Commercializing a php application? - php

Say I have developed a php webapp and would like to distribute it for others to use as proprietary software. Is there anything I can do short of some sort of licence or just trusting the customer to avoid having to provide a hosted solution? Clearly if I just distribute the application to paying customers to host independently, I run the risk of them leaking the code.
Update:
Some of the responses so far suggest obfuscation. However, this won't prevent another user from simply plopping the leaked obfuscated code onto their servers and reusing it. Granted they won't be able to modify it..but I am looking for something more complete. Any ideas?

Obfuscating it can go a long way. Many users won't try to figure out the logic.
You can also add a registration key -- something that calls the mothership and acts like a dongle.
Edit: What I was going for with the registration: You can sell licenses by the domain, and require users to register their domain at your website after they buy.
One script I bought requires activation at their website. (The script is obfuscated as well.) Don't enter the domain, the software ceases working after a certain period of time. Transfer domains, and the software ceases to work.
I don't know the mechanics but the basic idea is that you want to guarantee that the script is running at the domain the purchaser said it was running at.

Can you elaborate please on the registration key? Will their be some logic in the code preventing it from running unless a valid registration key is obtained from another server?
To do this, you would have to generate a key for the user when they purchased the application. The application would then communicate with a master server which in turn looks up the key and checks the domain the key is coming from and sends back a simple true or false reading. If the response is true, the application would then continue its operation, otherwise it would shutdown.
The only problem with this method is that if your master server were to ever go down, all of your clients would be locked out (unless you created a condition where if the master server was down, the default response would be true).

http://www.google.com/search?q=php+code+obfuscator&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a
Have at it...
This obfuscation usually consists of stripping comments and whitespace, base64 encoding, and sometimes other little tricks like completely renaming every variable and such to make it next to impossible to understand by humans

Zend has a product "Zend Guard" (http://shop.zend.com/en/zend-guard.html) that may offer something more than obfuscation.
With its key components of Encoding, Obfuscating and Licensing, Zend Guard protects your PHP applications from reverse engineering, unauthorized customization, unlicensed use and redistribution

There's also ionCube. Generally these solutions require a server side extension to be loaded but most hosts will have them loaded already I find.
ionCube allows you to license to a particular domain if you like, and also allows you to put time limits on the script (to require license renewal).
Although by default ionCube is a system that requires you to actually create the licenses yourself, there is a system that you can buy to automatically manage this stuff for you (I thought it was PHP-Audit, though that site seems to have gone through a redesign and so I can't tell anymore).

Related

How to make your custom php CMS work only on a certain domain for a certain time?

I want to prevent coping my custom made CMS from domain to domain and I want that it is operable only on a doain that it is bought for and onluy for the period 1, 2 years from the purchase.
The code generation part is not a problem, but how to prevent it from modifying from hackers is the hardest part.
E.g. something like vBulletin protection. (I know it can be nulled too)
How to implement such thing into my CMS written in php?
I think it needs to be spread through the whole app on various places the variable check and masked in some ways, so the dependencies is not easy to detect and remove.
I know that it is very difficult and hard topic, so I appreciate some direction like book, web discussion or article.
Btw. connecting to my server and checking if the domain is ok is not an option, my servers could be down and the clients as a result of not possible connection too.
You could do a combination of things..
New client domains can be given generated license keys that are unique to each of your client's install that is need for your software to work. The key should be bound one per hosted domain and should be stored remotely on your servers as well as locally on the client install.
When you or someone else is installing the cms for the first time make it required to enter the license key and verify it with a remote server. This should suffice for the initial setup time. Store some info about the server in your remote database. If this remote procedure fails installation should render unsuccessful. Think of clever ways to make this necessary and required like fetching an encryption key to be stored in the database.
During or after install you can generate encryption keys (or not) and store something unique in a file on the app server that is required by your code. Super cheap would be to create the file /MY-CUSTOM-CMS-LICENSE.txt with the key in plain text right inside it. This can be another vector for verification later on. Should you discover a website which has copied your cms you can check this txt file.
Have your software call home to your server every now and then sending the key plus some server info (ip, host, etc). It does not have to be dependent on your server to run. Meaning you can let the software run if it fails. It is just very helpful to call home every now and then. For example every X days to ping a url on your server and if your server is down just have it do the call home check the next day. One reason why this is so handy is if your client copies the app folder from one domain to another domain to setup a second illegal site, as soon as they run index.php file it will call home. And if they have not checked every line of your code and don't know it even does this they would be caught rather easily. All you need to do is check some kind of log of who 'called home' so to speak.
Write up proper software license agreement with the terms for your product and place it in a file called LICENSE located in the root directory of your app. This will ensure clients (and their developers) are aware it is not free to copy and reuse. Later if someone copies it, you (or your lawyers) can point to the file and say 'didn't you read this jerky-boy'
Make something (or many things) in your code unique to your code. For example wordpress' admin by default is /wp-admin and almost every single file in their app starts with wp- which makes it easy to detect. Add the entire app in a special folder. Add a meta tags to all output like <meta name="generator" content="vBulletin 4.0.4" />. There are many other things you can incorporate and write into your app that could be tell tail signs it is your code. The point is to have so many things that make the job of removing everything a daunting task or just annoying to the thief. I don't think anyone would be crazy enough to refactor all your code just to steal it. If they do remove these code bits and resell/reuse it you have an even stronger case for litigation.
You could write a script to crawl the web (ugh) or just do searches on google or even setup Google alerts to notify you if any of detectable methods you placed in your app are found (like in #3, #4, #5, #6, #8)
You could buy a CDN like www.maxcdn.com and host a JavaScript file on there and put that into your code. <script src="http://cms-headquarters.example.com/license.js"> since it is on a CDN is has very small chance of failing and if it goes down for a week that's OK too, all you need to do is check who hasn't hit your server.
Obfuscate some of your code for an added annoying deterrence.
On how vbulletin does it:
http://www.sitepoint.com/forums/showthread.php?281666-How-does-the-vBulletin-License-work
https://www.vbulletin.com/forum/showthread.php/338346-Easy-Way-To-Find-Nulled-vBulletins
Finally here's a PHP class that tries to offer a partial solution: PADL (PHP Application Distribution License System)

