It happens that you are reluctant to provide the source codes of projects that you have developed. To do this, you can use obfuscator programs, which were discussed recently.
And it happens that you don’t want to close the source code so much as you want to protect the script from copying. In my opinion, hiding the source code, in most cases, does not make sense without copy protection. Some obfuscators that encrypt the code (and not just distort it) have the ability to lock the script for a specific domain or IP address. But, firstly, we don’t want to re-encrypt all the sources for each domain? Secondly, I was able to unlock this protection with one line at the beginning of the script:
$_SERVER['HTTP_HOST']='allowed domain';
I searched the Internet for a long time for a copy protection solution. This question was often discussed on forums, mostly by beginners, and experienced (apparently) programmers answered “You’re a fool, who needs your code. Learn the hardware, and in general PHP scripts are worth nothing!” Well, I thought. Probably really not possible. But wait, the same Bitrix (ugh) issues licenses for individual sites, and you receive open source code after purchasing a license. What's stopping you from copying it to several of your sites? I don’t know, but if you know, please tell me.
As a result, I had to do copy protection myself. I set the following initial conditions for the task:
The script, obviously, must be encrypted, for example by Zend. But I liked Lock It - firstly, it does not require Zend Optimizer, and, secondly, it is inexpensive. But now we are not talking about how to encrypt the script, but how to protect it from copying. So let's move on and just assume that the source code is closed. Obviously this is a necessary condition.
I want to issue a key (I'll call it a license) for each instance of the script. That is, I want to give each person only a license, and let the script lie around in the public domain.
The license is tied to the domain, but if the domain has synonyms, the script should also work when accessed through them. The main thing is that it is the same instance of the script.
No connections to another (my) server. The script must be self-contained.
No script trust in server or environment variables during license verification. They can be easily overridden.
Solution
1. Issuing a license and checking the validity of the license with a script
I create a key to the domain approximately this way:
$key = md5($domain.$secretword);
The script checks its license like this:
$key == md5($domain.$secretword);
Indeed, it is not nice to store $secretword in the scripts themselves. Therefore, public key encryption can be used here. When issuing a license, I will sign it with my private key, and the script, when checking the license, will use the public key to check the validity of the license. But I didn't find any public key encryption functions in the standard PHP package, not even RSA (am I blind?). If you help, I will be grateful.
So, the script verified that the license was correct. That is, whether the specified key matches the specified domain. Go ahead.
2. Checking the domain
How can a script check whether it belongs to the specified domain? We do not have trust in $_SERVER['HTTP_HOST'].
Also, according to the conditions - no connections to another server. This means that we connect to ourselves using the supposed domain, and check whether we are there.
Or more precisely:
1) save a random number on the server (for example, in a temporary file)
2) contact the address our_domain.ru/our_script.php?action=tell_number
3 ) we check what number they give us at this address. If it corresponds to what we saved, then we are at address
0) the zero point must be added to the return of the saved number, if we were called with the parameter action=tell_number
I simplified the algorithm a little, in fact, for each call to the script we need to separately take into account these random numbers.
Now the script knows that the license is valid and that it resides on the appropriate domain. The main problem is solved!
You tell me - wtf, the script will pull itself every time it is accessed? Indeed, somehow cruel. Therefore:
3. Temporary license
On the first call, if the check was successful, the script saves a temporary license in a temporary file.
A temporary license is something like md5(today_date, domain, secret word).
Now, with each request, we only check for a temporary license, which is valid for a day. As soon as there is something wrong with the temporary license (changed, deleted, a day has passed), the script will again check everything seriously and save the new temporary license.
4. Running the script on the local computer without a license
It would be ideal if the script did not require a license when running on the local computer. Why, one might ask, would a person require a license from me if he just wants to test the script on his computer? He must download it and use it. But when he puts the script on the server, then he will come to me.
I don't know how to solve this problem. I have 3 solutions so far, but I don’t like them:
1) If the script is on a domain without dots (such as http://myscript/) — consider that this is a virtual domain, which means that this is most likely local testing. The disadvantage of this method is that craftsmen will create a virtual domain on their server, and make the real domain a synonym. Also, it is not clear what to do with the localhost domain.
2) Checking $_SERVER["REMOTE_ADDR"]. We check for the presence of '127' at the beginning of the IP address. The disadvantage is that you can override this variable before executing the script.
