ansaurus

Question

how to identify whether my PHP script is hosted by others

Answer 1

+1 A:

Hi,

If you can, try to make simple calls to a server of yours to track the script usage, you should send the domain name and the IP. Use cURL for this. If your business logic permits this you can go as far as disabling the script functionality if tracking is not successful.

Because PHP is just plain text anyone can remove your tracking code portion. Try to obfuscate the code.

Alin Purcaru 2010-10-06 12:37:40

Awesome idea! Disable functionality for paid up customers when a slice of the backbone flips out, breaking the link to your tracking server, or your tracking server is down for maintenance, or you decide to shut up shop, or you get hit by a bus and your tracking server account gets cancelled. As a bonus, since anyone who's pirating your code will probably simply remove the tracking code anyway, restoring full functionality for their versions, this will only affect your paid up customers.

AllenJB 2010-10-06 12:43:05

As a matter of fact anything can be pirated. What matters if how hard it can be done. In the current case of a PHP script it's extremely easy. With just the script as he sells it the only effort needed is to get it from a paying customer. If he adds something to track the usage the pirate needs to look at the script and understand at least some part of it. If he also obfuscates it the effort needed increases.

Alin Purcaru 2010-10-06 12:51:47

@ALlenJB `since anyone who's pirating your code will probably simply remove the tracking code anyway, restoring full functionality for their versions, this will only affect your paid up customers.` well, most anti-terrorism measures (e.g. no liquids and nailclippers on airplanes; eavesdropping on social networks etc. etc.) work the same way, so there *must* be some merit to this! :D

Pekka 2010-10-06 12:56:06

Answer 2

+1 A:

There is no reliable way in PHP to prevent someone else using your script. Because PHP uses just-in-time compilation, the source code can be read by anyone with access to the files. This means that any call-home logic you put into your script can easily be disabled. The best you can do is obfuscate it, but the code can still be edited by anyone with sufficient determination.

Your best solution is to use a good licence, or to develop in a language that can be distributed already compiled. With PHP, there is not a reliable way to prevent re-use of your source code.

I would urge you not to put any kind of call-home functionality into your script. First, it can be disabled, so is essentially useless. Second, it will cause significant delays even for legitimate users of your script. Finally, if you must put it in, it is vital that you tell your users that you are doing so.

lonesomeday 2010-10-06 12:40:47

I agree, never, never add call-home functionality in a script to prevent piracy. It's just a terrible idea!

AlexV 2010-10-06 12:50:14

I agree with you that this is generally not a good idea. But if you really want to do something with PHP it can help you. Also you could make the calls just sends and track who uses your script and when the user stops using it, giving you potential pirates. There should be some requests before the pirate realizes you are monitoring usage. As for the paying customer you can write in your license agreement that the script does that and if anyone complains you can supply a clean version.

Alin Purcaru 2010-10-06 13:00:48

@Alin Yes, you can do it if you really, really want to. You just need to be aware that, in the end, it probably won't work.

lonesomeday 2010-10-06 13:06:13

In the end means: for that one pirate that really, really doesn't want to pay for your software. You can do without him, but you will still have stopped some of them. Please remember that not everyone that uses pirated software is an action movie hacker.

Alin Purcaru 2010-10-06 13:15:30

@Alin Purcaru What if your license server is down? What if the requests time-out? These requests slow down your application. Why in earth do you want to penalize paying customers? This kind of "security" is so trivial that in the end it's like locking the door and leaving the key back in the lock!

AlexV 2010-10-06 13:54:41

First of all: This is a good option (maybe the only one) to do WHAT THE QUESTION ASKED FOR. Moving forward: as I stated before there are points where you could improve your tracking so that it causes minimum discomfort for the user, but still helps you track SOME of the pirating attempts. What I suggested is not pretty but it does the job IF YOUR BUSINESS MODEL ALLOWS IT.

Alin Purcaru 2010-10-06 14:04:35

@Alin "This is a bad idea" is often a good response to an SO question. This is a case in point.

lonesomeday 2010-10-06 14:09:54

@Alin Purcaru: Anyway, you can do it and yes *maybe* it can help track *some* info about a pirate. But what can you do about it? Legally you can do nothing about them in 99% of the cases (can you really prove that the IP detected by your app is really the one of the pirate - only the ISP + serious investigation can help which you will not have)... So I ask you why add a "pirate detector" in your app if you can do nothing legal about it? You waste effort in an useless feature while you add/improve features. Anyway you do what you want but a call-home in a PHP script will ALWAYS be a WTF for me!

AlexV 2010-10-06 18:13:35

Answer 3

+1 A:

For example, somewhere in your script:

<?php
file_get_contents('http://yourserver.com/tranck_script_users.php?site='.url_encode($_SERVER['HTTP_HOST']));
?>

This way you will see which hosts use your script. Of course, anyone can remove this line from your script, there is no 100% way to know for sure.

Silver Light 2010-10-06 12:41:51

Answer 4

+1 A:

There is no way to do this without (IMO) impacting the security/privacy of your users.

The only "clean" way to do this is to encode your scripts with a tool like IonCube (there are many others but never used them) and restrict the execution on a specific domain. The downside (you can also see this as a plus depending of your license scheme) is that the users can't see/modify your code.

AlexV 2010-10-06 12:47:11

Answer 5

A:

There isn't much you can do to negate piracy with non-compiled scripts. Anybody can modify the source to remove whatever protections you have in place. You can, however, try to run the script through some sort of obfuscation tool, or otherwise try to manually "encode" the file, in much the same way a lot of PHP malware does. Obfuscation and this type of encoding can and will be beaten by somebody with enough time on their hands, though.

If you're willing to invest some money into the problem, you could check out IonCube Encoder or Zend Guard. Both of which will secure your script, and I know at least Zend Guard allows for per-server licensing. These solutions would require your end-users to have either the IonCube or Zend loaders installed, though.

Ryan Chouinard 2010-10-06 12:49:36

ansaurus

tags:

views:

answers:

how to identify whether my PHP script is hosted by others

related questions