure to create a way to prevent loading into root. Of course, this would involve physically visiting the client yourself.
They distribute their software under a proprietary license. The law protects their rights and prevents their customers from redistributing the source, though there is no actual difficulty doing so.
But as you might be well aware, copyright infringement (piracy) of software products is a pretty common phenomenon.
The only way to really protect your php-applications from other, is to not share the source code. If you post you code somewhere online, or send it to you customers by some medium, other people than you have access to the code.
You could add an unique watermark to every single copy of your code. That way you can trace leaks back to a singe customer. (But will that help you, since the code already are outside of your control?)
Most code I see comes with a licence and maybe a warranty. A line at the top of the script telling people not to alter the script, will maybe be enought. Self; when I find non-open source code, I won't use it in my projects. Maybe I'm a bit dupe, but I expect ppl not to use my none-OSS code!
in my opinion is, but just in case if your php code program is written for standalone model... best solutions is c) You could wrap the php in a container like Phalanger (.NET). as everyone knows it's bind tightly to the system especially if your program is intended for windows users. you just can make your own protection algorithm in windows programming language like .NET/VB/C# or whatever you know in .NET prog.lang.family sets.
Zend Guard does not support php 5.5 and is easy to reverse, go for http://www.ioncube.com for obfuscation. http://wwww.phplicengine.com can license the scripts remotely or locally.
See our SD PHP Obfuscator. Handles huge systems of PHP files. No runtime requirements on PHP server. No extra runtime overhead.
[EDIT May 2016] A recent answer noted that Zend does not handle PHP5.5. The SD PHP Obfuscator does.
I have created a library for this purpose. It uses OPCache only, in order to covert php to op codes. The library compiles your PHP code to opcodes and removes code from all php files included in your project. All produced opcode files are saved on the server's filesystem and used by OPcache!
https://github.com/notihnio/php-cactus
So let me see, we want to show adam and eve there's some forbidden fruit in a tree, adn we 'd like a way to prevent them from eating...
How about having an angel with a flaming sword?
Might sound naive, and I dunno what your application does actually, but what about the extensive use of includes?
For the legitimate user, is all the software that should be visible or only parts of it?
Because you could obfuscate and give a copy of source code to legitimate
You could wrap the php in a container like Phalanger (.NET)
Perhaps your concerned with external theft, meaning your code freely visible over the web as customers uses it. This could be worth investing in a cheap web site hosting, for $50 a year, registering your legit customers with a serial in their code and have your app posting info to your web site regularly. At least, you'd detect when code has been compromised. You could push it with a self destruct after n days, giving you enough time to contact your customer and change the serial. This could be the only obfuscated include() of the whole code
Basically I need to allow users to submit code to be run periodically server side.
The users should submit simple scripts and I'll run their code server side to determine who came up with a better solution. I created a simple submit form and the code is stored on an SQL database.
I'm obviously worried about safety but I also don't know which language to use. I need an scripting language with an easy syntaxis that let's me limit the number of things users can do (I only need to let them define variables, create functions, use loops and some array and algebraic functions). Maybe even create a pseudolanguage with an easy syntaxis.
So basically:
What language could I use?
How do I run users codes periodically? (only know about cronjobs but I don't know if they will allow for long execution times)
Would it be a good idea to create a pseudolanguage? If it is please point me in the right direction
What language: Well, you could use any language, just make sure you have minimal permissions. A scripting language like Ruby or Python would be easier though.
If this task would fall on my lap I'd look into pythons virtualenv so that i have an environment that is isolated. Then obviously I'd make really sure about the permissions of the script running the uploaded programs.
This also means that you could set up a python environment for each user using this service.
Well yeah, cron works.
Indeed, but the scope for a good answer doesn't really fit here. But google DSL or Domain Specific Language and you're sure to find some tutorials.
If you're targeting PHP specifically you can use the runkit extension - specifically created to run user-supplied PHP code:
http://www.php.net/manual/en/intro.runkit.php
There's also a newer runkit project available (though you'll have to compile it manually):
https://github.com/zenovich/runkit/
Q1. What language could I use?
