
How To: Protect your contracted work in PHP using Code Snip & IonCube
First of all, this isn't a guide on how to use ionCube; it's for those people who are hired at freelance sites, basically contracted over the internet to do a PHP script. I'm not a PHP overlord, so don't expect the best coding you've ever seen in your life, but it gets the job done, and I have done this for every project ever since I thought of it.
Forgive me if it's not exactly 100% user friendly; if you're a PHP coder who does work that's expensive enough to have to protect, you should be able to follow the steps with ease.
Scenario: You are paid $2000 to write a PHP script for Joe Montana. Joe pays you, you send him the script, and all is well until Joe reverses the charges and leaves you out in the cold: you just wasted several weeks and he gets a free script. Now you have to stress yourself with tracking him down and pressing charges, which 99% of the time never happens. I just read the same story on another forum, which is all too common, and it prompted me to share this in the hope of protecting other programmers' time and profit.
Step 1
Find the file that is absolutely necessary for the script to run AND won't require any modification by the client for configuration purposes. This could be the functions file (preferably), the administration home file, etc.; basically, find a file that, if taken out of the picture, would stop the entire PHP script (or the better part of it) from working.
Add this snippet of code to the top of the file (it doesn't need to be the very top, but it needs to be above the critical code).
$lines = @file('http://www.example.com/joemontana.txt'); // '@' hides the fetch warning (and the URL) if your server is down
if ($lines !== false) {
    foreach ($lines as $line) {
        // file() keeps the trailing newline on each line, so trim before comparing
        if (trim($line) === "kill") {
            exit("<font color=white><b>Your Script License Has Been Terminated<br><br>Please Contact <a href=\"mailto:YOUREMAIL\"><font color=white>YOURCOMPANY</font></a> Immediately</b></font>");
        }
    }
}
You'll want to change the URL example.com to your website and point it to a text file that is unique to this project (i.e. joemontana.txt). You can also edit the HTML to say whatever you want.
What this does is open this text file on your server, check it, and continue with the script. If you write the one word...
kill
inside the text file, his script will exit every single time someone tries to run it. If your server is down, the file doesn't exist, anything other than the word "kill" is in it, etc., the script will run fine.
Step 2
You now need to encode this PHP file so that they cannot remove that code snippet and be on with their day. I prefer ionCube, but if you use something else, by all means go ahead, as long as it's secure.
Go to http://www.ioncube.com, then Products -> Online Encoder. It costs 50 cents to encode a file (you have to make a minimum $5 deposit, though, which is good if you plan on doing this for all your projects). Encode the file. If you open it in a text editor, it should look like a bunch of gibberish.
Step 3
If you used ionCube, when you distribute the script to your client, ensure that you include an ionCube loader for their server (it includes instructions on how to install it for their server administrator), and make sure you instruct them to upload the encoded file in BINARY mode.
That's it. Now if you get a chargeback, just put the word 'kill' in the file that the code snippet points to and be on with your day. At least now, if they screw you, you can screw them back.
I encourage you to let your client know that this one file is encoded, but that after a provisionary period of 1-2 months (whatever; long enough that they can't charge you back) you'll send them the real file, which won't require the ionCube extension any more.
This is a pretty basic solution, because I'm sure there are some ways around it, but only if they realize how you are doing it. I'm not going to publish any possible ways (and I encourage none of you to either), in case someone comes searching for a way to "undo" your protections.
These instructions are provided without warranty. Any damage or loss, yadda yadda yadda *insert long disclaimer here*, is your own fault. :D
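Added example (not part of pixd's post or any reply in this thread): the same kill-switch check written with a connection timeout, a silent failure path, and a transport that still works when allow_url_fopen is off. The URL, the timeout value and the project file name are placeholders. The timeout is the part the post glosses over: file() on an HTTP URL blocks for default_socket_timeout (60 seconds by default) when the licence host is down or firewalled, so "the script will run fine" means every page load hangs for a minute, which is exactly how a customer discovers the check.

```php
<?php
// Added example: hardened version of the remote kill-switch check.
// LICENSE_URL and LICENSE_TIMEOUT_SECONDS are placeholders for this demo.

const LICENSE_URL             = 'http://www.example.com/joemontana.txt';
const LICENSE_TIMEOUT_SECONDS = 3;

/**
 * Fetch the licence file and return 'kill', 'ok' or 'unreachable'.
 * Network problems fail open (the script keeps running), as in the post,
 * but they do so quickly and without printing a warning that names the URL.
 */
function license_status(string $url, int $timeoutSeconds): string
{
    $body = false;

    if (function_exists('curl_init')) {
        // cURL does not depend on allow_url_fopen, so a host that turns
        // that directive off does not silently disable the check.
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => $timeoutSeconds,
            CURLOPT_TIMEOUT        => $timeoutSeconds,
            CURLOPT_FAILONERROR    => true,   // HTTP 4xx/5xx counts as a failed fetch
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
    } elseif (ini_get('allow_url_fopen')) {
        $ctx = stream_context_create(['http' => ['timeout' => $timeoutSeconds]]);
        // '@' keeps "failed to open stream" (and the URL) off the page.
        $body = @file_get_contents($url, false, $ctx);
    } else {
        // No transport at all: refuse to run rather than let a php.ini
        // change bypass the check.
        exit('Configuration error: cURL or allow_url_fopen is required for this script.');
    }

    if ($body === false) {
        return 'unreachable';
    }
    return parse_license_body($body);
}

/**
 * Pure decision function: any line that is exactly "kill" terminates.
 * Kept separate so the logic can be exercised without a network.
 */
function parse_license_body(string $body): string
{
    foreach (preg_split('/\R/', $body) as $line) {
        // Lines keep their line endings when read from the wire; trim them.
        if (trim($line) === 'kill') {
            return 'kill';
        }
    }
    return 'ok';
}

// Constructed sample bodies, checked locally.
assert(parse_license_body("kill\n") === 'kill');
assert(parse_license_body("") === 'ok');
assert(parse_license_body("# licence for joemontana\nactive\n") === 'ok');

if (license_status(LICENSE_URL, LICENSE_TIMEOUT_SECONDS) === 'kill') {
    exit('Your script licence has been terminated. Please contact YOURCOMPANY.');
}
// ... the critical code of the script continues below this point ...
```

The `exit` on a missing transport is a deliberate departure from the post's fail-open rule: a configuration the customer controls should not be able to remove the check, while a network outage the customer does not control still lets the script run.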
That's a mean trick. I like it very much!
wscreate 05-25-2004, 12:59 PM What if YOU accidentally delete the joemontana.txt file? You might want to make the encrypted file have an if/else statement.
monaghan 05-25-2004, 02:39 PM The answer's in the code snippet :-)
If you delete the file, then you'll have no way of killing the remote PHP script, as it looks for the word "kill". The customer's will work fine.
vg-force 06-27-2004, 02:33 PM I've been trying to figure something like this out for a while now. Thanks so much!
hostlab 07-05-2004, 07:12 AM Thanks a lot - I agree, that's a FANTASTIC idea :D
TR Seeks 07-05-2004, 07:50 AM This is a great how to sort of thing. I may use it in one of my projects
Bruin03 07-06-2004, 10:51 PM You rock! I love this! :D
How about changing the message to "The owners of this website are weasels who don't pay for work" :D
That would be very mean but good :D
zinet 07-07-2004, 10:18 PM The only problem with this is that Joe can just set the DNS entry for example.com to his server. When the script looks up example.com it will go to his server.
barrywien 07-08-2004, 05:31 AM If the script's encoded it will be difficult for him to find example.com, though. Overall this is a useful bit of code.
iGravity 07-12-2004, 12:27 AM I have never thought of that. Thanks for the tip!
Takinghold 07-12-2004, 10:31 AM I'd suggest using a system which logs onto your server: it logs in whenever it's run, and the IP it's run from is stored, so if more than one IP uses it you can deactivate it, by hiding the login in a file that's required in every file, and it just exits that script. But you'll need to encode this file so people can't take out the login and sell it off.
nick[x1] 07-16-2004, 05:31 PM I have been coding a MySQL based one, so when you do file() it opens the file and looks in a table for the domain. If the domain is not found it returns 0, which means no such licence; if it's found but expired it returns 1, etc.
And so far it works :)
barrywien 07-16-2004, 05:49 PM I thought file() only displays HTML if it's connecting to an external server?
eusnaur 08-21-2004, 05:13 PM Great script! Very neat idea and easy to work with... I like it. So now if I was going to sell any script away, I'd definitely use this :).
mwright 08-24-2004, 03:48 AM An excellent idea and one that will come in very useful for many people. Some other products (for PHP coders anyway) that will help:
Zend Encoder - www.zend.com
SourceGuardian - www.sourceguardian.com
Not sure about other scripting languages (perl, python, ASP etc) - maybe other people can suggest alternatives?
dicehost.com 09-17-2004, 02:56 AM Hi,
I was wondering how you set it to ONE IP only, I mean so only one client can use it; if it detects another client is using it, it'll fail. How do I set that in my montana.txt?
What I want is a .txt file on my server with all the IPs that are valid to run my scripts, and if the .txt file doesn't have his IP in there it kills the script.
How do I go about doing that?
thanks!!
inimino 09-17-2004, 05:27 AM Or instead of resorting to dirty tricks you could just do business with people you can trust...
Just my $0.02
barrywien 09-17-2004, 09:08 AM You can't trust anyone when it comes to the internet, so put your $0.2 back in your pocket. In an ideal world, maybe.
inimino 09-17-2004, 10:47 AM If you can't trust anyone, maybe you are doing business with the wrong people.
I'm not saying I've never been cheated out of a few bucks, I have. But the vast majority of people I deal with are honest and reliable, and I consider "put no trust in your customers" to be bad marketing, bad customer service, and bad business.
It's also been my experience that the people most concerned about getting ripped off are the ones most likely to rip off others.
barrywien 09-17-2004, 10:58 AM Hey, you're right, let's get rid of fraud protection and let 2checkout take us to the cleaners; after all, it's not the customer's fault he's ripping scum, but let's let them off with it.
dicehost.com 09-18-2004, 02:17 AM Anyone know how to set the code to check for IP? Like which IPs can access the montana.txt list. Something like this in montana.txt:
kill
4.23.23.2
216.43.2.1
63.4.3.3
You know, and so on. How do I set that in the code??
Please advise.
Thanks
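Added example (not from dicehost.com or any other poster): one way to evaluate a licence file in the format asked for above, where a line reading "kill" terminates the script and the remaining lines are the server IPs allowed to run it. The decision is a pure function so it can be checked against constructed file contents; the sample file and the IPs in it are made up for the demonstration. Note which address is compared: $_SERVER['SERVER_ADDR'] is the address of the machine running the script (the customer's server), not $_SERVER['REMOTE_ADDR'], which is the visitor's browser.

```php
<?php
// Added example: "kill" word plus allowed-server-IP list in one licence file.

/**
 * Decide from the licence file body and the IP the script is running on.
 * Rules: any line equal to "kill" terminates; otherwise, if the file lists
 * one or more IP addresses, the running server's IP must be among them.
 * A file with no IPs at all imposes no server restriction.
 */
function license_decision(string $body, string $serverIp): string
{
    $allowed = [];
    foreach (preg_split('/\R/', $body) as $line) {
        $line = trim($line);
        if ($line === 'kill') {
            return 'kill';
        }
        if ($line === '' || $line[0] === '#') {
            continue;                                  // blank line or comment
        }
        // Only well-formed IPv4/IPv6 literals count; anything else is ignored.
        if (filter_var($line, FILTER_VALIDATE_IP) !== false) {
            $allowed[] = $line;
        }
    }
    if ($allowed === []) {
        return 'ok';
    }
    return in_array($serverIp, $allowed, true) ? 'ok' : 'kill';
}

// Constructed sample licence file: no kill word, three permitted servers.
$sample = "# joemontana.txt\n4.23.23.2\n216.43.2.1\n63.4.3.3\n";

assert(license_decision($sample, '216.43.2.1') === 'ok');       // licensed server
assert(license_decision($sample, '10.0.0.5') === 'kill');       // copied elsewhere
assert(license_decision("kill\n4.23.23.2\n", '4.23.23.2') === 'kill'); // kill wins
assert(license_decision("# nothing here\n", '10.0.0.5') === 'ok');     // no restriction

// In the customer's file the body comes from your server (see the post's
// snippet) and the address is the host the script is executing on.
if (isset($_SERVER['SERVER_ADDR'])) {
    $body = @file_get_contents('http://www.example.com/joemontana.txt');  // placeholder URL
    if ($body !== false && license_decision($body, $_SERVER['SERVER_ADDR']) === 'kill') {
        exit('Your script licence has been terminated. Please contact YOURCOMPANY.');
    }
}
```

Two caveats a practitioner should weigh before relying on the IP line: on shared hosting SERVER_ADDR may be an address shared by many unrelated sites, and behind NAT it may not be the public address you expect, so confirm the value with the customer before writing it into the file. Because the whole decision runs on the customer's server, the IP restriction is only as strong as the encoding that hides it.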
Optic Clear 09-21-2004, 09:50 AM Yes, good try. But what if you have to test it in a shared hosting environment and the hosting company does not support the ionCube loader?
The best bet would be to get a php encoder with time limit. That will solve all your problems...
starfish0226 09-22-2004, 10:06 PM Business is ugly. You are better off not trusting anybody and playing it safe than assuming otherwise. Even life long friends betray each other in business; it's a classic story.
Here's the free and non-proprietary way...
Stick that code in the middle of a bunch of random files. Then, to make this have its fullest effect, hash the strings involved and use a code obfuscator on your entire site. That code will be there to stay, since they'll never find it. And as for the error message, just leave it out so they have nothing to work from.
Or just get a fulltime job as a programmer. :)
phpdevrus 10-01-2004, 05:02 PM Great idea... :-) I have been doing something similar but not encrypting it. I never figured that my clients would be able to do it. Heh. I will definitely start doing it, especially since ionCube only charges $.05 per script. :-)
insanex 10-01-2004, 11:11 PM Greetings,
In my opinion it's insecure as described by pixd. A user can run tcpdump, and he will see that a running script:
1. tries to resolve example.com
2. then it queries for a file called montana.txt and gets some text from it
3. he puts in /etc/hosts example.com 127.0.0.1 and creates montana.txt on his own server :)
4. he doesn't pay for a script :)
How to prevent this? Encrypt all the traffic that goes from your host, for example using OpenSSL in PHP.
mikaelhg 10-05-2004, 08:18 AM Originally posted by insanex
4. he doesn't pay for a script :)
How to prevent this? Encrypt all the traffic that goes from your host, for example using OpenSSL in PHP.
If the user goes to all this trouble, he can just as well strace and gdb the execution, look for the encryption calls, replace them with his own functions and nab the keys.
All this, however, will take more time and energy than recoding a component yourself.
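Added example (not from insanex, mikaelhg or anyone else in the thread): what the DNS/hosts-file redirection described by zinet and insanex actually needs is not encryption of the traffic but an integrity check on the reply. If the developer's server signs each reply with a key that only the encoded file knows, a forged "ok" served from 127.0.0.1 fails verification, and a genuine reply captured earlier fails the freshness check. Both halves are shown in one file for the demonstration; the key, project name, status table and timestamps are placeholders, and in practice the server half lives in a script on the developer's host and the client half inside the encoded file.

```php
<?php
// Added example: HMAC-signed licence reply, server side and client side.
// LICENSE_KEY is a placeholder; use a separate random key per project.

const LICENSE_KEY     = 'replace-with-32-random-bytes-per-project';
const LICENSE_PROJECT = 'joemontana';
const LICENSE_MAX_AGE = 86400;    // seconds a signed reply stays acceptable

/**
 * Server side (e.g. license.php on the developer's host): look the project
 * up, stamp the reply with the current time and sign project|status|time.
 * $statusTable stands in for a database lookup.
 */
function build_license_reply(string $project, array $statusTable, int $now): string
{
    $status  = $statusTable[$project] ?? 'unknown';      // 'ok', 'kill' or unknown
    $payload = $project . '|' . $status . '|' . $now;
    return $payload . '|' . hash_hmac('sha256', $payload, LICENSE_KEY);
}

/**
 * Client side (inside the customer's encoded file): verify the MAC, the
 * project name and the freshness before trusting the status.
 * Returns 'ok', 'kill' or 'invalid'.
 */
function verify_license_reply(string $reply, string $expectedProject, int $now): string
{
    $parts = explode('|', trim($reply));
    if (count($parts) !== 4) {
        return 'invalid';
    }
    [$project, $status, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', "$project|$status|$issued", LICENSE_KEY);
    if (!hash_equals($expected, $mac)) {
        return 'invalid';                 // forged or tampered reply
    }
    if ($project !== $expectedProject) {
        return 'invalid';                 // genuine reply, but for another project
    }
    if (!preg_match('/^\d+$/', $issued) || $now - (int)$issued > LICENSE_MAX_AGE) {
        return 'invalid';                 // replay of an old reply
    }
    return $status === 'kill' ? 'kill' : 'ok';
}

// --- demonstration with constructed data ---------------------------------
$table = ['joemontana' => 'ok', 'otherclient' => 'kill'];
$now   = time();

// Normal case: the developer's server answers and the client accepts it.
$good = build_license_reply('joemontana', $table, $now);
assert(verify_license_reply($good, LICENSE_PROJECT, $now) === 'ok');

// Customer redirected the hostname and serves a hand-written "ok".
$forged = 'joemontana|ok|' . $now . '|deadbeef';
assert(verify_license_reply($forged, LICENSE_PROJECT, $now) === 'invalid');

// Customer replays a genuine reply captured 40 days ago.
$stale = build_license_reply('joemontana', $table, $now - 40 * 86400);
assert(verify_license_reply($stale, LICENSE_PROJECT, $now) === 'invalid');

// Customer substitutes another project's genuine "ok" reply.
$table['otherclient'] = 'ok';
$wrongProject = build_license_reply('otherclient', $table, $now);
assert(verify_license_reply($wrongProject, LICENSE_PROJECT, $now) === 'invalid');

// Developer flips the status after a chargeback.
$table['joemontana'] = 'kill';
assert(verify_license_reply(build_license_reply('joemontana', $table, $now), LICENSE_PROJECT, $now) === 'kill');
```

Two design points follow from this. First, 'invalid' must be treated as 'kill': if the client runs on a bad signature, redirecting the hostname to a server that returns garbage defeats the scheme. 'unreachable' can still fail open as the post intends, but only for a bounded grace period, otherwise the customer simply firewalls your host; tracking the last successful verification is left out of the snippet. Second, mikaelhg's objection still stands: the key sits inside the encoded file, so this raises the cost of the attack only as far as the encoder resists decompilation. Signing rather than encrypting is deliberate: encryption without authentication does not stop a replaced reply, and the status value was never secret.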
mikaelhg 10-05-2004, 08:20 AM For Java, check out RetroGuard from RetroLogic: http://www.retrologic.com/retroguard-main.html
BitOMagic 11-10-2004, 10:13 PM I would recommend www.phpaudit.com for licensing.
sonixi 11-11-2004, 10:28 PM Originally posted by zinet
The only problem with this is that Joe can just set the dns entry for example.com to his server. When the script looks up example.com it will go to his server.
Then use an IP number instead.
darkforce 12-08-2004, 11:05 AM Nice tips, thanks a lot.
DanMerc 12-29-2004, 02:09 PM Originally posted by zinet
The only problem with this is that Joe can just set the DNS entry for example.com to his server. When the script looks up example.com it will go to his server.
Someone suggested using an IP address instead. Would this fix this bug?
I've found another problem. As you say, if the server is down it does still work, but it comes up with the error...
Warning: file(http://www.my-site.com/licence.txt): failed to open stream: HTTP request failed! HTTP/1.1 404
So, if your server happens to go down, the person will realise which file the script is looking for anyway. Is there a way to get rid of this error message if the file cannot be found?
Would it be something along the lines of...
if(!$connection){
echo'';
} else {
* REST OF SCRIPT HERE *
}
That's just a total guess! :P
sonicgroup 12-31-2004, 12:46 AM Daniel, the solution to that is a rather simple one. Just put this above the code that checks for the license:
error_reporting(0);
From here (http://us2.php.net/manual/en/function.error-reporting.php).
Oshaka 01-22-2005, 11:16 AM Very nice, thank you :)
error404 01-22-2005, 03:48 PM Right, and now he can no longer maintain the code that he paid for. I think encoding the code in contracted projects is unethical and if I were hiring developers I would refuse to pay for such obfuscation. What if you die and he needs to modify the software? What if he just wants someone else to do it for him, or wants to do it himself? What if you're an *******?
I'm paying you to write code. I'm not paying you to put backdoors into my system and give me a product that I can't fix. It really doesn't matter to you at all what I want to do with it afterwards, you have no right to restrict that.
MooCowz 02-08-2005, 10:23 AM What about rentacoder.com?
Is there something wrong with their service?
AlphaOne 03-24-2005, 03:16 PM I would let anyone working for me encode their scripts. I pay them to give me source code, not play games with me.
Think of it from the standpoint of the buyer. I pay for the work and get encoded stuff, and at any time the seller can disable it.
My business suggestion is to work in a trusted marketplace with a dispute resolution service, and pay based on % of work completed. Then there will not be a $2,000-for-everything one-time deal.
BurakUeda 07-19-2005, 12:33 AM pixd's way is really good to protect yourself from being scammed.
However, from a customer's point of view, after I've paid 100% I don't want the programmer to still have the control to stop the script any time s/he wants.
The best solution for me is a well-planned contract:
1. Project will be made for xxx$
2. After the job is done, it will be encoded and sent to the customer.
3. Customer tests the product and confirms that it is working.
4. Customer pays the price; programmer sends the raw code.
5. If the customer doesn't pay, pixd's solution will be used...
adaml 07-20-2005, 05:21 AM Yes, but the protection is in case you don't pay! It's happened to me before, but luckily I used the code snippet and made sure that if they weren't going to pay me they wouldn't use it ;)
tickedon 07-20-2005, 05:01 PM Originally posted by BurakUeda
pixd's way is really good to protect yourself from being scammed.
However, from a customer's point of view, after I've paid 100% I don't want the programmer to still have the control to stop the script any time s/he wants.
The best solution for me is a well-planned contract:
1. Project will be made for xxx$
2. After the job is done, it will be encoded and sent to the customer.
3. Customer tests the product and confirms that it is working.
4. Customer pays the price; programmer sends the raw code.
5. If the customer doesn't pay, pixd's solution will be used...
There's also the problem of the customer paying and then doing a chargeback/reversal at their credit card processor once they have the source code. Embedding some sort of licensing/call-back option into a script is always a good idea; you can never be 100% sure who you are dealing with.
SuperBaby 08-03-2005, 06:48 PM My suggestion is to use SourceCop. You can limit the script to run under a specific IP and you can set the expiry date.
You set the expiry date to one year and encode the script (just ONE main file). After one year, I guess it is unlikely that your customer will carry out a transaction reversal. Before the expiry date, re-send him the encoded script, but this time with the expiry date removed. He he he . . . .
lemonadeX 09-05-2005, 09:27 AM Excellent idea IMO pixd. Can never tell if someone is gonna rip work from you, so this gives you peace of mind when sending them the code.
Thanks :)
lemonadeX
Jimerson 09-20-2005, 06:23 PM Very Cool. Thanks for the tip.
Korvan 12-16-2005, 05:54 PM Originally posted by pixd
I'm not going to publish any possible ways (and I encourage none of you to either)
Not that I mean to, but it doesn't take much to realize the file has to be accessed remotely to determine if you have a valid license.
So it's very easy to break if the server operator disables the allow_url_fopen ini directive.
You can add the following code in your script to prevent such tampering.
if (!ini_get('allow_url_fopen')) exit('Configuration Error: allow_url_fopen must be turned on for this script to work');
allow_url_fopen can only be set manually; ini_set cannot turn it on.
For those worried about error messages, just put the @ character before the functions in the script,
so @fopen instead of fopen.
slpshtmike 12-26-2005, 07:35 AM Wow I love your idea :D Very well written.
IMO, the general idea of this thread has a purpose. There are people out there that do take code and chop it up and resell it, or just take your software and charge back as he suggested before. It is real and it happens on a daily basis.
The reason I see that it is good is, for one, a person or company writes software and leases the software on a monthly basis (i.e. ModernBill). They require a monthly fee and issue a license according to your contract. So if you do not pay they can shut down your script. This level of protection is needed by developers who are choosing to lease a script as such.
Therefore I see good reason to have such protection.
Now, coming up with a solution that is secure enough to thwart all efforts of compromise... :P
rapta 01-21-2006, 12:17 PM Point it to an IP so that a DNS change cannot override which server it's hitting.
rapta 01-21-2006, 12:18 PM You could also make it database driven: instead of pulling up a text file, pull up something like license.php?projectID=5551. That way you don't have a billion text files for all of the projects that you have.
tickedon 01-21-2006, 12:53 PM The most recent versions of the ionCube encoder and SourceGuardian (retailing from $259/$250) include a licensing section where you can encode the files and then generate a separate licensing file (enter a specific domain/IP where the files can run) or encode the files with the details included. Expiry dates can also be built in, so if you agree to give them source after 6 months, you simply include an expiry of 7 months to allow for some give time (or even issue 6 one-month licenses for more control and then hand the source code over). You've stopped them selling your script, stopped them using it past a certain date if they charge back, and also removed the need to maintain any sort of licensing server.
It won't give you as much control, but it avoids thinking about things like "what happens if they change DNS", "what if they firewall my server out", "what happens if my server goes down", "what happens if I need to change my IP" etc... Peace of mind for them and you :) You could also purchase a specialised licensing package which should take care of issues like that for you.
linux-tech 01-28-2006, 04:52 PM The best way to handle licenses isn't via text files but via MySQL databases. This way you can control what IPs the licenses are used from, and all of that, pretty easily. It's really not that hard to do.
Secondly, and much more importantly!
If you're going to use ionCube as a protection agent, remember NOT everyone likes the way ion attempts to control your PHP loaders, and most will refuse to run ion scripts. Provide a Zend alternative, which will help everyone in general.
almahdi 01-28-2006, 05:14 PM Originally posted by linux-tech
The best way to handle licenses isn't via text files but via MySQL databases. This way you can control what IPs the licenses are used from, and all of that, pretty easily. It's really not that hard to do.
Secondly, and much more importantly!
If you're going to use ionCube as a protection agent, remember NOT everyone likes the way ion attempts to control your PHP loaders, and most will refuse to run ion scripts. Provide a Zend alternative, which will help everyone in general.
I agree with you. And in fact, if you don't want to have any loaders on the server side, you can use SourceCop. I've been using it for a while now, and I am happy with it.
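Added example (not from rapta, linux-tech, nick[x1] or anyone else in the thread): the database-driven licence endpoint they describe (license.php?projectID=5551 looking up a table that holds status, permitted server IP and expiry), written with PDO. An in-memory SQLite table stands in for the MySQL table so the example runs without a database server; the table layout, column names and sample rows are assumptions for the demonstration. The point worth seeing in code is that this endpoint is reachable by the very customer you are guarding against, so the project id from the query string must be bound as a parameter, never interpolated into the SQL.

```php
<?php
// Added example: licence lookup endpoint backed by a database table.

/** Create the schema and seed it with constructed rows. */
function license_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE licenses (
        project_id INTEGER PRIMARY KEY,
        status     TEXT    NOT NULL,      -- "ok" or "kill"
        server_ip  TEXT,                  -- NULL = any server may run it
        expires_at INTEGER                -- unix time, NULL = never expires
    )');
    $ins = $db->prepare('INSERT INTO licenses VALUES (?, ?, ?, ?)');
    $ins->execute([5551, 'ok',   '216.43.2.1', time() + 30 * 86400]);
    $ins->execute([5552, 'kill', null,         null]);                // chargeback
    $ins->execute([5553, 'ok',   null,         time() - 86400]);      // expired
    return $db;
}

/**
 * Resolve a licence request to "ok" or "kill". $requestIp is the address
 * the customer's server connects from (REMOTE_ADDR as seen on the licence
 * host), which is what a per-server licence should be matched against.
 * Unknown, killed, expired and wrong-server projects all resolve to "kill".
 */
function license_lookup(PDO $db, string $projectId, string $requestIp, int $now): string
{
    if (!preg_match('/^\d{1,9}$/', $projectId)) {
        return 'kill';                              // not a project id at all
    }
    $stmt = $db->prepare(
        'SELECT status, server_ip, expires_at FROM licenses WHERE project_id = ?'
    );
    $stmt->execute([(int)$projectId]);              // bound, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || $row['status'] !== 'ok') {
        return 'kill';
    }
    if ($row['server_ip'] !== null && $row['server_ip'] !== $requestIp) {
        return 'kill';                              // running on an unlicensed server
    }
    if ($row['expires_at'] !== null && (int)$row['expires_at'] < $now) {
        return 'kill';                              // licence period is over
    }
    return 'ok';
}

// --- local checks against the constructed rows ----------------------------
$db  = license_db();
$now = time();
assert(license_lookup($db, '5551', '216.43.2.1', $now) === 'ok');
assert(license_lookup($db, '5551', '10.0.0.9',   $now) === 'kill');   // wrong server
assert(license_lookup($db, '5552', '1.2.3.4',    $now) === 'kill');   // killed
assert(license_lookup($db, '5553', '1.2.3.4',    $now) === 'kill');   // expired
assert(license_lookup($db, '9999', '1.2.3.4',    $now) === 'kill');   // unknown project
assert(license_lookup($db, '5551 OR 1=1', '1.2.3.4', $now) === 'kill'); // rejected input

// As the web endpoint (license.php?projectID=5551) on the developer's host.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
    echo license_lookup(
        $db,
        (string)($_GET['projectID'] ?? ''),
        $_SERVER['REMOTE_ADDR'] ?? '',
        $now
    );
}
```

The reply is plain text so that the post's original client snippet can consume it unchanged; the same lookup can just as easily feed a signed reply if DNS redirection is a concern. Matching on REMOTE_ADDR assumes the customer's server makes the request directly; if it goes out through a proxy or NAT, store the address your licence host actually sees, not the one the customer quotes you.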
Shaliza 04-12-2006, 01:29 AM Originally posted by error404
Right, and now he can no longer maintain the code that he paid for. I think encoding the code in contracted projects is unethical and if I were hiring developers I would refuse to pay for such obfuscation. What if you die and he needs to modify the software? What if he just wants someone else to do it for him, or wants to do it himself? What if you're an *******?
I'm paying you to write code. I'm not paying you to put backdoors into my system and give me a product that I can't fix. It really doesn't matter to you at all what I want to do with it afterwards, you have no right to restrict that.
I agree with this. While there are some people that will try to sell the script, there are also the other reasons stated above.
RH Swaroop 04-18-2006, 05:04 AM An odd question, but as the initial post says, this was to protect the coder. But most freelance stuff requires you to give away complete rights, so you can't have a licensing system. Moreover, the coder can also block the script forever ;)
Originally posted by almahdi
I agree with you. And in fact, if you don't want to have any loaders on the server side, you can use SourceCop. I've been using it for a while now, and I am happy with it.
As I think may have been corrected elsewhere too, linux-tech was incorrect with regard to Zend and ionCube Loaders, as there's no "taking control" with ionCube at all. In installation terms it's the same as ZO if using the php.ini file, and both ZO and ionCube can be installed if required (and often are by WHT members), with the added benefit that it's often possible to install without editing the php.ini file, and without the downside of decreasing performance of unencoded requests that ZO tends to have (see other threads on the performance degradation that ZO can cause).
Even though ionCube and SG can often be run without editing the php.ini file, giving an effectively transparent install for the end user, if you don't want any component at all, S'COP and others will do the job. There is a performance penalty, though, and scripts are trivially reversible, either by oneself or with one of the online services, but that may not matter for some applications.
RH Swaroop, this is a good point, and people procuring scripts from freelance developers would be well advised to secure source rights. The provider of the scripts can always put into the contract that the end user has no rights to sell the scripts if that's appropriate, and the developer can retain the rights to develop the code into other commercial products if that's appropriate. These are the aspects that should be negotiated upfront and that affect the contract price. Encoding isn't necessary in this case and is not in the best interest of the end user. We have certainly had a few people come to us with sorry stories of how they hired a developer to produce code that they didn't know was protected, how the developer disappeared, and how only then did they realise that they couldn't change the code.
RH Swaroop 04-22-2006, 11:22 AM Right you are, phpa! And not just changing the code; they might end up with a non-working script, as I explained. The coder can just simply block the license and that's it, the script is gone!