JustinK101 Posted September 16, 2006
Hello, I am developing a commercial PHP application and I have a PHP function which does my license check. It basically connects to my database and verifies that the license_key they have entered matches a valid license key that I stored in my database. The problem is, anybody with a little brains can go searching through my functions.php file and find the function that does the check and remove it. Bam, they don't need a license anymore. Is there a way to make my entire functions.php file encrypted, i.e. so you can't open it up and see all the source?
Thanks much.
AndyB Posted September 16, 2006
Yes, but not for free - which shouldn't really bother you if it's a commercial application.
http://www.phpaudit.com
https://www.olate.co.uk/index.php
JustinK101 Posted September 16, 2006
Andy,
Thanks, after viewing these sites, these products are much more than I need, they are full distribution and tracking software. I simply need a way to hide one file, functions.php. Perhaps I could cheat a little, and not make it 100% secure, but have it work against the noob coders.
How about encrypting the functions.php file, then on the fly from PHP decrypt the file when I access it? Any other ideas are welcomed.
mainewoods Posted September 16, 2006
You could add some code in an unexpected place to check for a change in the file size of the function.php file and then give an ambiguous error message and instruct them to contact you in order to continue using the program. You could even better make an md5 hash of the file and then check for a change in that in some unexpected places.
That would only protect the function.php file; you would also have to protect the code that calls it, as a modification there can reroute security as well. Similar methods can be used for that though.
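Added example (not part of mainewoods's post or of the original thread): the file-size check and the hash check suggested above, run side by side against a constructed stand-in for functions.php, showing that an edit which keeps the byte count identical passes the size check but fails the hash check. It uses SHA-256 where the post says MD5; the function names, the `lookup()` call and the sample file content are assumptions made for illustration.

```php
<?php
// Added illustration; not code from the thread. All names here are hypothetical.

// Size-only check: passes whenever the byte count is unchanged.
function size_unchanged(string $path, int $expectedSize): bool {
    clearstatcache(true, $path);   // filesize() results are cached within a request
    return @filesize($path) === $expectedSize;
}

// Content check: SHA-256 digest (MD5 in the post), compared in constant time.
function hash_unchanged(string $path, string $expectedHex): bool {
    $actual = @hash_file('sha256', $path);
    return $actual !== false && hash_equals($expectedHex, $actual);
}

// Constructed stand-in for functions.php, written to a temp file.
$path = tempnam(sys_get_temp_dir(), 'fn_');
$original = "<?php\nfunction checklicense(\$key) {\n    return lookup(\$key);\n}\n";
file_put_contents($path, $original);

// Reference values recorded at release time.
$refSize = strlen($original);
$refHash = hash('sha256', $original);

$report = [];
$report['untouched'] = [size_unchanged($path, $refSize), hash_unchanged($path, $refHash)];

// An edit padded so that the file keeps exactly the same length.
$needle = 'lookup($key)';
$tampered = str_replace($needle, str_pad('true', strlen($needle)), $original);
file_put_contents($path, $tampered);
$report['same-size edit'] = [size_unchanged($path, $refSize), hash_unchanged($path, $refHash)];

// Missing file: both checks return false instead of raising.
unlink($path);
$report['file removed'] = [size_unchanged($path, $refSize), hash_unchanged($path, $refHash)];

foreach ($report as $case => [$sizeOk, $hashOk]) {
    printf("%-15s size check: %-4s  hash check: %s\n", $case,
        $sizeOk ? 'pass' : 'FAIL', $hashOk ? 'pass' : 'FAIL');
}
```

Both checks run as plain PHP on the customer's server, so they detect a change only for as long as the checking code itself is left unedited.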
JustinK101 Posted September 16, 2006
Well if they remove the include of functions.php the application will not work correctly, so I figure securing functions.php is good enough.
tomfmason Posted September 16, 2006
Here is something that I just found. I am going to test it and see what happens. It claims to be an open source encoder. Give it a shot:
[url=http://www.byterun.com/free-php-encoder.php]http://www.byterun.com/free-php-encoder.php[/url]
Like I said, I have yet to try this but I will.
Hope this helps,
Tom
AndyB Posted September 16, 2006
If it's a [b]commercial[/b] application then a real encoding/protection scheme is what helps protect your time investment as well as protecting against 'noobs' who scope out code or simply copy it and distribute it for free. I too have a commercial application in final beta testing, and my partner spent a considerable amount of time researching protection and decided those two were the best, with phpAudit the preferred solution for us. Given that the lite version's free, we'll be trying that first to see how it 'looks and feels'. Give us some feedback on Tom's suggestion as that might be worth considering for some 'low level' commercial apps we're developing as well.
Oh, the link Tom gave also has an html 'encoder' that can stop right clicks and everything. My hopes that their php encoder is useful just dropped to near zero.
mainewoods Posted September 16, 2006
But in the file that includes the functions.php file there will somewhere be a call to your security function like:
[code]$passed = checklicense($enterbyuser); //calls your function[/code]
If I just change that line to:
[code]$passed = true; //checklicense($enterbyuser);//complete bypass of license system accomplished![/code]
tomfmason Posted September 16, 2006
I tested that encoder. Maybe I did something wrong but I got the following error.
[quote author=php error]Parse error: parse error, unexpected $ in \test_function.php(1) : eval()'d code(1) : eval()'d code on line 6[/quote]
Here is the test_function.php before encoding:
[code]<?php
function test_message($word) {
     $message = "The word that you sent to this function is <b>$word</b>";
     return $message;
}
?>[/code]
And here is what it looked like afterwards.
[code]<?php $_F=__FILE__;$_X='Pz48P3BocA0KZjNuY3Q0Mm4gdDVzdF9tNXNzMWc1KCR3MnJkKSB7DQogICAgICRtNXNzMWc1ID0gIlRoNSB3MnJkIHRoMXQgeTIzIHM1bnQgdDIgdGg0cyBmM25jdDQybiA0cyA8Yj4kdzJyZDwvYj47DQogICAgIHI1dDNybiAkbTVzczFnNTsNCn0NCiA/Pg==';eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));?>[/code]
Here is how I called the function:
[code]<?php
include("test_function.php");
$word = "test";
$message = test_message($word);
echo $message;
?>[/code]
I got the following error:
Fatal error: Call to undefined function: test_message()
So as it seems this is worthless. Either that or I am not doing something correctly.
Tom
AndyB Posted September 16, 2006
$message = "The word that you sent to this function is <b>$word</b>; <- the quote is never closed :)
tomfmason Posted September 16, 2006
yea lol. I closed it in the original. I just made a typo here
tomfmason Posted September 16, 2006
LOL I guess I didn't. I retried it and it worked just fine...lol
I luv it when I make myself look like an idiot..lol.. So for the record it does work.
Tom
JustinK101 Posted September 16, 2006
Sweet, I'll have to give this a try.
Also, mainewoods,
My key checking function would not return a variable, like isValid. It would do something like:
[code]if(mysql_num_rows($result) == 0)
{
    die("Fatal Error: Invalid license.");
}[/code]
The script would stop executing very early, the application would be worthless.
AndyB Posted September 16, 2006
No worries, Tom. I'm well ahead of you in the "of course my code didn't work, here's the real version" race.
mainewoods Posted September 16, 2006
So what if I just commented out the call to that function in the code?
[code]//checksecurity($license); //commented out will not be called[/code]
By the way, I just dissected the encoded code, try this:
[code]<?php
$_F=__FILE__;
$_X='Pz48P3BocA0KZjNuY3Q0Mm4gdDVzdF9tNXNzMWc1KCR3MnJkKSB7DQogICAgICRtNXNzMWc1ID0gIlRoNSB3MnJkIHRoMXQgeTIzIHM1bnQgdDIgdGg0cyBmM25jdDQybiA0cyA8Yj4kdzJyZDwvYj47DQogICAgIHI1dDNybiAkbTVzczFnNTsNCn0NCiA/Pg==';
/*eval(base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw=='));*/
echo base64_decode('JF9YPWJhc2U2NF9kZWNvZGUoJF9YKTskX1g9c3RydHIoJF9YLCcxMjM0NTZhb3VpZScsJ2FvdWllMTIzNDU2Jyk7JF9SPWVyZWdfcmVwbGFjZSgnX19GSUxFX18nLCInIi4kX0YuIiciLCRfWCk7ZXZhbCgkX1IpOyRfUj0wOyRfWD0wOw==');
//the value just above converts to below which would be eval'ed in the original:
$_X=base64_decode($_X);
$_X=strtr($_X,'123456aouie','aouie123456');
$_R=ereg_replace('__FILE__',"'".$_F."'",$_X);
echo "<br> <br>$_R";
//eval($_R);
$_R=0;$_X=0; //eval'ed originally
?>[/code]
makeshift_theory Posted September 16, 2006
Well the way I encrypt things is a bit different, I use htaccess with my server to limit IPs that are allowed access to those specific folders. Basically what I'm saying is put the db or .dat file in a folder with specific htaccess limits and use your php install file to set the IPs that have access to the functions that have the licensing code. I know this isn't exactly a php solution but I find it to be useful.
PS> I just got a new laptop, my mom's fiancee only bought it to go to the islands to watch movies and take pictures. So I said I would back it all up if I could have it since he doesn't use it and he agreed haha =). It's a Turion 64 processor running @ 2.0 ghz, it's not too bad and who doesn't love free things =).
AndyB Posted September 16, 2006
[quote author=makeshift_theory link=topic=108326.msg435792#msg435792 date=1158450154]Well the way I encrypt things is a bit different, I use htaccess with my server to limit IPs that are allowed access to those specific folders. Basically what I'm saying is put the db or .dat file in a folder with specific htaccess limits and use your php install file to set the IPs that have access to the functions that have the licensing code. [/quote]
So if your server is down, the application on my site won't run? If I don't have a static IP address, the application won't run? That doesn't sound like a paying customer would be too thrilled with your method.
makeshift_theory Posted September 16, 2006
Well no, the client's server, not mine specifically, and if the application is running on that server it won't make a difference anyway, I wouldn't think lol. No server = No application
makeshift_theory Posted September 17, 2006
Don't know if this is relevant but it was quite an interesting read:
http://www.zend.com/zend/tut/tutorial-brogdon.php#Heading4
JustinK101 Posted September 17, 2006
tomfmason,
Trying to use the php encoder, did you download the demo, or use the free encoding tool? I don't get it though, I used the free encoding tool, but how do you know how to decode it? You must have downloaded the demo, right?
AndyB Posted September 17, 2006
If their html encoder protection is so good, I wonder why they didn't use it on their own site, then nobody would have seen their horrible html code ;D
tomfmason Posted September 17, 2006
lol...^..
redarrow Posted September 17, 2006
JustinK101, as you asked if it can protect the code from a non-programmer that does not know PHP encode software, this product will suit you as you can use it for free. But if someone has the same program they can decrypt the code, but to a novice, they'll never know what program you encoded it with. The full version lets you put a password in but the free version doesn't, ok. Check this one out:
http://www.rssoftlab.com/phpenc.php
Good luck.