A1. Pretty much any. Because compliers would add to the complexity of the system, an interpreted (or JIT-compiled) language would be preferable.
Q2. How do I run users codes periodically? (only know about cronjobs but I don't know if they will allow for long execution times)
A2. cron jobs are probably the way to go. It doesn't care about execution times. However that means it is your job to make sure you only restart a job if the prior run has finished (assuming that is what you'd like it to do)
Q3. Would it be a good idea to create a pseudolanguage? If it is please point me in the right direction
A3. Inventing the wheel rarely is a good idea. You could do this, but there is reasonable doubt that it is necessary and/or advisable.
My personal pointer would go towards JavaScript as scripting language - since it is so widespread there are tons of tools and documentation around. So you might want to look at Node.js and this sandboxing model to run it server-side.
I'm thinking of protecting my script to the mass majority of users (non-web dev savvy) and I came across an online service to encode php script. I'm not sure about it though.
Is it safe to encrypt php script? What if the encoded code has something fishy in it?
If you intend to distribute the PHP file then I would suggest that you do not do this. It's only going to irritate those that want to tinker with it.
If for some reason you don't want them tinkering with it, then don't distribute the PHP file.
If you need to distribute the file AND you don't want them tinkering with it, then I would highly suggest you not do this in PHP and instead write the functionality using C as an extension to PHP.
You'll notice that at no point do I suggest you actually go ahead and "encode" the php file. That's not going to buy you anything.
If you are looking to obfuscate your server-side PHP, the best bet would be to use a commercial product such as Zend Guard (http://www.zend.com/en/products/guard/). Any home-brew encryption is not secure in the slightest - your code can be easily reverse-engineered with fairly trivial effort. The page you link to does not have any credibility, it is just someone's side project. They have no accountability or stake in protecting your information.
Even these commercial products (Zend Guard, ionCube, phpShield, SourceGuardian) can be decrypted if someone really, really wanted to. No tool or technique in any language can make absolutely secure obfuscation, there is no "unhackable" system. Everything boils down to effort over time.
If it isn't important enough to bother doing it right, then you're probably wasting your time on the issue. Further, if it is absolutely vital that some information or code remain private, you should simply not put it out into the public purview.
[edited for clarity]
Ultimately, you need to trust the encrypting party. If you don't trust them (apparently you don't), then don't give them access to your server (through executing their decryption code/your obfuscated code, possibly with who-knows-what else inside). Simple as that, albeit possibly inconvenient.
php is usually running on the server where the users have no access to the code(neither source nor any other representation) anyways. No reason to obfuscate it there.
Obfuscating php is only useful in the rare cases where you give the php code to clients. For example if you want clients to be able to run their own server but not give them full access to the code.
So, it looks like all it does is obfuscate the code so it's not human-readable. The only way this would really be useful is to prevent lazy people who have access to the code from reading it. However, it uses simple functions to encode/decode, so it would be trivially easy for someone to decode it if they have access.
Which brings me to my point... PHP security works by not allowing anyone to have access to the source file. If someone who shouldn't have access gets it, then this "encoding" thing isn't going to do you any good.
The OP mentioned an interest in protecting database connection details, and it should be kept in mind that no matter what protection system is used for the code itself, the PHP engine and component libraries being opensource sets some absolute limits on what can be achieved. If MySQL connection details, for example, are hidden in a script then these details could be trivially revealed without going near the PHP scripts themselves simply by running the scripts with a PHP build that had slight modifications to the MySQL library or the associated PHP module wrapper. Even hiding the details in a C module as suggested by Chris L. would afford no extra protection in this case. Good protection can certainly be given to source code with compiled code systems such as ionCube and Zend, but wherever data hits routines in the PHP core then it can be exposed.
