How to see if your script is located on only ONE server?

VooDooRT

I'm trying to write a protection function that checks to make sure a script is located on one server only. This way, no one can take the code, give it to someone else for free, then I start losing sales...

I'm guessing HTTP_REFERER might be a good way to go, but if they come from another page, then it won't work...

Not really sure about this...ideas?

VooDooRT

top...

VooDooRT

Doesn't anyone know? Bleh...Help please!!!

LoL

TimS

This probably isn't very much help but you could use
the IP $SERVER['SERVER_ADDR'] and/or
Host Name $SERVER['SERVER_NAME']. That should remain the same.

SpanKie

Unless you encode your php files with a utility such as Zend SafeGuard or equivelent. Protecting you code via code can prove to be useless; as anyone with experience can alter your protection or completely remove it.

For a more secure plan, I would recommend looking at encoder software, you can then explore suggested methods above or others prior to the file(s) encoding.

VooDooRT

The code WILL be encoded via Zend Encoder...

Now, I just need to make sure people don't give it out to other people!

SpanKie

// do software restriction check
$key_url="http://someurl.com/keycode.lic";
$keypage=fopen($key_url, "r");
$keycode=fgets($keypage, 4096);
$keycode=trim($keycode);

if ($SERVER_ADDR != "xxx.xxx.xxx.xxx" AND $keycode != "<code from file>") {
    echo "Some message or action";
    exit;
}

You can do something like this. This is a quickie write. There are two samples of protection being used here. Locking the php app to the server ip or having the app call to a remote server for a code verify. There are many ways to do it, this is just a quick sample, and maybe not the most efficient. But this should give you a start or idea.

VooDooRT

Would this work?...

// do software restriction check 
$key_url="http://clantek.net/clantek.lic"; 
$keypage=fopen($key_url, "r"); 
$keycode=fgets($keypage, 4096); 
$keycode=trim($keycode); 

if ($SERVER_ADDR != "xxx.xxx.xxx.xxx" AND $keycode != "$SERVER_ADDR") { 
    echo "Sorry, you are using an illegal copy of this script.  For a legal copy, please goto [url]www.clantek.net[/url]"; 
    exit; 
}
//Perform the LEGAL actions...

BUT, what happens if the servers IP address changes? Can you do this by domain name?

The KeyCode would be a small file that just had a list of the authorized server IP address' in it...

superwormy

The Zend Encoder and other similar products offer exactly this feature, to be able to limit the execution of this code to a specific domain or IP address.

If you're already encoding it, and already have access to this feature, why are you trying to code it again?

VooDooRT

I'm not sure the Small Business Program edition will have that ability. I think it's only the full version of the encoder.

TimS

Here is what I am working on I have tested it out and it works but it is far from complete.

I will include something like this in the app (Zend Encoded)

// License Check
$ip = $SERVER['SERVER_ADDR'];
$server = $SERVER['SERVER_NAME'];

// Check Authorization
$checkurl = "http://www.domain.com/lcheck.php?license=$license&ip=$ip&server=$server";
$in = @fopen ($checkurl, 'r');
if($in){
$source = fread ($in, 1);
fclose ($in);
}

if($source){
// If declined Notify and shutdown.
if($source == "N"){
echo"Invalid License";
exit;
}
}

It will connect to the url which is a php file that will verify the info
in a database.

Something Like this:
$ip = $GET['ip'];
$server = $GET['server'];
$license = $_GET['license'];

if((!$ip)||(!$server)||(!$license)){
echo"N";
exit;
}

// Pull the info from the database using license as key.

if($ip != "xx.xxx.xxx.xxx"){
echo"N";
exit;
}

if($server != "www.domain.com"){
echo"N";
exit;
}
echo"Y";
?>

This results in a Y or N single character returned to the app.

I also built in a bypass so if the server happens to be down
there app will still work. Not sure if thats a good idea or not.

I am going to have a restricted area for clients to update the
IP or Domain if it changes.

I am figuring with this setup all I will need to provide is the
license number at setup instead of having to encode a license
for each sale or sending more licenses when the info changes.

I also plan to add recording of failed license checks etc..

I am not sure this is the best way to do it. I am open for suggestions.

TimS

Zend Small business does not have that ability. It costs
several hundred dollars to add it. Also Zend
License Manager requires access to the php.ini file on the
server the licensed app will be installed on which would
probably be a problem for many people.

superwormy

The Small Business Program includes the full version of Zend Encoder, albeit on a yearly contract and a low price...

VooDooRT

Here's what I've tried (with no luck btw)...

File that will/will not work, depending on if they have a valid script

$ip = $_SERVER['SERVER_ADDR']; 
$server = $_SERVER['SERVER_NAME']; 
echo("$fontString $ip = IP and $server = SERVER");
// Check Authorization 
$checkurl = "http://www.clantek.net/lcheck.php?ip=$ip&server=$server"; 
$in = @fopen ($checkurl, 'r'); 
if($in){ 
$source = fread ($in, 1); 
fclose ($in); 
} 
if($source){ 
// If declined Notify and shutdown. 
if($source == "N"){ 
echo("$fontString You are using an illegal copy of <a href=http://www.clantek.net>ClanTEK</a>.<br>Please contact the ClanTEK
administration to obtain your own legal copy."); 
exit; 
} 
}

Here's check.php

<?
//php license check to ensure the user is using a legal copy of ClanTEK!!!!
require("db_cnx.php");
$ip = $_GET['ip']; 
$server = $_GET['server']; 
//$license = $_GET['license']; 

$result = @mysql_query("SELECT * FROM license_check WHERE (ip = \"$ip\" || server = \"$server\")");
$test = @mysql_fetch_array($result);

if((!$ip)||(!$server)||(!$license)){ 
echo"N"; 
exit; 
} 
?>

VooDooRT

I try to echo $source and all that comes up is S.

