Selling PHP apps - how to secure your code??? - CodingForum

  • Selling PHP apps - how to secure your code???

    Over the past year or so I've developed some decent PHP apps that I'd like to begin selling to small businesses. I'd like to secure the code in some manner such that the company I sell to cannot simply copy and paste the code and resell it as theirs. I've heard that you can compile PHP into a binary. This would seem to be the way to go.

    Has anybody had experience selling a php app? How do you secure your code? Or do you not worry about that and just make a user agreement that says they can't modify / re-distribute the code?

    Thanks
    Create accessible online surveys -::- Koobten.com - compare netbook prices and reviews -::- Affordable, reliable hosting for less than $20 per year
    Zend Certified Engineer


  • #2
    Never used it, but this would probably be your best bet:
    http://www.zend.com/store/products/z...uard-suite.php

    Other option: include a small image in one of the pages that is stored on your own webspace somewhere, and then check your logfiles to see from which servers the image was requested. Chances are they won't examine your code well enough to find the include...
    Posting guidelines I use to see if I will spend time to answer your question : http://www.catb.org/~esr/faqs/smart-questions.html



    • #3
      bcarl, I'm in exactly the same situation as you are, and I've been pondering this for some time. The Zend Encoder and Safeguard Suite are quite expensive if your customer base isn't that great or the revenue is not that big. I'm currently looking at the ionCube encoder (http://www.ioncube.com/sa_encoder.php); their product has a more reasonable price. It requires the dynamic loading or installing of a runtime extension. I don't know if this could get hairy; I have no experience with this tool yet.

      Regarding the user agreement: Whether or not your files are encoded, it's a good measure to force the client to sign/accept the license, and that ensures that you can sue them if they violate that contract.

      IANAL, but the tiny image hack won't be as much protection as it seems. It's just a reminder of who's using your app from where, and once you contact those who don't abide by the contract, they'll hunt down/remove the code and pretend they have no idea what you're saying. After all, the referer header can be spoofed far too easily.
      De gustibus non est disputandum.
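      The log check that #2 suggests, and the weakness #3 points out, as an added example that is not part of either post: a small PHP script that reads combined-format web server log lines, keeps only the requests for the embedded tracking image, and tallies them by the host named in the Referer header. The beacon path `/img/spacer.gif`, the `parse_combined_line()` and `beacon_hits()` functions and the sample log lines are all constructed for this example; the thread specifies none of them.

```php
<?php
// Added example, not code from the thread: list which sites loaded the
// "tracking image" from post #2 by scanning the vendor's own access log.
// The beacon path and the log lines below are constructed assumptions.
declare(strict_types=1);

const BEACON_PATH = '/img/spacer.gif';   // assumed location of the embedded image

// Constructed sample lines in Apache "combined" log format.
function sample_log(): string
{
    return <<<'LOG'
203.0.113.5 - - [11/Feb/2004:08:45:01 +0000] "GET /img/spacer.gif HTTP/1.1" 200 43 "http://shop.example.com/admin/index.php" "Mozilla/4.0"
203.0.113.5 - - [11/Feb/2004:08:45:02 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/4.0"
198.51.100.9 - - [11/Feb/2004:09:10:11 +0000] "GET /img/spacer.gif HTTP/1.1" 200 43 "http://copy.example.net/app/list.php" "Mozilla/4.0"
198.51.100.9 - - [11/Feb/2004:09:10:12 +0000] "GET /img/spacer.gif HTTP/1.1" 304 0 "-" "Mozilla/4.0"
LOG;
}

// Split one combined-format line into its fields; null when it does not parse.
function parse_combined_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

// Count beacon requests per referring host. Lines with no Referer are grouped
// under the client IP instead, because the referer is the only field that
// names the site; as #3 notes, that header is client-supplied and can be
// blanked or forged, so this is an indicator, not proof of who runs the app.
function beacon_hits(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $entry = parse_combined_line($line);
        if ($entry === null || $entry['path'] !== BEACON_PATH) {
            continue;
        }
        $host = parse_url($entry['referer'], PHP_URL_HOST);
        $key  = is_string($host) ? $host : 'no-referer:' . $entry['ip'];
        $hits[$key] = ($hits[$key] ?? 0) + 1;
    }
    arsort($hits);
    return $hits;
}

if (PHP_SAPI === 'cli') {
    foreach (beacon_hits(sample_log()) as $site => $count) {
        printf("%-32s %d\n", $site, $count);
    }
}
```

      Run it from the command line against the built-in sample, or replace `sample_log()` with `file_get_contents()` of a real access log. Only hits on the beacon path are counted, so ordinary page views on the vendor's own site do not pollute the tally.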



      • #4
        Thanks Mordred, quite interesting. Zend is about $1000. That's pretty darn pricey if you ask me, but I suppose if you can sell something for $300 or so, you should make that up quickly enough.

        I'm also hearing about something called MMCache. Anybody know about that?

        I'm not a top level programmer (yet) but I think the apps I'm going to sell could go for anywhere from $15 to $30 so obviously $1000 is a bit too steep for me. The ionCube at about $200 is looking better, but I'm still wondering if there's anything out there for less.



        • #5
          Originally posted by bcarl314
          I'm also hearing about something called MMCache. Anybody know about that?
          I suppose you mean Turck MMCache
          http://turck-mmcache.sourceforge.net/
          webinterface class for it:
          http://www.phpclasses.org/browse/package/1226.html
          checked it out a few months back but didn't use it because in the end, i think that compiling your code in order to avoid illegal distribution isn't really the best move for a starting business, precisely because getting your code widely distributed (whether you earn a buck off it or not) is a key factor in getting some ground on the software market (Microsoft would never have become mainstream if it would not have been massively copied).

          I think there is more money to gain in offering support, customization, adding additional features on demand and the contracts you get from the free publicity of your tools, than from trying to only sell licensed packages...



          • #6
            Hm raf, but Microsoft's software was compiled and did not ship with its sources attached, did it? But with every unencoded PHP script you give the source away. Encoding the script is not so much about controlling distribution, but rather securing your intellectual property that went into the development of the app.

            There may be different reasons to encode a script. You don't want your client tinkering with the script, and once he breaks everything, to put the blame on you and demand bugfixes. If he doesn't have access to the source that's not so likely to happen.



            • #7
              At the risk of getting off topic...
              Originally posted by mordred
              Hm raf, but Microsoft's software was compiled and did not ship with its sources attached, did it? But with every unencoded PHP script you give the source away.
              My point was that you should not build in any restrictions concerning your script's distribution, even if you don't directly benefit from a wide distribution. Because the indirect benefits can be considerably bigger.

              If MS would have undertaken a strict policy/distribution method so that you could only use each package on 1 machine, then it never would have been so successful.
              Take a look at mySQL and you'll see where they gain their money ...

              Originally posted by mordred
              Encoding the script is not so much about controlling distribution, but rather securing your intellectual property that went into the development of the app.
              Euh. But i don't see anything in this thread that suggests that that is the reason why bcarl314 wants to encode it.
              I may be reading it wrong, but i interpret it as: 'how can i prevent people from reselling my code'. And my position on it is that it is not desirable to do so.
              Whether it is your intellectual property is also completely something else. It's not because you wrote something, that it could be considered as your intellectual property...
              And it's not because it isn't encoded and easy to modify/copy, that it is less protected as intellectual property. And I don't at all understand your argument there since the ease to copy/modify something has nothing to do with your property rights.
              Registration rules are getting looser and looser, as you probably know, and you might actually be breaking quite some patents with your own product. Did you check?
              I wonder whether any of the code you and bcarl314 are planning to distribute uses 3rd party software like mySQL that can not be included in a commercial product without you getting a license from mySQL ...
              And why would a company not be able to resell an encoded package? Including a check so that it can only run on one machine/for one IP might not be legal, since the user buys the rights to use that package for his own use. Like you buy the rights to listen to a CD for personal use regardless of the machine you play it on. So you might get sued if you prevent the user from freely migrating the package between his machines (as now happens for record companies who sold CDs that can only be played on certain CD players and not on CD-ROMs).
              So you would be forced to ship a hardware key with each package so that it can be installed on all his machines, but can only be used on one machine at a time.

              I'm not a lawyer, but if you want to get to the bottom of this, then you might find that all this protection of 'your' intellectual property and making money from your proprietary rights might not be as simple. In fact, the only way to do so might be to get it patented, get it freely distributed hoping that a big company will use it without respecting/knowing that it is patented, and then go after them.
              Originally posted by mordred
              There may be different reasons to encode a script. You don't want your client tinkering with the script, and once he breaks everything, to put the blame on you and demand bugfixes. If he doesn't have access to the source that's not so likely to happen.
              Very true. This can indeed solve some of the blame issues.
              But if a package that you charge $100 for doesn't work, then it might cost you $1000 (mainly in hours) to fix it and distribute the fixes etc. If it's a non-compiled/non-encoded package that is distributed 'as is, and customize/improve it as you see fit', then there are fewer strings attached.
              And if you keep a backup of the code (just put it on a CD-ROM and snail-mail it to yourself to get a closed, datestamped envelope), then it's easy to demonstrate which is the original code and whether it is buggy or not... It's my personal experience that users don't like unalterable, closed blackbox tools.

              Anyway, just my 2 cents.
              Last edited by raf; Feb 11, 2004, 08:45 AM.



              • #8
                The reasons I would like to secure my code are exactly as mordred mentioned: 1) To protect my work, and 2) To offer support and 3) stop others from reselling. As mordred mentioned (and this has happened to me before) if you let the client tinker with the source code, and they break it, sometimes they'll try to claim it's a bug in your software and either 1) ask for a refund or 2) demand that you fix it free of charge.

                One client I had actually tried to reinstall some scripts I set up which ended up resetting a few files like my globals.php and dbConn.php along with others which have default values / constants which I usually change when installing for the client. Of course they didn't tell me this and I had to figure out what was wrong and started from the assumption that it was my code (which they claimed up and down it was) rather than thinking about what they might have done. It only took about a couple of hours to find out they reinstalled the files (didn't even come to mind at first) but those were non-billable hours, which I like to avoid whenever possible.

                Actually, that incident is the reason I started looking into pre-compiling / source restriction on my code.
                Last edited by bcarl314; Feb 11, 2004, 08:53 AM.



                • #9
                  Originally posted by raf
                  Including a check so that it can only run on one machine/for one IP might not be legal, since the user buys the rights to use that package for his own use. Like you buy the rights to listen to a CD for personal use regardless of the machine you play it on. So you might get sued if you prevent the user from freely migrating the package between his machines (as now happens for record companies who sold CDs that can only be played on certain CD players and not on CD-ROMs).
                  I think the problem with CD restrictions is that the RIAA / CD thugs are not up front about that practice. There are fair use clauses in copyright law, but my understanding is that those all relate to "personal use", not professional use. Not that I plan on restricting the install to one machine, and IANAL, but I don't think it's illegal to do so.



                  • #10
                    Originally posted by raf
                    My point was that you should not build in any restrictions concerning your script's distribution, even if you don't directly benefit from a wide distribution. Because the indirect benefits can be considerably bigger.
                    You can only benefit indirectly from a wider distribution if the user can still identify you with the product. Let's say that my logo is somewhere in the user interface, and links to my website. Wide distribution is fully ok in this case; the app will generate traffic and possibly some benefit. But then there is EvilCompany, which takes my code, rips out the logo, replaces it with theirs and a link to their site, and distributes it. How do I get any benefit from a ripped product like that?

                    Take a look at mySQL and you'll see where they gain their money ...
                    If I decide to look at how Oracle gains its money instead, what does that tell me then? I don't question the open source business model, but I don't think it can be applied to every possible situation, and pointing to MySQL does not help me much in this decision.

                    Euh. But i don't see anything in this thread that suggests that that is the reason why bcarl314 wants to encode it.
                    I may be reading it wrong, but i interpret it as: 'how can i prevent people from reselling my code'. And my position on it is that it is not desirable to do so.
                    I read it slightly different, as shown above. Perhaps it would make sense to distinguish between the app itself, and the source code used to produce it. There could be much more value in the code than in the app for some companies, yet they might only be willing to pay the low price for the app.

                    As an example, I might employ my own MVC framework in this app. It could have taken 100 hours to complete it. A company who buys the app which actually is for something else, but makes use of the framework, for say, 10 Euro, and has the source attached and also does web application development, would have the whole MVC framework at their hands. The license would not permit them to use it, but... what if they do anyway, how do I get hold on such an abuse, especially when the code they produce is not accessible to me? This MVC framework would be what I described as "intellectual property". Compiling the source would secure the code itself much more, as it makes the effort to obtain the raw code much much harder.

                    Whether it is your intellectual property is also completely something else. It's not because you wrote something, that it could be considered as your intellectual property...
                    Whose else? Surely it isn't trademarked or patented, but it's still my work, what I have done with my brain and hands. If the "intellectual" part should be the problem, I did not mean that if I wrote a guestbook code, I've had the right to demand licenses from all other guestbook coders. I meant that I had to invest time for thinking, research, writing concepts etc.

                    And it's not because it isn't encoded and easy to modify/copy, that it is less protected as intellectual property. And I don't at all understand your argument there since the ease to copy/modify something has nothing to do with your property rights.
                    ACK. Legally the protection is the same, but practically it's not.

                    Registration rules are getting looser and looser, as you probably know, and you might actually be breaking quite some patents with your own product. Did you check?
                    Nope, I didn't. I don't consider my code so magnificent that it might conflict with a serious patent.

                    I wonder whether any of the code you and bcarl314 are planning to distribute uses 3rd party software like mySQL that can not be included in a commercial product without you getting a license from mySQL ...
                    No again, I don't distribute MySQL with my app. What does this have to do with the original question about securing the source code of a PHP app?

                    And why would a company not be able to resell an encoded package? Including a check so that it can only run on one machine/for one IP might not be legal, since the user buys the rights to use that package for his own use.
                    Way off. The user's rights are defined in the contract the user signs when he buys the product. Of course within the boundaries defined by customer and commerce laws. Look at any pricing scheme of enterprise CMS and you see many restrictions on how many machines it can be run simultaneously.

                    Like you buy the rights to listen to a CD for personal use regardless of the machine you play it on. So you might get sued if you prevent the user from freely migrating the package between his machines (as now happens for record companies who sold CDs that can only be played on certain CD players and not on CD-ROMs).
                    Things seem to be different here in Germany. People get sued because they circumvented CD protection schemes to make them run on CD-ROMs, and distributed the programs to do that.

                    But if a package that you charge $100 for doesn't work, then it might cost you $1000 (mainly in hours) to fix it and distribute the fixes etc. If it's a non-compiled/non-encoded package that is distributed 'as is, and customize/improve it as you see fit', then there are fewer strings attached.
                    You mix up two kinds of distribution models. If you sell someone an app, and it does not work, the customer might demand fixes if he paid you to develop the app, or he can give it back and get a refund. Just like when he buys a fridge. If you distribute something "as is", that sounds as if it's open source, and the "as is" clause is often included to prevent lawsuits.

                    It's my personal experience that users don't like unalterable, closed blackbox, tools.
                    Users? You mean developers, yes. Look at any commercial computer game and tell me again that users generally don't like unalterable tools.



                    • #11
                      I am on both sides of this fence and agree mostly with all the arguments above.

                      However, I must say that I for one would not dream of purchasing a compiled/encoded PHP script unless that script had a very, very good pedigree, eg if phpmyadmin were to release a compiled commercial version I would consider its purchase, but no way in the world would I part with any $ for say phpbb with its chequered past if I were not able to look inside and poke around myself.

                      It's also true to say that your scripts will be copied and shared regardless of their compilation or otherwise if they are interesting enough; only some restrictive form of activation could protect against that & I don't think anyone much likes that type of arrangement?

                      & Check the Zend site again, I am sure there is a much better offer available if your turnover is < $x? It was nearly a third of the price as I recall.

                      Vbulletin have proven that there is money to be made for 'open source' developers & I suspect that they just take the copying/piracy on the chin.
                      resistance is...

                      MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)



                      • #12
                        firepages,
                        congrats on the 1000th post, m8.

                        concerning the topic @ hand,

                        with any open source product used to create a possibly profitable one, you run into issues like this. From my personal experience and opinions, I've found that in some cases yes, some cases no.

                        raf has an excellent point or 3 regarding intellectual property. Counter points proposed by all are good too. The idea of a client breaking your code and expecting you to pay for it is...less than reasonable.

                        IMO, if it is a product (code) you are going to sell, then you should do all you can to protect the integrity of your product, lest (as mentioned) it become manipulated/broken/and/or distorted. If it's your code, and someone screws it up and republishes (still under your name) then your reputation gets smattered. Protect your product, protect your name.

                        However, IMO, if it is *not* something that brings profit, by all means feel free to share it!!! That's part of the beauty of OS, and helps the idea of free stuff continue to prosper. Feel free to encode and protect things like that as well, but don't get so caught up in protection that you forget about distribution and education. (You learn a lot by having other people comment on your code).

                        mordred, excellent point regarding licensing. That takes into play an entirely new argument, which I'm pretty sure is beyond the scope of this board.

                        -Celt



                        • #13
                          If you have a permanent webhost you can always include a php file with a list of serials and the domain registered to each and have an option that reads the serials and the domain it is reading from. If either one is different, such as a wrong serial or someone has the right serial but the wrong domain, display an error message or illegal usage message.

                          Somehow maybe create it so if someone removes the process of this that it disables the whole script.

                          Just a thought that spawned when I read this post, or most of it.
                          Dawson Irvine
                          CEO - DNI Web Design
                          http://www.dniwebdesign.com



                          • #14
                            The best way that you can secure your code would be to encrypt a file that checks for the licence that your client bought and then (assuming that you store these client data into a db on your server) connecting from the script. Then in the encrypted data you would create a var and assign an md5 value where this value can be compared in diff pages....
                            in diff page you would have same encrypted code that has another variable with the same value and you would compare if value1 == value2.

                            i think this can save you money from encrypting the code from IonCube and you don't have to do it whenever you have a release....

                            when i say encrypted data i mean secure your code with IonCube.
                            |Tip: Use a template engine to separate your PHP code from HTML [Smarty]
                            |Helpful: Follow the forum rules and posting guidelines, they apply to all of us [Rules] - [Posting Guidelines]
                            |Me: [MSN][Y!][AIM][@] - fimi
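                            The serial-plus-domain check described in #13 and #14, written out as an added example that is neither poster's code: a `license_check.php` that every protected page requires first. The serial/domain table, the `VENDOR_APP_SERIAL` constant and the function names are constructed for this example. Its protection is only as good as the encoding (ionCube/Zend, as discussed above) that keeps the file from being edited; with the source in the clear, #15's objection applies and the check can simply be removed or pointed elsewhere.

```php
<?php
// Added example, not code from the thread: a domain-bound serial check in
// the spirit of posts #13 and #14. The vendor ships this file (encoded, if
// the check is meant to survive a curious customer) and every protected page
// calls require_valid_license() before doing anything else.
declare(strict_types=1);

// Constructed sample table: serial => domain the serial is registered to.
// A real deployment would generate one serial per customer.
const LICENSES = [
    'ABCD-1234-EFGH-5678' => 'shop.example.com',
    'WXYZ-0000-1111-2222' => 'crm.example.org',
];

// Serial baked into the copy shipped to one customer (assumed constant).
const VENDOR_APP_SERIAL = 'ABCD-1234-EFGH-5678';

// Normalise the host the request arrived on: lowercase, drop the port, drop a
// leading "www." so www.shop.example.com and shop.example.com both match.
function normalise_host(string $host): string
{
    $host = strtolower(trim($host));
    $host = preg_replace('/:\d+$/', '', $host) ?? $host;
    return preg_replace('/^www\./', '', $host) ?? $host;
}

// True only when the serial is known and registered to this domain.
function license_valid(string $serial, string $host): bool
{
    if (!preg_match('/^[A-Z0-9]{4}(-[A-Z0-9]{4}){3}$/', $serial)) {
        return false;                         // malformed serial, reject early
    }
    if (!isset(LICENSES[$serial])) {
        return false;                         // unknown serial
    }
    // Constant-time comparison so response timing does not reveal how much
    // of the registered domain a probe got right.
    return hash_equals(normalise_host(LICENSES[$serial]), normalise_host($host));
}

// Gate for protected pages: stops with a plain message and a 403, revealing
// nothing about the table. Serial and host are passed in so the function is
// testable without a web request.
function require_valid_license(?string $host = null): void
{
    $host = $host ?? ($_SERVER['HTTP_HOST'] ?? '');
    if (!license_valid(VENDOR_APP_SERIAL, $host)) {
        http_response_code(403);
        exit('This copy of the application is not licensed for this domain.');
    }
}

// Stand-alone demonstration when run from the command line.
if (PHP_SAPI === 'cli') {
    $cases = [
        ['ABCD-1234-EFGH-5678', 'WWW.shop.example.com:8080'], // registered domain
        ['ABCD-1234-EFGH-5678', 'shop.example.net'],          // wrong domain
        ['NOPE-0000-0000-0000', 'shop.example.com'],          // unknown serial
        ['bad serial',          'shop.example.com'],          // malformed serial
    ];
    foreach ($cases as [$serial, $host]) {
        printf("%-22s %-28s %s\n", $serial, $host, license_valid($serial, $host) ? 'valid' : 'rejected');
    }
}
```

                            Note that `HTTP_HOST` comes from the client's request, so an ordinary visitor can set it to whatever they like; the check is meant to tie a copy to the site it was installed on, not to authenticate requests. Pairing it with a hosted licence lookup, as #14 suggests, moves the table off the customer's server but changes nothing about what an unencoded script can be edited to skip.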



                            • #15
                              dni, that method would deter the very most basic folks.

                              the problem is that being open, anyone could setup their own server script, and change the function that calls the server to call their own...
