Okay, I have a small company, Kurtz Web Soltions, and I provide simple apps for buisnesses. Like contact forms, help desks, password protection, etc. And although my source code will be OS, I have some "premium" feature, and I want to know if someone can point me in the right direction. I basically need away to only allow a script to be run if it has a correct registration key?

registration key?

because i know people distribute source code, I expect that but they must pay for premium features, is there a way I can "lock down" the script until they purchase a key from me? it could be a random string or something that doesnt matter

Make it password accessable, or use MD5 strings and trim them down. Im still not 100% what you really want here, but those two things are my suggestions.

The only problem with that theory is that these will be on remote servers, not on mine...

Using ionCube or Zend's encoder would be best.

Otherwise you can do the old base64 method.

So if I used base64encode...and had a mysql db on My server, would that be secure enough? that was in the core/congig.php file i would have a simple script that checks if the variable in registration.php = the value in my mySQL db & if the referer or site URL matches the one I have registered?

If their site HAS to hit your site to run, then there is no need to hide the fact using base64encode.

You should probably use a public/private key system.

You can crack md5 hashes. You can crack them even quicker with a "Rainbow table".

I would issue them an encoded string and a public key.

sorry to bug you, but could you give me some sort of example. are you talking about using the public key as like a encoder string?

http://php.mirrors.ilisys.com.au/manual/en/ref.gnupg.php
http://www.alt-php-faq.org/local/65/

Really you just need to read on methods for generating a key in a Public/Private manner and methods to exchange and validate those keys.

thank you, that does help alot!