2

I have coded a pretty nice class and I'd like to install it on the clients server without risking them taking the code and not paying me.

If possible, a method where I have the "key" on my server, and encrypt the source code on the clients server with that key and some how code the method for retrieving the key from my server into it, so in the event they don't pay I can change the key on my end thus disabling the code from working on their end.

Any ideas?

EDIT: I'm aware of zend and ioncube, I'm trying to see if there is a different, less expensive "free", way of doing this.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
Mickey
  • 2,285
  • 6
  • 26
  • 37
  • 2
    Reminds me of http://thedailywtf.com/articles/maybe-i-needing-later.aspx – Skilldrick Jan 24 '10 at 01:58
  • yeh i know how to do that, but if he backs up the file and located the file that's deleting everything, he could just delete it and restore the file he backed up =/ – Mickey Jan 24 '10 at 02:12

5 Answers5

2

You could run your own webserver, strip some of the key methods out of your code and refactor them into webservices that you would host on your server. So if they dont pay, you just shut off your server and boom... the app breaks.

a432511
  • 1,907
  • 4
  • 26
  • 48
  • brilliant, idk why i didn't think of this exactly. - i thought of hosting the entire class, as it's basically a stand alone script that gets crond every night, but it works with an API that restricts the curl requests to one IP, his IP, lol. but never thought of just doing parts of it, smart thinkin ;) thanks – Mickey Jan 24 '10 at 02:36
  • No problem. I love questions like this. – a432511 Jan 24 '10 at 17:15
1

Unless you reverse engineer the bytecode encryption that IONCube or Zend Guard does, your code is going to have some form of an "if ($authorized == "mysekritcode")" line somewhere. You can obfuscate that, but a malicious user could just change it to "if (1==1)" and bypass any obfuscation.

Instead, if your code can be separated into Model/View/Controller, and the client can be handed over only the "View" component (and maybe the Model), and have the "Controller" component act as a web service on your server, that gives them the functionality, but needed security.

MidnightLightning
  • 6,715
  • 5
  • 44
  • 68
  • awesome, but i gotta give the credit to a432511, thanks for taking the time to answer my question though. – Mickey Jan 24 '10 at 02:38
0

You need PHP encoding software to do this. There are downsides to doing this of course, the main one being that in order to run your code, the target environment needs the proper decoder set up.

IonCube is one product that accomplishes this. Zend Guard is another. Before you go this route, I'd suggest you learn more about the products and decide if it's worth it for you. There are several threads on SO about using PHP encoders that are full of good information.

Community
  • 1
  • 1
zombat
  • 92,731
  • 24
  • 156
  • 164
  • thanks for totally not answering my question. im aware of the other articles on SO, im just trying to see if anyone might have came up with a similar solution. – Mickey Jan 24 '10 at 02:16
  • 3
    No need to be rude. I did answer your question... you asked for a method of distributing your code without it being able to be read by anyone. PHP encoders are your answer. – zombat Jan 24 '10 at 02:25
  • Thanks. With "PHP encoding" in the title of my question I can't even begin to think how you came up with that answer. – Mickey Jan 24 '10 at 04:42
  • 1
    Look, the only question mark in your entire question followed the *extremely descriptive* line of "Any ideas?". Other than that, your "question" is an unspecific rambling about remote-key encoding, prefixed with "if possible", not "must use". You didn't mention that you were aware of existing encoders and that you didn't want to use them until much later after you got a bunch of answers all saying the same thing. Clearly the answers aren't the problem, it was your question. – zombat Jan 24 '10 at 05:10
0

Look into something like IONCube encoder. Works like your asking - and its not spinning your own solution (its got support, a good track record, documentation, etc).

IONcube isn't your only choice - google around. Zend offer's something also.

mr-sk
  • 13,174
  • 11
  • 66
  • 101
-1

You could do something like this in a file included by all the others:

if (file_get_contents('http://your.domain.com/getKey.php') != 'verySecretCode')
{
    die('pay me');
}

And then you'd have to encode the file with Zend Guard or similar.

Your server needs to be online 24/7 otherwise you'll have problems (or you could code a more robust system). Either way, for every request the server of your client will make a HTTP request to your server.

Zend Guard is the best, but if you don't have any money to spend you could try bcompiler.

Alix Axel
  • 151,645
  • 95
  • 393
  • 500
  • yeah the files will be available on demand, just can't fork over the money for the encoder. – Mickey Jan 24 '10 at 02:23
  • So the correct answer is the one that is specifically what the original poster didn't want to do? Pay for an encryption service? – MidnightLightning Jan 24 '10 at 06:45
  • @MidnightLightning: First, the OP edited is question to reflect is needs after I had answered him. Secondly, have you read my whole answer? Specifically the `bcompiler` part? – Alix Axel Jan 24 '10 at 06:48
  • As someone who also would be interested in a low-cost, secure solution to this question (the solution I've arrived at currently is my answer; splitting the Model/Controller/View and keeping part on the server, and part with the client), and if the above answer's only merit is bcompiler, it could be reduced to "try bcompiler", which is really not a helpful answer (how do you compile on one OS and decode on another? Any scripting frameworks for a bcompiler encode/decode you care to provide?), hence I agree with the down-vote. – MidnightLightning Jan 24 '10 at 21:24