3) It's funny, but you can check the server's operating system. And allow execution under Windows . Just don't hit me, it's just an option.
And it happens that you don’t want to close the source code so much as you want to protect the script from copying. In my opinion, hiding the source code, in most cases, does not make sense without copy protection. Some obfuscators that encrypt the code (and not just distort it) have the ability to lock the script for a specific domain or IP address. But, firstly, we don’t want to re-encrypt all the sources for each domain? Secondly, I was able to unlock this protection with one line at the beginning of the script:
$_SERVER['HTTP_HOST']='allowed domain';
I searched the Internet for a long time for a copy protection solution. This question was often discussed on forums, mostly by beginners, and experienced (apparently) programmers answered “You’re a fool, who needs your code. Learn the hardware, and in general PHP scripts are worth nothing!” Well, I thought. Probably really not possible. But wait, the same Bitrix (ugh) issues licenses for individual sites, and you receive open source code after purchasing a license. What's stopping you from copying it to several of your sites? I don’t know, but if you know, please tell me.
As a result, I had to do copy protection myself. I set the following initial conditions for the task:
The script, obviously, must be encrypted, for example by Zend. But I liked Lock It - firstly, it does not require Zend Optimizer, and, secondly, it is inexpensive. But now we are not talking about how to encrypt the script, but how to protect it from copying. So let's move on and just assume that the source code is closed. Obviously this is a necessary condition.
I want to issue a key (I'll call it a license) for each instance of the script. That is, I want to give each person only a license, and let the script lie around in the public domain.
The license is tied to the domain, but if the domain has synonyms, the script should also work when accessed through them. The main thing is that it is the same instance of the script.
No connections to another (my) server. The script must be self-contained.
No script trust in server or environment variables during license verification. They can be easily overridden.
Solution
1. Issuing a license and checking the validity of the license with a script
I create a key to the domain approximately this way:
$key = md5($domain.$secretword);
The script checks its license like this:
$key == md5($domain.$secretword);
Indeed, it is not nice to store $secretword in the scripts themselves. Therefore, public key encryption can be used here. When issuing a license, I will sign it with my private key, and the script, when checking the license, will use the public key to check the validity of the license. But I didn't find any public key encryption functions in the standard PHP package, not even RSA (am I blind?). If you help, I will be grateful.
So, the script verified that the license was correct. That is, whether the specified key matches the specified domain. Go ahead.
2. Checking the domain
How can a script check whether it belongs to the specified domain? We do not have trust in $_SERVER['HTTP_HOST'].
Also, according to the conditions - no connections to another server. This means that we connect to ourselves using the supposed domain, and check whether we are there.
Or more precisely:
1) save a random number on the server (for example, in a temporary file)
2) contact the address our_domain.ru/our_script.php?action=tell_number
3 ) we check what number they give us at this address. If it corresponds to what we saved, then we are at address
0) the zero point must be added to the return of the saved number, if we were called with the parameter action=tell_number
I simplified the algorithm a little, in fact, for each call to the script we need to separately take into account these random numbers.
Now the script knows that the license is valid and that it resides on the appropriate domain. The main problem is solved!
You tell me - wtf, the script will pull itself every time it is accessed? Indeed, somehow cruel. Therefore:
3. Temporary license
On the first call, if the check was successful, the script saves a temporary license in a temporary file.
A temporary license is something like md5(today_date, domain, secret word).
Now, with each request, we only check for a temporary license, which is valid for a day. As soon as there is something wrong with the temporary license (changed, deleted, a day has passed), the script will again check everything seriously and save the new temporary license.
4. Running the script on the local computer without a license
It would be ideal if the script did not require a license when running on the local computer. Why, one might ask, would a person require a license from me if he just wants to test the script on his computer? He must download it and use it. But when he puts the script on the server, then he will come to me.
I don't know how to solve this problem. I have 3 solutions so far, but I don’t like them:
1) If the script is on a domain without dots (such as http://myscript/) — consider that this is a virtual domain, which means that this is most likely local testing. The disadvantage of this method is that craftsmen will create a virtual domain on their server, and make the real domain a synonym. Also, it is not clear what to do with the localhost domain.
2) Checking $_SERVER["REMOTE_ADDR"]. We check for the presence of '127' at the beginning of the IP address. The disadvantage is that you can override this variable before executing the script.
3) It's funny, but you can check the server's operating system. And allow execution under Windows . Just don't hit me, it's just an option.