Web Application Activation | Computer, Local Server

Have done some research and found some stuff that may be helpful.
I would like your opinion about my approaches on this.
THE GOAL
I will develop an application in PHP (That's the only language I know and unfortunately I don't have time to learn another one right now). I want this application to be able to run offline and locally to any pc. I will use Wamp server and cakePHP framework for this.
THE PROBLEM
This application will be for sale. So I will need some activation method to prevent each app from being used in multiple computers. I don't want something complicated or very very secure. I just need something simple, to prevent non-programmers to run this app in any computer. Of course, the more secure, the better! :)
POSSIBLE SOLUTIONS I AM THINKING OF
First of all, I am thinking to force users to activate their application, by going online during installation. That way they could get a unique KEY from my online database.
I found php's shell_exec command. So I am thinking, during online installation, to get the Host ID (Machine ID) of that computer, send it to my server and store it to my database next to a unique KEY. Then Machine ID and unique KEY can be stored to a php file. (Could I store it somewhere more secure? Maybe encrypt it?)
Every time the user opens the application, php will read machine ID. If not the same with the one stored in php file, an activation will be required. (Maybe could store computer's name too or some other id?)
Is that a good approach? Would it be possible?
Another approach I am thinking of, is to have a guy create a non php installation file. When run, will promp wamp installation and when installation finishes, will transfer all necessary files to wamp root folder (automatization for the user). I can only guess though this will work, as my knowledge over other languages is limited...
Could I benefit from this in validation terms? Can a non php file interact with my php application and validate it, for only one unique computer?
Any info will be very appreciated. I have just started building the application and want to know if there is a good way (or non) to secure it.
Thanks!
There is no point in all of this because if people want they can simply crack any of the copy protection methods you came up with. This also applies to any other app written in any other language. If people want to use it without permissions there are ways to do that.
There are some ways to obfuscate the code (see Is there a code obfuscator for PHP?) but these solutions are just silly because if people really want they can get the code in plain text anyways.
A better idea might be to run the app on your server and allow people to pay for it monthly, Software as a Service like Google Apps for Business.

How do I verify users of my PHP application?

