Licensing

[codingmasterRS]

Hi guys,

So I have some PHP script which accesses an external DB to get licensing data and then cross references with the local DB. Now I need a way to get the data from the external DB so that someone cant just alter the code and get everyones details, any ideas how this can be done?

 

Thanks in advance.

[Adam]

What database platform? Whether the DB is hosted locally or remotely, you should still be able to access it using the same/normal method. In-fact it's pretty common for a hosting provider to host the database remotely on a different server.

[codingmasterRS]

Okay MrAdam, you seem to have interpreted my question wrong.

 

1) I have built a PHP program

2) the PHP program uses MySQL DB (local DB)

3) The PHP program calls my MySQL DB (external DB) to cross reference for licensing

 

My question is how can I make it so that when I call to get content from externalDB how can I make it so someone can not just go and alter the code to get all peoples records from the DB/table?

 

Thanks

[Wolphie]

For somebody to alter the code (unless your code has bugs and security flaws within it) they would need your FTP login details in order to physically edit the PHP code. However, if your code is prone to MySQL injections (which you should have tested against and fixed) then you shouldn't need to worry unless your remote database server also has security flaws.

 

In terms of "secureness", it's no different than hosting a database locally.

[codingmasterRS]

no the code is licensed and can be put on their server, see my problem :-). I was thinking maybe a reciever variable which is populated after a include from a URL with a "PIN" so you would need the correct PIN for it to send the code back?

[Wolphie]

I'm not sure if I'm understanding this correctly. You've written a product, which you're making available for people to buy and then download. It's licensed so you don't really want people downloading it for free? Or you don't want people to get your customer details from the database?

 

If you don't want people downloading it for free, then when they make a purchase, send them an e-mail with a uniquely generated key but only generate it when the customer has made the payment. Once that's been done, you can give them a URL containing the key which will allow them to download the file. Once it's been downloaded you can either remove the key so that it can't be re-used. I guess that's up to you.

 

In terms of people not getting customer details from the database, well that all depends on how secure the website is that you're selling the product on.

[codingmasterRS]

okay Wolphie, you have it partly right.

Yes people will pay, put apart from the download I want another way to stop them from just giving it to other people, hence the license DB cross check.

[Adam]

You could limit incoming connections to specific addresses? Then allow each custom to access an admin area on your website and set their address. That won't prevent them giving it somebody else (if you're giving them something, you have absolutely no way of physically stopping them doing that) but it will make the product unusable. At least it will if I'm following you right.

[codingmasterRS]

going to make a cross domain reciever file and a PIN code for each which is sent and then computed to validate if they may check the variable and then will only return the one with that PIN and other details exact match.

 

SOLVED

[Adam]

What if they give them their PIN too?

[codingmasterRS]

at this point more worried if they do a SELET * with no where and get all peoples data, might worry about the rest later

[Wolphie]

I would suggest only allowing certain hosts which are verified by your server/database. For example, you give the client a PIN to use, and if that PIN is verified with that host then all is good, otherwise make the application unusable.

[codingmasterRS]

I have a licensing DB and just want to make it secure for authenticating valid license credentials

[Adam]

Perhaps rather than giving them full (or restricted) access to the database, you should pipe the requests through an API. That way you'll have much more control over the queries they try.

[codingmasterRS]

yeah I was thinking about developing an API, suggestions on how MrAdam?

[Adam]

Through some form of input (e.g. XML (or SOAP), JSON, URL parameters, etc.) you need have some form of "language" if you like that defines what it is they need. Without knowing anything about the queries or data the user would need though, I can't really give any suggestions.