PHP-Security - Tamper Protection for PHP code I'm selling.
March 6th, 2013, 11:13 PM
Registered User (Join Date: Mar 2013; Posts: 2)
Hello everyone.
I'm currently working on a PHP project for a startup company that plans on selling this software to several small businesses in the area. The businesses will be charged based on how much they're using the database. I'm still talking to the other owners of the company to determine if it's going to be based on the number of queries, or just on the number of clients (rows) in the main table.
In any event, my concern is that if we sell this to someone, they could easily manipulate the raw PHP code when I'd check the number of rows in the table and have it return some static value (e.g. $numrows = 400; instead of $numrows = mysql_num_rows($result)). I'm aware that mysql_* is deprecated, but it's just an example. Anyhow, I'm looking for good ways to ensure the code isn't tampered with after we set up the buyers with the software.
As of yet I've had two ideas:
1. To use Apache's mod_rewrite to rewrite all URLs to a page that checks the hash of whatever page is being called (or just the page calculating the cost to them) that would shut it down if the hash doesn't match what it should. OR
2. Running a system service (if hosted on Windows) that checks the hash and stops the server and removes permissions from the files (e.g. cacls index.php /P Guest:N ) if it detects that the hashes don't match.
I know that other people sell their PHP code that works in a similar fashion, and that they have some way of monitoring it; I just have no idea how they do it. I Googled for "PHP tamper protection" but I just kept getting results from Symantec's anti-tamper module files that people uploaded.
Does anyone have any recommendations?
Thanks everyone. 
-Primux
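The hash check described in the two ideas above, sketched as an added example (not the poster's code, and not from any product named in this thread): a vendor-signed manifest of SHA-256 file hashes, verified with only the public key on the customer's host. The function names, temp directory and file contents are constructed, and PHP 7.2+ with the sodium extension is assumed. The check runs on the customer's machine, so it reports edits to the files it covers, not edits to the checker itself.

```php
<?php
// Added example; every path and file body below is constructed.
// SHA-256 of every .php file under $root, keyed by relative path.
function build_manifest(string $root): array {
    $root = rtrim($root, '/\\');
    $manifest = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if ($file->isFile() && $file->getExtension() === 'php') {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $manifest[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($manifest);
    return $manifest;
}

// Empty result: the tree matches the vendor-signed manifest.
function verify_tree(string $root, string $json, string $sig, string $pub): array {
    if (!sodium_crypto_sign_verify_detached($sig, $json, $pub)) {
        return ['manifest: bad signature'];
    }
    $expected = json_decode($json, true);
    $actual = build_manifest($root);
    $problems = [];
    foreach ($expected as $rel => $hash) {
        if (!isset($actual[$rel])) {
            $problems[] = "$rel: missing";
        } elseif (!hash_equals($hash, $actual[$rel])) {
            $problems[] = "$rel: modified";
        }
    }
    foreach (array_keys(array_diff_key($actual, $expected)) as $rel) {
        $problems[] = "$rel: unexpected file";
    }
    return $problems;
}

// Vendor side: sign the release manifest; only the public key ships.
$root = sys_get_temp_dir() . '/tamper_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents("$root/billing.php", '<?php $numrows = count_rows();');
$keys = sodium_crypto_sign_keypair();
$json = json_encode(build_manifest($root));
$sig  = sodium_crypto_sign_detached($json, sodium_crypto_sign_secretkey($keys));
$pub  = sodium_crypto_sign_publickey($keys);
print_r(verify_tree($root, $json, $sig, $pub));            // freshly signed tree
file_put_contents("$root/billing.php", '<?php $numrows = 400;');
print_r(verify_tree($root, $json, $sig, $pub));            // same tree after a local edit
```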

March 6th, 2013, 11:29 PM
Still alive (Join Date: Mar 2007; Location: Washington, USA)
Anything running on a client's machine can be compromised.
This business model is typically handled as an API: you give them code to access the API, or even let them write their own code, but you do the real work (including calculating billing) on the server.

March 7th, 2013, 01:17 AM
Registered User (Join Date: Mar 2013; Posts: 2)
Unfortunately at present not an option. Hopefully in the future we could host the database elsewhere. Beyond that they can do whatever they wish with the code, since we're charging by db usage.

March 7th, 2013, 01:53 AM
Still alive (Join Date: Mar 2007; Location: Washington, USA)
Then you might be stuck with something like ionCube. Does require the customer use an extension with PHP, I believe, but it's just about as close as you can get to something that's tamper-proof.

March 7th, 2013, 02:53 AM
Square Peg in a Round Hole (Join Date: Oct 2007; Location: North Yorkshire, UK)
We're in a similar situation, although we're writing it ourselves and selling it ourselves.
Quite simply, we will never release the code - the code will always be run on our servers. With the cost of VPSs and 'cloud' computing tumbling I can commission a virtual-dedicated server with full root access for as little as £7/month (for 10Gb HDD & 256Mb Ram) through my hosting company's API (so it's automated).
This is known as "Software as a Service", SaaS, and it is software bought as if it were a service (e.g. paid for monthly, and we host, maintain, update etc etc).
Our software has a modular and event-based plugin architecture for PHP-based extensions and a complete RESTful API for remote (including JS-based client interface) management.
We charge based on number of users, number of modules, hard disk space used by the application and bandwidth. Pricing is initially tiered based on users & modules (as this tends to scale proportionally with the space and bandwidth requirements). Exceptional cases can commission extra space, extra servers, load balancers, solid state drives, etc etc.
Updates are managed by version control software: each server checks daily for a new release and if one is found then it downloads, runs tests and updates the 'local' code base.