Best solution to protect PHP code without encryption

11

79

First of all, I'm not looking for a miracle... I know how PHP works and that there's not really a way to hide my code from the clients without using encryption. But that comes with the cost of an extension to be installed on the running server.

I'm looking for something different though... I'm not looking to encrypt my code or even obfuscate it. There are many PHP scripts without encrypted/obfuscated code but they are commercial applications. For instance, vBulletin and/or IP.Board forum applications.

I just want to know what approach these guys use for their applications...

I'm also open to any other suggestions.

Please note that I'm a single person and not working for a company. My product is also very specific, it won't sell that much. I just want you guys to know that I can't afford to consult a legal professional either to sue someone or prepare a commercial license. I'm just looking for a simple way to protect my simple product, if it's indeed possible, somehow...

Escarole answered 3/12, 2008 at 2:11 Comment(0)
36

Obfuscating things can only inconvenience your legitimate, law-abiding customers, while the people who would rip you off are not your target paying customers anyway. (edited out other thoughts about obfuscation)

Another suggestion for protecting your software: create a business model in which the code is an incomplete part of the value of your offering. For example, sell product licenses along with access to some data you manage on your site, or license the product on a subscription model or with customer support.

Designing a EULA is a legal matter, not a coding matter. You can start by reading some EULA text for products and websites you use. You might find some interesting details!

Creating a proprietary license is highly flexible, and probably a subject beyond the intended scope of StackOverflow, since it's not strictly about coding.

Some parts of a EULA that come to mind:

  • Limiting your liability if the product has bugs or causes damage.
  • Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
  • Giving you rights to audit their site, so you can enforce the licenses.
  • What happens if they violate the EULA, e.g. they lose their privilege to use your software.

You should consult a legal professional to prepare a commercial EULA.

edit: If this project can't justify the expense of a lawyer, check out these resources:

Mauretania answered 3/12, 2008 at 2:20 Comment(13)
Like I said in my first post, I don't want to use obfuscation because there's really no point in doing so. Well, actually, the only reason I see to use obfuscation has nothing to do with preventing other people from using the script without paying. Obfuscation could be nice if you want to prevent your clients from messing with your code and then "forcing you" to support them. But this is not really the issue here. About the EULA thing, it's basically what Eran Galperin said and my answer to him also applies here.Escarole
Consulting a legal professional for my needs would be insane. I can't afford something like that nor will my product sell that much lol. It's a simple product but I wanted to protect it somehow.Escarole
OK, fair enough. I know a small project can't afford that, I didn't know if you were working at a large company or not.Mauretania
@BillKarwin, it's interesting to me how in the same breath you say "people who would rip you off are not your target audience" and then "create a business model with hosted data" - i.e. create a business model where people essentially can't rip you off. I hear this sentiment over and over and I just don't get it.Utricle
@kalenjordan, I don't know what you don't get about that. The point is that there's no longer a motivation for pirates to copy your product, if they can't use it without access to your hosted data. Or put another way, you don't care if they pirate your software. In fact, you might even encourage copies of your software to be distributed for free, with access to a sample so people see how valuable your service is.Mauretania
@BillKarwin but your primary point is that obfuscation is pointless because the only people who that will prevent from ripping you off are people who would never be customers anyways. If that's the case, why go to the trouble of creating a biz model with hosted data. That will have zero benefit to you if the first point is true. Point is - deterring people from ripping you off is a Good Thing. Doors have locks. Grocery store items have RFID chips. SaaS apps have pay walls. Sorry I'm kinda hijacking the comment thread here.Utricle
@kalenjordan, the second point about using a SaaS model is for people who aren't satisfied by the first point, and still want some kind of protection against pirates.Mauretania
@BillKarwin tempted to reply but I know this isn't the proper forum to hash out a philosophical debate. Thanks for your thoughts!Utricle
@kalenjordan, no worries. I think I understand your point, but this question is not about trying to find a "perfect" right way to create a software business. Just offering different ideas.Mauretania
I have the same need. I developed a solution and my customers need to install it on their own private network and have sudo access to maintain the server, so there is no chance of a SaaS solution... I was thinking of developing a C# program that installs the code on the server when it boots, loads the code into the cache (APC/OPcache) and then deletes the files... What do you think about it?Tolly
@CristianSepulveda, I don't know if it's possible to do that in a PHP environment. Regardless, if the code is in the opcache, and if they are really motivated, then they can dump it from the opcache and reverse-engineer it. I wouldn't consider that to be a secure solution. Ultimately, you need to make it more attractive for the customer to work with you than to steal from you.Mauretania
Thanks @Bill Karwin. I know that any kind of protection could be hacked; the idea is to make it less easy. On the other hand, I don't think the "customer" wants to steal, but it is a large organization and I don't have control over who they give access to...Tolly
@CristianSepulveda, I don't know what to tell you. If you hand over your code to them, then they have access to it, full stop. If you make it "less easy" then you might stop them from accidentally reading it, but anyone who tries can still read it. That's not any kind of security strategy.Mauretania
16

You need to consider your objectives:

1) Are you trying to prevent people from reading/modifying your code? If yes, you'll need an obfuscation/encryption tool. I've used Zend Guard with good success.

2) Are you trying to prevent unauthorized redistribution of your code? A EULA/proprietary license will give you the legal power to prevent that, but won't actually stop it. A key/activation scheme will allow you to actively monitor usage, but can be removed unless you also encrypt your code. Zend Guard also has capabilities to lock a particular script to a particular customer machine and/or create time-limited versions of the code if that's what you want to do.

I'm not familiar with vBulletin and the like, but they'd either need to encrypt/obfuscate or trust their users to do the right thing. In the latter case they have the protection of having a EULA which prohibits the behaviors they find undesirable, and the legal system to back up breaches of the EULA.

If you're not prepared/able to take legal action to protect your software and you don't want to encrypt/obfuscate, your options are a) release it with a EULA so you have a legal option if you ever need it and hope for the best, or b) consider whether an open source license might be more appropriate and just allow redistribution.

Cyte answered 3/12, 2008 at 3:4 Comment(2)
Does Zend Guard let you obfuscate only? I've downloaded it and I'm playing around with it - it seems to allow you to encode and obfuscate, but not just obfuscate?Utricle
I have a question to ask. What if I want to save my sources from being stolen? Assume I am working with a group and everyone has access to cPanel. How may I take action if they are leaked, or how can I prevent them from leaking?Defy
6

I have not looked at the VBulletin source code in some time, but the way they used to do it around 2003 was to embed a call to their server inside the code. IIRC, it was on a really long code line (like 200-300+ chars long) and was broken up over several string concatenations and such.

It did nothing "bad" if you pirated it - the forum still worked 100%. But your server's IP was logged along with other info and they used that to investigate and take legal action.

Your license number was embedded in this call, so they could easily track how many IPs/websites a given licensed copy was running on.

Wherein answered 3/12, 2008 at 3:8 Comment(5)
I see... That's easily edited out from the code though. But thanks for the insight.Escarole
indeed it is, if you know what you are looking for. A friend of mine found it and pointed it out to me. It was not anywhere near easy to find and took several minutes for both of us to figure out just what the heck the code did. :)Wherein
Yeah they can find it, but what you can do also is sprinkle it through the application to call that function, from time to time. Give them more work to have it operate.Antirrhinum
exactly. If you don't want to obfuscate or compile or otherwise "hide" your source code, there is really little else you can do. There is a trade off you have to deal with. Either leave source code open and risk losing more sales, or obfuscate and hopefully get more sales.Wherein
What if part of the embedded call was to download a core file (class) that would render the rest of the CMS useless without it? Of course this could be mirrored, but by then the IP is logged and its too late? And then what happens if the host site is down? I'm still not sure there is a complete solution to preventing PHP piracy.Dissert
3

If you can't create a "cloud app" that you host yourself and they access via the Web, then you could look into creating a virtual appliance using a virtual server (from VMWare, Parallels, Sun, etc) and install a "lite" version of Linux on that. Put your PHP code in the virtual environment and install the virtual machine on their server. Make sure to create a way to prevent loading into root. Of course, this would involve physically visiting the client yourself.

Pianist answered 17/8, 2009 at 17:59 Comment(0)
1

They distribute their software under a proprietary license. The law protects their rights and prevents their customers from redistributing the source, though there is no actual difficulty doing so.

But as you might be well aware, copyright infringement (piracy) of software products is a pretty common phenomenon.

Heathenize answered 3/12, 2008 at 2:17 Comment(1)
Yes, but I know that they don't simply apply a proprietary license. I just don't know the details... That's what I want to know, along with the pros and cons. The problem is that I can't do the same to my software, for various reasons... One of them is that I'm a single person, not a company. I don't have the power nor the resources necessary to prosecute someone. And in my country, it would take time to sue somebody over this...Escarole
1

The only way to really protect your PHP applications from others is to not share the source code. If you post your code somewhere online, or send it to your customers by some medium, people other than you have access to the code.

You could add a unique watermark to every single copy of your code. That way you can trace leaks back to a single customer. (But will that help you, since the code is already outside of your control?)

Most code I see comes with a licence and maybe a warranty. A line at the top of the script telling people not to alter the script will maybe be enough. Myself, when I find non-open-source code, I won't use it in my projects. Maybe I'm a bit of a dupe, but I expect people not to use my non-OSS code!

Extravascular answered 3/12, 2008 at 23:49 Comment(0)
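The per-copy watermark this answer suggests, as an added example that is not part of the original answer: each customer's copy gets a token derived from an HMAC of the customer id under a vendor-held secret, and a leaked copy can be matched back to the customer whose token it carries. The secret, the `/*BUILD_ID*/` placeholder and the customer ids are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: stamp each distributed copy with a customer-specific
// token and identify the customer from a leaked copy. The vendor secret,
// the placeholder and the customer ids below are hypothetical.

/**
 * Per-customer token. HMAC (rather than a plain hash of the id) means a
 * thief cannot compute another customer's token and swap it in to frame them.
 * 16 hex chars is unique enough per customer and short enough to pass as a
 * build id.
 */
function watermarkToken(string $secret, string $customerId): string
{
    return substr(hash_hmac('sha256', $customerId, $secret), 0, 16);
}

/**
 * Release-time step: replace a placeholder the source keeps for this
 * purpose with the customer's token. A real release tool would do this for
 * every file it ships, so that stripping one occurrence is not enough.
 */
function stampSource(string $source, string $secret, string $customerId): string
{
    $token = watermarkToken($secret, $customerId);
    return str_replace('/*BUILD_ID*/', '/* build ' . $token . ' */', $source);
}

/**
 * Forensic step: given a leaked file and the list of customers it was ever
 * shipped to, return the id whose token appears in it, or null if the
 * marker was removed or the copy never went through stampSource().
 */
function identifyLeak(string $leakedSource, string $secret, array $customerIds): ?string
{
    foreach ($customerIds as $id) {
        if (strpos($leakedSource, watermarkToken($secret, $id)) !== false) {
            return $id;
        }
    }
    return null;
}

// Usage with a constructed source file and hypothetical customers:
$secret  = 'replace-with-a-long-random-vendor-secret';
$source  = "<?php /*BUILD_ID*/\nfunction hello(): string { return 'hi'; }\n";
$copy    = stampSource($source, $secret, 'cust-0042');
$culprit = identifyLeak($copy, $secret, ['cust-0001', 'cust-0042', 'cust-0077']);
// $culprit === 'cust-0042'; a copy with the comment deleted yields null.
```

As the answer itself notes, this only tells you who leaked; a visible comment is also the first thing a copier deletes, so schemes that rely on it spread the marker through identifiers or layout rather than keeping it in one stripable line.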
1

In my opinion, if your PHP program is written for a standalone model, the best solution is c) You could wrap the PHP in a container like Phalanger (.NET). As everyone knows, it binds tightly to the system, especially if your program is intended for Windows users. You can just make your own protection algorithm in a Windows programming language like .NET/VB/C# or whatever you know in the .NET family of languages.

Aeneus answered 29/10, 2011 at 17:23 Comment(0)
1

I have created a library for this purpose. It uses OPcache only, in order to convert PHP to opcodes. The library compiles your PHP code to opcodes and removes code from all PHP files included in your project. All produced opcode files are saved on the server's filesystem and used by OPcache!

https://github.com/notihnio/php-cactus

Snath answered 19/9, 2022 at 12:38 Comment(0)
0

See our SD PHP Obfuscator. Handles huge systems of PHP files. No runtime requirements on PHP server. No extra runtime overhead.

[EDIT May 2016] A recent answer noted that Zend does not handle PHP5.5. The SD PHP Obfuscator does.

Johanna answered 4/9, 2009 at 3:51 Comment(1)
Is there no free version program like that one?Agripinaagrippa
0

Zend Guard does not support php 5.5 and is easy to reverse, go for http://www.ioncube.com for obfuscation. http://wwww.phplicengine.com can license the scripts remotely or locally.

Tucci answered 1/8, 2014 at 6:47 Comment(0)
-6

So let me see, we want to show Adam and Eve there's some forbidden fruit in a tree, and we'd like a way to prevent them from eating...

How about having an angel with a flaming sword?

  1. Might sound naive, and I dunno what your application does actually, but what about the extensive use of includes?

  2. For the legitimate user, is all the software that should be visible or only parts of it? Because you could obfuscate and give a copy of source code to legitimate

  3. You could wrap the php in a container like Phalanger (.NET)

  4. Perhaps you're concerned with external theft, meaning your code is freely visible over the web as customers use it. This could be worth investing in cheap web site hosting, for $50 a year, registering your legit customers with a serial in their code and having your app post info to your web site regularly. At least you'd detect when code has been compromised. You could push it with a self destruct after n days, giving you enough time to contact your customer and change the serial. This could be the only obfuscated include() of the whole code.

Bolden answered 31/3, 2011 at 0:51 Comment(0)
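The "call home" both this answer and the earlier vBulletin answer describe, as an added example that is neither vBulletin's code nor this answer's: the licence key and host are posted to a vendor endpoint, the application keeps working whether or not the call succeeds, and the vendor correlates keys with the hosts they run on. The endpoint URL, the licence key constant and the sampling rate are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: a non-blocking licence beacon. The endpoint, key and
// sampling rate are hypothetical; the product must never depend on the
// vendor host being reachable (the concern raised in the comments).

const VENDOR_URL  = 'https://licensing.example.invalid/report'; // hypothetical
const LICENSE_KEY = 'ABCD-1234-EFGH-5678';                       // hypothetical

/**
 * Build the report. Kept separate from the transport so a customer can see
 * exactly what leaves their server: the key is an identifier, not a secret,
 * and nothing about users or content is included.
 */
function buildLicenseReport(string $licenseKey, array $server): array
{
    return [
        'key'  => $licenseKey,
        'host' => $server['SERVER_NAME'] ?? php_uname('n'),
        'addr' => $server['SERVER_ADDR'] ?? '',
        'php'  => PHP_VERSION,
        'ts'   => time(),
    ];
}

/**
 * Fire-and-forget POST with a short timeout. Returns whether the vendor
 * answered; callers ignore the result so an outage cannot break the site.
 */
function reportInstallation(string $licenseKey, ?array $server = null): bool
{
    $body = http_build_query(buildLicenseReport($licenseKey, $server ?? $_SERVER));
    $ctx  = stream_context_create(['http' => [
        'method'  => 'POST',
        'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
        'content' => $body,
        'timeout' => 2.0,
    ]]);
    // @ silences the warning on network failure; the application continues.
    $response = @file_get_contents(VENDOR_URL, false, $ctx);
    return $response !== false;
}

/**
 * Sample rather than beacon on every request: one report per ~1000 page
 * views is plenty to see where a key is installed and costs nothing.
 */
function maybeReportInstallation(int $sampleRate = 1000): void
{
    if (random_int(1, $sampleRate) === 1) {
        reportInstallation(LICENSE_KEY);
    }
}

// Somewhere in the request path, e.g. after the config include:
// maybeReportInstallation();
```

Two caveats a vendor needs before acting on these reports. The receiving endpoint should log the TCP source address (`$_SERVER['REMOTE_ADDR']` on the vendor side) rather than the self-reported `host`/`addr`, since a copier controls everything in the body; and, as the comments on the vBulletin answer say, splitting the URL over string concatenations or scattering the call through the code base only slows a reader down, it does not stop one.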
