Simple code obfuscation
in [General]
|
Prev: pecl install geoip doesnt work. Warning: opendir(/var/tmp/pear-build-root/install-geoip-1.0.7//var/www/pear): failed to open dir: No such file or directory in PEAR/Builder.php on line188
Next: poll: howto do informative error handling without the fatalities
From: Brian Dunning on 8 Feb 2010 14:32 Hey all - I'm selling a custom PHP solution to FileMaker users. It uses FileMaker's PHP API, so everyone who has FileMaker Server is already set up to use it, but very few of them have any knowledge of how to set up a server or do anything PHP related. But I do want to add some level of code obfuscation to prevent them from making simple changes to my code that allow them to exceed the privileges they've purchased. I've looked at custom code encryption services like Ioncube and phpCipher, but in my estimation, deploying the needed server-side code for these is going to be beyond the capabilities of a large segment of my customers. I would rather have a few customers cheat me than offer a product that most customers are unable to figure out how to run. So I was thinking of doing something like base64_encoding the crucial chunk of my code (maybe 20 lines worth) and using eval(base64_decode($that_content)) to run it. I figure that will scare away most of the customers who might be able to edit my code. Can anyone suggest something that goes one better? - Brian
From: Richard Quadling on 8 Feb 2010 18:13 On 8 February 2010 19:32, Brian Dunning <brian(a)briandunning.com> wrote: > Hey all - > > I'm selling a custom PHP solution to FileMaker users. It uses FileMaker's PHP API, so everyone who has FileMaker Server is already set up to use it, but very few of them have any knowledge of how to set up a server or do anything PHP related. But I do want to add some level of code obfuscation to prevent them from making simple changes to my code that allow them to exceed the privileges they've purchased. > > I've looked at custom code encryption services like Ioncube and phpCipher, but in my estimation, deploying the needed server-side code for these is going to be beyond the capabilities of a large segment of my customers. I would rather have a few customers cheat me than offer a product that most customers are unable to figure out how to run. > > So I was thinking of doing something like base64_encoding the crucial chunk of my code (maybe 20 lines worth) and using eval(base64_decode($that_content)) to run it. I figure that will scare away most of the customers who might be able to edit my code. Can anyone suggest something that goes one better? > > - Brian > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > > For simple obfuscation, then maybe making a PHAR app may be of use here. http://docs.php.net/phar -- ----- Richard Quadling "Standing on the shoulders of some very clever giants!" EE : http://www.experts-exchange.com/M_248814.html EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 ZOPA : http://uk.zopa.com/member/RQuadling
From: Ashley Sheridan on 8 Feb 2010 18:47 On Mon, 2010-02-08 at 23:13 +0000, Richard Quadling wrote: > On 8 February 2010 19:32, Brian Dunning <brian(a)briandunning.com> wrote: > > Hey all - > > > > I'm selling a custom PHP solution to FileMaker users. It uses FileMaker's PHP API, so everyone who has FileMaker Server is already set up to use it, but very few of them have any knowledge of how to set up a server or do anything PHP related. But I do want to add some level of code obfuscation to prevent them from making simple changes to my code that allow them to exceed the privileges they've purchased. > > > > I've looked at custom code encryption services like Ioncube and phpCipher, but in my estimation, deploying the needed server-side code for these is going to be beyond the capabilities of a large segment of my customers. I would rather have a few customers cheat me than offer a product that most customers are unable to figure out how to run. > > > > So I was thinking of doing something like base64_encoding the crucial chunk of my code (maybe 20 lines worth) and using eval(base64_decode($that_content)) to run it. I figure that will scare away most of the customers who might be able to edit my code. Can anyone suggest something that goes one better? > > > > - Brian > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, visit: http://www.php.net/unsub.php > > > > > > For simple obfuscation, then maybe making a PHAR app may be of use here. > > http://docs.php.net/phar > > > -- > ----- > Richard Quadling > "Standing on the shoulders of some very clever giants!" > EE : http://www.experts-exchange.com/M_248814.html > EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp > Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731 > ZOPA : http://uk.zopa.com/member/RQuadling > You could move some of the code to a binary package compiled from your PHP script. This would limit who could use your system, for example, if you compiled it for Windows then non-Windows users couldn't use it unless you also compiled some binaries for them too. Of course, requiring FileMaker does limit your audience too I believe, but that's another topic. I've seen this practice of binaries used before, and it seems to work well. There are countless pieces of software out there that can create installable programs, which will aid you immensely. You just have to put one of those together and people can easily install your software with just a few clicks. The other route is to use remote scripts. So they would install a base system on their own servers, but scripts crucial to the system are accessed remotely. Doing this will mean you have to make sure your script is watertight from a security point of view though, and ensure you encrypt traffic going between any servers. Lastly, you could offer some sort of hosted solution. This may not be suitable I guess from what you've described of your system, but if it is, you can then deem exactly what goes on. Thanks, Ash http://www.ashleysheridan.co.uk
From: Phpster on 8 Feb 2010 19:21 On Feb 8, 2010, at 2:32 PM, Brian Dunning <brian(a)briandunning.com> wrote: > Hey all - > > I'm selling a custom PHP solution to FileMaker users. It uses > FileMaker's PHP API, so everyone who has FileMaker Server is already > set up to use it, but very few of them have any knowledge of how to > set up a server or do anything PHP related. But I do want to add > some level of code obfuscation to prevent them from making simple > changes to my code that allow them to exceed the privileges they've > purchased. > > I've looked at custom code encryption services like Ioncube and > phpCipher, but in my estimation, deploying the needed server-side > code for these is going to be beyond the capabilities of a large > segment of my customers. I would rather have a few customers cheat > me than offer a product that most customers are unable to figure out > how to run. > > So I was thinking of doing something like base64_encoding the > crucial chunk of my code (maybe 20 lines worth) and using eval > (base64_decode($that_content)) to run it. I figure that will scare > away most of the customers who might be able to edit my code. Can > anyone suggest something that goes one better? > > - Brian > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php > What about an md5 license hash check for certain modules/ functions? It could be kept in a client specific config file and read in during the appropriate script execution. Bastien Sent from my iPod
From: Manuel Lemos on 8 Feb 2010 23:50
Hello, on 02/08/2010 05:32 PM Brian Dunning said the following: > Hey all - > > I'm selling a custom PHP solution to FileMaker users. It uses > FileMaker's PHP API, so everyone who has FileMaker Server is already > set up to use it, but very few of them have any knowledge of how to > set up a server or do anything PHP related. But I do want to add some > level of code obfuscation to prevent them from making simple changes > to my code that allow them to exceed the privileges they've > purchased. > > I've looked at custom code encryption services like Ioncube and > phpCipher, but in my estimation, deploying the needed server-side > code for these is going to be beyond the capabilities of a large > segment of my customers. I would rather have a few customers cheat me > than offer a product that most customers are unable to figure out how > to run. > > So I was thinking of doing something like base64_encoding the crucial > chunk of my code (maybe 20 lines worth) and using > eval(base64_decode($that_content)) to run it. I figure that will > scare away most of the customers who might be able to edit my code. > Can anyone suggest something that goes one better? You may want to try some of these code obfuscation classes: http://www.phpclasses.org/searchtag/obfuscator/by/package/tag/obfuscator/ -- Regards, Manuel Lemos Find and post PHP jobs http://www.phpclasses.org/jobs/ PHP Classes - Free ready to use OOP components written in PHP http://www.phpclasses.org/ |