Obviously for any online service where you may be sending sensitive details, you should use due diligence and make best efforts to ensure that it has a good pedigree. Apart from anything else, not having a working https URL for the site the OP questioned should immediately warn that it's a no-no, and not just for the lack of connection encryption but showing that they are not offering a service that they consider to be serious.
I'm a self-taught coder and am getting into php, so please excuse me if this is a basic issue/question.
I've been putting together small sites using php and using php file extensions, ie. index.php. But I've recently been told that 'php' in the page address is not good for security.
Can someone please briefly explain why this might be the case and what I should be doing?
MTIA.
It's not really important, it just tells someone browsing the site that your app is written in PHP and that helps an attacker because they then have an idea of what to attack.
If you want to conceal it, you can use mod_rewrite to rewrite requests that don't have a .php extension to the target PHP script. If you're going to do this, you should also turn off expose_php in the php.ini.
Note that this doesn't really make your app more secure, it just makes it that little bit harder for an attacker to figure things out.
Obfuscating what technology you're using is no substitute for securing your application and its infrastructure. Hiding the PHP file extension should be one detailed item in a list of many steps you should take to secure your code and server.
Entire books are written on PHP security topics. Here's a good one to start with:
http://www.amazon.com/Essential-PHP-Security-Chris-Shiflett/dp/059600656X/ref=pd_sim_b_2
By having the .php in the page name, you are announcing to the world that your site runs on PHP. Anyone who is interested in attacking your site would then not have to spend extra time and energy figuring out what you running.
However, this is not a MAJOR problem. Someone who is hell-bent on attacking you will figure it out soon enough.
The only reason it may be wrong from security perspective is that it actually tells everyone visiting the site, what technology (which scripting language) has been used to build the site. Everything else results from the higher possibility that the user knows it is PHP (eg. attacker may try to exploit some common mistakes made by some PHP coders).
However, you may easily change the extension into eg. .asp by using mod_rewrite (see more).
First of all, I'm not looking for miracle... I know how PHP works and that there's not really way to hide my code from the clients without using encryption. But that comes with the cost of an extension to be installed on the running server.
I'm looking for something different though... I'm not looking to encrypt my code or even obfuscate it. There are many PHP scripts without encrypted/obfuscated code but they are commercial applications. For instance, vBulletin and/or IP.Board forum applications.
I just want to know what approach do these guys use for their applications...
I'm also open to any other suggestions.
Please note that I'm a single person and not working for a company. My product is also very specific, it won't sell that much. I just want you guys to know that I can't afford to consult a legal professional either to sue someone or prepare a commercial license. I'm just looking for a simple way to protect my simple product, if it's indeed possible, somehow...
Obfuscating things can only inconvenience your legitimate, law-abiding customers, while the people who would would rip you off are not your target paying customers anyway. (edited out other thoughts about obfuscation)
Another suggestion for protecting your software: create a business model in which the code is an incomplete part of the value of your offering. For example, sell product licenses along with access to some data you manage on your site, or license the product on a subscription model or with customer support.
Designing a EULA is a legal matter, not a coding matter. You can start by reading some EULA text for products and websites you use. You might find some interesting details!
Creating a proprietary license is is highly flexible, and probably a subject beyond the intended scope of StackOverflow, since it's not strictly about coding.
Some parts of a EULA that come to mind:
Limiting your liability if the product has bugs or causes damage.
Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
Giving you rights to audit their site, so you can enforce the licenses.
What happens if they violate the EULA, e.g. they lose their privilege to use your software.
You should consult a legal professional to prepare a commercial EULA.
edit: If this project can't justify the expense of a lawyer, check out these resources:
"EULA advice" on joelonsoftware
"How to Write an End User License Agreement"
You need to consider your objectives:
1) Are you trying to prevent people from reading/modifying your code? If yes, you'll need an obfuscation/encryption tool. I've used Zend Guard with good success.
2) Are you trying to prevent unauthorized redistribution of your code?? A EULA/proprietary license will give you the legal power to prevent that, but won't actually stop it. An key/activation scheme will allow you to actively monitor usage, but can be removed unless you also encrypt your code. Zend Guard also has capabilities to lock a particular script to a particular customer machine and/or create time limited versions of the code if that's what you want to do.
