views:

1233

answers:

19

Hello,

I dont know what to say. About 3 days ago I released a script to the public. Today I realised, after searching on google that someone had already nulled (removed my protection) and pirated the script.

How do I stop users from pirating the script? It is written in PHP.

Please help or suggest some solutions.

Thank you for your time.

UPDATE By releasing to the public means that I have started selling it to users.

UPDATE My program is priced at only $49. Very reasonable for the functionality it offers. I do not understand how I should stop pirates from pirating my code. The replies which most people have given are rather sarcastic. I was hoping for some good advice. I know there is no silver-bullet. But some techniques which you have used in your PHP programs.

+7  A: 

How do I stop users from pirating the script?

Do not release sensible source code to the public...

[EDIT] After a few downvotes, I decided to comment on my answer:

Any code that is released public has a chance of being hacked. This is the number one reason why Javascript is not secure. No matter how much you will obfuscate it, compress it or translate it to some random japanese dialect, it is still source code that the user has access to. Hence it should not contain any sensible information such as passwords or such. All sensible data should be stored in the server side where it is kept hidden from the user.

If you are releasing a php framework containing both the server and client code; then you have no way of fully protecting yourself. PHP is, like Javascript, an interpreted language. You may translate it, compress it, or obfuscate it as much as you want, (and it's probably the best thing you can do) you will never fully protect it when released to the public.

Again... If there was a magic way to prevent code from being broken, it would have been known for a long time. No-cd patches / cracks for new games/softwares now are almost released the same day as the softwares themselves. It is, as noted by Paul, a form of flattery for you, even though I understand how sorry you may feel.

There are a few instances where programmers ended up with bullet-proof protection, but it usually involved high-end engineering.

m_oLogin
(-1) As programmers, we need to 'publish' our code to get paid.
> devinb : 'sensible' source code doesn't imply the entire source code. I have never seen published source code containing the author's password, db access information, or protection keys... Yet they usually get paid...
m_oLogin
Do you think this author included his passwords and protection keys? Have you seen his source? But, as you added in your fantastic edit, it is very difficult to obfuscate interpreted languages *for the reasons you enumerated* (that's what makes it different from your initial answer... explanation). Good Job! (+1)
+2  A: 

Contact the pirate and let h{im,er} know that you will be forced to take legal action against them if they do not abide by the license.

Alan Haggai Alavi
You might try something more friendly first in less you actually can follow up on your threat. Something like "hi, I noticed you're using my program. It'd be really great if you bought a copy so I could feed my family. Here's a coupon! Thanks!"
Michael Haren
Oh, yeah. That's gonna work :)
ldigas
@Idigas, While I wouldn't necessarily do what Michael is suggesting, Hackers are by their nature resentful of authority, so threatening them with a personal email could, and likely will, cause them to begin attacking you back.
And if the pirate is in <any-country-with-weak-copyright-laws>, he will laugh his a** off!
TFM
+9  A: 

There's not much you can do.

Be flattered your work was deemed worth the effort!

Paul Dixon
Downvote removed! I agree, its along the same lines as measuring hacking attempts as a sign of a successful web project.
karim79
(downvote removed also!)
jgubby
If writing code is your profession, flattery doesn't put food on the table or keep a roof over your kid's heads.
David
(-1) Not that I don't agree with your sentiment, however what you've provided is a "comment" and not really an "Answer". By that I mean that saying "there's not much you can do" is not helpful to someone who is asking what you can do.
@David, I read that as "flattery doesn't put food over your kids' heads"... hm. That is all.
nickf
Every software developer should have the opportunity to put food on his family.
mquander
@devinb: The problem is that there is no really effective technical solution, particularly for scripts. You may lament this, or wish whole-heartedly that there was a solution, but there really isn't, and saying anything else is even less helpful.
David Thornley
-1 for the same reasoning as devinb
Shadi Almosri
I should have edited this further, but what I was driving at was that it's just a waste of time to try and combat this. Do just enough to keep honest people honest, and focus your efforts on supporting those customers. Then you'll have plenty of food to put on your family :)
Paul Dixon
+3  A: 

PHP is easily decoded, so for people who really want to know, it's easy to find out the source code. However, there are certain obfuscator programs such as this one that'll make your PHP script almost unreadable for those trying to decode it.

