How to protect PHP code from theft and piracy after deploy? [duplicate]

4

Well, I'm working on a SaaP system (PHP / CodeIgniter + MySQL).

Initially the idea would be to deploy the system to the hosting of the client's choice. The entire "setup" process would be performed by my team, so the client would not have direct contact with the system code itself.

The fact is that I caught myself thinking: what would prevent one of my clients from hiring an obscure developer and asking him to hack the code? That way the customer could pass it on to "friends" or even resell it at an extremely low price.

Of course, from a legal point of view, the integrity of my system can be protected, but we know that this alone does not inhibit malicious people.

Well, I racked my brain thinking about everything above and came up with basically one solution, which is not 100% efficient or practical, but it's what I thought of.

Solution

Create a central class that connects to an external server (mine, in this case) and, in a token-like scheme, sends a hash (from the client) that was generated at the time of purchase and is then compared on my server. If the hash was invalid, the class would make it impossible for the system to run.

Illustration:

The problem is that any malicious developer could easily open the class and modify it so that this check was not made.

So the question remains:

Does anyone know of any method or theory that could be applied to prevent piracy of PHP systems / code?

    
asked by anonymous 30.01.2014 / 14:22

5 answers

8

One way or another, if your application is hosted where the customer chooses, the customer will have access to it. A valid option is to extract the core of your system, that is, the part that really matters, into an API, and make available to the customer only the client that will consume your API. This way you can use various types of validation so that the customer can use your system without being exposed to any code that could put your business at risk.

    
30.01.2014 / 14:34
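The split this answer describes, as an added example that is not code from the original answer: the license check and the core logic both run on the vendor's server, so editing the deployed client cannot bypass the check. All function names, customer ids, tokens and the pricing rule are hypothetical, constructed values.

```php
<?php
declare(strict_types=1);

// Vendor-side license store. Constructed sample data; a real one would be a
// database table holding only SHA-256 hashes of the issued tokens.
function licenseStore(): array
{
    return [
        'acme'   => ['hash' => hash('sha256', 'constructed-token-acme'),   'revoked' => false],
        'globex' => ['hash' => hash('sha256', 'constructed-token-globex'), 'revoked' => true],
    ];
}

// Runs on the vendor's server, so the customer cannot edit the check out.
function isLicensed(string $customerId, string $token): bool
{
    $entry = licenseStore()[$customerId] ?? null;
    // Unknown customers are compared against a dummy hash to keep timing uniform.
    $expected = $entry['hash'] ?? hash('sha256', 'no-such-customer');
    $match = hash_equals($expected, hash('sha256', $token));
    return $match && $entry !== null && !$entry['revoked'];
}

// Stand-in for the valuable business logic that never ships to the customer.
function coreQuote(array $items): float
{
    $total = 0.0;
    foreach ($items as $item) {
        $total += $item['qty'] * $item['unit_price'];
    }
    return round($total * 0.93, 2); // hypothetical proprietary pricing rule
}

// API entry point: the deployed thin client only sends input and renders output.
function handleRequest(string $customerId, string $token, array $payload): array
{
    if (!isLicensed($customerId, $token)) {
        return ['status' => 403, 'body' => ['error' => 'invalid or revoked license']];
    }
    return ['status' => 200, 'body' => ['quote' => coreQuote($payload['items'] ?? [])]];
}

// Constructed requests, as the thin client on the customer's host would send them.
$items = ['items' => [['qty' => 2, 'unit_price' => 50.0]]];
$calls = [['acme', 'constructed-token-acme'], ['acme', 'guess'], ['globex', 'constructed-token-globex']];
foreach ($calls as [$id, $tok]) {
    echo $id, ' => ', json_encode(handleRequest($id, $tok, $items)), PHP_EOL;
}
```

A copied client is useless without a valid token, and a leaked token can be revoked on the server without touching the customer's host.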
7

If you really want to hide your code, the client cannot have access to the server.

Host the service yourself.

    
30.01.2014 / 14:30
3

You can obfuscate the code of the class that makes the check (or the whole system).

There are several solutions (paid and free) that obfuscate code, such as PHPProtect, PHPEncode and Zend Guard.

    
30.01.2014 / 14:30
2

Code obfuscation with ZendGuard or IonCUBE can give you basic security against ordinary users. However, it is worth remembering the dozens of "deobfuscators" that are created daily. The most secure method would undoubtedly be to keep the entire application on your own server, since you will not achieve any level of security over access to the code (especially in PHP) while keeping it on the client's host.

    
30.01.2014 / 18:22
1

What you can do is "compile" the code to run on a HipHop VM (HHVM). This practice is becoming more and more common (for a variety of purposes) and may be suitable for what you want.

    
30.01.2014 / 14:35