While installing an application onto a client's server, I would like to make sure that the client (or a future developer for them, etc) does not copy my application and place it on other domains/servers/local servers.
How can I verify that my application is running on the server I installed it on? I do not want any substantial lag in the script every time it runs, so I assume a 'handshake' method is not appropriate.
I was thinking the script could request a PHP page on my own server every time it runs. This could send my server their server info and domain name, which my script can check against a database of accepted clients. If the request is invalid, my server handles the work of emailing me the details so I can follow it up. This should not slow down the client's script as it isn't expecting a response, and will still operate on their 'invalid' server until I can investigate this and follow it up with them personally.
If this is the best method (or if there is better), what PHP call should I be making to request my server's script? file_get_contents, curl and similar seem to always retrieve the response, which I don't need.
UPDATE
Thank you all for your responses. I completely understand that PHP is open source and should be freely available to edit. I should have stated more clearly initially, but my intentions were for this verification method to assist me in finding anyone breaching my license agreement. The application is covered under a license, but I would also like to include this check so that I can monitor an initial misuse of my application.
Hence, somebody may still breach my license and it would most likely go unnoticed, but if I implement this script I have the advantage of any 'lazy robbers' who don't break apart my application and remove the verifier before ripping it.
Does this justify the use of such a script? If so, is cURL my best option?
Any checking code for verification is easily replaced with a return true;. Look at the faq at https://stackoverflow.com/tags/php/info :
Q. Can I protect my PHP code from theft? If so, how?
A. There is no effective technical solution to protect, encode or encrypt PHP source code. There are many products that offer some levels of protection, but all can be broken with time and effort. Your best option is not a technical solution, but a legal solution in the form of a license agreement.
You get a legal agreement and sue everyone.
SaaS is your friend. Host the application on your own secure servers, and charge a license fee for your customers to access it.
imo its worth checking out some joomla extensions that do this. There a few different implementations, some check the domain and validate it before executing, most are encrypted, along with a domain validation. I remember sakic's url sef extension used to do this. There are quite a few more commercial extensions that use the same thing. Apart from that I cant think of another way.Probably another good idea is to have a good license in place and a good lawyer....
Short answer: This can't be done.
Long answer: Whatever protection you put in your code, it can be removed with little difficulty by anyone with some experience in PHP. Even if the code is encoded with something like ionCube or Zend Guard, this too can be decoded with relative ease.
Your only option is to protect your intellectual property by actively pursuing copyright infringers. Even this is not foolproof, as our folks from RIAA and MPAA know very well. In this day and age, I'd say this is not a solvable problem.
You could integrate phone-home behavior into your software but you should probably consult a lawyer to discuss privacy issues about that and to work out privacy guidelines and terms of use for your clients' usage license.
One thing to be careful about is the data you send (and the way you send it, i.e. securely encrypted or not) to identify the client who is illegally using your product because it could potentially be used to compromise your client's infrastructure or for spying on your client.
Regarding your phone-home function, be warned that the client could just locate and remove it, so using a PHP obfuscator or compiler might provide some additional protection against this (though any sufficiently determined PHP developer could probably disable this). Note that your protection will only act as a deterrent aimed to make the cost of circumvention
approach or exceed the cost for legal use.
EDIT:
As poke wrote in the question comment, you could move parts of your code outside the software installed at your client's site to your servers but this may backfire when your servers are unreachable for some reason (e.g. for maintenance).
In the end, I think that customer satisfaction should be valued higher than protecting your software from the customer, i.e. try to avoid protections that are likely to make your customers angry.
You could encode it and hard code a license file that would allow it to only work on the domain it was intended for (e.g. use ioncube or zend to encode a file that checks if the HTTP HOST is the intended domain without doing a handshake). You could then make that file required in all other files (if everything was encoded).

PHP - protecting code [duplicate]

This question already has answers here:
Closed 12 years ago.
Possible Duplicates:
How to protect your software code?
Protect my PHP App
Hi, I have a framework that I am wanting to be able to sell licenses for. I want people to be able to edit the code if they choose to (to a degree) but also I want to try and stop someone paying for the code and then just putting it up for download.
Is there a way that I can keep part of the code ( small piece of code that is ) on a server which each site using my framework will need to connect to use?
any help or ideas much appreciated.
You can... But do you want to?
PHP scripts are not Java servlets. They're not always running; they start when a request commences and they finish when the request stops.
So, which functionality would you put that requires calling home? It must not be in every page, because it would significantly slow down both the client application and your servers. If you have some page that is rarely used (e.g. some configuration page) you could defer some of its functionality to your server. But even then, consider that your client may not want to run code that depends on some server of yours – you may not be able to guarantee it's always online; the client may have its server behind a firewall that doesn't allow outgoing connections, etc.
Zend Guard seems to be the de facto standard. However, a quick google search revealed a couple others:
SourceGuardian
PHP LockIt
PHP Cipher
In the long run, though, all of these just end up pissing off the people who have to make modifications to their server to run a script. My advice, as someone who has both used and released scripts with this type of encryption, is that you not bother, because someone will (given enough time) decrypt it anyways.
That's the problem with script-languages. You can't protect the code in the way, that a user doesn't see it. However if you plan to provide a license and a customer has to buy it, that's the best way I think. If he would upload the code for others to download, you can go to your lawyer.
The way you mentioned, that everybody has to connect to your server is also a solution. But therefore I would not store the framework on your server, but give the framework to you customer and let him register this framework for one domain for example. Then the framework connects to your server and checks if it was called, from the correct domain.
Sorry, my english it not that good to express myself this good, but I hope you get the idea :)

