How can I Protect my Script? licensing scripts

23 replies
Hey Warriors,

I have a script I am currently working on, and I will need to set up a recurring payment in order to use it. Any ideas on how I can set this up so if the payment is not made they are not able to use it?

I know there is usually a way around these types of things, I am just after protection for the majority of the users.

thanks

EDIT*
Or even something similar to amember where they have a member script that you can only set up 1 per domain and would need to buy a second license to add it to another domain.

I am not referring to a Membership script, I am referring to the sale of scripts and limiting the user's use of that script.
  • fantasyzer
    What type of script? If you mean PHP, using $session variables is usually a good idea, and make use of user management; this way you will isolate every user to its own details.
  • nevadasoft
    If it's PHP you can use the ioncube encoder - you can protect your code making it very difficult (but not impossible) to modify. Then issue your members with a licence key to activate the software. Do a callback each time the script is used (so called "calling home") to a script that checks the licence key - if they haven't paid you deactivate their licence key at your end so the callback doesn't return a valid activation code and the software stops working.

    You can also use ioncube to lock the script to a particular domain if you just want to sell it on a "1 install per domain" basis.
    • CarloD.
      Hey,

      Thanks for the replies,

      It's a template system with a membership script built in. Instead of selling it and the user can do whatever they want with the files, encoding it is a good idea. I am aware that it's not 100% stoppable, plus I'm catering to the normal user that wouldn't know the first thing about decoding it, and second, the price is fair so there wouldn't be a need to try and "hack" it to get it free.

      I just want to set up a couple packages where they pay XX amount of dollars for XX amount of licenses. I'll take a look at ioncube encoder with a callback is what I am after.
  • CarloD.
    I guess encoding is not needed 100%, that would just be to prevent altering the script. Could I just use a callback to set up licensing? If so, are there any resources on callbacks for this? I have never used it.
    • CarloD.
      Well,

      After some more research, I am thinking maybe I'll obfuscate my code, and have a script running under my main domain, something like auth.domain.com, that is built into the script. Then when the user registers they can add a domain, submit it, and they will be given an auth code that is stored in a database.

      That way when the product script runs, it checks my database for matching variables, if it returns true it runs, otherwise invalid.

      Yes, they could still decrypt and strip out the part that connects to my script, however the majority of people probably will not go through that work...
      Also the way the product script is built, they would have to modify the entire thing, (lots of files) to correct all if else statements if they modify the file that checks my site.

      Any opinions here? I really don't want to spend 200-300 on a script that does essentially the same thing, and seems in other php forums everyone just says they can still decode if they wanted to blah blah....

      Even though licensing is a common thing it's not 100%???

      So ya, I would rather do my own with the same results.
      • fantasyzer
        Originally Posted by CarloD.:
        "After some more research, I am thinking maybe I'll obfuscate my code..."

        You don't have to worry anyone will see your PHP code, this is completely protected by your server, as long as PHP is able to run.
        • CarloD.
          "You don't have to worry anyone will see your PHP code, this is completely protected by your server, as long as PHP is able to run"

          Sorry but not at all what I am after... I am aware PHP is executed server side. I am selling a script and need to limit it to a Per Domain license.

          Meaning if you buy it, you can only use it on One domain.
  • HONUware
    I am in the same boat as you. I need some way of checking licenses remotely and disable if needed.

    I found a couple scripts that will do that, but either the support was crappy or the software is not currently sold.

    As I look for and hopefully find a solution, I will keep you posted. Please do the same for me.

    If you do your own thing, remember to allow the script to run even if it can't contact your server for a period of time so your customers are not dead in the water if your server is down. Just a thought.
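HONUware's suggestion above (keep the script working for a while when the licence server cannot be reached), as an added example that is not code from any poster in the thread. The grace window, the state-file layout and the timeline are assumptions made for illustration; an explicit refusal from the server ends the grace period, only an outage uses it.

```php
<?php
// Added example. GRACE_SECONDS, the state layout and the timeline are constructed.
const GRACE_SECONDS = 3 * 86400;

// $answer: body returned by the licence callback ("true" or anything else),
//          or null when the server could not be reached.
// $state:  ['last_ok' => unix time of the last confirmed-valid check]
function licence_decision(?string $answer, array &$state, int $now): string
{
    if ($answer === 'true') {            // server confirmed the licence
        $state['last_ok'] = $now;
        return 'allow';
    }
    if ($answer !== null) {              // server answered and refused:
        $state['last_ok'] = 0;           // an explicit "no" ends any grace period
        return 'deny';
    }
    // Server unreachable: fall back to the last confirmed check.
    $lastOk = $state['last_ok'] ?? 0;
    if ($lastOk === 0 || $now < $lastOk) {
        return 'deny';                   // never validated, or clock moved backwards
    }
    return ($now - $lastOk <= GRACE_SECONDS) ? 'allow-grace' : 'deny';
}

function load_state(string $file): array
{
    $data = is_file($file) ? json_decode((string) file_get_contents($file), true) : null;
    return is_array($data) ? $data : ['last_ok' => 0];
}

function save_state(string $file, array $state): void
{
    file_put_contents($file, json_encode($state), LOCK_EX);
}

// Constructed timeline: good check, short outage, long outage, recovery, refusal, outage.
$file = sys_get_temp_dir() . '/licence_state_demo.json';
@unlink($file);
$t0 = 1700000000;
$steps = [[$t0, 'true'], [$t0 + 86400, null], [$t0 + 4 * 86400, null],
          [$t0 + 5 * 86400, 'true'], [$t0 + 6 * 86400, 'false'], [$t0 + 6 * 86400 + 60, null]];
foreach ($steps as [$now, $answer]) {
    $state = load_state($file);
    $result = licence_decision($answer, $state, $now);
    save_state($file, $state);
    printf("t+%5.2fd  answer=%-5s -> %s\n", ($now - $t0) / 86400, $answer ?? 'none', $result);
}
```

The state file sits on the customer's server, so treat the grace window as an availability measure rather than an enforcement control.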
  • nevadasoft
    Yes it's true there are people out there who can break any type of encryption you can apply to your script but it's still worth doing as the vast majority won't have a clue. Personally I've used ioncube to protect my products via licence key and don't see a better alternative.

    The callback is very simple, just a request to a script on your server with the user's licence key - your script should then decode the licence key and check the calling domain is licenced to use it (obviously the licence key needs to have the licenced domains inside it, along with any other info you need like their username).
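The server side of the callback described above, where the licence key itself carries the licensed domains, as an added example that is not nevadasoft's or any other poster's code. The key format (base64 JSON plus an HMAC), the `paid_until` field standing in for the recurring payment, the secret and all sample values are assumptions; a database lookup that deactivates a key, as the thread describes, would sit alongside this check.

```php
<?php
// Added example. SECRET, the payload fields and all sample values are
// constructed; SECRET exists only on the licence server.
const SECRET = 'constructed-demo-secret';

// Key = base64(JSON payload) . "." . hex HMAC-SHA256 of that base64 text.
function issue_licence(string $user, array $domains, int $paidUntil): string
{
    $payload = base64_encode(json_encode(
        ['user' => $user, 'domains' => $domains, 'paid_until' => $paidUntil]
    ));
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// $callingDomain is the domain the customer script reports in the callback.
function check_licence(string $key, string $callingDomain, int $now): string
{
    $parts = explode('.', $key, 2);
    if (count($parts) !== 2) {
        return 'malformed';
    }
    [$payload, $mac] = $parts;
    // Verify the MAC before decoding anything; hash_equals is constant-time.
    if (!hash_equals(hash_hmac('sha256', $payload, SECRET), $mac)) {
        return 'bad-signature';
    }
    $data = json_decode((string) base64_decode($payload, true), true);
    if (!is_array($data)) {
        return 'malformed';
    }
    if ($now > $data['paid_until']) {
        return 'expired';                // recurring payment has lapsed
    }
    $host = strtolower(preg_replace('/^www\./i', '', trim($callingDomain)));
    return in_array($host, $data['domains'], true) ? 'valid' : 'wrong-domain';
}

// Constructed demo: one licence for example.com, paid up to 2030-01-01 UTC.
$key = issue_licence('demo-user', ['example.com'], gmmktime(0, 0, 0, 1, 1, 2030));
$now = gmmktime(0, 0, 0, 6, 1, 2029);
foreach (['example.com', 'WWW.Example.com', 'other.example'] as $domain) {
    echo $domain, ' => ', check_licence($key, $domain, $now), PHP_EOL;
}
echo 'after paid_until => ', check_licence($key, 'example.com', $now + 366 * 86400), PHP_EOL;
echo 'edited key => ', check_licence('x' . $key, 'example.com', $now), PHP_EOL;
```

The key contains `+`, `/` and `=` characters, so the calling script should pass it through `urlencode()` before putting it in the callback URL.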
    • CarloD.
      I assumed it was something like that, I just don't want to pay 300 dollars for ioncube when I can obfuscate myself and set up my own callback.

      I'll have to set up a testing auth script that hits a database with the domain/key info in it that would be generated on purchase of the script.

      But nonetheless, I was thinking of using ioncube if I need to go the paid route as I have heard good things.
      • CarloD.
        "The callback is very simple, just a request to a script on your server with the user's licence key - your script should then decode the licence key and check the calling domain is licenced to use it (obviously the licence key needs to have the licenced domains inside it, along with any other info you need like their username)."

        I am not too familiar with callbacks. Can I do this specifically with PHP, or should I be using AJAX to send the request? Any direction would be useful.

        thanks
  • Johnny Slater
    You can do call backs with php. You would have the script call a page on your server and have the call url append the license key to it.. ie. mypage.php?license=4t4rfwefasd

    The page on your server can look at the domain who called it and match that to the license key. If the key and domain do not match then your page sends back an error and the script stops running.

    Simplified example but it should give you an idea of how it works.
    • CarloD.
      "You can do call backs with php. You would have the script call a page on your server and have the call url append the license key to it.. ie. mypage.php?license=4t4rfwefasd

      The page on your server can look at the domain who called it and match that to the license key. If the key and domain do not match then your page sends back an error and the script stops running.

      Simplified example but it should give you an idea of how it works."

      Thanks, definitely paints a picture, no clue how to go about it though... After some more searching it's sounding like cURL is the best solution for communicating with other servers. This may be a harder task than expected.
  • nevadasoft
    I use Curl and it's very easy to use for simple http requests. I'll post my code if you want it.
    • CarloD.
      Sure,
      thanks

      Like I said, I am not after a 100% foolproof system, I just want the general user to have to buy the script, and somehow when they upload it to their server it has to check my DB if they are an existing customer, if not say invalid license...

      If you are not comfortable posting it here, PM me. Perhaps it would be useful for others though if you do post here.

      thanks again,
  • dealbert.net
    All so-called PHP encoders are NOT 100% secure from decrypting unless they use a loader on the web server.. even then, it is not 100% secure. You certainly don't want your script to "phone home" every time the script is running. It's too much trouble for users. Users could be testing it locally without an Internet connection.

    In the past, I used Zend Optimizer. It was very good, but does require a loader called running on the web server. The downside is some users don't have permission to install PHP plugins on a shared host server.

    Here's a list of encoders I came across before, just google them to find out more:
    - Zend Optimizer
    - Source Cop
    - True Bug
    - PHP Lock
    - IonCube

    Good luck,
    Rich
    dealbert.net
    • ussher
      do what nevadasoft said in post #3:
      http://www.warriorforum.com/programm...ml#post2568763

      It doesn't have to be on all pages, just do the check when they go to log in.

      The login page will be the only one that needs to be ioncube encoded.

      You can encode a single page using the online encoder for $0.50.

      Don't need to buy the full encoding system.
  • CarloD.
    I've got this semi working now, I added it to my login page for the admin panel of the script. So if they want to do anything with it...they need to log in.

    I'm using cURL to pass the license key to my domain, and then the script runs and checks the database for a match, that outputs back to the user's domain, if it's True, the login continues, otherwise it returns an error message....invalid license...

    Right now I am only passing a key, I still need to lightly encrypt it, and also pass the domain. That way the license will be attached per domain.
  • nevadasoft
    Good to hear you've got it working.

    Just a few points that might help:

    1) You certainly do want to be checking the licence key even when running locally, otherwise you're leaving the door wide open for anyone to run your software without a licence (if they know how to install locally, which most don't but it's as easy as installing WAMP so anyone can learn to do this).

    2) As ussher said I recommend using a callback for certain functions - for example I allow my scripts to run uninterrupted but do a callback when the user is logging in to the software's admin panel. That way the callback doesn't cause any performance issues.

    3) Ioncube's decoder is installed by default by many hosts (e.g. Hostgator) and even if it isn't then the ioncube loaders can be distributed along with your script. You may find the odd person who can't run an ioncubed script, my solution is to issue a test script they can use before purchase to test compatibility. In my experience ioncube causes very few compatibility problems, whether it's on a shared host or vps/dedicated.
    • CarloD.
      "1) You certainly do want to be checking the licence key even when running locally, otherwise you're leaving the door wide open for anyone to run your software without a licence (if they know how to install locally, which most don't but it's as easy as installing WAMP so anyone can learn to do this)."

      Here is what I am doing after they try to login

      *code missing...the editor deletes stuff
      PHP Code:
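      // Variable names and query-string values were stripped by the forum editor;
      // $ch, $response, $licenseKey and $domain are reconstructed placeholders.
      $ch = curl_init();
      curl_setopt($ch, CURLOPT_URL, "http://auth.domain.com/authcheck.php?send_auth="
          . urlencode($licenseKey) . "&send_domain=" . urlencode($domain));
      curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 2);   // give up after 2 s if the auth server is unreachable
      curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);   // return the response body instead of printing it
      $response = curl_exec($ch);
      curl_close($ch);

      if (empty($response))
      {
          // No answer (false or empty body): reported as maintenance, login is refused
          print "Sorry, AuthServ is performing maintenance.....<p>";
      }
      else
      {
          if ($response == "true") {
              // licence valid: the normal login check continues here
          }
      }
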
      If it's true it checks the login details. If they are running locally they won't be able to get in because I check for authentication first. The only way around would be to remove the code, but even then I will be obfuscating the login page, so it would be difficult to do a workaround.

      Unless I am missing your point...that's possible.

      "2) As ussher said I recommend using a callback for certain functions - for example I allow my scripts to run uninterrupted but do a callback when the user is logging in to the software's admin panel. That way the callback doesn't cause any performance issues."

      Ya, this is done on login, however if my server is down it will report that it's currently under maintenance. So the user won't be able to log in to the admin area but the site will still be live.

      "3) Ioncube's decoder is installed by default by many hosts (e.g. Hostgator) and even if it isn't then the ioncube loaders can be distributed along with your script. You may find the odd person who can't run an ioncubed script, my solution is to issue a test script they can use before purchase to test compatibility. In my experience ioncube causes very few compatibility problems, whether it's on a shared host or vps/dedicated."

      I still need to look into this.

      thanks by the way.
  • nevadasoft
    What I meant about checking locally is "don't not check locally" as a previous poster recommended...in other words no special exception in the code that allows the script to run without authentication if running locally.

    Oh and as ussher mentioned you can encode files online with the ioncube online encoder, what I do is encode my licence checking code and mysql database code, I leave the rest in plaintext, that way I can re-use the ioncube'd stuff over and over again in other projects without buying the full encoder!
  • MarketTrader
    Is anyone looking to hire someone to do his protection?
    • CarloD.
      I'm currently building it. In fact have it working now!