I'm not familiar with vBulletin and the like, but they'd either need to encrypt/obfuscate or trust their users to do the right thing. In the latter case they have the protection of having a EULA which prohibits the behaviors they find undesirable, and the legal system to back up breaches of the EULA.
If you're not prepared/able to take legal action to protect your software and you don't want to encrypt/obfuscate, your options are a) Release it with a EULA so you're have a legal option if you ever need it and hope for the best, or b) consider whether an open source license might be more appropriate and just allow redistribution.
I have not looked at the VBulletin source code in some time, but the way they used to do it around 2003 was to embed a call to their server inside the code. IIRC, it was on a really long code line (like 200-300+ chars long) and was broken up over several string concatenations and such.
It did nothing "bad" if you pirated it - the forum still worked 100%. But your server's IP was logged along with other info and they used that to investigate and take legal action.
Your license number was embedded in this call, so they could easily track how many IPs/websites a given licensed copy was running on.
If you can't create a "cloud app" that you host yourself and they access via the Web, then you could look into creating a virtual appliance using a virtual server (from VMWare, Parallels, Sun, etc) and install a "lite" version of Linux on that. Put your PHP code in the virtual environment and install the virtual machine on their server. Make sure to create a way to prevent loading into root. Of course, this would involve physically visiting the client yourself.
They distribute their software under a proprietary license. The law protects their rights and prevents their customers from redistributing the source, though there is no actual difficulty doing so.
But as you might be well aware, copyright infringement (piracy) of software products is a pretty common phenomenon.
The only way to really protect your php-applications from other, is to not share the source code. If you post you code somewhere online, or send it to you customers by some medium, other people than you have access to the code.
You could add an unique watermark to every single copy of your code. That way you can trace leaks back to a singe customer. (But will that help you, since the code already are outside of your control?)
Most code I see comes with a licence and maybe a warranty. A line at the top of the script telling people not to alter the script, will maybe be enought. Self; when I find non-open source code, I won't use it in my projects. Maybe I'm a bit dupe, but I expect ppl not to use my none-OSS code!
in my opinion is, but just in case if your php code program is written for standalone model... best solutions is c) You could wrap the php in a container like Phalanger (.NET). as everyone knows it's bind tightly to the system especially if your program is intended for windows users. you just can make your own protection algorithm in windows programming language like .NET/VB/C# or whatever you know in .NET prog.lang.family sets.
Zend Guard does not support php 5.5 and is easy to reverse, go for http://www.ioncube.com for obfuscation. http://wwww.phplicengine.com can license the scripts remotely or locally.
See our SD PHP Obfuscator. Handles huge systems of PHP files. No runtime requirements on PHP server. No extra runtime overhead.
[EDIT May 2016] A recent answer noted that Zend does not handle PHP5.5. The SD PHP Obfuscator does.
I have created a library for this purpose. It uses OPCache only, in order to covert php to op codes. The library compiles your PHP code to opcodes and removes code from all php files included in your project. All produced opcode files are saved on the server's filesystem and used by OPcache!
https://github.com/notihnio/php-cactus
So let me see, we want to show adam and eve there's some forbidden fruit in a tree, adn we 'd like a way to prevent them from eating...
How about having an angel with a flaming sword?
Might sound naive, and I dunno what your application does actually, but what about the extensive use of includes?
For the legitimate user, is all the software that should be visible or only parts of it?
Because you could obfuscate and give a copy of source code to legitimate
You could wrap the php in a container like Phalanger (.NET)
Perhaps your concerned with external theft, meaning your code freely visible over the web as customers uses it. This could be worth investing in a cheap web site hosting, for $50 a year, registering your legit customers with a serial in their code and have your app posting info to your web site regularly. At least, you'd detect when code has been compromised. You could push it with a self destruct after n days, giving you enough time to contact your customer and change the serial. This could be the only obfuscated include() of the whole code