I want to divide my web application into two parts.
One part is free, like a demo for people to use.
The other part is not; a extension that is paid for but requires authorization and a license to use.
My idea is to sell the extension without having it being compromised. Once the extension is sold, the buyer can't upload it to some other site and make it "free" for other people to use. Thus the extension would check a database from another domain to authorize the use of its script.
How can I achieve this?
Give the free script away for users to run on their own site. Run the licensed non-free script only on your server and hook them together using an API over HTTP.
Use a professional solution like Zend Guard.
Related
I'm wondering if anyone can offer any advice on the following situation.
I'm developing a system, which will then be installed on peoples own servers. However, i want people to pay a subscription fee for using this system. If they do not pay I want to be able to disable the system externally.
Basically when the system is run it does a call in the background to my server, which checks the license key, if it exists and is active they can use the system as normal.
I've got a basic function that calls my external site (sort of a web service) which checks the key exists. However, anyone with a bit of knowledge could just alter the function so it returns true and bypass the external check.
Any suggestions on the best way to do this, even if it makes it slightly more harder for them to remove.
You will need to encode your code, e.g. with ionCube. However, the customer then needs to set up ionCube on their own server to be able to run the code.
You would usually put the main logic/controllers onto YOUR server.
So it would be more SaaS (Software as a Service).
If that's not possible, you might encrypt (some of) the code on the customers server with keys and certs, so what you sell is a private key to your customer.
Besides that, have a look at Zend Guard.
I am developing a chat application in php and i want to sell this over internet. How I can I make it licence protected, that only those person who have bought licence key are able to use it. There will be a different licence for different domain.
What how can I achieve this?
You're going to struggle with the three banes of licensing:
Someone smart will just take the code out
You'll need to license per server or to have the keys circulating on the internet
Most people will just get a free alternative
To remedy the first one...you can't. PHP is not compiled. the other two are less about code.
Usually on the internet what you can see is not licenses but memberships, unless you mean to install your application on internal servers of other companies, if that is the case, there are many installers setups that help you restrict an installation by provising an encripted key, in that case would be your license.
optimizepress is a wordpress plugin. I own a copy and use it and am wondering how they use the licensing to secure the product.
I would like to consider this for securing my own php script if it's viable.
Here's what they do to secure their product:
On there server where you download the script you have to enter your domain url in a text box to license the plugin for that url.
They have 2 textboxs to enter your domains in: 1. if it's first time licensing sites 2. adding more sites to your account
Then you click a submit button and a serial code is sent back
After you install the plugin in wordpress, you must goto the settings area where it asks you to enter the serial code for verification otherwise you can't use the script
How is this done? Could this be used with my php script I'll be distributing?
thanks for your thoughts
I'm not specifically familier with this script however it is very possible it is a script using cURL, the serial number will be used to authenticate your account for verification to access your account.
Next it will most likely pull the URL the script is being run from and verify that the URL is listed on your account.
From there if the URL is not listed it will probably send a fail command killing the script, if the URL is listed it will authenticate.
If it is listed then the script will check the status of the license and either run or kill the script.
There is a division in using this type of model whereby some developers believe if there is no response from the auth server then the script should assume it is allowed to run to not interrupt the user experience, others believe if the auth server doesn't reply its very possible it could be an unauthorised usage so they kill the activity.
There are other technologies available to do the same thing and depending on your application this may not be suitable, just have a look at various licensing models.
As a note, for this style of distribution you may want to use a PHP encoder such as ionCube so the script cannot be hacked to bypass authentication.
In addition when writing a script to use an API, I also recommend having the user assign the IP address, this way the first query to the API for auth is am I allowed to talk to this server. This provides a lot of protection to your API script that will then move on to verify the license is valid or not.
I hope this will be helpful for you.
I have developed a web based portal using php and some part of the site is only accessible by employees only. I would like to add an extra security layer so only employees whose PC is authenticated can access the restricted area.
If it was Dot NET it could be easily done by using activex components but I am not certain about the PHP.
Can any one share hints how to accomplish this task using PHP?
Are you using Active Directory to Authenticate? If so, you can probably tap into the LDAP functions in order to check for a valid authentication. You could also implement some security paradigm like Kerberos in order to achieve this with single sign on.
The easiest thing to do is to add a users table to your database and then built some basic authentication around that.
I would create a while-list with the IP's of the allowed computers (using $_SERVER['REMOTE_ADDR']), since it's almost the only information that you can obtain from the machine that make the HTTP request using just server-side scripting.
This should work well for computers inside the company, since they would have IP's within the same range (e.g. 10.100.x.x or 192.168.x.x), or they will use the same gateway for connecting to Internet.
If you need to allow access to roaming laptops, then this method will be almost useless unless they have static IP addresses.
This likely isn't possible with PHP. You can try to embed an ActiveX control using PHP, but I feel like this would be a better application for desktop software. PHP is definitely not going to be sympathetic. Sorry.
I am about to deliver an Adobe AIR app to a customer.
But it's my first delivery of any sort, I.e. I have
no experience whatsoever with licensing etc.
Users of this app may or may not be online, so
can't count on that. In fact it's 99% sure that
they will be offline.
Nor do I expect them to very tech-savvy, who will
spend enough time scouting for ways to "crack" it.
So, is there an okeish type of way to protect this
app. That is, I don't want people to simply copy
the installation folder, take it to another machine
and run it. It should be slightly harder than this.
Oh, and I am also using PHP and MySql, with which
this AIR app communicates. So anything you guys could
help me with is very very welcome.
protect the php api and not the frontend app. have a license key which is bound to an ip address and authenticate the request (which contains the key) is coming from the correct ip.
If you want to protect your Flex app you can use irrObfuscator. There is a 30 days free demo.
If you wish to obfuscate your PHP code I would suggest ioncube. There is an online obfuscator that you can pay per à-la-carte. Pretty usefull. Tho you need ioncube loaders which is a set of PHP extension that you will find into the products section. Not sure but I think you can install loaders without playing with PHP config so it's shared-hosting friendly.
You can not protect anything that's webbased or javascript based, purely because there is complete sourcecode.
Anyone who knows how to use 'right click' could copy your files. You can obfuscate your code, but you cannot protect it. If you think that this shouldn't be possible, write a desktop app in a 'real' programming language.
When the app installs, I would do the following:
Create a file in "app-storage" that basically indicates the app has been installed.
Fire off a service call and make a record of the install
Change a file in the app directory to indicate the app has been installed
On subsequent startups, check for the presence of the file as long as the file in the app directory indicates the app has been installed. If you see the customer keeps installing their app over and over, this could be flagged in their account and appropriate action taken. If you want to get fancy, the file in "app-storage" could a one-way hash of some information from the file in the app directory (install date?) plus some value baked into the AIR application.
In general, I think the key here is to trust your users and not make the assumption they are trying to steal. You want to make the system as painless as possible. It does not build a good relationship with customers when you treat them like criminals, so creating an "ironclad" approach probably isn't even the best idea.
I think pretty much the only good way to do this is to require activation after installing (online activation, with a phone backup).
From what you're saying, it seems like the backend is installed on-site and would not be able to provide adequate copy protection.