How do I verify users of my PHP application?

7

7

While installing an application onto a client's server, I would like to make sure that the client (or a future developer for them, etc) does not copy my application and place it on other domains/servers/local servers.

How can I verify that my application is running on the server I installed it on? I do not want any substantial lag in the script every time it runs, so I assume a 'handshake' method is not appropriate.

I was thinking the script could request a PHP page on my own server every time it runs. This could send my server their server info and domain name, which my script can check against a database of accepted clients. If the request is invalid, my server handles the work of emailing me the details so I can follow it up. This should not slow down the client's script as it isn't expecting a response, and will still operate on their 'invalid' server until I can investigate this and follow it up with them personally.

If this is the best method (or if there is better), what PHP call should I be making to request my server's script? file_get_contents, curl and similar seem to always retrieve the response, which I don't need.

UPDATE

Thank you all for your responses. I completely understand that PHP is open source and should be freely available to edit. I should have stated more clearly initially, but my intentions were for this verification method to assist me in finding anyone breaching my license agreement. The application is covered under a license, but I would also like to include this check so that I can monitor an initial misuse of my application.

Hence, somebody may still breach my license and it would most likely go unnoticed, but if I implement this script I have the advantage of any 'lazy robbers' who don't break apart my application and remove the verifier before ripping it.

Does this justify the use of such a script? If so, is cURL my best option?

Shier answered 22/9, 2010 at 22:0 Comment(4)
As PHP is open source, any check can be easily removed. However, it might be possible to move crucial parts of the software into a native PHP module (or similar) whose code is then not open. That way the (open) script would always need to use the module, which also does the check. Anyway, that is just what I think might be possible, although I'm not sure if this would actually work (or even be worth the effort). – Anastasiaanastasie
@poke: 'open source' in our jargon usually means 'freely available source, to which access (and possibly alterations) are promoted', which isn't really to the point here. It's disclosed source to your clients (who in this case pay for it) for sure, and the C source of the PHP language itself is open source. Most people here and I get what you're trying to say, but IMHO it's a somewhat poor choice of words. – Mosera
@Wrikken: Well, open source means to me that the source is open and completely visible, which is obviously the case with PHP (at least to those who have server access). Free software is not always open source and open source is not always free. That is a licensing detail which just gets often confused. – Anastasiaanastasie
The meaning of 'open source' has taken a route of its own, and can IMHO no longer be taken as literally as you take it. Definitions seem to agree: google.nl/… But it's just nitpicking, I'll shut up now ;) – Mosera
M
2

Any checking code for verification is easily replaced with a `return true;`. Look at the FAQ at https://stackoverflow.com/tags/php/info:

Q. Can I protect my PHP code from theft? If so, how?
A. There is no effective technical solution to protect, encode or encrypt PHP source code. There are many products that offer some levels of protection, but all can be broken with time and effort. Your best option is not a technical solution, but a legal solution in the form of a license agreement.

Mosera answered 22/9, 2010 at 22:0 Comment(0)
S
1

You get a legal agreement and sue everyone.

Spinoza answered 22/9, 2010 at 22:13 Comment(0)
A
1

SaaS is your friend. Host the application on your own secure servers, and charge a license fee for your customers to access it.

Aramenta answered 22/9, 2010 at 22:16 Comment(4)
+1 This is the way to go if you are offering a service, turning your application into a paid API would be the only way to guarantee your software hasn't been cracked and/or redistributed. – Pharmaceutics
It is a solution, but network overhead / latency would make this quite unworkable for most PHP projects. – Mosera
@Mosera I think you misunderstand. I'm suggesting that he offer his full application on his own private servers and then charge a monthly fee for subscriptions to use it. E.g., salesforce.com, mint.com, flickr.com, etc. There's no overhead or latency besides what you'd normally get for any web page. – Aramenta
OK, that's another business model, and a valid one. It is not one that will suit all project / client combos in general, and as a programmer I usually try to stay out of that kind of business, but it may fit the OP if his/her service is so unique it validates a dedicated environment. I was a little bit thrown off course by Mahdi's mentioning of 'an API'. – Mosera
J
0

IMO it's worth checking out some Joomla extensions that do this. There are a few different implementations, some check the domain and validate it before executing, most are encrypted, along with a domain validation. I remember sakic's url sef extension used to do this. There are quite a few more commercial extensions that use the same thing. Apart from that I can't think of another way. Probably another good idea is to have a good license in place and a good lawyer....

Jangro answered 22/9, 2010 at 22:7 Comment(0)
E
0

Short answer: This can't be done.

Long answer: Whatever protection you put in your code, it can be removed with little difficulty by anyone with some experience in PHP. Even if the code is encoded with something like ionCube or Zend Guard, this too can be decoded with relative ease.

Your only option is to protect your intellectual property by actively pursuing copyright infringers. Even this is not foolproof, as our folks from RIAA and MPAA know very well. In this day and age, I'd say this is not a solvable problem.

Earreach answered 22/9, 2010 at 22:9 Comment(0)
F
0

You could integrate phone-home behavior into your software but you should probably consult a lawyer to discuss privacy issues about that and to work out privacy guidelines and terms of use for your clients' usage license.

One thing to be careful about is the data you send (and the way you send it, i.e. securely encrypted or not) to identify the client who is illegally using your product because it could potentially be used to compromise your client's infrastructure or for spying on your client.

Regarding your phone-home function, be warned that the client could just locate and remove it, so using a PHP obfuscator or compiler might provide some additional protection against this (though any sufficiently determined PHP developer could probably disable this). Note that your protection will only act as a deterrent aimed to make the cost of circumvention approach or exceed the cost for legal use.

EDIT:
As poke wrote in the question comment, you could move parts of your code outside the software installed at your client's site to your servers but this may backfire when your servers are unreachable for some reason (e.g. for maintenance).

In the end, I think that customer satisfaction should be valued higher than protecting your software from the customer, i.e. try to avoid protections that are likely to make your customers angry.

Fiducial answered 22/9, 2010 at 22:14 Comment(0)
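A sketch of the phone-home check discussed in the question and in the answer above, written so it sends as little as possible and never delays the page. This is an added example, not code from any of the posters; the endpoint URL, license ID, shared secret and function names are hypothetical placeholders.

```php
<?php
declare(strict_types=1);

// Hypothetical placeholders: endpoint, license ID and per-client secret.
const BEACON_URL     = 'https://license.example.com/beacon';
const LICENSE_ID     = 'LIC-EXAMPLE-0001';
const LICENSE_SECRET = 'per-client-secret-placeholder';

// Payload is limited to license ID, host name and timestamp: no paths,
// environment variables or user data. The HMAC only ties the beacon to the
// issued license; anyone holding the source can read the secret.
function buildBeacon(string $host, int $now): array
{
    $fields = ['license' => LICENSE_ID, 'host' => strtolower($host), 'ts' => $now];
    $fields['sig'] = hash_hmac('sha256', http_build_query($fields), LICENSE_SECRET);
    return $fields;
}

// POST over verified TLS with hard sub-second timeouts; the response body is
// captured and discarded, and any failure is swallowed.
function sendBeacon(array $fields): bool
{
    $ch = curl_init(BEACON_URL);
    if ($ch === false) {
        return false;
    }
    curl_setopt_array($ch, [
        CURLOPT_POST              => true,
        CURLOPT_POSTFIELDS        => http_build_query($fields),
        CURLOPT_RETURNTRANSFER    => true,
        CURLOPT_CONNECTTIMEOUT_MS => 300,
        CURLOPT_TIMEOUT_MS        => 500,
        CURLOPT_NOSIGNAL          => true,  // needed for millisecond timeouts on some builds
        CURLOPT_SSL_VERIFYPEER    => true,
        CURLOPT_SSL_VERIFYHOST    => 2,
        CURLOPT_PROTOCOLS         => CURLPROTO_HTTPS,
    ]);
    return curl_exec($ch) !== false;
}

// Run after the page has been delivered, so visitors never wait on the vendor server.
register_shutdown_function(static function (): void {
    if (function_exists('fastcgi_finish_request')) {
        fastcgi_finish_request();           // PHP-FPM only: flush response, keep running
    }
    // SERVER_NAME usually comes from server config; HTTP_HOST is a client-supplied header.
    sendBeacon(buildBeacon($_SERVER['SERVER_NAME'] ?? 'unknown', time()));
});
```

On the receiving side, the vendor recomputes the HMAC over the same three fields and compares the host against the list of licensed installations; under SAPIs without `fastcgi_finish_request()` the timeouts cap the added delay at about half a second.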
F
-2

You could encode it and hard code a license file that would allow it to only work on the domain it was intended for (e.g. use ionCube or Zend to encode a file that checks if the HTTP HOST is the intended domain without doing a handshake). You could then make that file required in all other files (if everything was encoded).

Fieldfare answered 22/9, 2010 at 22:6 Comment(1)
That can be easily circumvented. -1 – Earreach
