Way To Protect PHP Source Code, Encrypt?

[JustinK101]

Hello, I am devolping a commerical PHP application and I have a php function which does my license check. It basically connects to my database and verify the license_key they have entered, matches a valid license key that I stored in my database.

The problem is, anybody with a little brains can go searching through my functions.php file and find the function that does the check and remove it. Bam, they don't a license anymore. Is there a way to make my entire functions.php file encryped, i.e. so you can open it up and see all the source?

Thanks much.

[AndyB]

Yes, but not for free - which shouldn't really bother you if it's a commercial application.

http://www.phpaudit.com
https://www.olate.co.uk/index.php

[JustinK101]

Andy,

Thanks, after viewing these sites, these products are much more then I need, they are full distrubution and tracking software. I simply need a way to hide one file functions.php. Perhaps I could cheat a little, and not make it 100% secure, but have it work against the noob coders.

How about encrypting the functions.php file, then on the fly from php decrypt the file when I access it? Any other ideas are welcomed.

[mainewoods]

You could add some code in an unexpected place to check for a change in the file size of the function.php file and then give an ambiguous error message and instruct them to contact you in order to continue using the program.  You could even better make an md5 hash of the file and then check for a change in that in some unexpected places.

that would only protect the function.php file, you would also have to protect the code that calls it as a modification there can reroute security as well.  Similiar methods can be used for that though.

[JustinK101]

Well if they remove the include of functions.php the aplication will not work correctly, so I figure securing funtions.php is good enough.

[tomfmason]

Here is something that I just found. I am going to test it and see what happens. It claims to be an opensource encoder.

Give it a shot [url=http://www.byterun.com/free-php-encoder.php]http://www.byterun.com/free-php-encoder.php[/url]

Like I said I have yet to try this but I will.

Hope this helps,
Tom

[AndyB]

If it's a [b]commercial[/b] application then a real encoding/protection scheme is what helps protects your time investment as well as protecting against 'noobs' who scope out code or simply copy it and distribute it for free. I too have a commercial application in final beta testing, and my partner spent a considerable amount ot time researching protection and decided those two were the best, with phpAudit the preferred solution for us.  Given that the lite version's free, we'll be trying that first to see how it 'looks and feels'.

Give us some feedback on Tom's suggestion as that might be worth considering for some 'low level' commercial apps we're developing as well.

Oh, the link Tom gave also has an html 'encoder' that can stop right clicks and everything. My hopes that their php encoder is useful just dropped to near zero.

[mainewoods]

but in the file that includes the functions.php file there will somewhere be a call to your security function like:
[code]$passed = checklicense($enterbyuser); //calls your function
[/code]
if I just change that line to:
[code]$passed = true; //checklicense($enterbyuser);
//complete bypass of license system accomplished!
[/code]

[tomfmason]

I tested that encoder. Maybe I did something wrong but I got the following error.

[quote author=php error]

Parse error: parse error, unexpected $ in \test_function.php(1) : eval()'d code(1) : eval()'d code on line 6

[/quote]


Here is the test_function.php before encodding

[code]
<?php
function test_message($word) {
     $message = "The word that you sent to this function is <b>$word</b>";
     return $message;
}
?>[/code]

and here is what it looked like afterwords.

[code]
<?php $_F=__FILE__;$_X='Pz48P3BocA0KZjNuY3Q0Mm4gdDVzdF9tNXNzMWc1KCR3MnJkKSB7DQogICAgICRtNXNzMWc1ID0gIlRoNSB3MnJkIHRoMXQgeTIzIHM1bnQgdDIgdGg0cyBmM25jdDQybiA0cyA8Yj4kdzJyZDwvYj47DQogICAgIHI1dDNybiAkbTVzczFnNTsNCn0NCiA/Pg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>[/code]

Here is how I called the function

[code]
<?php
include("test_function.php");
$word = "test";
$message = test_message($word);
echo $message;
?>[/code]

I got the following error:

Fatal error: Call to undefined function: test_message()


So as it seems this is worthless. Ether that or I am not doing something correctly

Tom

[AndyB]

$message = "The word that you sent to this function is <b>$word</b>; <- the quote is never closed :)

[tomfmason]

yea lol. I closed it in the orginal. I just made a typo here

[tomfmason]

LOL I guess I didn't. I retried it and it worked just fine...lol

I luv it when I make my self look like an idiot..

lol.. So for the record it does work.