Dasuraga
Obfuscation is security by obscurity. In other words, it's not security at all.
Thomas Owens
Yes, but there are usually lower hanging fruit.
jgubby
But it will narrow the field of potential hackers down to a smaller group.
samoz
Great comment Thomas
m_oLogin
What on earth do you mean by "PHP is easily decoded"?
Jonathan Sampson
+18  A: 

The only real way to prevent piracy is to not give the user the program at all! What I mean by this is have the logic you want to protect remain server side and offer a client interface.

There are a few companies that offer protection services, but these are expensive and can sometimes still be overcome.

If you're worried about this happening again, try obfuscating your code. Here is a free program to do just that on PHP code.

samoz
I love the idea of making your code unreadable as a form of anti-piracy. Remove all white-space, rename all variable and functions to random characters. Basically, make the code so ugly that no one wants to use it.. haha
Jon
Bear in mind that obfuscation doesn't really accomplish anything. People hack binary machine code, and no obfuscator is going to be able to make your code harder to read than that.
Chuck
Since it's written in PHP, you're already done half the job of obfuscation. (kidding, I'm sure there is some very good PHP out there. I just haven't seen it.)
Michael Myers
I realize that obfuscation will not stop pirates. However, what it does do is raise the bar for reverse engineering. Any newbie can find a plain text password, key phrase, or jump in your binary, but if you obfuscate that same code, the person will need a higher level of skill to pirate your software. Even if some people still pirate it, it will cut down on the number of pirates.I'll take 10 pirates rather than 100 any day. (Well unless I have ninjas to back me up)
samoz
+3  A: 

What kind of protection did you think you had added to a PHP script, anyway? You should add a line of the form:

if ($pirated) exit();

and then make it mandatory (in the licence agreement) that users set the $pirated variable accordingly.

jgubby
Pirates generally disregard license agreements though. By modifying the program, they break the usual 'no-tamper' clause.
samoz
"Pirates generally disregard license agreements though". Srsly?
Steve Jessop
:D Under the DMCA, the licence agreement part is probably not even necessary: the anti-circumvention stuff should cover it!
cheduardo
Thats a Good one :D
Ali
@onebyone.livejournal.com: Damn, I forgot! Thanks!
jgubby
+1  A: 

I agree with Samoz's suggestion to keep the logic server side, however this can often be hard to do. The best strategy is to make the user want to buy it by offering updates automatically to registered users, as well as installation, advice and good support. You are never going to sway people hell bent on pirating, however your goal should be to persuade those who are undecided as to whether to pirate or purchase the script.

Any obfuscation/decryption technique for PHP can be cracked

Lobe
+5  A: 

With PHP, you're mostly out of luck. It's an interpreted language, which means that you are essentially forced to give away the source code. Sure, there are obfuscators (tools that "scramble" the source code to make it near impossible to read for humans), but they can be circumvented as well.

There are product like Zend Guard which seem to offer a better level of protection, but from my understanding, your customers need Zend Guard installed as well, which is almost never the case.

Michael Stum
A: 

piracy != copyright infringement

There are known routes to litigate copyright infringers.

Does it really matter enough to hire a legal team?

Kieveli
Quoting Wikipedia: “For electronic and audio-visual media, unauthorized reproduction and distribution is also commonly referred to as piracy [...] The practice of labeling the act of infringement as "piracy" predates statutory copyright law.”
Agos
A: 

Obfuscation do add something. It will not be fun to try to modify your code at least even if they can take the first version of it. In best case they will try to find some open source project that does something similar. Guess this would give you an fast fix at least for your problem?

nandarya
+1  A: 

I agree with @Michael.

Try ionCube or Zend Guard. They are both commercial offerings, but you say that you are selling your software so it might be worth it. Although nothing is foolproof and can be reverse engineered with enough effort and technical skill, these solutions are probably good enough for the average PHP script vendor.

veroxii
+2  A: 

Forget trying to prevent it

Go the way of CakePHP (see sidebar on front page) and many other open source projects and ask for donations.

