Jump to content


Photo

Please check my code - licence keys / domain check


  • Please log in to reply
3 replies to this topic

#1 jezari

jezari
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 10 October 2006 - 06:26 PM

Hi!

I want to add licence keys and domain checking to my scripts.  I will be encrypting my scripts with codelock, so its fairly safe that my clients won't be able to pull out the code.

To provide them with a licence key, they tell me their domain (in form of a URL).  I use the URL and the name of the script to create a unique licence key for them to use...

// example data provided by client (they can also use an IP address)
$url = parse_url("http://www.example.com/etc");

$script_name = "my script name";

$host = $url['host'];

$hash = md5($host.$script_name);

// create a readable licence key with dashes separating sets of 4 characters
for ($i=0; $i<strlen($hash) / 4; $i++) {
	$hash_pieces[] = substr($hash, $i*4, 4);
}
$licence_key = implode("-",$hash_pieces);

// in this example $licence_key is created as:
// 6a9d-17ac-d0e0-1610-c14c-ba1b-7e97-2a59

Then within the script I check that the licence key is valid for the script name and domain on which they are running it...

// example data provided by client (they enter their licence key to use the script)
$licence_key = "6a9d-17ac-d0e0-1610-c14c-ba1b-7e97-2a59";

$script_name = "my script name";

$domain = $_SERVER['SERVER_NAME'];
if (empty($domain)) $domain = $HTTP_SERVER_VARS['SERVER_NAME'];
$ip = $_SERVER['SERVER_ADDR'];
if (empty($ip)) $ip = $HTTP_SERVER_VARS['SERVER_ADDR'];

$hash_1 = md5($domain.$script_name);
$hash_2 = md5($ip.$script_name);

if ($domain == "localhost"
		|| $hash_1==str_replace("-","",$licence_key)
		|| $hash_2==str_replace("-","",$licence_key) )
{
	// licence key okay - execute
} else {
	// licence key not okay - don't execute
}


I'm also considering calving off the second half of the licence key, because security doesn't need to be that tight, 16 characters (plus dashes) should be more than enough.


Thanks in advance for any feedback you guys can provide!!!  ;D

#2 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 10 October 2006 - 06:35 PM

I guess it would work. But it would be very easy to make a key generator and thereby be able to register the script without a serial from you.

#3 jezari

jezari
  • New Members
  • Pip
  • Newbie
  • 2 posts

Posted 10 October 2006 - 06:44 PM

A keygen just contains a list of known working keys, yes?

The code gets the domain on which the script is running (via $_SERVER['SERVER_NAME']) and this is used to form the licence key.  So I don't think a keygen could be used since the licence key is unique for each domain?

#4 Daniel0

Daniel0
  • Staff Alumni
  • Advanced Member
  • 11,956 posts

Posted 10 October 2006 - 06:51 PM

No. A keygen generates a serial/key that would work.

You need to keep the way you generate the key secret, so you could do this:

- User input serial in config file
- Each time the script is run it will open a connection to http://your-site.com...key.php?key=bla bla bla
- check_key.php on your server will check if the key is valid (and possibly if it is in your customer database). It will return e.g. 1 if it's valid and 0 if it isn't.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users