script licensing and security

Hello, so I am working on a script which I will sell online by sending a copy of that script to clients who purchase it.
The script works like WordPress, for example: after installation on the client's website they are set to go.
What I am looking for is information about protection and licensing.
I want to be able to create a license for each purchase with which my clients will be able to activate their product, so that those who just have my files won't be able to use them for free.
Also, I guess I need to encrypt my script using, for example, RSA or any other method of doing so in order to prevent the script being nulled.
As a side note, I have found a website that claims to provide all of that, "phpmillion"; here is a URL for the product description and purchase:
https://codecanyon.net/item/auto-php-licenser/19720092
Will that product meet my needs? Are there any other similar solutions? How do I use it?
I know there are products like zend and ioncube, but I don't think they offer a licensing solution.
This is a new topic to me, so I have very little knowledge in that area.
Thank you for your help!
Lev Buchel, Entrepreneur, Asked:
 
Chinmay Patel, Enterprise Architect, Commented:
Hi Lev,

You will have to combine both, i.e. Auto PHP Licenser + ioncube or Zend. Auto PHP Licenser will only help you sort out licensing-related functionality. It has built-in support for ioncube and Zend, so if you decide to go with APL, you should be able to call ioncube or Zend from APL to obfuscate your code.

Regards,
Chinmay.
0
 
Julian Hansen Commented:
You are using PHP and JavaScript - interpreted scripts - whatever you do to protect them your customers can undo - as you are giving them the source code.

Depending on the nature of the application one method that works is if you have an API for the code. The main functionality sits on your server and is called by your client's code. If they are not paid up the API does not allow them access.

There are commercial products for code protection, the following two being quite prominent.
http://www.ioncube.com/php_encoder.php
http://www.zend.com/en/products/zend-guard
0
 
Dave Baldwin, Fixer of Problems, Commented:
Note that Ioncube and/or Zend must be installed on the web server by the host for you to use them.  They have become pretty common but not universal.
1
 
Lev Buchel, Entrepreneur, Author Commented:
Thank you for your replies.
Regarding ioncube and zend, I think I will have to pass due to the fact that I am developing the script in my spare time and I am not sure if I will end up completing it or not, so I cannot justify buying their services for such a price ($200).
I have seen a solution which provides a licensing option with a PHP obfuscator.
Is "php obfuscator" going to be good enough as a code protection?

Also, regarding ioncube, I have seen that there is a feature called ioncube loader; is that what I need?
0
 
Dave Baldwin, Fixer of Problems, Commented:
Is "php obfuscator" going to be good enough as a code protection?
No.

Also, regarding ioncube, I have seen that there is a feature called ioncube loader; is that what I need?
I believe there are two parts. One to 'encode' your PHP code and another that resides on the server to decode and run it. Their website should tell you about it. http://www.ioncube.com/php_encoder.php
0
 
Julian Hansen Commented:
Is "php obfuscator" going to be good enough as a code protection?
In most cases, no, it won't. A dedicated person can find where you have included your protection and can disable it.

Question: is this product going to be something that clients download and install themselves or will it be something that you engage with them on?

One option would be to leave out a critical module from the code base. To get that module they have to register - once they have successfully registered the rest of the application is restored - this sort of brings in the API aspect I mentioned earlier - you have a missing piece without which the application will not work - they get that piece when they register.

This does not stop them copying the code base and giving it to someone else - but then you would have the same problem with a license key.
0
 
gr8gonzo, Consultant, Commented:
A PHP obfuscator simply tries to make the code harder to read.
Original:
<?php
$dblink = mysqli_connect("localhost","root","password");
$query = "SELECT * FROM sometable";
$result = mysqli_query($dblink, $query);

Obfuscated code:
<?php $y=mysqli_connect("localhost","root","password");$g="SELECT * FROM sometable";$m=mysqli_query($y, $g);

Some obfuscators will try to make things even MORE difficult by also encoding the strings and then decoding them at runtime:
<?php $h2=base64_decode('bG9jYWxob3N0');$u9=base64_decode('cm9vdA==');$p7=base64_decode('cGFzc3dvcmQ=');$q1=base64_decode('U0VMRUNUICogRlJPTSBzb21ldGFibGU=');$y=mysqli_connect($h2,$u9,$p7);$g=$q1;$m=mysqli_query($y, $g);

Of course, this slows the script down by adding a bunch of decoding calls that need to execute every single time the script runs. So at best, an obfuscator will make things harder to read, but still completely able to be hacked. At worst, it will slow down your script execution. There is no obfuscator that will replace a licensing system.

As far as licenses go, you already have the best answers. I personally think Zend has the highest compatibility of all options, although ionCube is fairly popular, too. Yes, they cost money, and there's not much to be said except that it's just part of the nature of things. If it were easy or effective to do for free, then they wouldn't have a product that people buy.

If you absolutely cannot spend money, then the best thing you could do is try to use Zephir to build a compiled extension that uses OpenSSL and public/private keys to perform licensing. Basically, you'd put some critical code into that extension (code that your application wouldn't run without), and then also put some code into that extension that took some token that contained the user's info, and then called your own server with that information so your server could either provide a digital signature via private key to license the app, or discover if someone had copied the application without permission. It gets very tricky to do it correctly - to not "call home" every single time (so you're not bottlenecking the performance of your distributed application for legitimate buyers), but to also detect and prevent illegal duplication. Plus, many hosts will not just install some random PHP extension for their users, so your compatibility is going to drop dramatically, which means you won't have as many people buying your product (or if they do and cannot run it, they'll ask for a refund, and if you refuse, they'll probably sue you).

So spending money on a quality licensing application will avoid a lot of headaches and increase the number of people who can run your application. Sometimes you have to spend money to make money.
0
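
The public/private-key licensing gr8gonzo describes above, as an added example that is not code from the thread or from any product named in it: the vendor signs a license token with a private key, and the product verifies it offline with the embedded public key, so no call home is needed on each request. The function names, the claim fields (`customer`, `domain`, `expires`) and the binding of a license to one domain are assumptions made for the illustration.

```php
<?php
// Added example, not from the thread. Function names and claim keys are hypothetical.

// Vendor side: sign the license claims with the private key, which is never shipped.
function issue_license(array $claims, $privateKey): string {
    $payload = json_encode($claims);
    if (!openssl_sign($payload, $sig, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Product side: verify offline with the public key embedded in the product.
function verify_license(string $token, string $publicKeyPem, string $host, int $now): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    $payload = base64_decode($parts[0], true);
    $sig = base64_decode($parts[1], true);
    if ($payload === false || $sig === false) return null;
    // openssl_verify returns 1 only for a valid signature; 0, -1 and false all mean reject.
    if (openssl_verify($payload, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) return null;
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['domain'], $claims['expires'])) return null;
    if (strcasecmp((string)$claims['domain'], $host) !== 0) return null; // bound to one site
    if ((int)$claims['expires'] < $now) return null;                      // license expired
    return $claims;
}

// Constructed demo data: a throwaway RSA key pair and a made-up customer.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key']; // PEM public key
$now = time();
$token = issue_license(
    ['customer' => 'C-1001', 'domain' => 'shop.example', 'expires' => $now + 365 * 86400],
    $key
);

// Genuine token on the licensed host.
var_dump(verify_license($token, $pub, 'shop.example', $now) !== null);
// Same token copied to another host: the domain check rejects it.
var_dump(verify_license($token, $pub, 'other.example', $now) !== null);
// Payload edited after signing: the signature check rejects it.
[$p, $s] = explode('.', $token);
$forged = base64_encode(str_replace('shop.example', 'other.example', base64_decode($p))) . '.' . $s;
var_dump(verify_license($forged, $pub, 'other.example', $now) !== null);
```

The signature stops forged or altered licenses, but the check is ordinary PHP that can be deleted from readable source, which is why the posts above pair licensing with an encoder or a compiled extension.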
 
Lev Buchel, Entrepreneur, Author Commented:
Thank you gonzo, Julian, Dave and Chinmay.
Your comments were very helpful.
I will end up purchasing both the PHP Licenser and ioncube.
And as Chinmay suggested, since there is encoding support, I will encode the script and then generate a license for each customer.
Thank you again!
0
Question has a verified solution.