People actually do it!

bobobobo
+1 for sensibility without sarcasm
Robert S.
A: 

Actually I think it's easier to protect PHP scripts than desktop software, because with latter you never know who is running the cracked copy.

In case of PHP on the other hand, if people run your software on public web servers, you can easily find them and take them down. Just get a lawyer and turn them in to the police. They could also be breaking DMCA laws if they remove your protection so that gives you even more ammunition.

Technical way to protect your code is obfuscation. It basically makes your code unreadable like binaries in compiled languages (like Java). Of course reverse engineering is possible, but needs more work.

abababa22
+13  A: 

I'm not trying to be sarcastic here: forget about them. Here's my rationale:

  • You can spend tons of time trying to prevent pirates from pirating your stuff, or you can spend the same amount of time giving your paying users more functionality.

  • Extreme copy protection does not give your paying users anything but more hoops to jump through to use your application - which might lead them to get frustrated.

  • Pirates will pirate your applications no matter how much time you spend trying to stop them.

  • Budget a certain amount of time to put in basic copy protection - just enough to keep the honest people honest.

  • Most importantly: Don't irritate your paying customers. They are the ones you need to make happy.

rein
A: 

If your script won't consume a lot of bandwidth, you could keep your "logic" server-side, as samoz suggested, but if your users won't use it responsively ( a crawler, for example ), this could be trouble.

On the other side, you could become a ninja ...

Geo
A: 

Attach a copyright notice to it. Some companies will actually care that they're using software properly.

Ian Boyd
A: 

There is one way I can create is the script register the script will check if the license code has been used more than the regular use. If you want this product please contact me at our website or call our office (321) 252-9836.

Bryan Eller
+3  A: 

There are several methods of handling this:

  1. Offer your product as a service. This means finding appropriate hosting in the cloud, etc. This removes access to your code base, thus preventing direct piracy. Someone can still reverse engineer your stuff, but I'll touch on that later.
  2. Add a unique identifier to each version of the script sold. This can be done automatically, and is great to do with obfuscated code (another, complementing method). This will give you the ability to track whoever pirated your code. If you can track them, you can sue them (or worse).
  3. Pursue legal action. You'll need to know who leaked the code in the first place for this. Their PayPal information or even an IP address should be enough. You go to your lawyer, ask him to get a court order telling PayPal/ISP to release the identity of the thief, and then start tracking them down. If they're located overseas, your only real option is to freeze/appropriate funds from PayPal/credit card. Banks will be sympathetic only if they have a branch in your country (which can be targeted for legal action).
  4. Ignore it, and simply build your business model around the support that you offer.

The sad fact is that information cannot be secured completely. There is no way to prevent a team of Indian programmers from reverse engineering your program. So you just have to be better than them, and constantly improve your product (this is "A Good Thing (TM)", so do it anyways)

Also keep in mind that DRM and other solutions are often controversial, and will reduce your sales (especially among early-adopters). On a personal level, I would suggest viewing this as a compliment. After all, your script was useful enough that someone bothered to pirate it within a week!

SEK
A: 

In general it's hard to prevent users from stealing code when the program is written in a scripting language and distributed in plain text. I've found that http://feedafever.com/ did a really nice job of being able to sell PHP code but still give the code to users.

But the solution to your problem is very dependent on the domain of your program. Does this script run on the users machine with no internet connection? Or could this be a hosted service?

I'd also suggest looking at some of your favorite software, and seeing how they convinced you to pay for it initially. The issue I find isn't always "how can I prevent my users from stealing my software" but sometimes more "how do I convince my users that it's in their best interests to pay me". Software piracy often comes when your product is overpriced (Ask your friends what they would pay for a software package like the one you are selling, I've found that I have historically overpriced my software by 20%).

Anyway, I hope this helps. I'm glad that you are trying to create software that is useful to users and also not incredibly crippled. I personally of the mind that all software that isn't shrink wrapped or SAAS should be free, but I totally understand that we all need to eat.

icco