Protecting my scripts from hackers.

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Protecting my scripts from hackers.

Post by spedula »

Okay, I'm working on a script that I plan on releasing commercially. Either subscription based or flat fee.

My issue with this is how can I keep my script from being hacked/pirated?

I know encryption is the best bet here, but what else can be done to ensure that my licence check function doesn't get tampered with?

Also, the script will be remote connecting to my DB. How can I keep that info private?
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: Protecting my scripts from hackers.

Post by social_experiment »

spedula wrote:My issue with this is how can I keep my script from being hacked/pirated?
On the piracy issue, have the application require a registration key (and connection to your database for authentication). If it's bought by someone you can hope that maybe they have some morality and won't give away their key (and application).
spedula wrote:Also, the script will be remote connecting to my DB. How can I keep that info private?
You mention encryption. Encrypt the information in your database.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Re: Protecting my scripts from hackers.

Post by spedula »

social_experiment wrote:You mention encryption. Encrypt the information in your database.
It's not the data in the database I'm worried about so much as my database login credentials that will be in the script.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Protecting my scripts from hackers.

Post by josh »

spedula, to answer your question, you cannot prevent but you can deter. The general consensus among experienced developers is to not even try. For example check out this thread, where I recently tried to help someone. They bought a script from a developer like you who thought it would be wise to lock out his own users. Due to that people are telling him to get a refund, and he is also unable to use the script, therefore unlikely to give a word of mouth recommendation.

So let's say 50% of your users pirate your software, but out of those pirates 20% recommend it to 5 friends, and on average 1 of those friends purchases.

1,000 users X $100 per license = $100,000 revenue
50% piracy = $50,000 loss & 200 people telling 5 friends = 1,000 new people find out. With a 1/5 close rate that's 200 sales, so you only technically lose 800 sales for every 1,000 pirates.

Then factor in your time to obscure the code, and also factor in the potential harm it could do to your reputation, consider the fact more experienced developers could easily clone your script but purchase it to save time and realize that depending on your market the majority of the users could feel this way (and then furthermore factor in lost sales due to these lost customers not recommending it to 5 friends). Realize that obfuscation consumes both your, and your customer's valuable time, further lowering the incentive for legitimate purchases, and raising the incentive to pirate it (now you've got all your legit users trying to reverse engineer your script).. talk about unintended consequence.

Long story short, the lifetime value of a customer is way more than double the value of your software, and more than half your users will purchase anyways. They want support, they want to feel content they have the "best" software, they want to be immune from legal risk, etc.

Also let's say you sell your software for $100 and some deadbeat Microsoft employee pirates it, I'd rather be pirated by the Microsoft employee than to receive $100. My lawyer would have a field day talking about how much damages I'd be awarded.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Re: Protecting my scripts from hackers.

Post by superdezign »

If you really want to protect your code, host it as a service rather than releasing it as an application. You will have to cater to the special needs of your clients if you want to keep them, though.
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England

Re: Protecting my scripts from hackers.

Post by Peter Kelly »

Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Protecting my scripts from hackers.

Post by Weirdan »

:!: This thread was cleaned up. Stay on topic, be friendly, drink milk.
spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Re: Protecting my scripts from hackers.

Post by spedula »

Peter Kelly wrote:Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
That's [expletive deleted] brilliant!

So instead of the script containing the login credentials for MySQL, the page I have on my server will have it and the only info being passed between the two servers is the authentication code and a simple yes/no reply.

This is beyond awesome. Thank you so much for this idea, would have never come up with this myself, +1 internets for you.
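
The remote check described above (authentication code sent, yes/no returned), as an added example that is not part of any post in this thread: the server signs its answer so the client can tell a genuine reply from a faked one. The licence keys, the `serverReply`/`clientAccepts` functions and the in-memory licence table are hypothetical, and it assumes PHP 7.2+ with the sodium extension.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Needs the sodium extension (PHP 7.2+).
// Both sides run in one file so it works offline; serverReply() belongs on the vendor server.

// Constructed key pair: the secret key never leaves the vendor server,
// only the public key ships inside the distributed script.
$keypair   = sodium_crypto_sign_keypair();
$secretKey = sodium_crypto_sign_secretkey($keypair);
$publicKey = sodium_crypto_sign_publickey($keypair);

// Constructed licence table standing in for the vendor's MySQL lookup.
$licences = ['DEMO-1234-ABCD' => true, 'DEMO-0000-DEAD' => false];

// Server side: answer yes/no and sign (key, nonce, verdict, timestamp).
function serverReply(array $licences, string $secretKey, string $key, string $nonce): array
{
    $body = json_encode(['key' => $key, 'nonce' => $nonce,
                         'valid' => $licences[$key] ?? false, 'ts' => time()]);
    return ['body' => $body, 'sig' => base64_encode(sodium_crypto_sign_detached($body, $secretKey))];
}

// Client side: accept only a signed, fresh "valid" that matches our key and nonce.
function clientAccepts(array $reply, string $publicKey, string $key, string $nonce, int $maxAge = 300): bool
{
    $body = (string)($reply['body'] ?? '');
    $sig  = base64_decode((string)($reply['sig'] ?? ''), true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // malformed signature
    }
    if (!sodium_crypto_sign_verify_detached($sig, $body, $publicKey)) {
        return false; // forged or modified reply
    }
    $data = json_decode($body, true);
    return is_array($data)
        && hash_equals($nonce, (string)($data['nonce'] ?? ''))  // not a replayed answer
        && hash_equals($key, (string)($data['key'] ?? ''))      // answer is about our key
        && abs(time() - (int)($data['ts'] ?? 0)) <= $maxAge     // recent
        && ($data['valid'] ?? false) === true;
}

$nonce = bin2hex(random_bytes(16)); // fresh per check
$good  = serverReply($licences, $secretKey, 'DEMO-1234-ABCD', $nonce);
var_dump(clientAccepts($good, $publicKey, 'DEMO-1234-ABCD', $nonce)); // genuine reply

// A reply for the revoked key with "false" flipped to "true" in transit.
$bad = serverReply($licences, $secretKey, 'DEMO-0000-DEAD', $nonce);
$bad['body'] = str_replace('false', 'true', $bad['body']);
var_dump(clientAccepts($bad, $publicKey, 'DEMO-0000-DEAD', $nonce)); // tampered reply
```

Signing the reply covers a redirected or faked `valid` response and keeps the MySQL credentials on the vendor side; it does not cover someone removing the check from the distributed script itself.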
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England

Re: Protecting my scripts from hackers.

Post by Peter Kelly »

spedula wrote:
Peter Kelly wrote:Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
That's [expletive deleted] brilliant!

So instead of the script containing the login credentials for MySQL, the page I have on my server will have it and the only info being passed between the two servers is the authentication code and a simple yes/no reply.

This is beyond awesome. Thank you so much for this idea, would have never come up with this myself, +1 internets for you.
I'm glad it helps :)
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Protecting my scripts from hackers.

Post by josh »

Except IonCube still will not protect you... Just makes it more of a pain for legit users, users can still get the code, trust me. :D
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England

Re: Protecting my scripts from hackers.

Post by Peter Kelly »

josh wrote:Except IonCube still will not protect you... Just makes it more of a pain for legit users, users can still get the code, trust me. :D
Ioncube has yet to be cracked, Zendcube has though.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Protecting my scripts from hackers.

Post by josh »

The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Re: Protecting my scripts from hackers.

Post by spedula »

josh wrote:The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Jesus, that's getting way too complicated for me to understand. My main concern was script kiddies getting the script for free, lol.
Peter Kelly
Forum Contributor
Posts: 143
Joined: Fri Jan 14, 2011 5:33 pm
Location: England

Re: Protecting my scripts from hackers.

Post by Peter Kelly »

spedula wrote:
josh wrote:The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Jesus, that's getting way too complicated for me to understand. My main concern was script kiddies getting the script for free, lol.
Hehe you did ask how to protect your scripts, he's just gone a little more in-depth than lots of us understand xD