
Protecting PHP scripts from copying - is it possible?

Sometimes you are reluctant to hand over the source code of projects you have developed. For that you can use obfuscators, which were discussed recently.

And sometimes you do not want to close the source code at all; how, then, do you protect the script from being copied? In my opinion, hiding the source code is in most cases pointless without copy protection. Some obfuscators that encrypt the code (rather than just mangle it) can lock a script to a specific domain or IP. But first, do we really want to re-encrypt all the sources for each domain? Second, I managed to unlock this protection with a single line at the beginning of the script:
$_SERVER['HTTP_HOST'] = 'allowed domain';

I searched the Internet for a copy protection solution for a long time. The question came up often on forums; mostly newbies asked it, and experienced (apparently) programmers answered: "You are a fool, who needs your code? Learn the basics, and in general PHP scripts are not worth anything!" Well, I thought, it is probably really impossible. But wait: the same Bitrix (foo) licenses individual sites, and you get open source code after purchasing a license. What prevents you from copying it to several of your sites? I do not know, and if you know, please tell me.

As a result, I had to do copy protection myself. I set the following initial conditions of the problem:

Solution


1. Issuing a license and validating a license with a script


I create the key for a domain like this:
$key = md5($domain . $secretword);

The script checks its license as follows:
$key == md5($domain . $secretword);

Admittedly, storing $secretword in the scripts themselves is ugly. So you can use public key encryption instead: when issuing a license I sign it with my private key, and the script, when checking the license, verifies it with the public key. But I didn't find any public key encryption functions in the standard PHP suite, not even RSA (am I blind?). If you can help, I will be grateful.
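The signed-license idea described above, as an added example that is not part of the original post: PHP's OpenSSL extension provides openssl_sign() and openssl_verify(), so the script only needs to carry the public key. The function names, the throwaway key pair and the domains are constructed for the demo.

```php
<?php
// Added example: a domain-bound license signed with RSA through PHP's OpenSSL
// extension. issue_license/check_license and the sample domains are made up here.

// Vendor side: sign the domain with the private key, which never ships with the script.
function issue_license(string $domain, $privateKey): string
{
    if (!openssl_sign(strtolower($domain), $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed: ' . openssl_error_string());
    }
    return base64_encode($signature);
}

// Script side: only the public key is embedded, so reading the source
// does not let anyone issue licenses for other domains.
function check_license(string $domain, string $license, string $publicKeyPem): bool
{
    $signature = base64_decode($license, true);
    if ($signature === false) {
        return false; // license is not valid base64
    }
    // openssl_verify() returns 1 (valid), 0 (invalid) or -1 (error); accept only 1.
    return openssl_verify(strtolower($domain), $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) === 1;
}

// Demo with a throwaway 2048-bit key pair generated on the spot.
$pair = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
if ($pair === false) {
    exit("OpenSSL key generation failed\n");
}
$publicKeyPem = openssl_pkey_get_details($pair)['key'];

$license = issue_license('shop.example', $pair);

var_dump(check_license('shop.example', $license, $publicKeyPem));   // the licensed domain
var_dump(check_license('other.example', $license, $publicKeyPem));  // same key, different domain
var_dump(check_license('shop.example', 'AAAA', $publicKeyPem));     // made-up license string
```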
So, the script has checked that the license is valid, that is, that the specified key matches the specified domain. Moving on.

2. Domain Check


How can the script check that it is running on the specified domain? We do not trust $_SERVER['HTTP_HOST'].
Also, by the conditions, no connections to another server are allowed. So we connect to our own intended domain and check whether we are there :)

Or rather:
1) we save a random number on the server (for example, in a temporary file)
2) we request the address our_domain.ru/our_script.php?action=say_the_number
3) we check which number that address gives us. If it matches the one we saved, then we are at that address :)
0) a step zero must be added: return the stored number if we were called with the parameter action=say_the_number
I have simplified the algorithm a little; in fact, these random numbers must be kept separately for each access to the script.
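The steps above as an added example, not the author's script. The temporary-file layout, the extra id parameter (used to keep the numbers of concurrent checks apart) and the injectable $fetch callable are assumptions of this sketch; the two stand-in fetchers are constructed so the demo runs offline.

```php
<?php
// Added example: self-request domain check. File layout, the id parameter
// and the $fetch callable are assumptions for this sketch.

function nonce_path(string $id): string
{
    return sys_get_temp_dir() . '/lic_nonce_' . $id;
}

// Step 0: answer a probe with the number stored under its id.
function answer_probe(string $id): string
{
    // Hex-only ids keep a request from pointing the path at another file.
    if (!preg_match('/^[0-9a-f]{16}$/', $id) || !is_file(nonce_path($id))) {
        return '';
    }
    return (string) file_get_contents(nonce_path($id));
}

// Steps 1-3: store a fresh number, ask the licensed domain for it, compare.
function domain_check(string $licensedDomain, callable $fetch): bool
{
    $id    = bin2hex(random_bytes(8));   // one id per check, so checks never collide
    $nonce = bin2hex(random_bytes(16));
    file_put_contents(nonce_path($id), $nonce, LOCK_EX);
    try {
        $reply = $fetch("http://$licensedDomain/our_script.php?action=say_the_number&id=$id");
        return is_string($reply) && hash_equals($nonce, trim($reply));
    } finally {
        @unlink(nonce_path($id));        // every number is single-use
    }
}

// On a web server, probes are answered before anything else runs.
if (PHP_SAPI !== 'cli' && ($_GET['action'] ?? '') === 'say_the_number') {
    $id = $_GET['id'] ?? '';
    exit(answer_probe(is_string($id) ? $id : ''));
}

// Offline demo with constructed stand-ins for the HTTP request. In production
// $fetch would perform a real GET with a short timeout.
$sameServer  = function (string $url): string {
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return answer_probe($query['id'] ?? '');
};
$otherServer = function (string $url): string { return ''; };

var_dump(domain_check('our_domain.ru', $sameServer));   // script is on the licensed host
var_dump(domain_check('our_domain.ru', $otherServer));  // licensed host does not know the number
```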

Now the script knows that the license is valid and that it lies on the corresponding domain. The main task is solved!

You will say: wtf, the script will call itself on every request? Indeed, that is rather cruel. Therefore:

3. Temporary license


On the first access, if the check was successful, the script saves the temporary license in a temporary file.
A temporary license is something like md5(today's_date, domain, secret_word).
Now, with each request, we check only the temporary license, which is valid for the day. As soon as something is wrong with the temporary license (changed, deleted, a day has passed) - the script will again check everything seriously and save the new temporary license.

4. Running the script on a local computer without a license



It would be ideal if the script did not require a license when running on a local computer. Why, one wonders, should a person need a license from me if he just wants to test the script on his own computer? He should be able to download it and use it. But when he puts the script on a server, then he will come to me.

I do not know how to solve this problem. So far I have 3 solutions, but I do not like them:
1) If the script lies on a domain without dots (like myscript), assume that this is a virtual domain and therefore, most likely, a local test. The disadvantage of this method is that clever users will create a virtual domain on their server and make the real domain an alias of it. Also, it is not clear what to do with the localhost domain.

2) Check $_SERVER["REMOTE_ADDR"]: we look for '127' at the beginning of the IP address. The disadvantage is that this variable can be overridden before the script is executed.

3) It's funny, but you can check the server operating system. And allow execution under Windows. Just do not hit me, it's just an option.

I post an example script for testing.

I am gratefully waiting for constructive comments. Perhaps you will find an error in this protection, or give a good idea.

Source: https://habr.com/ru/post/29301/

