Protecting my scripts from hackers.
Posted: Fri Jan 07, 2011 4:31 pm
by spedula
Okay, I'm working on a script that I plan on releasing commercially. Either subscription based or flat fee.
My issue with this: how can I keep my script from being hacked/pirated?
I know encryption is the best bet here, but what else can be done to ensure that my licence check function doesn't get tampered with?
Also, the script will be remote connecting to my DB. How can I keep that info private?
Re: Protecting my scripts from hackers.
Posted: Tue Jan 11, 2011 6:17 am
by social_experiment
spedula wrote: My issue with this: how can I keep my script from being hacked/pirated?
On the piracy issue, have the application require a registration key (and connection to your database for authentication). If it's bought by someone you can hope that maybe they have some morality and won't give away their key (and application).
spedula wrote: Also, the script will be remote connecting to my DB. How can I keep that info private?
You mention encryption. Encrypt the information in your database.
Re: Protecting my scripts from hackers.
Posted: Wed Jan 12, 2011 8:45 pm
by spedula
social_experiment wrote: You mention encryption. Encrypt the information in your database.
It's not the data in the database I'm worried about so much as my database login credentials that will be in the script.
Re: Protecting my scripts from hackers.
Posted: Thu Jan 13, 2011 3:50 pm
by josh
spedula, to answer your question, you cannot prevent but you can deter. The general consensus among experienced developers is to not even try.
For example check out this thread, where I recently tried to help someone. They bought a script from a developer like you who thought it would be wise to lock out his own users. Due to that people are telling him to get a refund, and he is also unable to use the script, therefore unlikely to give a word of mouth recommendation.
So let's say 50% of your users pirate your software, but out of those pirates 20% recommend it to 5 friends, and on average 1 of those friends purchases.
1,000 users X $100 per license = $100,000 revenue
50% piracy = $50,000 loss & 200 people telling 5 friends = 1,000 new people find out. With a 1/5 close rate that's 200 sales, so you only technically lose 800 sales for every 1,000 pirates.
Then factor in your time to obscure the code, and also factor in the potential harm it could do to your reputation, consider the fact more experienced developers could easily clone your script but purchase it to save time and realize that depending on your market the majority of the users could feel this way (and then furthermore factor in lost sales due to these lost customers not recommending it to 5 friends). Realize that obfuscation consumes both your, and your customer's valuable time, further lowering the incentive for legitimate purchases, and raising the incentive to pirate it (now you've got all your legit users trying to reverse engineer your script)... talk about unintended consequence.
Long story short, the lifetime value of a customer is way more than double the value of your software, and more than half your users will purchase anyways. They want support, they want to feel content they have the "best" software, they want to be immune from legal risk, etc.
Also let's say you sell your software for $100 and some deadbeat Microsoft employee pirates it, I'd rather be pirated by the Microsoft employee than to receive $100. My lawyer would have a field day talking about how much damages I'd be awarded.
Re: Protecting my scripts from hackers.
Posted: Fri Jan 14, 2011 10:14 am
by superdezign
If you really want to protect your code, host it as a service rather than releasing it as an application. You will have to cater to the special needs of your clients if you want to keep them, though.
Re: Protecting my scripts from hackers.
Posted: Tue Jan 18, 2011 5:34 am
by Peter Kelly
Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
Re: Protecting my scripts from hackers.
Posted: Sat Jan 22, 2011 10:34 am
by Weirdan

This thread was cleaned up. Stay on topic, be friendly, drink milk.
Re: Protecting my scripts from hackers.
Posted: Sat Jan 22, 2011 11:32 am
by spedula
Peter Kelly wrote: Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
That's [expletive deleted] brilliant!
So instead of the script containing the login credentials for mySQL, the page I have on my server will have it and the only info being passed between the two servers is the authentication code and a simple yes/no reply.
This is beyond awesome. Thank you so much for this idea, would have never come up with this myself, +1 internets for you.
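The design spedula settles on above (credentials stay on the vendor's server, the script sends only a key and gets a yes/no back), sketched as an added example that is not part of the original posts. It assumes PHP with the OpenSSL extension and signs the reply so the shipped script can tell a genuine answer from a stand-in page; the function names, sample keys and five-minute expiry are hypothetical.

```php
<?php
// Added illustration, not code from the thread; every name here is hypothetical.

// Vendor side: runs on your server, so the MySQL credentials never ship.
// Constructed sample rows standing in for the licence table.
const LICENCES = ['ABCD-1234' => 'active', 'EFGH-5678' => 'revoked'];

function licence_server(string $key, string $nonce, $privateKey): array
{
    $valid = (LICENCES[$key] ?? null) === 'active';
    // Sign the verdict together with the caller's nonce and an expiry, so a
    // canned "valid" page or a replayed old reply fails verification.
    $body = json_encode(['valid' => $valid, 'nonce' => $nonce, 'exp' => time() + 300]);
    openssl_sign($body, $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return ['body' => $body, 'sig' => base64_encode($sig)];
}

// Customer side: the shipped script holds only the vendor's PUBLIC key.
function licence_ok(array $reply, string $nonce, string $publicKeyPem): bool
{
    $body = $reply['body'] ?? null;
    $sig  = base64_decode((string)($reply['sig'] ?? ''), true);
    if (!is_string($body) || $sig === false) {
        return false;                       // malformed reply
    }
    if (openssl_verify($body, $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return false;                       // forged or altered reply
    }
    $claims = json_decode($body, true);
    return is_array($claims)
        && hash_equals($nonce, (string)($claims['nonce'] ?? ''))
        && (int)($claims['exp'] ?? 0) >= time()
        && ($claims['valid'] ?? false) === true;
}

// Demo with a throwaway key pair; in practice the reply travels over HTTPS.
$pair  = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub   = openssl_pkey_get_details($pair)['key'];
$nonce = bin2hex(random_bytes(16));
$good  = licence_server('ABCD-1234', $nonce, $pair);
var_dump(licence_ok($good, $nonce, $pub));                     // genuine reply
$spoof = ['body' => json_encode(['valid' => true, 'nonce' => $nonce, 'exp' => time() + 300]),
          'sig'  => base64_encode('not a signature')];
var_dump(licence_ok($spoof, $nonce, $pub));                    // stand-in server
var_dump(licence_ok($good, bin2hex(random_bytes(16)), $pub));  // old reply, new nonce
var_dump(licence_ok(licence_server('EFGH-5678', $nonce, $pair), $nonce, $pub)); // revoked key
```

As josh says elsewhere in the thread, this deters rather than prevents: the check itself still lives in code the customer holds.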
Re: Protecting my scripts from hackers.
Posted: Sat Jan 22, 2011 2:31 pm
by Peter Kelly
spedula wrote: Peter Kelly wrote: Maybe use IonCube and put the license script and the database details in a file which is needed in order for the script to work so they can't just get rid of the file or the script will break. But for a license script can you not just ping say your site and then get the page on your site to do the check and depending on what it says echo like valid or invalid and then check what the text says on the script and disable the script depending on the text?
That's [expletive deleted] brilliant!
So instead of the script containing the login credentials for mySQL, the page I have on my server will have it and the only info being passed between the two servers is the authentication code and a simple yes/no reply.
This is beyond awesome. Thank you so much for this idea, would have never come up with this myself, +1 internets for you.
I'm glad it helps

Re: Protecting my scripts from hackers.
Posted: Sat Jan 22, 2011 7:33 pm
by josh
Except IonCube still will not protect you... Just makes it more of a pain for legit users, users can still get the code, trust me.

Re: Protecting my scripts from hackers.
Posted: Wed Feb 02, 2011 7:11 am
by Peter Kelly
josh wrote: Except IonCube still will not protect you... Just makes it more of a pain for legit users, users can still get the code, trust me.

Ioncube has yet to be cracked, Zendcube has though.
Re: Protecting my scripts from hackers.
Posted: Thu Feb 03, 2011 4:33 pm
by josh
The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Re: Protecting my scripts from hackers.
Posted: Thu Feb 03, 2011 6:43 pm
by spedula
josh wrote: The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Jesus, that's getting way too complicated for me to understand. My main concern was script kiddies getting the script for free, lol.
Re: Protecting my scripts from hackers.
Posted: Fri Feb 04, 2011 1:36 am
by Peter Kelly
spedula wrote: josh wrote: The byte codes are still in memory and susceptible to being read out by a hacker. They can then essentially convert that back to the original script just with function & variable names swapped out. If you were using a byte code cache the byte codes could optionally be read from the byte code cache's persistence rather than trying to read out PHP's memory.
Jesus, that's getting way too complicated for me to understand. My main concern was script kiddies getting the script for free, lol.
Hehe you did ask how to protect your scripts, he's just gone a little more in-depth than lots of us understand xD