[SOLVED] Protecting my clients interests

[stockton]

I have developed a client/server PHP intranet system that I would appreciate being able to protect for the client but cannot think of how to do it.

Basically they may run this system on any one of their servers at any one of their many locations but I would like to make sure that if someone outside the group got their hands on this system they could not run it.

Please make suggestions on how I may achieve this. For that matter is it even possible?

 

Regards,

Alf Stockton www.stockton.co.za

[trq]

Your question is simply far too vague to answer definitively.

 

I would suggest a good firewall as well as regular OS and server updates, and thats just the tip of the iceberg.

[448191]

If I understand correctly, you want to protect the app from running at a different location than your client.

 

Best way to do that is have your app periodically check in with an external server, validate the ip and domain (not fool proof, but hey), and write a key to the drive (so you don't have to check in with the external server EVERY run). Hardcode the expiration time of the key, and encode the whole thing using Zend encoder or ioncube. The licensing info is actually on the external server (which you control), so adding new valid locations should be a snap.

 

I know a Java app that does something similar (ip based licensing).

[stockton]

My client has in place "a good firewall as well as regular OS and server updates".

 

What I am thinking of is, as the system is open source, if someone removed it from my clients site and installed it on their own server I see no reason why it would not work.

 

I would like a method whereby running it would not be an option if the system was "stolen".

 

One thought was to register the clients servers on a central site and check for registration whenever the system is run. This cannot works as any PHP programmer could get around that.

[stockton]

I would appreciate learning more about 448191's suggestion, especially the Java application spoken of.

[448191]

One thought was to register the clients servers on a central site and check for registration whenever the system is run. This cannot works as any PHP programmer could get around that.

 

Only if they have the source code. I wouldn't recommend checking registration EVERY run.

 

I don't think I'm really understanding your motivation here. You say the application is open source, so what are you protecting?

[corbin]

"This cannot works as any PHP programmer could get around that."

 

They couldn't get around it without access to the plain source code (or a lot of creativity), so that way could work.  There's always ways around a remote site check though....  Zend decrypters, the hosts file and spoofing... so on.

[stockton]

Sorry I should not have used the term Open Source.

I should have said that the source is open to my client but certainly not to anyone else.

[Daniel0]

Not even large companies like Microsoft and Adobe are able to protect their software from privacy, what are you trying to accomplish? If people really want to pirate your software then they'll find a way.

[stockton]

Good point Daniel0. I suppose that having just signed the client's NDA affected my attitude a bit.

[Daniel0]

I don't know what your agreement says, but I suppose that when you've handed the files over to them it will be their own responsibility to keep their files safe from leakage. As long as you don't give the files to anyone else I suppose you'll be fine.

[stockton]

You make a very good point and maybe I was being a bit anal.