Hi. I have created a small PHP application for a client and I am supposed to give them all source code for a local machine (and not a server). Is there any way to secure the files? As they are not on any server, how can I track if the files are given to someone else? I searched forums and I found links for obfuscation/encryption tools like Zend Guard. But it is very costly. What is the best way to achieve this?
IonCube have an online encoder that’s not too expensive to use. They’ll need to install the loader to decode the files at runtime.
Encoder: http://www.ioncube.com/online_encoder.php
Loader: http://www.ioncube.com/loaders.php
I think you should first ask yourself, is this small little script really worth the cost to encrypt it? Does it contain some uber unique trade secrets of yours? Some uber unique process that competition would want or other people would need/want?
My own opinion on that matter, don’t bother. Encrypting the source code of your PHP scripts is a waste of resources.
If you are obliged to give the code to the client, why would you want to encrypt or obfuscate it? Surely, the reason the client wants the code is so that they can maintain it and continue using it if you’re not available. Rather than obfuscating it, you should be doing whatever is necessary to make the code easy to understand so that your client can enjoy the benefit of it.
Mike
Well, I have never used encryption or obfuscation before. And it is true that the expenses are a waste of resources. I don't mind if my client sees the source code. But I don't want him to redistribute it either. Is there any other way? Will tracing the IP work on sharing? I am really not sure about it.
You can build a ‘call home’ feature when the script is run which will give you some idea if the script is running on just one network, or more. Given that the customer most likely won’t understand the code this would likely work, but if given to someone that understands code then it is easily circumvented.
If you already agreed to give them source code and already wrote an application then just give them source code.
If you still have not agreed or still have a choice, then just call it off and don’t give them any source if this bothers you so much.
Can you please elaborate on what a ‘call home’ feature is exactly? I am concerned just because it's offline, and if he copies the files and database he can easily give it to someone else.
You can check this out http://www.zend.com/en/products/guard/ , but can be pretty expensive.
I come back to the point I made earlier. If you agreed to give the client the source code, then you must give them clear, unobfuscated source code that they can easily understand and use. That’s the whole point.
Mike
Yes, I don't mind giving unobfuscated source code to the client. But the thing is I don't want him to copy the code, export the database and sell it to someone else. The thing is I have given code to many people before, but it was an online project so I wasn't worried. But in this case I need to add some feature where he can work with it but cannot redistribute my work. One more thing. It is a small application and I don't want to pay anything for protecting it. I hope I made it clear.
Why are you concerned the client would give your code to someone else? Is your little script that unique and that special that everyone in the world wants it? Yet you do not want to pay anything to protect it? That to me says it is worthless. In that case you should just stop being concerned and paranoid about it.
Then you should have agreed that with the client in the first place.
If you didn’t do that, you should discuss it with the client now, and ask them to agree not to re-sell it. If they don’t agree, that’s your problem, not the client’s. Put it down to experience, and don’t make the same mistake next time.
In any case, encrypting or obfuscating the source code is definitely not the answer.
Mike
Like I said this can take on several different forms like:
1. Having the application get a ‘verify’ key using a JSON service and JSONP; I have used this technique for other types of site-to-site data communication; however it could also be used to accept a key once but not twice.
2. Although I have never used this approach some people use file_get_contents() - see http://stackoverflow.com/questions/5657873/php-cms-call-home-function-of-sorts-on-install
3. There are ‘license key’ classes out there. A long time ago when I did this type of functionality, I wrote my own, so I didn’t look at the quality of something like this PADL class: http://www.phpclasses.org/package/2298-PHP-Generate-PHP-application-license-keys.html#description

If you were to go this route this could be set to allow only one instance of your code with a key to register and run; without it the application code would not run - this also means that the application would not run unless connected to the Internet. Even if your client unlawfully redistributes this code then it could only be run by the first party that starts the application code.
You could also ensure that your client is aware of the rules of use governing your code. You could develop a license that they have to sign when taking possession of the code. Ensure at this time you review the ‘Important’ facts of the license just prior to them signing it. It then has to be a purposeful violation of your license if they redistribute without your consent.
Steve
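The "accept a key once but not twice" idea from the post above, sketched for the home server as an added example that is not part of the original thread or of PADL. The table layout, the `install_id` value and the sample key are assumptions made for illustration.

```php
<?php
// Added example: "activate once" logic for a call-home licence server.
// Table, column names and the sample key are assumptions for illustration.
function activate(PDO $db, string $licenseKey, string $installId): string
{
    // Atomically claim the key only if no installation has claimed it yet.
    $claim = $db->prepare(
        'UPDATE licenses SET install_id = :id, activated_at = :now
          WHERE license_key = :key AND install_id IS NULL'
    );
    $claim->execute([':id' => $installId, ':now' => time(), ':key' => $licenseKey]);
    if ($claim->rowCount() === 1) {
        return 'ACTIVATED';           // first installation to call home
    }
    // Nothing was claimed: the key is unknown or already bound.
    $find = $db->prepare('SELECT install_id FROM licenses WHERE license_key = :key');
    $find->execute([':key' => $licenseKey]);
    $owner = $find->fetchColumn();
    if ($owner === false) {
        return 'UNKNOWN_KEY';
    }
    // The same installation checking in again is fine; a different one is refused.
    return hash_equals((string) $owner, $installId) ? 'OK' : 'ALREADY_USED';
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE licenses (
    license_key TEXT PRIMARY KEY, install_id TEXT, activated_at INTEGER)');
$db->exec("INSERT INTO licenses (license_key) VALUES ('DEMO-KEY-0001')");

$original = bin2hex(random_bytes(16));  // ID reported by the first installation
$copy     = bin2hex(random_bytes(16));  // ID reported by a second installation

foreach ([['DEMO-KEY-0001', $original], ['DEMO-KEY-0001', $original],
          ['DEMO-KEY-0001', $copy], ['NO-SUCH-KEY', $copy]] as [$key, $id]) {
    printf("%-14s %s\n", $key, activate($db, $key, $id));
}
```

The single conditional UPDATE is what prevents two installations from claiming the same key at the same moment. An ID kept in a plain file travels with a copied installation, so it only separates copies if it is derived from something tied to the machine.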
Thanks a lot for your valuable reply, ServerStorm. I guess this will help.
I have downloaded the PADL class from PHP Classes. But there is no documentation available on how to use it. If you have used such kinds of classes earlier, can you please tell me how to use it or where to start from? Is any script supposed to be put on every page?
I am not sure what files you downloaded, but I downloaded the tar.gz bundle and it had many examples and well documented code; although not web based documentation like you may be more familiar with.
To get to the examples do:
1. go to and open your extracted padl-2005-06-22 folder
2. go to and open the app folder
3. you will see the ‘example.callhome.php’ file, I think this may be the one that you want although obviously it is up to you. The example.oninstall.php may also be of interest.
4. Open these php files and see how the object is instantiated and used; it is well documented with helpful comments.

Regards,
Steve
Yes, I have gone through the files you have mentioned. So am I supposed to use the classes given there? And how will the code run in my application? Do I need to add the code in all pages? Sorry to bother you, but I have never used such classes before.
Those files are examples of how to use the class for different things, like the ‘example.callhome.php’ file. So you simply use these examples as guides on how to do the same thing in your script.
If you have one central place like a controller (where the application routes people to index.php and other pages) then you would only need to include the class and implement it like in the examples. Otherwise if you don’t have a centralized structure then you will need to put this on each of your pages.
It is hard to give you specific examples because I don’t know anything about how your application is designed and what the current code base looks like. I understand also that you do not want to publish this as you feel it is proprietary. So you will need to do your best in including a class.
Typically including and using a class goes something like this:
require_once('ColourMe.php'); // include the class
require_once('Pdo.php'); // include the database class
/* Instantiate the PDO Database class. We will use this to
   query the database to get our list of colours */
$o_Pdo = new Pdo();
/* Instantiate the ColourMe class. We will use this
   to return colours */
$o_ColourMe = new ColourMe($o_Pdo);
/* Use the methods of a class */
/* pass a colour by name; the object returns the hexadecimal or RGB values */
$background_red = $o_ColourMe->getColour('dark red', 'rgb'); // return rgb value
$paragraph_border_colour = $o_ColourMe->getColour('medium grey', 'hex'); // return hexadecimal value
You can see by this very basic example I needed to:
1. require the class
2. instantiate the class
3. furthermore the class has a dependency (the database object) so I need to create the Pdo object first so that I could satisfy $o_ColourMe’s dependency.
4. Using the methods of the class also required dependencies; the colour as a string, and the return type as a string of either ‘rgb’ or ‘hex’
5. So objects can have dependencies and you need to fulfill the dependencies before the object will function properly.

The PADL class also has dependencies, so in whatever pages you decide to integrate the license code you will need:
# copy the server vars (important for security, see note below)
$server_array = $_SERVER;
# include the classes
require_once('../shared/class.license.lib.php'); // You will likely have to adjust the paths to match
require_once('class.license.app.php');
# initialise the class with mcrypt off to maximise compatibility with servers
$application = new license_application('license.supplied.dat', false, true, false, true);
# set the server vars
$application->set_server_vars($server_array);
On your server you would need to create a MySQL database. The PADL folder has a file called db.mysql.sql. This script contains the tables that you need to create. I don’t know how you work with MySQL but you could import or run these in PHPMyAdmin or MySQL workbench.
In your home MySQL server you would need to generate a key for the applications. This is stored as the LICENSE_KEY in the licenses table.
In his call home example he has the following setup. If you want to do this then you will need to emulate this: it has a form set up on the home server that is used to validate the client's license with the info in the MySQL db. In the example he is calling the validate method on your home server using this line:
$set_data = $application->validate(false, true, 'www.buggedcom.co.uk', 'http://www.buggedcom.co.uk/distributionlicense/files/server/demo.receive.license.php');
This validate method validates the server key and returns a data array ‘RESULT’:
/**
 * validate
 *
 * validates the server key and returns a data array.
 *
 * @access public
 * @return array Main object in array is 'RESULT', it contains the result
 *               of the validation.
 *   OK            - key is valid
 *   CORRUPT       - key has been tampered with
 *   TMINUS        - the key is being used before the valid start date
 *   EXPIRED       - the key has expired
 *   ILLEGAL       - the key is not on the same server the license was registered to
 *   ILLEGAL_LOCAL - the key is not allowed to be installed on a local machine
 *   INVALID       - the encryption key used to encrypt the key differs or the key is not complete
 *   EMPTY         - the key is empty
 *   404           - the key is missing
 */
function validate($str=false, $dialhome=false, $dialhost="", $dialpath="", $dialport="80")
If you open class.license.app.php you will get a much better idea of what the validate and call home scripts are doing.
You will use the class.license.gen.php to create your licenses. Again open this class and read through the comments.
In this readme he also states:
The demo folder contains a demo single file application, you should note that both the app folder and server also contain separate demo files. The App folder contains the classes that would be required by the application using this class. And the Server folder contains the class that would be used by your license server setup.
The additional folder, Shared, contains the main distributionLicense class and is needed by both the app and server classes. The demo files should explain the new setup.
If this is your first time working with classes this may be too much. But hopefully this gets you going.
Regards,
Steve
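How a license check that returns status codes like the RESULT values in the PADL docblock above can work, as an added example that is not PADL's code and not part of the original thread. It swaps PADL's own key format for an Ed25519-signed JSON payload using PHP's sodium extension; the field names, hostnames and timestamps are constructed for illustration.

```php
<?php
// Added example: offline check of a vendor-signed licence (needs ext-sodium).
// Field names and sample values are assumptions; the status strings reuse
// the RESULT codes listed in the PADL docblock above.
function validate_license(string $blob, string $publicKey, string $host, int $now): string
{
    if ($blob === '') {
        return 'EMPTY';
    }
    $parts   = explode('.', $blob);
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1] ?? '', true);
    if (count($parts) !== 2 || $payload === false || $sig === false
        || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return 'INVALID';             // not a complete licence
    }
    // Verify the signature before trusting any field in the payload.
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return 'CORRUPT';             // payload was altered after signing
    }
    $lic = json_decode($payload, true);
    if (!is_array($lic) || !is_string($lic['host'] ?? null)
        || !is_int($lic['start'] ?? null) || !is_int($lic['expires'] ?? null)) {
        return 'INVALID';
    }
    if ($now < $lic['start']) {
        return 'TMINUS';              // used before the valid start date
    }
    if ($now > $lic['expires']) {
        return 'EXPIRED';
    }
    return hash_equals($lic['host'], $host) ? 'OK' : 'ILLEGAL';
}

// Constructed demo: the vendor signs, the delivered application verifies.
$pair   = sodium_crypto_sign_keypair();
$secret = sodium_crypto_sign_secretkey($pair);   // never leaves the vendor
$public = sodium_crypto_sign_publickey($pair);   // embedded in the application
$sign   = fn(string $json): string => base64_encode($json) . '.'
    . base64_encode(sodium_crypto_sign_detached($json, $secret));

$json   = json_encode(['host' => 'client.example', 'start' => 1700000000, 'expires' => 1900000000]);
$blob   = $sign($json);
$forged = base64_encode(str_replace('1900000000', '2900000000', $json))
    . '.' . explode('.', $blob)[1];              // edited expiry, old signature

foreach ([[$blob, 'client.example'], [$blob, 'other.example'], [$forged, 'client.example'], ['', 'client.example']] as [$lic, $host]) {
    echo validate_license($lic, $public, $host, 1800000000), "\n";
}
```

Because only the public key ships with the application, a recipient cannot mint or edit licenses. As noted earlier in the thread, someone who can edit the PHP source can still remove the check itself.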