-
10-01-2004, 11:11 PM #26Junior Guru Wannabe
- Join Date
- Oct 2004
- Posts
- 44
Greetings,
in my opinion it's insecure as described by pixd. A user can run tcpdump, and he will see that a running script:
1. tries to resolve example.com
2. then it queries for a file called montana.txt and gets some text from it
3. he puts in /etc/hosts example.com 127.0.0.1 and creates montana.txt on his own server
4. he doesn't pay for a script
how to prevent this? encrypt all the traffic that goes from your host, for example using openssl in php.
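An added example (not part of the original post or of pixd's script) of the defense the spoofing steps above call for: the client sends a random nonce and accepts the reply only if it carries a valid signature from the vendor's key, which a server reached through a hosts-file or DNS redirect does not have. The key pair, JSON field names, license ID and function names are assumptions made for illustration.

```php
<?php
// Added example: authenticate the license reply instead of trusting DNS.
// Key pair, JSON fields, license ID and function names are constructed.

// Vendor side: runs on the licensing server, which alone holds the private key.
function vendor_reply(string $nonce, string $licenseId, $privateKey): array
{
    $body = json_encode(['license' => $licenseId, 'status' => 'paid', 'nonce' => $nonce]);
    openssl_sign($body, $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return ['body' => $body, 'sig' => base64_encode($sig)];
}

// Client side: shipped inside the script, embeds only the public key.
function license_ok(array $reply, string $nonce, string $licenseId, string $publicKeyPem): bool
{
    $sig = base64_decode($reply['sig'] ?? '', true);
    if ($sig === false || !isset($reply['body'])) {
        return false;
    }
    // openssl_verify() returns 1 only for a valid signature (0 = invalid, -1/false = error).
    if (openssl_verify($reply['body'], $sig, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return false;
    }
    $data = json_decode($reply['body'], true);
    return is_array($data)
        && hash_equals($nonce, (string) ($data['nonce'] ?? ''))  // fresh reply, not a replay
        && ($data['license'] ?? null) === $licenseId
        && ($data['status'] ?? null) === 'paid';
}

// Constructed demo key pair; in real use the private key never leaves the vendor.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];

$nonce   = bin2hex(random_bytes(16));
$genuine = vendor_reply($nonce, 'LIC-0001', $key);

// A server reached through a hosts-file redirect has no private key: it can
// only invent a signature or replay a reply captured for an older nonce.
$forged   = ['body' => $genuine['body'], 'sig' => base64_encode(random_bytes(256))];
$newNonce = bin2hex(random_bytes(16));

var_dump(license_ok($genuine, $nonce, 'LIC-0001', $pub));    // genuine reply
var_dump(license_ok($forged, $nonce, 'LIC-0001', $pub));     // invented signature
var_dump(license_ok($genuine, $newNonce, 'LIC-0001', $pub)); // replayed old reply
```

This closes only the redirect trick from the list above; a customer who can edit the plain PHP can still remove the call, which is the gap the encoders mentioned later in the thread are meant to cover.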
-
10-05-2004, 08:18 AM #27WHT Addict
- Join Date
- Oct 2004
- Posts
- 100
Originally posted by insanex
4. he doesn't pay for a script
how to prevent this? encrypt all the traffic that goes from your host, for example using openssl in php.
All this, however, will take more time and energy than recoding a component yourself.
-
10-05-2004, 08:20 AM #28WHT Addict
- Join Date
- Oct 2004
- Posts
- 100
For Java, check out RetroGuard from RetroLogic: http://www.retrologic.com/retroguard-main.html
-
11-10-2004, 10:13 PM #29Temporarily Suspended
- Join Date
- Jun 2004
- Posts
- 216
I would recommend www.phpaudit.com for licensing.
-
11-11-2004, 10:28 PM #30Aspiring Evangelist
- Join Date
- Aug 2004
- Posts
- 359
Originally posted by zinet
The only problem with this is that Joe can just set the dns entry for example.com to his server. When the script looks up example.com it will go to his server.
-
12-08-2004, 11:05 AM #31Disabled
- Join Date
- Dec 2004
- Posts
- 7
Nice tips, thanks a lot
-
12-29-2004, 02:09 PM #32Junior Guru Wannabe
- Join Date
- Nov 2004
- Posts
- 36
Vulnerabilities
The only problem with this is that Joe can just set the dns entry for example.com to his server. When the script looks up example.com it will go to his server.
I've found another problem. As you say, if the server is down it does still work, but it comes up with the error...
Warning: file(http://www.my-site.com/licence.txt): failed to open stream: HTTP request failed! HTTP/1.1 404
So, if your server happens to go down, the person will realise which file the script is looking for anyway. Is there a way to get rid of this error message if the file cannot be found?
Would it be something along the lines of...
if(!$connection){
    echo '';
} else {
    // REST OF SCRIPT HERE
}
That's just a total guess!
Daniel Mercer,
danielmercer[@]gmail[.]com
-
12-31-2004, 12:46 AM #33WHT Addict
- Join Date
- Jul 2004
- Location
- Indiana, USA
- Posts
- 154
Daniel, the solution to that is a rather simple one. Just put this above the code that checks for the license:
Code:
// Turn off all PHP error reporting so the failed-fetch warning is not shown
error_reporting(0);
Dave Scott
President/CEO
The Sonic Group, LLC
Core Team Member - International Web Developers Network
-
01-22-2005, 11:16 AM #34WHT Addict
- Join Date
- Jan 2005
- Posts
- 119
Very nice, thank you
-
01-22-2005, 03:48 PM #35Web Hosting Master
- Join Date
- Dec 2004
- Location
- Canada
- Posts
- 1,097
Right, and now he can no longer maintain the code that he paid for. I think encoding the code in contracted projects is unethical and if I were hiring developers I would refuse to pay for such obfuscation. What if you die and he needs to modify the software? What if he just wants someone else to do it for him, or wants to do it himself? What if you're an *******?
I'm paying you to write code. I'm not paying you to put backdoors into my system and give me a product that I can't fix. It really doesn't matter to you at all what I want to do with it afterwards, you have no right to restrict that.
Last edited by error404; 01-22-2005 at 03:52 PM.
-
02-08-2005, 10:23 AM #36New Member
- Join Date
- Feb 2005
- Posts
- 3
What about rentacoder.com?
Is there something wrong with their service?
-
03-24-2005, 03:16 PM #37WHT Addict
- Join Date
- Feb 2005
- Posts
- 124
I would let anyone working for me to encode their scripts. I pay them to give me source code, not play games with me.
Think of it from the standpoint of a buyer. I pay for the work and get encoded stuff and at any time the seller can disable it.
My business suggestion is work in a trusted marketplace with dispute resolution service. And pay based on % of work completed. Then there will not be $2,000 for everything one time deal.
-
07-19-2005, 12:33 AM #38DigitalPunchCardMaker
- Join Date
- Oct 2004
- Location
- Moji
- Posts
- 2,107
pixd's way is really good to protect yourself from being scammed.
However, from a customer's point of view, after I've paid 100% I don't want the programmer to still have the control to stop the script anytime s/he wants.
Best solution for me is a well planned contract:
1. Project will be made for xxx$
2. After job is done, it will be encoded and sent to the customer.
3. Customer tests the product, confirms that it is working.
4. Customer pays the price, programmer sends the raw code.
5. If the customer doesn't pay, pixd's solution will be used...
-
07-20-2005, 05:21 AM #39Web Hosting Guru
- Join Date
- Oct 2002
- Location
- York, United Kingdom
- Posts
- 279
Yes, but the protection is in case you don't pay! It's happened to me before, but luckily I used the code snippet and made sure if they weren't going to pay me they wouldn't use it
adamlivesley
http://84degrees.com
-
07-20-2005, 05:01 PM #40Retired Moderator
- Join Date
- Oct 2003
- Location
- Scotland, UK
- Posts
- 2,916
Originally posted by BurakUeda
pixd's way is really good to protect yourself from being scammed.
However, from a customer's point of view, after I've paid 100% I don't want the programmer to still have the control to stop the script anytime s/he wants.
Best solution for me is a well planned contract:
1. Project will be made for xxx$
2. After job is done, it will be encoded and sent to the customer.
3. Customer tests the product, confirms that it is working.
4. Customer pays the price, programmer sends the raw code.
5. If the customer doesn't pay, pixd's solution will be used...
Alasdair
Long time ex-host, ex-billing software owner/developer/support staff. Recent lurker.
-
08-03-2005, 06:48 PM #41WHT Addict
- Join Date
- Jun 2002
- Location
- Hat Yai, Thailand
- Posts
- 121
My suggestion is to use SourceCop. You can limit the script to run under a specific IP and you can set the expiry date.
You set the expiry date to one year and encode the script (just ONE main file). After one year, I guess it is unlikely that your customer will carry out a transaction reverse. Before the expiry date, re-send him the encoded script - but this time, with the expiry date removed. He he he . . . .
Janwawa Group Tour Management
- http://janwawa.com
-
09-05-2005, 09:27 AM #42Newbie
- Join Date
- Jul 2005
- Location
- Southampton, England
- Posts
- 7
Excellent idea IMO pixd. Can never tell if someone is gonna rip work from you, so this gives you peace of mind when sending them the code.
Thanks
lemonadeX
-
09-20-2005, 06:23 PM #43Retired Moderator
- Join Date
- Feb 2005
- Location
- Delaware
- Posts
- 587
Very Cool. Thanks for the tip.
-
12-16-2005, 05:54 PM #44Web Hosting Guru
- Join Date
- Nov 2005
- Posts
- 282
I'm not going to publish any possible ways (and I encourage none of you to either)
So it's very easy to break if the server operator disables the allow_url_fopen ini directive.
You can add the following code in your script to prevent such tampering.
PHP Code:
if( !( ini_get('allow_url_fopen') ) ) exit('Configuration Error: allow_url_fopen must be turned on for this script to work');
For those worried about error messages, just drop the @ character before the functions in the script
so @fopen instead of fopen.
Last edited by Korvan; 12-16-2005 at 05:59 PM.
-
12-26-2005, 07:35 AM #45New Member
- Join Date
- Dec 2005
- Posts
- 2
Wow, I love your idea. Very well written.
-
01-21-2006, 12:10 PM #46New Member
- Join Date
- Jan 2006
- Posts
- 3
IMO, the general idea of this thread has a purpose. There are people out there that do take code and chop it up and resell it or just take your software and charge back as he suggested before. It is real and it happens on a daily basis.
The reason I see that it is good is, for one, a person or company writes software and leases the software on a monthly basis (i.e. ModernBill). They require a monthly fee and issue a license according to your contract. So if you do not pay they can shut down your script. This level of protection is needed by developers who are choosing to lease a script as such.
Therefore I see good reason to have such protection.
Now coming up with a solution that is secure enough to thwart all efforts of compromise.
-
01-21-2006, 12:17 PM #47WHT Addict
- Join Date
- Jan 2005
- Location
- Toledo, OH
- Posts
- 143
Point it to an IP so that a DNS change cannot override what server it's hitting
-
01-21-2006, 12:18 PM #48WHT Addict
- Join Date
- Jan 2005
- Location
- Toledo, OH
- Posts
- 143
You could also make it database driven instead of pulling up a text file pull up something like license.php?projectID=5551 that way you don't have a billion text files for all of the projects that you have
-
01-21-2006, 12:53 PM #49Retired Moderator
- Join Date
- Oct 2003
- Location
- Scotland, UK
- Posts
- 2,916
The most recent versions of the ionCube encoder and SourceGuardian (retailing from $259/$250) include a licensing section where you can encode the files and then generate a separate licensing file (enter a specific domain/IP where the files can run) or encode the files with the details included. Expiry dates can also be built in, so if you agree to give them source after 6 months, you simply include an expiry of 7 months to allow for some give time (or even issue 6 one-month licenses for more control and then hand the source code over). You've stopped them selling your script, stopped them using it past a certain date if they chargeback and also removed the need to maintain any sort of licensing server.
It won't give you as much control, but it avoids thinking about things like "what happens if they change DNS", "what if they firewall my server out", "what happens if my server goes down", "what happens if I need to change my IP" etc... Peace of mind for them and you. You could also purchase a specialised licensing package which should take care of issues like that for you.
Alasdair
Long time ex-host, ex-billing software owner/developer/support staff. Recent lurker.
-
01-28-2006, 04:52 PM #50
The best way to handle licenses isn't via text files, but via MySQL databases. This way you can control what IPs the licenses are used from, and all of that, pretty easily. It's really not that hard to do.
Secondly, and much more importantly!
If you're going to use ionCube as a protection agent, remember NOT everyone likes the way ion attempts to control your PHP loaders, and most will refuse to run ion scripts. Provide a Zend alternative, which will help out everyone in general.
Tom Whiting, WHMCS Guru extraordinaire
Linux problems? WHMCS Problems? Give me a shout
Check out my WHMCS Addons