Secure PHP Code

oo7ml
Hi, I have created a new web template with an integrated CMS... I am selling the package to small clients for a very small fee.

I am worried that a client could copy the template and database and give it to someone else...

Is there a way to stop this, such as securing the code by referencing PHP include files from my server or any other method... Thanks in advance
You can do licensing using this:
http://www.ioncube.com/
Having used ionCube with a client's website in the past, I noticed that it adds a delay of some seconds to any webpage appearing to the user. Sometimes this delay is unacceptable. I also had a bad time when upgrading to a very new PHP install where the ionCube loader for that PHP version was not ready, effectively disabling the software unless I downgraded PHP. Since I was upgrading to remove security issues... well, you get the picture.

Given the scenario you outline, I think a better option is to only give support and upgrades to those people you know you sold it to and if people want to pass it around unsupported then that is their lookout.

Author

Commented:
OK, thanks... I was thinking of making a key that was linked to the URL basename.

If the basename does not match the key, then the site won't load...

I know a programmer could find this script / coding in my code, but I could try to make it hidden as best I can.
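
A sketch of the key-tied-to-the-site idea from the comment above, as an added example that is not part of the original thread or any poster's code: the key is an Ed25519 signature over the hostname, so the shipped template holds only a public key and cannot be used to mint keys for other domains. The function names and hostnames are assumptions, "URL basename" is taken to mean the site's hostname, and anyone who can edit the PHP source can still delete the check.

```php
<?php
// Added example: licence key bound to a hostname via an Ed25519 signature.
// Needs PHP >= 7.2 with the sodium extension. All names are hypothetical.

// Vendor side (never shipped): sign the hostname the copy was sold for.
function issue_licence(string $host, string $secretKey): string
{
    $host = strtolower($host);
    return base64_encode(sodium_crypto_sign_detached($host, $secretKey)) . '.' . $host;
}

// Client side (shipped): only the PUBLIC key is embedded in the template.
function licence_valid(string $licence, string $requestHost, string $publicKey): bool
{
    $parts = explode('.', $licence, 2);   // base64 never contains '.'
    if (count($parts) !== 2) {
        return false;
    }
    $sig = base64_decode($parts[0], true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    // Normalise the request host: lower-case, drop any :port suffix.
    $host = strtolower((string) preg_replace('/:\d+$/', '', $requestHost));
    if (!hash_equals($parts[1], $host)) {
        return false;   // key was issued for a different site
    }
    return sodium_crypto_sign_verify_detached($sig, $parts[1], $publicKey);
}

// Constructed demo. In practice the vendor generates the key pair once and
// the secret key never leaves the vendor's machine.
$pair   = sodium_crypto_sign_keypair();
$secret = sodium_crypto_sign_secretkey($pair);
$public = sodium_crypto_sign_publickey($pair);

$licence = issue_licence('shop.example.com', $secret);
// In the template, $requestHost would come from $_SERVER['HTTP_HOST'].
var_dump(licence_valid($licence, 'shop.example.com:8080', $public)); // licensed site
var_dump(licence_valid($licence, 'copy.example.net', $public));      // copied install
$forged = explode('.', $licence, 2)[0] . '.copy.example.net';
var_dump(licence_valid($forged, 'copy.example.net', $public));       // hand-edited key
```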

The problem is that any script can either be replaced or the call to it disabled. With an interpreted script like PHP, there really is very little code security.

One option might be to use obfuscation, where the code is altered to make it very hard to follow or modify but is still executable. For instance, this code

<?php
// Output the main stories
//
if ( $mainNews > 0 ) {
	$keys = array_keys( $idCodes );
	$t .= noEcho("<div class='mainNews'>");
	for ( $i=0; $i < $mainNews; $i++ ) {
		$pageId = ( $stories[$i]->getNeCategory() == 1 ) ? $cat2 : $cat1;
		$url->addParameter("news", $storyIds[$i] );
		$url->addParameter("pageId", $pageId );
		$link = "<a href='{$url->rtvAmpUrl()}'>";
		$t .= "<div class='popularNewsTitle'>".$link . $stories[$i]->getNeTitle()."</a></div>";
		// 002 $t .= "<p>" . $idCodes[$keys[$i] ] . " views</p>";
		$t .= "<p></p>"; // 002
	}
	$t .= noEcho("</div>");
}


becomes this code

<?php 

/*******************************************\
|  Source code obfuscated  by Code Eclipse  |
|        http://www.codeeclipse.com/        |
| Complete protection, total compatibility! |
\*******************************************/

 $x17="ar\x72a\171\x5f\153\145\x79s"; 
 if ( $x0b > 0 ) { $x0c = $x17( $x0d ); $x0e .= noEcho("\x3c\x64\151\x76 c\154\141s\x73\x3d'\155a\151\156\x4e\x65\167\163'>"); for ( $x0f=0; $x0f < $x0b; $x0f++ ) {$x10 = ( $x11[$x0f]->getNeCategory() == 1 ) ? $x12 : $x13;$x14->addParameter("\156e\167s", $x15[$x0f] );$x14->addParameter("\160\x61g\145\111d", $x10 );$x16 = "\074\x61 \150\x72\145\146\075'\x7b$x14->rtvAmpUrl\050\051\x7d'\076";$x0e .= "<\144\151v\x20\143l\141ss\075'\x70\157p\x75la\x72\x4eews\x54\151\x74le'\x3e".$x16 . $x11[$x0f]->getNeTitle()."</a>\074\x2f\x64\151v\076"; $x0e .= "<p\x3e\074\x2f\x70>";} $x0e .= noEcho("</\144\x69v\x3e");}


You always keep a copy of the original code and always work on that. These things can be reverse engineered to an extent, but I think you get the point. Obfuscators are available on some IDEs or at SourceForge.

Author

Commented:
Thanks, i will try this
Just remember to use the obfuscator on a COPY of your code and not on the original version.

Then the easiest way would be to use PHP encoding.

One online tool is this:
http://www.byterun.com/free-php-encoder.php

It will encode the code into a hex-like string.
Commented:
Piracy is an unavoidable element of any creative work. How rampant is music, movie or software piracy? Obfuscation will only ever be a mediocre deterrent, never a solution.

The time and money you spend on obfuscation technology might be better spent with a lawyer defining a specific licensing document your customer must accept prior to implementation of your finished product. In my experience, if you're selling to small businesses, they don't have the time, technical skills or financial backing to engage in large scale piracy. The outcome needs to justify the means.

If you're really worried about piracy and your CMS is primarily targeted at the public Internet, you could implement a phone home procedure which is activated on random occasions and not so frequently as to attract attention or impact performance. Perhaps while the customer is editing a page, but with a broad scope so that the procedure is only actioned once in a while and reports the actual web domain they're using, the server IP, page being updated, and time and date of the offence so you have specific proof. There are many web/domain archiving hosts so it would be relatively trivial to perform legal discovery for a competent individual.

Everyone needs to update their website, and while you might not catch everyone all the time, you'll probably catch most people most of the time.
