How do I protect PHP code from theft and piracy after deploying?

Viewed 12,657 times

6

Well, I’m working on a SaaS system (PHP/CodeIgniter + MySQL).

Initially the idea would be to deploy the system on hosting of the client’s choice. The entire "installation" process would be carried out by my team, so that the client would not have direct contact with the system code itself.

The fact is, I found myself thinking: what would stop one of my clients from hiring an obscure developer and asking him to hack the code? That way the customer could pass it on to "friends" or even resell it for an extremely low price.

Of course, from a legal point of view, the integrity of my system can be protected, but we know that alone does not stop malicious people.

Well, I racked my brains thinking about all of the above and came up with basically one solution, which is not 100% efficient or practical, but it’s what I thought of.


Solution

Create a central class that connects to an external server (mine, in this case) and, in a token scheme, sends a hash (from the client) that was generated at the time of purchase and is then compared against the database on my server. If the hash is invalid, the class would make it impossible for the system to run.

Illustration: (image: insert image description here)

The problem is that any malicious developer could easily open the class and modify it so that this check would not be done.

So the question remains:

Does anyone know of any method or theory that could be applied to prevent PHP code/systems from being hacked?

  • [3] Unbeatable protection against malicious users: do not deploy.

  • I haven’t worked with PHP for years, but wouldn’t solutions like Zend Guard, ionCube and the like solve your problem?

  • [3] If you deliver a solution to the customer, you have already delivered the source code. If it is a script, it is directly visible; if it is compiled, it can be decompiled. Finally, any form of code obfuscation is just false security, as a dedicated person is able to reverse engineer it on their own. If you want to keep your "industrial secret" a secret, host your solution outside the customer’s machine park.

  • @Renan the comment about Brazil was misplaced; in fact it is not only a local problem. Edited.

  • @Kazzkiq I edited my comment too.

5 answers

8


One way or another, if your application is hosted where the customer chooses, they will have access to it. A valid option is to extract the core of your system, that is, the part that really matters, into an API, and provide the customer only with the client application that will consume that API. This way you can apply various kinds of validation to control how they use your system, without exposing to your customer any code that could put your business at risk.
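As an added illustration of this answer's approach (not code from the answerer or from any existing product): the business logic stays on a server the vendor controls, and the shipped client only signs requests with a per-customer secret issued at purchase. The customer id, secret, header names and request body below are constructed for the example.

```php
<?php
// Constructed example: thin client signing requests to a vendor-hosted API,
// and the server-side verification of those signatures.

// ----- Server side (runs only on the vendor's server) -----
const REPLAY_WINDOW = 300; // seconds during which a signed request is accepted

// Per-customer secrets issued at purchase; in practice these come from the DB.
function customerSecret(string $customerId): ?string {
    $secrets = ['cust-1234' => 'CONSTRUCTED-SECRET-do-not-ship'];
    return $secrets[$customerId] ?? null;
}

function verifyRequest(array $headers, string $body, int $now): bool {
    $secret = customerSecret($headers['X-Customer'] ?? '');
    if ($secret === null) {
        return false; // unknown (or revoked) customer
    }
    $ts = (int)($headers['X-Timestamp'] ?? 0);
    if (abs($now - $ts) > REPLAY_WINDOW) {
        return false; // stale request, possibly replayed
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $body, $secret);
    // hash_equals compares in constant time, avoiding a timing side channel.
    return hash_equals($expected, $headers['X-Signature'] ?? '');
}

// ----- Client side (shipped to the customer; contains no business logic) -----
function signRequest(string $customerId, string $secret, string $body, int $now): array {
    return [
        'X-Customer'  => $customerId,
        'X-Timestamp' => (string)$now,
        'X-Signature' => hash_hmac('sha256', $now . "\n" . $body, $secret),
    ];
}

// Demonstration with a constructed request.
$secret = 'CONSTRUCTED-SECRET-do-not-ship';
$body   = json_encode(['action' => 'generate_report', 'month' => '2024-01']);

$headers = signRequest('cust-1234', $secret, $body, time());
var_dump(verifyRequest($headers, $body, time()));   // valid signature

$headers['X-Signature'] = 'tampered';
var_dump(verifyRequest($headers, $body, time()));   // altered signature

$headers = signRequest('cust-1234', $secret, $body, time() - 3600);
var_dump(verifyRequest($headers, $body, time()));   // timestamp outside the window
```

Because the secret only identifies the calling customer, a copy handed to a third party can be revoked on the server without touching the shipped client; the code worth protecting never leaves the vendor's host.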

6

If you really want to hide your code, the client cannot have access to the server.

Make the service hosting yourself.

3

You can obfuscate the code of the checking class (or the whole system).

There are several solutions (paid and free), such as Phpprotect, Phpencode and the Zend Guard code obfuscation.

2

Code obfuscation with Zend Guard or ionCube can provide basic security against ordinary users. However, it is worth remembering the dozens of "deobfuscators" that are created daily. The safest method would undoubtedly be to keep the entire application on your own server, since you will not reach a comparable level of security regarding code access (especially in PHP) while keeping it on the client’s host.

1

What you can do is "compile" the code to run on the HipHop VM (HHVM). This practice is becoming more and more common (for the most diverse purposes) and may serve your purpose.
