PHP Activation Script

flippyn5
Forum Newbie
Posts: 4
Joined: Mon Feb 06, 2006 3:24 pm

Post by flippyn5 »

Hi, I am developing a website package for commercial distribution. I would like to have some sort of activation within the PHP script so that when people run it, it checks to make sure that they are a legal buyer of the package.
The catch is, I would prefer to have this checking system NOT depend on a database on my own server. The reason for this is, if for some reason my server was down or not working, I still want their site to work. How can I create some sort of activation system without storing serials in a database on my server? Or is that not possible...
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

You could write to and read from a flat file.
flippyn5
Forum Newbie
Posts: 4
Joined: Mon Feb 06, 2006 3:24 pm

Post by flippyn5 »

I thought about that but what's to stop someone from just creating their own file and fooling the system?
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

The file would reside on the server in a 'protected' area. Since all of your scripting should be done server side, there would be no way for an end user to upload a 'dummy' file and use it for access...
flippyn5
Forum Newbie
Posts: 4
Joined: Mon Feb 06, 2006 3:24 pm

Post by flippyn5 »

How would I put a file in a 'protected area' though? This package will be installed on clients' servers and I will have no access to their server settings or the like.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The most reliable way I know of is where you take the role of an ASP (application service provider) by hosting the application on your own controlled servers. As long as part of it runs on their machines, it's crackable. And sometimes, even when run on a server, it's crackable too. Unfortunately, this breaks your wish to not require your server being up.

If you store the authentication on their machine/server, it is far easier to crack, even if you use encryption. Granted, if you use strong encryption it may remove the bulk of evil but you run into legal issues like export laws and such.
Last edited by feyd on Mon Feb 06, 2006 4:25 pm, edited 1 time in total.
Burrito
Spockulator
Posts: 4715
Joined: Wed Feb 04, 2004 8:15 pm
Location: Eden, Utah

Post by Burrito »

Ahhh... I understand now.

You could set up some kind of activation system similar to MS where, to activate, they have to authenticate a key against something you host on your web site. The only other alternative would be to obfuscate a PHP file as much as possible and insert keys into a flat file, as we discussed, using some kind of hash, then authenticate their key against the hashed values...
flippyn5
Forum Newbie
Posts: 4
Joined: Mon Feb 06, 2006 3:24 pm

Post by flippyn5 »

The whole heart of the project is that it is a website package for them to run on their own servers, so running it on mine is not really an option. I also don't have the capacity for that nor do I wish I did.

The first thing I thought of doing was to have the script check itself against a database on my server each time the script is run. If their number doesn't coincide with the one in my database, the script will not run. But is that fair to the client that their site will depend on my site being up 100% of the time? Now, obviously, the chances of my site being down are very slim, but it's the principle I suppose.

Any thoughts/more suggestions?
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

If your script checks each time it's run you're going to have your own server hammered.

The best bet would be to check it and cache the result on the client's server.

If the script cannot reach your server it simply waits a pre-determined amount of time, then re-tries (the cached results of the last validation still allow the application to run while it's waiting for your server to come back online). Unfortunately all they have to do then is add an ipchains rule to null route all traffic to and from your IP and your application will just assume that your server is offline and continue to allow their application to run.


Basically what I'm telling you is you're SOL; if there were a perfect solution then piracy wouldn't exist, but obviously it does.
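
One way to make the cached validation described above tamper-evident and time-limited, as an added example that is not part of the original thread: the vendor's server signs a receipt with Ed25519 (PHP's sodium extension, PHP 7.2+), the package ships only the public key, and a receipt older than the grace period stops validating, so blocking the vendor's server only buys the grace window. The function names, receipt layout, 14-day grace value and sample licence data are assumptions.

```php
<?php
// Added example: vendor-signed activation receipt cached on the client's server.
// issueReceipt, checkReceipt and GRACE_SECONDS are hypothetical names.
const GRACE_SECONDS = 14 * 86400; // how long a cached receipt is honoured offline

// Vendor side (activation server): sign licence id, host and issue time.
function issueReceipt(string $licenceId, string $host, int $now, string $secretKey): string
{
    $payload = json_encode(['lic' => $licenceId, 'host' => $host, 'iat' => $now]);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($sig) . '.' . base64_encode($payload);
}

// Client side: only the PUBLIC key ships with the package, so the flat file
// cannot be forged or re-dated without the vendor's secret key.
function checkReceipt(string $receipt, string $host, int $now, string $publicKey): string
{
    $parts = explode('.', $receipt, 2);
    if (count($parts) !== 2) return 'invalid';
    $sig = base64_decode($parts[0], true);
    $payload = base64_decode($parts[1], true);
    if ($sig === false || $payload === false) return 'invalid';
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) return 'invalid';
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) return 'invalid';

    $data = json_decode($payload, true);
    if (!is_array($data) || !is_string($data['host'] ?? null)
        || !is_int($data['iat'] ?? null)) return 'invalid';
    if ($data['host'] !== $host) return 'wrong-host';  // receipt copied to another site
    if ($data['iat'] > $now + 300) return 'invalid';   // issued in the future
    if ($now - $data['iat'] > GRACE_SECONDS) return 'expired'; // server unreachable too long
    return 'ok';
}

// Demo with a constructed key pair, constructed timestamps and a sample licence.
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);
$pk = sodium_crypto_sign_publickey($kp);
$t0 = 1700000000;
$receipt = issueReceipt('LIC-EXAMPLE-0001', 'shop.example.com', $t0, $sk);
// A hand-made "dummy" file: plausible payload, signature not from the vendor.
$forged = base64_encode(str_repeat("\0", SODIUM_CRYPTO_SIGN_BYTES)) . '.'
        . base64_encode(json_encode(['lic' => 'x', 'host' => 'shop.example.com', 'iat' => $t0]));

echo checkReceipt($receipt, 'shop.example.com', $t0 + 86400, $pk), "\n";      // fresh receipt
echo checkReceipt($forged, 'shop.example.com', $t0 + 86400, $pk), "\n";       // forged file
echo checkReceipt($receipt, 'other.example.org', $t0 + 86400, $pk), "\n";     // copied elsewhere
echo checkReceipt($receipt, 'shop.example.com', $t0 + 30 * 86400, $pk), "\n"; // past grace
```

This only prevents forging or extending the cached file; as other replies in the thread point out, anyone who can edit the PHP source can still remove the check itself.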
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

This should be a bit of a no-brainer, but also ensure you have strong licensing agreements, and records on your end.

This way if you ever do find someone to be using your script when they shouldn't, you at least have better grounds for a lawsuit.

The other problem you face is the implementation of the code on their machines... What is to stop them removing the authentication segment altogether?