Tom

[JustinK101]

Sweet, I'll have to give this a try.

Also, mainewoods,

My key checking function would not return a variable, like isValid. It would do something like:

if(mysql_num_rows($result) == 0)
{
  die("Fatal Error: Invalid license.");
}

The script would stopp executing very early, the application would be worthless.

[AndyB]

No worries, Tom. I'm well ahead of you in the "of course my code didn't work, here's the real version" race.

[mainewoods]

so what if I just commented out the call to that function in the code?

[code]//checksecurity($license); //commented out will not be called[/code]
by the way I just disected the encoded code, try this:
[code]<?php  $_F=__FILE__;$_X='Pz48P3BocA0KZjNuY3Q0Mm4gdDVzdF9tNXNzMWc1KCR3MnJkKSB7DQogICAgICRtNXNzMWc1ID0gIlRoNSB3MnJkIHRoMXQgeTIzIHM1bnQgdDIgdGg0cyBmM25jdDQybiA0cyA8Yj4kdzJyZDwvYj47DQogICAgIHI1dDNybiAkbTVzczFnNTsNCn0NCiA/Pg==';
/*
eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));
*/

echo base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==');
//the value just above converts to below which would be eval'ed in the original:
$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);

echo "<br>&nbsp;<br>$_R";
//eval($_R);$_R=0;$_X=0; //eval'ed orignally

?>[/code]

[makeshift_theory]

Well the way I encrypt thing is a bit different, I use htaccess with my server to limit ip's that are allowed access to those specific folders.    Basically what I'm saying is put the db or .dat file in a folder with specific htaccess limits and use your php install file to set the ip's that have access to the functions that have the licensing code.  I know this isn't exactly a php solution but I find it to be useful. 

PS> I just got a new laptop, my mom's fiancee only bought it to go to the islands to watch movies and take pictures.  So I said I would  back it all up if I could have it since he doesn't use it and he agreed haha =).  It's a Turion 64 processor running @ 2.0 ghz it's not to bad and who doesn't love free things =).

[AndyB]

[quote author=makeshift_theory link=topic=108326.msg435792#msg435792 date=1158450154]
Well the way I encrypt thing is a bit different, I use htaccess with my server to limit ip's that are allowed access to those specific folders.    Basically what I'm saying is put the db or .dat file in a folder with specific htaccess limits and use your php install file to set the ip's that have access to the functions that have the licensing code.
[/quote]

So if your server is down, the application on my site won't run?  If I don't have a static IP address, the application won't run?  That doesn't sound like a paying customer would be too thrilled with your method.

[makeshift_theory]

Well no the client's server not mine specifically, and if the application is running on that server it won't make a difference anyway, I wouldn't think lol.  No server = No application

[makeshift_theory]

Don't know if this is relevant but it was quite a interesting read:
http://www.zend.com/zend/tut/tutorial-brogdon.php#Heading4

[JustinK101]

tomfmason,

Trying to use the php encoder, did you download the demo, or use the free encoding tool. I don't get it though, I used the free encoding tool, but how do you know how to decode it? You must have download the demo right?

[AndyB]

If their html encoder protection is so good, I wonder why they didn't use it on their own site then nobody would have seen their horrible html code  ;D

[tomfmason]

lol...^..

[redarrow]

JustinK101 

as you asked if it can protect the code from a non programmer that does not no php encode softwere this product will suit you as you can use it for free, But if someone has the same program they can decript the code but to a novice there never no what program you encodded it with.

the full version lets you put a password in but the free version dosent ok.


cheek this one out

http://www.rssoftlab.com/phpenc.php

good luck.