Friday, January 23, 2015

Protect PHP scripts from copying

1. Issuance of licenses and license validation script

I create a key for the domain roughly as follows:
$key = md5($domain . $secretword);

The script checks its license as follows:
$key == md5($domain . $secretword);

Admittedly, it is ugly to store $secretword in the scripts themselves. Public-key cryptography can be used instead: when issuing a license, I sign it with my private key, and the script that validates the license uses the public key to check that the license is valid. But I did not find any public-key encryption functions in the standard PHP package, not even RSA (am I blind?). If you can help, I will be grateful.
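The signing scheme described above, as an added example that is not the author's code. It assumes PHP's OpenSSL extension is loaded; the function names issue_license and verify_license, the license format (a base64 signature over the lower-cased domain) and the sample domains are hypothetical.

```php
<?php
// Added example: issue and validate a per-domain license with an RSA signature.
// Requires the OpenSSL extension. Function names and license format are hypothetical.

// Vendor side: sign the normalized domain with the private key, which never ships.
function issue_license(string $domain, $privateKey): string
{
    if (!openssl_sign(strtolower($domain), $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

// Script side: only the public key (PEM text) is embedded in the distributed code.
function verify_license(string $license, string $domain, string $publicKeyPem): bool
{
    // Strict decoding rejects licenses containing non-base64 characters.
    $signature = base64_decode($license, true);
    if ($signature === false || $signature === '') {
        return false;
    }
    // openssl_verify returns 1 (valid), 0 (invalid), -1 or false (error).
    // Accept only 1, so an error is never mistaken for success.
    return openssl_verify(strtolower($domain), $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed demo: a throwaway key pair stands in for the vendor's real one.
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($key === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($key)['key'];

$license = issue_license('example.com', $key);

var_dump(verify_license($license, 'Example.COM', $publicPem));     // licensed domain, different case
var_dump(verify_license($license, 'other.example', $publicPem));   // license reused on another domain
var_dump(verify_license('not base64!', 'example.com', $publicPem)); // malformed license string
```

With this scheme the distributed script contains no secret word, so a license for one domain cannot be recomputed for another domain from what ships with the script.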

So, the script has checked the correctness of the license, that is, that the specified key matches the specified domain. Moving on.

2. Checking the domain

Can the script check whether it is really running on the specified domain? We cannot trust $_SERVER['HTTP_HOST'].
One of the conditions is that there are no connections to other servers. So the script connects to itself at the claimed domain and checks whether it is really there :)

To be more precise:
1) store a random number on the server (for example, in a temporary file)
2) request nash_domen.ru/nash_skript.php?action=skazhi_chislo
3) check which number is returned at this address. If it matches the one we stored, then we are on that domain :)
0) as step zero, the script must return the stored number when it is called with the parameter action=skazhi_chislo
I have simplified the algorithm a little; in fact, these random numbers need to be tracked separately for each call to the script.

Now the script knows that the license is valid and that it is on the appropriate domain. The main problem is solved!

You will say: wtf, the script will call itself on every request? Indeed, that is rather brutal. That is why:

3. Temporary License

The first time, if the check succeeds, the script saves a temporary license in a temporary file.
The temporary license is something like md5(today's date, domain, secret word).
Now on every request we check only the temporary license, which is valid for one day. As soon as something is wrong with the temporary license (it was changed, deleted, or is more than a day old), the script checks everything again in full and saves a new temporary license.

4. Execution of the script on the local computer without a license


It would be ideal if the script did not require a license when running on a local computer. Why should a person have to ask me for a license if he just wants to test the script on his own computer? He should be able to download it and use it. But when he puts the script on a server, then he will come to me.

I do not know how to solve this problem. So far I have 3 possible solutions, but I do not like them:
1) If the script is on a domain without dots (such as myscript/), assume that it is a virtual domain, so the site is most likely being tested. The disadvantage of this method: crafty people will create a virtual domain on the server and make the real domain an alias for it. I also do not understand what to do with the localhost domain.

2) Check $_SERVER['REMOTE_ADDR'] for '127' at the beginning of the IP address. Drawback: this variable can be overridden before the script runs.

3) It's funny, but you can check the server's operating system and allow execution under Windows. Just don't hit me, it's only an option.