I think it's getting connected but it ALWAYS allows access to the site, it never errors out saying it's not authorized.

Here's the code to check it:

$ip = $_SERVER['SERVER_ADDR'];  

$server = $_SERVER['SERVER_NAME'];  

// Check Authorization 
$checkurl = "http://www.clantek.net/check.php?ip=$ip&server=$server"; 

$in = @fopen ($checkurl, 'r');  

if($in){  

$source = fread ($in, 1);  

fclose ($in);  

} 
echo("$fontString Source = $source<br>");  

if($source){  

// If declined Notify and shutdown. 
if($source == "N"){  

echo("$fontString You are using an illegal copy of <a href=http://www.clantek.net>ClanTEK</a>.<br>Please contact the ClanTEK 
administration to obtain your own legal copy.");  

exit;  

}  

}

VooDooRT

Here's the check.php file:

<?
//php license check to ensure the user is using a legal copy of ClanTEK!!!!
require("db_cnx.php");
$ip = $_GET['ip']; 
$server = $_GET['server']; 
$sql = "SELECT * FROM license_check WHERE (ip = \"$ip\" || server = \"$server\")";
echo("$sql");
$result = @mysql_query($sql);
$test = @mysql_fetch_array($result);

if((!$ip)||(!$server)){ 
echo"N"; 
exit; 
} 
?>

VooDooRT

Here's what I'm trying now...

functions.php:

$key_url="http://fuziontek.com/ct_license/$_SERVER[SERVER_NAME].php?server=$_SERVER[SCRIPT_NAME]";  

$keypage=fopen($key_url, "r");  

$keycode=fgets($keypage, 4096);  

$keycode=trim($keycode);  

if ($keycode != "$_SERVER[SERVER_NAME]") {  

    echo "<centeR>$fontString Sorry, $_SERVER[SERVER_NAME] is using an illegal copy of this script.  For a legal copy, please goto <a href=http://www.clantek.net target=_blank>ClanTEK</a></center>"; 
 $ault1 = @mysql_query("SELECT * FROM site_info");
 $rrow = mysql_fetch_array($ault1); 

exit;  
}

Here's the file it's trying to get:

<?
require("db_cnx.php");
$_GET['server'];
$result = @mysql_query("SELECT * FROM license_check WHERE server = \"$server\"");
$test = @mysql_fetch_array($result);
$var = $test[server];
if (mysql_num_rows($test) > 0) {
echo("$var");
}
else{
echo("aass1122");
}
?>

I'm getting the following error when I execute the file it grabs from:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/voodoo/public_html/ct_license/www.fuziontek.com.php on line 7
aass1122

Some reason it's giving this error and automatically echoing the invalid license text...I'm just totally tired of messing with this and it's getting on my nerves. It's time to stop for a while, and hopefully you guys can help me out...ugh...

TimS

Here is what I have so far.

The script to check it is here:

// License Check File
// Temp test file will be expanded to do actual check later.

// Make DB Connection
$link = mysql_connect(localhost, user, pass);
if (!$link)
{
die ("Couldn't Connect To Database");
}
if (!mysql_select_db (databasename, $link) )
{
die ("Couldn't open $db: ".mysql_error() );
}

// GET VARS
$ip = $GET['ip'];
$server = $GET['server'];
$license = $_GET['license'];

if((!$ip)||(!$server)||(!$license)){
echo"N";
exit;
}

// Pull Info From Database
$sql = "SELECT * FROM license WHERE LicenseNum = \"$license\"";
$result = @($sql,$link) or die("Couldn't execute query");

if($result){
$num = mysql_num_rows($result);
}
if($num > 0){
$row = mysql_fetch_array($result);
$L_IP = $row["IP"];
$L_server = $row["ServerName"];

  // Check IP And Server Name Match
  if(($ip != $L_IP)||($server != $L_server)){
      echo"N";
  }else{
      echo"Y";
  }

}else{
echo"N";
}

mysql_close($link);

It takes the license number IP and Server Name from $_GET
checks it against the license database and prints either Y or N.

Included in the app(encoded)

// License Check
$ip = $SERVER['SERVER_ADDR'];
$server = $SERVER['SERVER_NAME'];

// Check Authorization
$checkurl = "http://www.domain.com/licensecheck/lcheck.php?
license=$license&ip=$ip&server=$server&checkdate=$checkdate";
$in = @fopen ($checkurl, 'r');
if($in){
$source = fread ($in, 1);
fclose ($in);
}

if($source){
// If declined Notify and shutdown.
if($source == "N"){
echo"Invalid license text will be here";
exit;
}
}

This sends the license number, IP, and server name to the url
specified then reads the one character string. If Y it lets the
scripts run if N it will display the Invalid text message and call
exit; to stop execution.

I still have to add a way to handle database errors but it is working.

Does anyone have any ideas on how to set it up so it does not
do the check on every run? I though about setting a session
variable to flag that the check has been done. But if they figured
that out they could set the session variable themselves and
bypass the check.

daveyboy

just my pennysworth:

it seems daft to have the script demand a valid licence from your server to execute, or fail if it cannot connect: it is trivial to stop a server connection to yours with a firewall. it also makes the performance of every site dependent on that of yours.

in your position, i would look to the masters of the trade, doubleclick, barnes & noble etc. and go for a webbug. just have each page impression - or every 100th page impression - logged to your server by a webbug or, better still, a php call, and sift through your logs for unlicenced versions.

again, all contact with your server can be blocked at the firewall.

one final alternative would be to build some exclusive, very esoteric code into each page and rely on google to spot this for you.