#1
    Registered User (Devshed Newbie), joined Mar 2013

    Tamper Protection for PHP code I'm selling.


    Hello everyone.

    I'm currently working on a PHP project for a startup company that plans on selling this software to several small businesses in the area. The businesses will be charged based on how much they're using the database. I'm still talking to the other owners of the company to determine if it's going to be based on the number of queries, or just on the number of clients (rows) in the main table.

    In any event, my concern is that if we sell this to someone, they could easily manipulate the raw PHP code where I check the number of rows in the table and have it return some static value (e.g. $numrows = 400; instead of $numrows = mysql_num_rows($result)). I'm aware that mysql_* is deprecated, but it's just an example. Anyhow, I'm looking for good ways to ensure the code isn't tampered with after we set up the buyers with the software.

    As of yet I've had two ideas:
    1. Use Apache's mod_rewrite to rewrite all URLs to a page that checks the hash of whatever page is being called (or just the page calculating the cost to them) and shuts it down if the hash doesn't match what it should. OR
    2. Run a system service (if hosted on Windows) that checks the hash and stops the server and removes permissions from the files (e.g. cacls index.php /P Guest:N) if it detects that the hashes don't match.

    I know that other people sell their PHP code that works in a similar fashion, and that they have some way of monitoring it, I just have no idea how they do it. I googled for "PHP tamper protection" but I just kept getting results from Symantec's anti-tamper module files that people uploaded.

    Does anyone have any recommendations?
    Thanks everyone.
    -Primux
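    For reference, this is what option 1 above looks like when written out. It is an added example, not code from the original poster: a front controller that mod_rewrite would send every request through, which compares a keyed SHA-256 digest of the requested script against a manifest before including it. The file layout (app/, manifest.json, gate.php), the query parameter name and the signing key are all assumptions. Notice where every piece of the protection lives: the gate, the manifest and the key sit on the customer's disk next to the scripts, so anyone who can edit index.php can also rerun the manifest build (or delete the rewrite rule), which is the objection the replies in this thread raise.

```php
<?php
// gate.php: added example of the "hash check front controller" idea from post #1.
// Assumed layout: .htaccess rewrites every *.php request to gate.php?page=<name>;
// manifest.json maps script filename -> HMAC-SHA256 of its contents.
// Everything here (gate, manifest, key) lives on the customer's server, so a
// customer who can edit the scripts can just as easily regenerate the manifest.

declare(strict_types=1);

const APP_ROOT    = __DIR__ . '/app';           // assumed location of the sold scripts
const MANIFEST    = __DIR__ . '/manifest.json';  // assumed manifest path
const SIGNING_KEY = 'replace-me';                // assumed; an embedded key is extractable

// Keyed digest of a file. HMAC rather than a bare hash only so that a casual
// edit of manifest.json needs the key; the key is in this very file anyway.
function fileDigest(string $path): string
{
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException("unreadable: $path");
    }
    return hash_hmac('sha256', $data, SIGNING_KEY);
}

// Vendor-side helper: build the manifest once after installation.
function buildManifest(): void
{
    $manifest = [];
    foreach (glob(APP_ROOT . '/*.php') ?: [] as $file) {
        $manifest[basename($file)] = fileDigest($file);
    }
    file_put_contents(MANIFEST, json_encode($manifest, JSON_PRETTY_PRINT));
}

// Gate: refuse to run a script whose digest no longer matches the manifest.
function verifiedInclude(string $page): void
{
    // Only plain file names are accepted, so the page parameter cannot traverse.
    if (!preg_match('/^[A-Za-z0-9_-]+\.php$/', $page)) {
        http_response_code(400);
        exit('bad page');
    }
    $manifest = json_decode((string) file_get_contents(MANIFEST), true) ?: [];
    $path     = APP_ROOT . '/' . $page;

    if (!isset($manifest[$page]) || !is_file($path)) {
        http_response_code(404);
        exit('unknown page');
    }
    // Constant-time comparison so the gate does not leak the expected digest.
    if (!hash_equals($manifest[$page], fileDigest($path))) {
        http_response_code(503);
        error_log("integrity failure for $page");
        exit('application disabled: integrity check failed');
    }
    require $path;
}

if (PHP_SAPI === 'cli' && ($argv[1] ?? '') === 'build') {
    buildManifest();            // php gate.php build   (run once after install)
} else {
    verifiedInclude($_GET['page'] ?? 'index.php');
}
```

    Run "php gate.php build" once after deploying to write manifest.json; from then on every rewritten request goes through verifiedInclude(). The check is sound as far as it goes, but it only detects edits made by someone who cannot also run the build step, and on a server the customer administers there is no such person.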
#2
    Transforming Moderator (Devshed Supreme Being), Washington, USA, joined Mar 2007
    Anything running on a client's machine can be compromised.

    This business model is typically handled as an API: you give them code to access the API, or even let them write their own code, but you do the real work (including calculating billing) on the server.
#3
    Registered User (Devshed Newbie), joined Mar 2013
    Unfortunately at present not an option. Hopefully in the future we could host the database elsewhere. Beyond that they can do whatever they wish with the code, since we're charging by db usage.
#4
    Transforming Moderator (Devshed Supreme Being), Washington, USA, joined Mar 2007
    Then you might be stuck with something like ionCube. It does require the customer to use a PHP extension, I believe, but it's just about as close as you can get to something that's tamper-proof.
#5
    Mad Scientist (Devshed Expert), North Yorkshire, UK, joined Oct 2007
    We're in a similar situation, although we're writing it ourselves and selling it ourselves.

    Quite simply, we will never release the code - the code will always be run on our servers. With the cost of VPSs and 'cloud' computing tumbling I can commission a virtual dedicated server with full root access for as little as 7/month (for 10 GB HDD & 256 MB RAM) through my hosting company's API (so it's automated).

    This is known as "Software as a Service", SaaS, and it is software bought as if it were a service (e.g. paid for monthly, and we host, maintain, update, etc.).

    Our software has a modular and event-based plugin architecture for PHP-based extensions and a complete RESTful API for remote (including JS-based client interface) management.

    We charge based on number of users, number of modules, hard disk space used by the application and bandwidth. Pricing is initially tiered based on users & modules (as this tends to scale proportionally with the space and bandwidth requirements). Exceptional cases can commission extra space, extra servers, load balancers, solid state drives, etc etc.

    Updates are managed by version control software: each server checks daily for a new release and if one is found then it downloads, runs tests and updates the 'local' code base.
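    The alternative that posts #2 and #5 both describe, the vendor keeping the data and the billing on its own server and handing the customer only an API, looks like the following. This is an added example and not code from either poster; the table layout, the action names and the API-key scheme are assumptions, and an in-memory SQLite database stands in for the real one. The point it makes concrete is that the figures billing reads come from tables the customer never has write access to, so tampering with anything on the customer side can, at most, break the customer's own client.

```php
<?php
// meter.php: added example of the "do the real work behind an API" model from
// posts #2 and #5. The customer only holds an API key; the data, the queries and
// the usage counter all live on the vendor's server, so editing customer-side
// code cannot change what gets billed. SQLite in memory stands in for the real DB.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE tenants (id INTEGER PRIMARY KEY, name TEXT, key_hash TEXT UNIQUE)');
    $db->exec('CREATE TABLE clients (id INTEGER PRIMARY KEY, tenant_id INTEGER, name TEXT)');
    $db->exec('CREATE TABLE usage_log (tenant_id INTEGER, action TEXT, at TEXT)');
    return $db;
}

// Issue a random key to a new customer; only its hash is stored, as with a password.
function createTenant(PDO $db, string $name): string
{
    $key = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO tenants (name, key_hash) VALUES (?, ?)')
       ->execute([$name, hash('sha256', $key)]);
    return $key;
}

// Resolve the tenant from the presented key; null if the key is unknown.
function authenticate(PDO $db, string $apiKey): ?int
{
    $stmt = $db->prepare('SELECT id FROM tenants WHERE key_hash = ?');
    $stmt->execute([hash('sha256', $apiKey)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// The only way a customer touches the data: every call is scoped to the tenant
// resolved from the key, and recorded server-side before the action runs.
function handleRequest(PDO $db, string $apiKey, string $action, array $params = []): array
{
    $tenant = authenticate($db, $apiKey);
    if ($tenant === null) {
        return ['error' => 'unauthorized'];
    }
    $db->prepare("INSERT INTO usage_log VALUES (?, ?, datetime('now'))")
       ->execute([$tenant, $action]);

    switch ($action) {
        case 'add_client':
            $db->prepare('INSERT INTO clients (tenant_id, name) VALUES (?, ?)')
               ->execute([$tenant, $params['name'] ?? '']);
            return ['ok' => true];
        case 'list_clients':
            $stmt = $db->prepare('SELECT name FROM clients WHERE tenant_id = ?');
            $stmt->execute([$tenant]);
            return ['clients' => $stmt->fetchAll(PDO::FETCH_COLUMN)];
        default:
            return ['error' => 'unknown action'];
    }
}

// Billing reads the server's own tables, never a number the customer reports.
function billingFigures(PDO $db, int $tenant): array
{
    $rows = $db->prepare('SELECT COUNT(*) FROM clients WHERE tenant_id = ?');
    $rows->execute([$tenant]);
    $calls = $db->prepare('SELECT COUNT(*) FROM usage_log WHERE tenant_id = ?');
    $calls->execute([$tenant]);
    return ['rows' => (int) $rows->fetchColumn(), 'api_calls' => (int) $calls->fetchColumn()];
}

// Demo with constructed data: one tenant, two records, one listing, one bad key.
$db  = openDb();
$key = createTenant($db, 'Example Ltd');
handleRequest($db, $key, 'add_client', ['name' => 'Alice']);
handleRequest($db, $key, 'add_client', ['name' => 'Bob']);
handleRequest($db, $key, 'list_clients');
var_dump(handleRequest($db, 'not-a-key', 'list_clients'));
var_dump(billingFigures($db, authenticate($db, $key)));
```

    Whether the charge is per query or per row, both numbers come out of billingFigures(), which the customer cannot reach; the rejected call with the bad key is not logged, so unauthenticated traffic does not inflate anyone's bill. Keying every query on the authenticated tenant_id is also what keeps one customer's data out of another customer's listing once several of them share the same database.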
