  1. #1 Zaggs (SitePoint Wizard, joined Feb 2005)

    PHP licensing system

    Hi Guys,

    I have created a licensing system for some php software that we run. However, I have found a major flaw in the scope of the code. Here's how it works:

    1) License is pulled from database on client website.
    2) The license file then queries our server to check if the license is valid and returns a response.
    3) If the license is invalid their script will not run.
    4) To prevent license calls upon every page load we think it is necessary to enter into the database (client-side) that the license has been checked for this day and is valid etc.

    The problem lies within point 4. The client can simply enter today's date into the database and the script will "think" it is valid and run.

    Is there a way to close this loophole without having to run the script on every page load?

    Thanks in advance.

  2. #2 TheRedDevil (SitePoint Wizard, joined Sep 2004, Norway)
    Encrypt the files doing the license validation, then encrypt the value in the db field that tells it's valid.

    That way, without the information from the license validation file the client cannot modify the db field with a valid value.

    Note.
    Just another piece of advice.

    Remember to encrypt the data being sent from your server to the license validation script as well. If you don't do that, all they need to do is snap up the information, then add it as default information in a basic html page. Finally they redirect your license validation domain towards that page in their hosts file and by that their license is valid forever.

    There are a lot of other steps you need to take to make certain your system is secure, but you should have enough to work with from this.

  3. #3 Zaggs (SitePoint Wizard, joined Feb 2005)
    Quote Originally Posted by TheRedDevil:
    Encrypt the files doing the license validation, then encrypt the value in the db field that tells it's valid.

    That way, without the information from the license validation file the client cannot modify the db field with a valid value.

    Note.
    Just another piece of advice.

    Remember to encrypt the data being sent from your server to the license validation script as well. If you don't do that, all they need to do is snap up the information, then add it as default information in a basic html page. Finally they redirect your license validation domain towards that page in their hosts file and by that their license is valid forever.

    There are a lot of other steps you need to take to make certain your system is secure, but you should have enough to work with from this.

    Thanks for your reply.

    I forgot to mention that the files are encrypted with ionCube (referring back to your first comment).

    What type of encryption method would you recommend for the date in the database? md5?

  4. #4 G.Schuster (<?php while(!sleep()){code();}, joined Mar 2007, Germany)
    md5 is hashing, not encrypting.
    Look into the mcrypt_*-functions.

  5. #5 Zaggs (SitePoint Wizard, joined Feb 2005)
    Quote Originally Posted by G.Schuster:
    md5 is hashing, not encrypting.
    Look into the mcrypt_*-functions.

    Hmmm, does mcrypt come compiled with PHP5 as standard? Or does it need to be installed manually? The reason I ask is that the script will be installed on PHP5 machines and if mcrypt is not installed as standard this will cause a headache as we will need to install this for clients.

  6. #6 simshaun (SitePoint Evangelist, joined Apr 2008, North Carolina)
    Download PHP and see for yourself
    http://us.php.net/get/php-5.2.8-Win32.zip/from/a/mirror
    (The answer is yes, it comes with it.)

    Not sure about earlier versions of PHP.
    It might not be enabled in php.ini either. You'll have to check that yourself.

  7. #7 Vali (SitePoint Guru, joined Jun 2006)
    You can always decrypt them and remove that code...
    OR change the server's hosts file to point to a script on the same server, when it checks for validation, that returns what your server returns when the stuff is valid.

  8. #8 Zaggs (SitePoint Wizard, joined Feb 2005)
    Quote Originally Posted by Vali:
    You can always decrypt them and remove that code...
    OR change the server's hosts file to point to a script on the same server, when it checks for validation, that returns what your server returns when the stuff is valid.

    Hmmmm ok, what would you suggest?

  9. #9 simshaun (SitePoint Evangelist, joined Apr 2008, North Carolina)
    Quote Originally Posted by Vali:
    You can always decrypt them and remove that code...
    OR change the server's hosts file to point to a script on the same server, when it checks for validation, that returns what your server returns when the stuff is valid.

    Good luck decrypting a byte-code encrypted file. If you are referring to the timestamp/codes in the database, you would need the key to decrypt them (which is contained in the byte-code encrypted file).

    As to simply pointing the other scripts to an "always-activate-me.php" file... well the only way to prevent that is to encrypt all the files.
    There really isn't a whole lot you can do to license web scripts without encrypting them. If they aren't encrypted, any smart person will be able to remove the license check.

  10. #10 Zaggs (SitePoint Wizard, joined Feb 2005)
    Quote Originally Posted by simshaun:
    Good luck decrypting a byte-code encrypted file. If you are referring to the timestamp/codes in the database, you would need the key to decrypt them (which is contained in the byte-code encrypted file).

    As to simply pointing the other scripts to an "always-activate-me.php" file... well the only way to prevent that is to encrypt all the files.
    There really isn't a whole lot you can do to license web scripts without encrypting them. If they aren't encrypted, any smart person will be able to remove the license check.

    All of the files will be encrypted with ionCube.

    If I am okay to use mcrypt_generic(), what should I use as the "key"? Should this be a hardcoded value or a random string generated by a php function?

  11. #11 simshaun (SitePoint Evangelist, joined Apr 2008, North Carolina)
    Hardcode a random value into the license check script. Keep in mind you need to use that key for both generating the license and decrypting it. You'll also be using it to encrypt/decrypt the date and any other information that decides whether their site is "activated or deactivated".

  12. #12 Zaggs (SitePoint Wizard, joined Feb 2005)
    Quote Originally Posted by simshaun:
    Hardcode a random value into the license check script. Keep in mind you need to use that key for both generating the license and decrypting it. You'll also be using it to encrypt/decrypt the date and any other information that decides whether their site is "activated or deactivated".

    Ok great! Also, I have been informed (earlier in this post) that I need to encrypt the data which is sent to our server to check the license is valid...How could that be achieved?

  13. #13 simshaun (SitePoint Evangelist, joined Apr 2008, North Carolina)
    The data sent to your server should be in its encrypted format already, so you shouldn't have to worry about that.

    Your server will handle decrypting the data, validating it, and returning a yes or no.
    In reality, you'll need to store the key on both the client's server and yours.
    In this way, you could even use asynchronous encryption, where one key is used to encrypt the license and another key is used to decrypt it.
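
    An added example (not code from the thread or from any poster) putting the two pieces of advice together in PHP: the vendor server's answer is signed over a nonce the client chose, so a stored copy of an earlier "valid" reply served from a redirected host does not verify, and the once-a-day cache record from step 4 of the first post carries an HMAC under the same secret, so a date typed into the column by hand is rejected. It uses hash_hmac (an integrity tag) instead of the mcrypt encryption discussed above, because the goal is that the client cannot forge the value, not that they cannot read it; the secret $LICENSE_KEY, the license id 'ABC-123' and the record layout are assumptions, and the key is taken to live only inside the ionCube-encoded validation file as simshaun describes.

```php
<?php
// Added example (not from the thread). Shared secret: assumed to be hard-coded
// only inside the ionCube-encoded validation file and on the vendor server.
$LICENSE_KEY = 'REPLACE-WITH-LONG-RANDOM-SECRET'; // placeholder value

// Client: ask the vendor server about this license, with a fresh nonce so the
// answer cannot be a stored copy of an earlier "valid" reply.
function build_request(string $license): array {
    return ['license' => $license, 'nonce' => bin2hex(random_bytes(16))];
}

// Vendor server: decide, then sign (status, license, nonce) with the shared key.
function server_respond(array $req, array $validLicenses, string $secret): array {
    $status  = in_array($req['license'], $validLicenses, true) ? 'valid' : 'invalid';
    $payload = $status . '|' . $req['license'] . '|' . $req['nonce'];
    return ['status' => $status, 'sig' => hash_hmac('sha256', $payload, $secret)];
}

// Client: accept only a "valid" answer whose signature covers OUR nonce.
function verify_response(array $req, array $resp, string $secret): bool {
    $payload  = $resp['status'] . '|' . $req['license'] . '|' . $req['nonce'];
    $expected = hash_hmac('sha256', $payload, $secret);
    return hash_equals($expected, (string) $resp['sig']) && $resp['status'] === 'valid';
}

// Cache record for the client DB (step 4 of the original post): the date is
// bound to the license and the secret, so "today's date" written into the
// column by hand carries no valid tag and is rejected.
function make_cache_record(string $license, string $day, string $secret): string {
    return $day . '.' . hash_hmac('sha256', "cache|$license|$day", $secret);
}

function cache_record_valid(string $record, string $license, string $today, string $secret): bool {
    $parts = explode('.', $record, 2);
    if (count($parts) !== 2 || $parts[0] !== $today) {
        return false;                       // wrong day, or no tag at all
    }
    $expected = hash_hmac('sha256', "cache|$license|$today", $secret);
    return hash_equals($expected, $parts[1]);
}

// Constructed walk-through with a made-up license id.
$req  = build_request('ABC-123');
$resp = server_respond($req, ['ABC-123'], $LICENSE_KEY);
if (verify_response($req, $resp, $LICENSE_KEY)) {
    $record = make_cache_record('ABC-123', date('Y-m-d'), $LICENSE_KEY);
    // Store $record in the client's table; later page loads call
    // cache_record_valid($record, 'ABC-123', date('Y-m-d'), $LICENSE_KEY)
    // and only contact the vendor server again when that returns false.
}
```

    Nothing here stops someone who can read the secret out of the validation file; that is exactly why the thread ties the scheme to ionCube encoding of that file.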

