문제
I have a script, and I sell it to some people. I need a way to make sure that my script won't work on any website that not in my clients list.
What is the best method to avoid making people from stealing my script?
I read about making a license key in the script, so any script without license won't work. However, there are many ways to generate a license key without taking my permission right?
All I need is to not activate any script in any domain name, unless I have it in my clients list.
해결책
There's a reason Adobe, Microsoft, and others don't over actively pursue pirates (not saying they don't, just not at epic, absolutism levels) - they make most of their money from business to business sales and support. A simple license and support structure is typically enough to posture yourself for profit from legitimate businesses and parties who want your product.
Technical protection is a losing battle if you're going to give anyone the code. That's why SaaS is so popular.
다른 팁
Your question is very interesting because way too many php developers wonder the same thing. How can I protect my product from being stolen and copied?
Some of the comment talk about not being greedy, but the truth is that many people program for a living, so it isn't a matter of just some software you built as a hobby, it is your work and you deserve to get paid for it, just like any other profession.
Sadly, PHP is a language that is very hard to protect, but I will give you a few pointers:
1) Don't trust encryption: I have seen way too many tools for un-encrypting code, even some tools that I used to trust like Zend Guard, are also vulnerable. The most advanced tools I have seen can reveal your code in minutes.
EDIT: Another thing I forgot to mention about encryption. It will require the server to have certain special modules installed in order for your code to work and this is a deal-breaker for all the people who use shared hosting and can't install the unencryption module.
2) Try obfuscation: Even though your code will be still readable, if the obfuscator does a good job at mixing variables, adding nonsense and making functions within functions, the code itself will become almost non-modificable, so it will be useless to try to modify it.
3) Take advantage of obfuscation to insert domain-lock code within your software itself: Instead of a license file, just sell the software to a certain customer with some domain verification code within the software itself, that approach combined with obfuscation, will make it very hard to figure out what to change to make it work in some other domain, so you will probably achieve your goal.
4) Make a great software: This is the most important part, build an outstanding software that people will be willing to pay for, create a proper website for it, get the word out there.
I hope I have helped you.
The only true way to lock down script-based code that you give away, is to keep a core part of that code executing on a server you control -- and have the code you've given to your client 'call home' to your server on each execution. Then all you have to do is block access to this 'call home' script based on the requesting ip.
Also, in this 'call home' mechanism it is no good just performing a simple connection test or handshake because this can be worked around -- the script on your server has to do something integral to the system as a whole so that the client would have to rewrite that missing part in order to use your code elsewhere without you knowing. This could be some key calculation or data provision.
Obviously this is not ideal as many clients will not like a script calling a remote server, plus you'd have to make sure your network and server could handle the number of requests -- otherwise you'll slow or timeout your clients own systems.
All I need is to not activate any script in any domain name, unless I have it in my clients list.
Ok you narrowed it enough.
create your openssl certificate, hardcode public part to checking code, when issuing license sign domain.name string with your private key, issue sign part as license, in your license:
https://stackoverflow.com/questions/13897941
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian$lic=<<<EOL
LICENSE CODE HERE - SIGNATURE of string contained domain name
EOL;
in your code to check license:
include 'license.php';
$cert=<<<EOK
PUBLIC KEY DATA HERE
EOK;
$pub_key=openssl_get_publickey($cert);
$ok = openssl_verify($_SERVER['SERVER_NAME'], $lic, $pub_key);
if ($ok !== 1) {die ('bad license!')}
O'c all should be encrypted as much as possible.
this probably vulnerable for special crafted libopenssl binaries but I hope it will help you. to avoid running of such code every you can add condition like this:
if (int(random()*100))==6) {check_license();}
but it depends on which part is should be protected.
also, in all parts of the code you should check md5summ of file that contain license check code.
You can use http://www.ioncube.com to obfuscate your source code or http://www.phplicengine.com to license your php code remotely or locally.
My thoughts are that you can't successfully save code from to be nulled. I really don't like way the Non-Free apps are created, but I won't judge you. Best solution to protect code is sometimes not worth of it, because many people (read websites) have very restricted hosting, where they cant install ioncube... Best protection is to join many types of protections (ex. IonCube + injected licence connection to your data server in different places with different code+if site NEED to use some ssl, you can try to make some protection with to sell also ssl with public key check on your data server), or many, many, other ways, just be creative)
But however as I said, If you want very high protection, you will get loss of money for creating it, and loss of money of loosing your customers, because they use some cheap hosting...
You need to think about everything...
Forgot to say: Hosting on your server is best protection, but have disadvantages: you need to add possibility for 'templating' site, access to be created some plugins, and similar stuff... But sometimes Clients just don't like to keep all data on your hosted server.
I think I helped somehow...
There are some good comments from other posters to this. Depending on the edition of the ionCube Encoder that you're using the features that you need are there already (in Pro and Cerberus), including features to allow you to craft your own layers of licensing if you wish, though this shouldn't be necessary. Some basic steps give the biggest wins, and as others have said, it's not generally worth going over the top with a massive licensing infrastructure. Keep in mind too that a main benefit to licensing comes not so much from stopping those who are intent on cheating and not paying, but from keeping the paying customers in line.
Say that you have a fee for each domain where your software is used. If you mention this somewhere but do nothing to enforce it, then when an honest customers tries your scripts on a second domain and finds that it works, chances are that they'll simply use it without even realising that they should have paid. In contrast, if your software alerts them to the fact that a new license is needed, it's likely that they'll purchase for the second domain.
Realistically it's impossible to stop the most determined thieves, and as one poster eluded to it may even be beneficial in the long term to have cheaters using software for free rather than not at all, but licensing can definitely lock in revenue from the honest majority who are happy to purchase good software (plus support, bug fixes, upgrades etc.), and it's foolish not to do that.
