How would one secure a PHP script to make it only usable when bought?
https://stackoverflow.com/questions/11229717
-
17-06-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianPergunta
I have read an answer to another question here on Stack Overflow. Let me first quote the incriminated part:
If your goal is to make people pay for it, you better register a key on your server side for each client. Then, when they connect to update, they will send the key and if she's in your database and valid, you output your zip file. If not, you don't.
I am asking that, technically, how would one secure his/her PHP-based project with the register a key method? Let's say we have this:
$key = file_get_contents('http://auth.project.example.com/auth.php?auth_key=asd123');
if ( $key === "auth_valid" )
define('AUTH', TRUE);
And after that, we check AUTH to see whether we (from the client's perspective) bought the system or not. Obviously, if we did not, AUTH will be FALSE or would not be defined at all. The problem is, that a client with only little-to-no knowledge to PHP would easily comment out these lines, hotwire AUTH to be TRUE and there he/she is, using the system with it thinking it had been bought, while, in reality, it hadn't.
Solução
You would use encryption and eval. Though, thinking about it, once it's evalled, then you have lost, as they could just change eval for echo. So, in that case you'll need to include the business parts on your server via an API.
