views:

81

answers:

7

While installing an application onto a client's server, I would like to make sure that the client (or a future developer for them, etc) does not copy my application and place it on other domains/servers/local servers.

How can I verify that my application is running on the server I installed it on? I do not want any substantial lag in the script every time it runs, so I assume a 'handshake' method is not appropriate.

I was thinking the script could request a PHP page on my own server every time it runs. This could send my server their server info and domain name, which my script can check against a database of accepted clients. If the request is invalid, my server handles the work of emailing me the details so I can follow it up. This should not slow down the client's script as it isn't expecting a response, and will still operate on their 'invalid' server until I can investigate this and follow it up with them personally.

If this is the best method (or if there is better), what PHP call should I be making to request my server's script? file_get_contents, curl and similar seem to always retrieve the response, which I don't need.

UPDATE

Thank you all for your responses. I completely understand that PHP is open source and should be freely available to edit. I should have stated more clearly initially, but my intentions were for this verification method to assist me in finding anyone breaching my license agreement. The application is covered under a license, but I would also like to include this check so that I can monitor an initial misuse of my application.

Hence, somebody may still breach my license and it would most likely go unnoticed, but if I implement this script I have the advantage of any 'lazy robbers' who don't break apart my application and remove the verifier before ripping it.

Does this justify the use of such a script? If so, is cURL my best option?

A: 

You could encode it and hard code a license file that would allow it to only work on the domain it was intended for (e.g. use ioncube or zend to encode a file that checks if the HTTP HOST is the intended domain without doing a handshake). You could then make that file required in all other files (if everything was encoded).

Darren
That can be easily circumvented. -1
NullUserException
A: 

imo its worth checking out some joomla extensions that do this. There a few different implementations, some check the domain and validate it before executing, most are encrypted, along with a domain validation. I remember sakic's url sef extension used to do this. There are quite a few more commercial extensions that use the same thing. Apart from that I cant think of another way.Probably another good idea is to have a good license in place and a good lawyer....

Ke
+2  A: 

Any checking code for verification is easily replaced with a return true;. Look at the faq at http://stackoverflow.com/tags/php/info :

Q. Can I protect my PHP code from theft? If so, how?
A. There is no effective technical solution to protect, encode or encrypt PHP source code. There are many products that offer some levels of protection, but all can be broken with time and effort. Your best option is not a technical solution, but a legal solution in the form of a license agreement.

Wrikken
A: 

Short answer: This can't be done.

Long answer: Whatever protection you put in your code, it can be removed with little difficulty by anyone with some experience in PHP. Even if the code is encoded with something like ionCube or Zend Guard, this too can be decoded with relative ease.

Your only option is to protect your intellectual property by actively pursuing copyright infringers. Even this is not foolproof, as our folks from RIAA and MPAA know very well. In this day and age, I'd say this is not a solvable problem.

NullUserException
+1  A: 

You get a legal agreement and sue everyone.

A: 

You could integrate phone-home behavior into your software but you should probably consult a lawyer to discuss privacy issues about that and to work out privacy guidelines and terms of use for your clients' usage license.

One thing to be careful about is the data you send (and the way you send it, i.e. securely encrypted or not) to identify the client who is illegally using your product because it could potentially be used to compromise your client's infrastructure or for spying on your client.

Regarding your phone-home function, be warned that the client could just locate and remove it, so using a PHP obfuscator or compiler might provide some additional protection against this (though any sufficiently determined PHP developer could probably disable this). Note that your protection will only act as a deterrent aimed to make the cost of circumvention approach or exceed the cost for legal use.

EDIT:
As poke wrote in the question comment, you could move parts of your code outside the software installed at your client's site to your servers but this may backfire when your servers are unreachable for some reason (e.g. for maintenance).

In the end, I think that customer satisfaction should be valued higher than protecting your software from the customer, i.e. try to avoid protections that are likely to make your customers angry.

Archimedix
+1  A: 

SaaS is your friend. Host the application on your own secure servers, and charge a license fee for your customers to access it.

Alex Howansky
+1 This is the way to go if you are offering a service, turning your application into a paid API would be the only way to guarantee your software hasn't been cracked and/or redistributed.
Mahdi.Montgomery
It is _a_ solution, but network overhead / latency would make this quite unworkable for most PHP projects.
Wrikken
@Wrikken I think you misunderstand. I'm suggesting that he offer his full application on his own private servers and then charge a monthly fee for subscriptions to use it. E.g., salesforce.com, mint.com, flickr.com, etc. There's no overhead or latency besides what you'd normally get for any web page.
Alex Howansky
@Alex: OK, that's another business model, and a valid one. It is not one that will suit all project / client combos in general, and as a programmer I usually try to stay out of that kind of business, but it may fit the OP if his/her service is so unique it valids a dedicated environment. I was a little bit thrown of course by Mahdi's mentioning of 'an API'.
Wrikken