How to encrypt PHP source code and require “Activation Key”

raydenx, there are several ways doing this, for example:

  • you may encode the script with zend safeguard which supports licenses.[*]you may make you’re own license generation algorithm written in php end encode that file.

A custom generated license may look like this:

===== LICENSE (mysite.com, mysite.com, valid thru 2005-12-29) =====
AAFD28B592D6A8564E6F39D31594E5D0EDD783AEE18C3B609CB252000CF82B6F757Q
X3BAD829B13C3BD87C15A2A5408094FAEDX323A30352D31322D3239P
C6D65657770656F706C65696E747261666669632E636F6FDAB54F74401BC08249ABAF1BFC2DDB7BFCO
ACF008D2ED7AABD27A89C4A8A5D99872B6D65657470656F706C62696E747261666669642E636F9DQ
===== ENF OF LICENSE =====

User inputs this license while script installation, then it is stored in Db and is checked on each script execution. Php-files are encripted (for example with Zend Encoder74, InnoCube58), so user won’t be able to cut off license check calls.

Thanks guys… Zend’s product is way too expensive for me. I am looking for some kind of alternative to Zend…

I really would advise you to look at Zend or IonCube (SourceGuardian may compile to bytecode these days, I’m not sure).

IonCube also have an online encoder87, which can work out fairly inexpensive for small projects (btw I don’t work for IonCube).

     I briefly looked at codelock a year ago, responding to a couple of threads:
     [Free PHP script encoder](/t/free-php-script-encoder/1646/1)
      [ionCube -vs- SourceGuardian ??](/t/ioncube-vs-sourceguardian/1344/1)

     I wasn't impressed then, and I'm not sure much has changed.

     Excerpts from their own FAQ at [http://www.phpcodelock.com/faq.html](http://www.phpcodelock.com/faq.html)
     "Codelock for PHP is a strong deterrent."
     "The fact is, any PHP encryption program does needs to decrypt the file at some time, so the code will theoretically be available to experienced crackers during its execution."

  You could interpret experienced to mean "is able to replace eval with echo!"
     As I said then, if you're serious about protecting your code from prying eyes then I would stay well away from any PHP based encoding system.

 Just my $0.02

Off Topic:

I think this might actually be my first post in the Application Design (Advanced PHP) forum, a pity it couldn’t be more positive. I’ve learned a great deal from the threads in here over the last year, hopefully I’ll even be able to contribute more in future.

I wouldn’t touch PHPCodeLock at all. The reason it’s so cheap is that it’s stupidly insecure. Read the “How secure is it?” from their FAQ to hear that in their own words.

If you like the look of Zend but the price is the only thing that puts you off, you might want to take a look at their Small Business Program (http://www.zend.com/store/products/zend-smallbiz.php). This gets you Zend Studio and Zend Encoder for $395 (and then $295 every year) which are both excellent applications. Well worth a look smile

SourceGuardian v4 is a lot more secure than previous versions (which could be returned to some form of source). Adrian and the other people at SourceGuardian are happy to admit prior mistakes and talk about what happened, so if you are concerned then you shouldn’t hesitate to drop them an email. The features in SourceGuardian are roughly comparable to ionCube’s, so it’s well worth a look.

Out of all three, I would recommend ionCube to you. It’s secure, well priced from only $199 and Nick and his team are extremely good at supporting users. ionCube (and SourceGuardian) include methods for generating license files as well which should also be useful to you – with Zend you need to purchase their SafeGuard suite at $6000 or so to do that.

If you have the cash available, then you might want to consider offering both an ionCube encoded version of your script and also a Zend encoded one. Lots of companies do this and there’s nothing wrong with offering more choice to your users smile

I use IonCube. It works fine, plus it speeds up the application too. You can dynamically incldue the required dll’s or so’s if you don’t have access to the server’s pph.ini, so as long as dl() is enabled, you can use the IonCube Loaders on shared hosting too.

Zend looks good, but I’ve found it too expensive to have a look at.

Here are my questions to ioncube:

> Let’s say I wanna sell a PHP script and I want my customers to
> “register” their script so that they can use it on their web site. If
> they choose to refund their purchase after X days, I will reserve the
> right to remove the “license” so that they can’t use my script anymore.
> Can your software do that? Can I automate this process on my web site
> when a customer orders something?

You cannot physically remove license files, and we don’t provide any
“spyware” features in the Loader API. However, you could issue a short
term expiring license that runs the length of the initial refund period,
say 21 days, and then replace their license with a new one after that
period has passed and where they can no longer have a refund.

Alternatively, you could code in phone-home type idea using URL fopen.
Note though, that this is not enabled on some servers, and so you could
only phone home where it was.

Another alternative is simply not to allow refunds. Provide evaluations,
and say that customers should take advantage of the evalations to
determine whether or not your product is for them. State clearly that once
licensed, there are no refunds. This is a quite common practice in the
absense of phone home type systems.

We have considered putting in these features to the Loader, however the
problem would be accusations of spyware. No matter how clear it was that
the system was very specific, limited in functionality, and that no
personal details were transferred between machines, there would be those
that didn’t believe it and it could damage the product.

> Let’s say I wanna sell my software. So I give them a 30 day guarantee
> and they pay upfront. So I have to send them another copy of the
> software after 30 days? Do I need to generate the new license file for
> each customer? I just don’t wanna do it manually you know what I mean?

If you use our licensing system, you could just send them a new license
file. There’s a command line tool for creating licenses that could be run
programatically, and so it would be possible to even automate the sending
of new licenses. You would have to do some PHP coding for that though, but it would be interesting and you’d have a powerful setup once done.


From what I understand from their reply, I can dynamically generate a license key for every customer but I have to do the coding myself. Hopefully its not that complicated to do.

1 MONTH LATER
1 MONTH LATER
1 MONTH LATER
(Visited 16 times, 1 visits today)

Comments

comments

Leave a Reply