Deploy PHP website to client server without showing PHP files

I asked a recent question regarding the use of readfile() for remotely executing PHP, but maybe I'd be better off setting out the problem to see if I'm thinking the wrong way about things, so here goes:
I have a PHP website that requires users to login, includes lots of forms, database connections and makes use of $_SESSION variables to keep track of various things
I have a potential client who would like to use the functionality of my website, but on their own server, controlled by them. They would probably want to restyle the website using content and CSS files local to their server, but that's a problem for later
I don't want to show them my PHP code, since that's the value of what I'd be providing.
I had thought to do this with calls to include() from the client's server to mine, which at least keeps variable scope intact, but many sites (and the PHP docs) seem to recommend readfile(), file_get_contents() or similar. Ideally I'd like to have a simple wrapper file on the client's server for each "real" one on my server.
Any suggestions as to how I might accomplish what I need?
Thanks,
ColmF
As suggested, comment posted as an answer & modified a touch
PHP is an interpretive language and as such 'reads' the files and parses them. Yes it can store cached byte code in certain cases but it's not like the higher level languages that compile and work in bytecode. Which means that the php 'compiler' requires your actual source code to work. Check out zend.com/en/products/guard which might do what you want though I believe it means your client has to use the Zend Server.
Failing that sign a contract with the company that includes clauses of not reusing your code / etc etc. That's your best protection in this case. You should also be careful though, if you're using anything under an 'open source' license your entire app may be considered open source and thus this is all moot.
This is not a non-standard practice for many companies. I have produced software I'm particularly proud of and a company wants to use it. As they believe in their own information security for either 'personal' reasons or because they have to comply to a standard such as PCI there are times my application must run in their environments. I have offered my products as 'web services' where they query my servers with data and recieve responses. In that case my source is completely protected as this is no different than any other closed API. In every case I have licensed the copy to the client with provisions that they are not allowed to modify nor distribute it. This is a legal binding contract and completely expected from the clients side of things. Of course there were provisions that I would provide support etc etc but that's neither here nor there.
Short answers:
Legal agreement, likely your best bet from everyone's point of view
Zend guard like product, never used it so I can't vouch for it
Private API but this won't really work for you as the client needs to host it
Good luck!
If they want it wholly contained on their server then your best bet is a legal solution not a technical one.
You license the software to them and you make sure the contract states the intellectual property belongs to you and it cannot be copied/distributed etc without prior permission (obviously you'll need some better legalese than that, but you get the idea).
Rather than remote execution, I suggest you use a PHP source protection system, such as Zend Guard, ionCube or sourceguardian.
http://www.zend.com/en/products/guard/
http://www.ioncube.com/
http://www.sourceguardian.com/
Basically, you're looking for a way to proxy your application out to a remote server (i.e.: your clients). To use something like readfile() on the client's site is fine, but you're still going to need multiple scripts on their end. Basically, readfile scrapes what's available at a particular file path or URL and pipes it to the end user. So if I were to do readfile('google.com'), it would output the source code for Google's homepage.
Assuming you don't just want to have a dummy form on your clients' sites, you're going to need to have some code hanging out on their end. The code is going to have to intercept the form submissions (so you'll need a URL parameter on the page you're scraping with readfile to tell your code that the form submission URL is your client's site and not your own). This page (the form submission handler page) will need to make calls back to your own site. Think something like this:
readfile("https://your.site/whatever?{$_SERVER['QUERY_STRING']}");
Your site is then going to process the response and then pass everything back to your clients' sites.
Hopefully I've gotten you on the right path. Let me know if I was unclear; I realize this is a lot of info.
I think you're going to have a hard time with this unless you want some kind of funny wrapper that does curl type requests to your server. Especially when it comes to handling things like sessions and cookies.
Are you sure a PHP obfuscator wouldn't be sufficient for what you are doing?
Instead of hosting it yourself, why not do what most php applications do and simply distribute the program to your client with an auto-update feature? Hosting it yourself is complicated, from management of websites to who is paying for the hosting.
If you don't want it to be distributed, then find a pre-written license that allows you to do this. If you can't find one then it's time to talk to a lawyer.
You can't stop them from seeing your code. You can make it very hard for them to understand your code, which is a good second best. See our SD PHP Obfuscator for a tool that will scramble the identifiers and the whitespacing in the code, making it much more difficult to understand.

Categories