The best solution for securing PHP code without encryption

First of all, I'm not looking for a miracle ... I know how PHP works, and that there really is no way to hide my code from clients without using encryption. But this is due to the cost of the extension that will be installed on a running server.

I am looking for something else, though ... I do not want to encrypt my code or even confuse it. There are many PHP scripts without encrypted / obfuscated code, but they are commercial applications. For example, vBulletin and / or IP.Board applications.

I just want to know what approach these guys use for their applications ...

I am also open to any other suggestions.

Please note that I am one person and do not work in the company. My product is also very specific, it will not sell so much. I just want you guys to know that I cannot afford to consult with a lawyer to sue someone or prepare a commercial license. I'm just looking for an easy way to protect my simple product, if it is really possible, anyway ...

+60
php encryption obfuscation
Dec 03 '08 at 2:11
11 answers

Obfuscating things can only lead to the inconvenience of your legitimate, law-abiding customers, while the people who tear you apart will not be your customers paying for you. (edited other thoughts about obfuscation)

Another suggestion for protecting your software is to create a business model in which the code is an incomplete part of the value of your offer. For example, sell product licenses along with access to some data that you manage on your site, or license the product for a subscription model or with customer support.

EULA development is a legal issue, not a coding issue. You can start by reading some EULA text for the products and websites that you use. You can find interesting details!

Creating a proprietary license is very flexible and probably an object that goes beyond the intended scope of StackOverflow, as it is not strictly about coding.

Some parts of EULA that come to mind:

  • Limitation of liability if the product has errors or damages.
  • Descriptions of how the customer can use their licensed software, for how long, for how many machines, with or without redistribution rights.
  • Granting you the right to audit your site so that you can enforce licenses.
  • What happens if they violate the EULA, for example, they lose their privilege to use your software.

You should contact a lawyer to prepare a commercial license agreement.

edit: If this project cannot justify the costs of a lawyer, check these resources:

+32
Dec 03 '08 at 2:20

You need to consider your goals:

1) Are you trying to prevent people from reading / changing your code? If so, you will need an obfuscation / encryption tool. I used Zend Guard with good success.

2) Are you trying to prevent unauthorized redistribution of your code? An EULA / proprietary license will provide you with legal force to prevent this, but will not really stop it. The key / activation scheme will allow you to actively control the use, but can be deleted if you also do not encrypt your code. Zend Guard also has the ability to block a specific script for a specific client machine and / or create time-limited versions of the code if this is what you want to do.

I am not familiar with vBulletin, etc., but they need to either encrypt / obfuscate, or trust their users to do the right thing. In the latter case, they have protection against a license agreement that prohibits behavior that they consider undesirable, and a legal system to protect against violations of the license agreement.

If you are not ready / cannot take legal measures to protect your software, and you do not want to encrypt / obfuscate your options: a) Release it using EULA so that you have a legal option if you ever need it and hope for the best, or b) consider whether an open source license might be more appropriate and just allow redistribution.

+13
Dec 03 '08 at 3:04

You can use php compiler:

Roadsend

phc

+7
Dec 03 '08 at 2:23

I have not looked at the source code of VBulletin for some time, but the way they did it in 2003 was to embed the call on my server inside the code. IIRC, it was on a very long line of code (for example, 200-300 + characters long) and was split into several string concatenations, etc.

It didn’t do anything “bad” if you were pirating it - the forum still worked 100%. But your server IP address was registered with other information, and they used this to investigate and take legal action.

Your license number has been embedded in this call so that they can easily track the number of IP addresses / websites on which this licensed copy was running.

+6
Dec 03 '08 at 3:08

If you cannot create a "cloud application" that you host on your own, and they access it online, you can look at creating a virtual device using a virtual server (from VMWare, Parallels, Sun, etc.) and install a "lite" version of Linux on it. Put your PHP code in a virtual environment and install the virtual machine on your server. Be sure to create a way to prevent booting to the root directory. Of course, this will be associated with a physical visit to the client on their own.

+2
Aug 17 '09 at 17:59

They distribute their software under a proprietary license. The law protects their rights and does not allow its customers to redistribute the source, although there is no real problem with this.

But, as you are well aware, copyright infringement (piracy) of software products is quite common.

+1
Dec 03 '08 at 2:17

In my opinion, but just in case your PHP program is written for a standalone model ... the best solutions are: c) You can wrap PHP in a container like Phalanger (.NET), since everyone knows that it is closely related to the system, especially if your program is designed for Windows users. You can simply create your own security algorithm in a Windows programming language, for example .NET / VB / C#, or whatever you know in the .NET programming language family.

+1
Oct 29 '11 at 17:23

The only way to really protect your php applications from others is to not pass the source code. If you send the code somewhere on the Internet or send it to your customers using some kind of media, other people than you have access to the code.

You can add a unique watermark to each copy of your code. This way you can track leaks back to a single customer. (But will this help you, since the code is already out of your control?)

In most cases, I see a license and, possibly, a guarantee. The line at the top of the script telling people not to modify the script might be enough. By itself; when I find non-open source, I will not use it in my projects. Maybe I'm a little cheating, but I expect ppl will not use my code without OSS!

0
Dec 03 '08 at 23:49
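
One way to implement the per-copy watermark suggested in the answer above, as an added example that is not part of the original answer or of any product's code: each customer's copy carries a keyed tag derived from their customer ID, and a leaked copy is traced by recomputing the tag for every known customer. The function names, the `@build` comment marker, the key and the customer IDs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample values; in practice the key never leaves the vendor's build machine.
const VENDOR_KEY = 'example-key-kept-off-customer-copies';
const CUSTOMERS  = ['cust-1001', 'cust-1002', 'cust-1003'];

/** Keyed tag for one customer; without VENDOR_KEY it cannot be forged or mapped to an ID. */
function watermarkTag(string $customerId): string
{
    return substr(hash_hmac('sha256', $customerId, VENDOR_KEY), 0, 16);
}

/** Stamp a source file with the customer's tag in a docblock after the opening tag. */
function stampSource(string $source, string $customerId): string
{
    $mark = "/** @build " . watermarkTag($customerId) . " */";
    $stamped = preg_replace('/^<\?php\b/', "<?php\n" . $mark, $source, 1, $count);
    if ($count !== 1) {
        throw new InvalidArgumentException('source must start with <?php');
    }
    return $stamped;
}

/** Return the customer whose tag appears in a leaked file, or null if none matches. */
function traceLeak(string $leakedSource, array $customers): ?string
{
    if (!preg_match('/@build ([0-9a-f]{16})/', $leakedSource, $m)) {
        return null; // mark stripped: a comment-based watermark is easy to remove
    }
    foreach ($customers as $id) {
        if (hash_equals(watermarkTag($id), $m[1])) {
            return $id;
        }
    }
    return null;
}

$original = "<?php\nfunction price(int \$qty): int { return \$qty * 5; }\n";
$shipped  = stampSource($original, 'cust-1002');

var_dump(traceLeak($shipped, CUSTOMERS));   // stamped copy
var_dump(traceLeak($original, CUSTOMERS));  // unstamped source
```

A tag kept in a comment survives only until someone deletes it, and a match identifies which customer's copy leaked, not who leaked it.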

See our SD PHP Obfuscator. Handles huge PHP file systems. There are no runtime requirements on the PHP server. No additional time spent on execution.

[EDIT May 2016] A recent response noted that Zend is not processing PHP5.5. SD PHP Obfuscator does.

0
Sep 04 '09 at 3:51

Zend Guard does not support php 5.5 and is easy to reverse, go to http://www.ioncube.com for obfuscation. http://wwww.phplicengine.com can license scripts remotely or locally.

0
Aug 01 '14 at 6:47

So let me see, we want to show Adam and Eve the forbidden fruit there on the tree, and we would like them not to eat ...

How about making an angel with a fire sword?

  • It may seem naive, and I don’t know what your application actually does, but what about extensive use of includes?

  • For a legitimate user, should all software be visible or only parts of it? Since you can confuse and provide a copy of the source code for legit

  • You can wrap php in a container like Phalanger (.NET)

  • You may be worried about external theft, which means that your code can be freely viewed through the Internet, as customers use it. It might be worth investing in cheap website hosting for $50 a year by registering your legitimate customers with a serial number in your code and regularly posting information about your application on your website. At least you will find out when the code has been cracked. You can push it with self-destruction after n days, giving you enough time to contact your client and change the serial number. This may be the only confusing include () of the entire code.

-5
Mar 31 2018-11-11T00:
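
The license call-home described in two answers above (the vBulletin answer and the serial-number suggestion), seen from the vendor's side, as an added example that is not from the original posts or from vBulletin: it groups received call-home records by license number and reports licenses seen on more distinct IP addresses than were sold. The record format, function names, license numbers and seat counts are constructed for illustration; the IP addresses come from documentation ranges.

```php
<?php
declare(strict_types=1);

// Constructed sample: one line per call-home, "timestamp license ip host".
const BEACON_LOG = <<<'LOG'
2008-12-01T10:02:11Z LIC-0001 192.0.2.10 forum.example.org
2008-12-01T11:40:03Z LIC-0002 198.51.100.7 board.example.net
2008-12-02T09:15:47Z LIC-0001 192.0.2.10 forum.example.org
2008-12-02T23:58:20Z LIC-0002 203.0.113.44 mirror.example.com
2008-12-03T04:12:09Z LIC-0002 203.0.113.91 copy.example.com
not a beacon line
LOG;

// Constructed entitlement table: license number => installations paid for.
const SEATS = ['LIC-0001' => 1, 'LIC-0002' => 1];

/** Parse the log into license => ip => hosts, skipping malformed lines. */
function groupByLicense(string $log): array
{
    $seen = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $f = preg_split('/\s+/', trim($line));
        if (count($f) !== 4 || filter_var($f[2], FILTER_VALIDATE_IP) === false) {
            continue; // wrong field count or no valid IP: not a usable record
        }
        [, $license, $ip, $host] = $f;
        $seen[$license][$ip][$host] = true;
    }
    return $seen;
}

/** Licenses reporting from more distinct IPs than their entitlement allows. */
function overused(array $seen, array $seats): array
{
    $report = [];
    foreach ($seen as $license => $ips) {
        $allowed = $seats[$license] ?? 0; // unknown license number: nothing was sold
        if (count($ips) > $allowed) {
            $report[$license] = ['allowed' => $allowed, 'ips' => array_keys($ips)];
        }
    }
    return $report;
}

print_r(overused(groupByLicense(BEACON_LOG), SEATS));
```

The IP column should be the address the collector saw on the connection rather than anything the client reports about itself, and a server move or dynamic address can trip the threshold, so a flagged license is a lead to investigate.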


