Page 1 of 2

Connecting to a remote website?

Posted: Tue Nov 30, 2004 11:15 pm
by Mr Tech
Hey there,

I want to allow my clients script to send information to my website (in this case the domain of the scritp and the lisence key) so that the script can check it and then return a value back to the cleints script.

How do you suggest I do this? I think I would also need to CMOD the script receiving the data right?

Thanks

Ben

Posted: Tue Nov 30, 2004 11:35 pm
by rehfeld
you could just send it via post or get

Code: Select all

<?php

$domain = $_SERVER['SERVER_NAME'];

$liscense_num = 'foobar123';

$url = "http://yourwebsite.com/collector.php?domain=$domain&liscense=$lisence_num";

$auth = @file_get_contents($url);




?>

you might wanna fire off an email too,
in case thier host has url wrappers dissabled.

Posted: Wed Dec 01, 2004 3:57 pm
by Mr Tech
Thanks refeld,

Is there away around the url wrappers...?

Thanks

Posted: Wed Dec 01, 2004 4:24 pm
by rehfeld
well, it going to be unlikely that a host does that. maybe a free host will, but its very limiting to thier users t do such a thing.

i think of heard of some host disabling url wrappers so that users sites cant be hacked by doing remote includes. im not sure if they can just restrict url wrappers for include, i would think they would have to dissable them altogether.

i know theres a setting in php.ini to dissalow url wrappers for fopen(), im not sure if that would affect file_get_contents, but i think it would/should.

ive never looked into this so i might be wrong.

but i think you need to realize that no matter what you do, it cannot always work.
user can and will circumvent your registration system if they have the source code.
that being said,

fsockopen() is prob your best bet. you can post data to another url w/ it.
theres example on how to do that on the php manual page for that function, and its been asked more than a few times here on this forum in the last wk, and examples were given. so doing a search on this forum for fsockopen should get you started.

it still might be possible url wrappers could affect fsockopen, like i said i havent looked into it.

Posted: Wed Dec 01, 2004 7:01 pm
by sakaveli
maybe CURL would help? just a shot in the dark!

Posted: Wed Dec 01, 2004 10:38 pm
by Mr Tech
Thanks guys.

rehfeld, if that is true, how do you think most software developers get around that? There are a lot of scripts out their that require a liciense for it to work... I found this code that checks the licience for a script. They don't connect to their website:

Code: Select all

<?php
define("C137e1bc1", "FF");
class FF_LICENSE
{
var $_users = 0;
var $_domain = "";
var $_expires = "";
var $_key = "";

function FF_LICENSE($Key)
{
$this->_key = $Key;
$this->F38ff71c2();
}

function F38ff71c2()
{
$this->_key = eregi_replace("-", "", $this->_key);
$this->_key = eregi_replace(sprintf("^%s", C137e1bc1), "", $this->_key);
$this->_key = urldecode($this->_key);
$this->_key = base64_decode($this->_key);
$arrData = explode("|", $this->_key);
$this->_users = (int)@$arrData[0];
$this->_domain = @$arrData[1];
$this->_expires = @$arrData[2];
}

function F2c222fe5()
{
return $this->_users;
}

function Fdea0676b()
{
return $this->_domain;
}
function F03133fc0()
{
return $this->_expires;
}

function Fc6558062()
{
$domain = $_SERVER["HTTP_HOST"];
if(md5($domain) == $this->Fdea0676b())
return true;
else
return false;
}

}

?>
Any thoughts?

Posted: Wed Dec 01, 2004 11:42 pm
by rehfeld
i thought you just wanted to find out who was using your scripts, i didnt realize your trying to protect them from being copied.

well, somewhere in your script you will need to call that class, and do something like

Code: Select all

if (!$FF_LISCENSE->authorized()) {
    die('dont steal my script');
}

whats to stop me from removing those lines of code?

you can use encryption like zend encoder, which is pretty strong, but it can cracked,
someone can just write some code in C to make it spill php source if they really want to spend the time. (unlikely though, and wouldnt be easy)
zend encoder is very expensive too.
theres other cheaper alternatives, but at least the ones ive seen(i havent looked at many)
just mangle the source w/ lots of str_replace and for loops and then use eval(), which slows the scripts down alot,
no matter how fast they say it is.

im not saying not to use encryption,
if you really want to protect your scripts thats your best bet,
but they can be cracked(i cracked one in about 2 hours)

but the average user will probably never even try, and if they do may not be successfull unless they understand php well,
in which case, they may not even be using your script, but would be prob writing thier own scripts.

if you used a combination of the class you posted,
along w/ encryption your scripts would be pretty hard to steal,
but definately not impossible.

if you end up using encryption let me know,
send me an encrypted copy, i wanna see if i can crack it :) (just for fun of course)

Posted: Thu Dec 02, 2004 1:37 am
by Mr Tech
Thanks mate, yes I should have explained better but i thought that was the best way to do it.

That's interesting how it can so easily be hacked :(

The script I'm selling is sold to my customers who hardly know how to use a PC, so I won't have much problem regarding being hacked.

I had a squiz at the code I gave. How do I setup unique liciences? Does the code have the domain encrypted in the F38ff71c2() function or something? I see something that might tell something: C137e1bc1

Thanks for your input :)

Ben

Posted: Thu Dec 02, 2004 11:09 pm
by Mr Tech
Any ideas?

See what I'm trying to do is stopping people from copying my script and put it on a server that isn't the server that it was originally on.

Thanks

Ben

Posted: Fri Dec 03, 2004 12:34 am
by rehfeld
did that class not come w/ instructions?

in concept, this is whats happening


when they buy the script, they must provide you w/ the domain name they will be using it on.

you then create a key based on this domain name, lets say md5

so if their domain was
example.com

you could create a key by doing
$key = md5('example.com');

then you need to hardcode that specific key into thier script for them


then, each time the script runs, it makes sure the keys match like so

Code: Select all

$key = 'your hardcoded key you generated when they purchased it';

if ($key != md5($_SERVER['SERVER_NAME'])) {
    die('please contact foo software inc for liscence upgrade');
}

that class is just doing something similar to this, and also does checks for expires and such

Posted: Fri Dec 03, 2004 8:39 pm
by Mr Tech
No, I just copied from another script.

Doesn't seem that secure to me but in my case it would work well because like I said, my clients using it hardly even know how to use their computer :)

Thanks for the help :)

Posted: Fri Dec 03, 2004 10:00 pm
by Mr Tech
LOL just had a thought... Can't beleive I forgot this. The main reason why I started this thread was so that I can cancel a license if the customer does not pay.

What do you sugegst for that :) I've got the license chcker jsut not the cancel part :(

Posted: Sat Dec 04, 2004 12:13 am
by rehfeld
make a key for each month, give it to them every month.

if you dont want to give it to them monthly, then use file_get_contents to have thier script retreive the key monthly from your website, and accept the fact that it cannot always work

Posted: Sat Dec 04, 2004 1:44 am
by Mr Tech
Okay, thanks mate :)

Posted: Sat Dec 04, 2004 1:46 am
by Mr Tech
Oh and BTW, do i have to CHMOD the file that will be read from the remote servers? E.g: CMOD 777?

Thanks again.