need help with some strategy

pck76

Hi Guys

I need some guidance around how to develop the app I'm working on.

It's basically a backend system to manage photos and slideshows (eg arrange photos in albums, decide which ones to publish, update names and captions etc)

I would like to avoid giving the source code to clients but would like to keep the actual photos and thumbnails on the client's server.

I'm not sure what would be the best way to achieve this. In my mind the steps are:
a) client uploads a photo to MY site
b) photo is registered into my DB
c) the original photo is moved to client's server
d) thumbnails are generated and saved on client's server

then the public site:
e) install the public website on my client's server;
f) when a user is browsing the client's website, the script gets the list of images to show from my database, and gets them from the local server.

(hope I made myself clear)

basically the question is: what's the best way to give the client minimal/no access to the source code?

big_nerd

pck76,

That is a difficult one to handle.

You have a few options to protect your source code..

1) Encrypt/Compile your source code into binary form, however this requires that the server your client is on to have an extension installed, this is true for all binary PHP formats. Also, if the client were so inclined, they could decrypt / reverse engineer the file to view the source code. You can optionally obfuscate it, making it essentially not worth your clients time.

Of course, this option needs an extension, and not many hosts will install one for you.

2) The other option that I would recommend is extremely harsh on your bandwidth:

Have the client upload the files, you can make the thumbnails then run a batch CRON job (nightly or whatever) to make the thumbnails and upload to the customers site via FTP (easy to do through PHP or Perl)
Update the links in the database to move to the clients site

This has its downsides because its intensive on your bandwidth, and even if you have a shared host promising 'unlimited' -- they always have an asterisks pointing out they can stop that on 'abuse' which is up to them, so not really unlimited.

3) Write a front end script to PASS parameters of the image names to your site:

Write a script to handle uploads & making thumbnails - this is easy and there are lots of examples on the net, so not a big deal for your customer to have THAT source.
Then modify your script to accept POST parameters to an XML file, and check against the IP address or pass a USER/PASSWORD (to ensure its your clients not some joe user), within the XML file you can have a modify_date field to tell you if you need to update your database or not
if the database needs updated, you can open a 2nd XML file (with all data) to grab the images & update your server
if no updates needed, just pass the info along

Keep in mind if you are hosting the software there will have to be an iframe OR a link to YOUR site which clients may not want.

4) Obfuscate the source code, mainly removing comments and using cryptic function names, etc. Have your clients sign a non-disclosure agreement, if they distribute the source code or release any information from having viewing of it, you can take them to court.

I recommend option #4, its the least intrusive, and will continue to work as expected as long as they don't touch the source, even if your server goes down, they won't be affected.

Also, I find most customers aren't familiar enough to do any damage from having the source code.