
Protecting PHP Code

Greetings,

I have a PHP/MySQL application that I am deploying at a client's.

I am fairly certain that they will steal my source code and re-sell to
other companies.

I would like to somehow protect the source code.

Here are some of the options I have thought about.

Can someone give me some ideas and feedback about these --

1. Host the most critical .php file on my own host server, and
everything else on theirs.
I modify the HTML form elements to submit data to my site (using a
full URL, rather than a relative one).

The php file then connects to the database on their server using
the full host name or IP address.

After doing the processing, it redirects back to their site.

This solution is complex, there is a performance impact, cookies won't
work across sites, and there is a liability issue for me if my host
server is down and their business stops because of that.

2. A less complex solution is to rip out some of the key functions
from the .php files and host them as an include file on my server.
This way, the cookies will still work as-is, and there is a
slightly less performance impact.
But we still have the issue of their site being dependent on mine.

3. Use an obfuscator that sits between the web server and the PHP
runtime and encrypts/decrypts the .php files on the fly.

I have looked at some common obfuscators and they are no good.
All they do is replace function and variable names with some gibberish,
but a simple Find/Replace using Notepad can break the obfuscation.

Can anyone recommend a real obfuscator that is less stupid than the
person stealing the code?

4. The last option is to rip out the important functions and put them
in a C++ DLL and call the DLL from the PHP code.
This solution appeals to me the most, but means a lot more work for me.

I don't know much C++, but I know enough to write simple functions.

But I don't know which C++ to use - like which compilers, etc. so that
the DLL runs on their environment.
I think their host is UNIX/Linux based, but not sure which flavour.
Any help appreciated.

Thanks,
Harold.

Jul 17 '05 #1


I think a lot of developers overestimate the risk of source code theft.
However, since you sound certain that your client will resell your code,
here are some options:

1.) Legal: Have a lawyer experienced in IP create a license that identifies
what the client may and may not do with your source. If they "steal" your
source, you have a legal recourse. This is your best option.
2.) Turn your license model into an Application Service Provider (i.e.,
you host the application). Be sure your client understands this. They will
ask what happens if you go out of business or your server crashes.
3.) Use an encoder like Zend Encoder or Ioncube. The drawback of these is
that not all hosting environments support them.

- Kevin

Jul 17 '05 #2

Dear Mr. Crump,

Have you considered a non-technical solution?
I mean, talking to a lawyer and getting your
clients to sign a tough non-disclosure agreement?
Because if they really want to steal your
source code, even reverse engineering a DLL
will not be a problem for them.

But if you insist, the reference compiler for
*nix platforms is GCC or, in this case, G++.
As for portability, application logic code
should not need to rely on platform-specific
features. Anyway, GCC ports exist for other
platforms as well, such as MinGW for Windows.
Be careful, it's very picky about the standard!

Hope this helps,
Felix

Jul 17 '05 #3

Harold Crump wrote:
> Greetings,
>
> I have a PHP/MySQL application that I am deploying at a client's.
>
> I am fairly certain that they will steal my source code and re-sell to
> other companies.

Why did you do business with them in the first place?

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 17 '05 #4

Thanks everyone for the suggestion.
I have some follow-up questions.

> 1.) Legal: Have a lawyer experienced in IP create a license that identifies
> what the client may and may not do with your source. If they "steal" your
> source, you have a legal recourse. This is your best option.

I agree, but the problem is how would I know when they steal the code
and to whom they re-sell it?
I am writing code for an industry where all the competitors provide
very similar services and the code would need very little customisation
when re-sold.

Someone else asked me why am I doing business with them in the first place
- the answer is that it is a good business opportunity for me, and the
revenue is needed.

I can get a lawyer to create a contract agreement like suggested, but I
have no way of knowing when they will copy the code and re-sell it by
removing the copyright notices in the source code.

They have some in-house programmers, who know enough to change some
variable and function names by doing a global Find/Replace using
Notepad.

Even if I find out, I have neither the time nor the money to go after
them with a lawsuit.

Someone mentioned the GCC compiler for C++.
Are there any links and where is it downloadable from?

I can play with it and see what it would take to rip out some functions
into a C++ DLL.

I think their host is running Apache on Linux, but am not sure about
the versions.
Would GCC binaries work in this case?

Thanks,
Harold.

Jul 17 '05 #5

Harold Crump wrote:
> Thanks everyone for the suggestion.
> I have some follow-up questions.
>
>> 1.) Legal: Have a lawyer experienced in IP create a license that identifies
>> what the client may and may not do with your source. If they "steal" your
>> source, you have a legal recourse. This is your best option.
>
> I agree, but the problem is how would I know when they steal the code
> and to whom they re-sell it?
> I am writing code for an industry where all the competitors provide
> very similar services and the code would need very little
> customisation when re-sold.

Basically you can't protect your code. If you add some "call home"
option, this is very easy to detect, and very easy to disable.

> Someone else asked me why am I doing business with them in the first
> place - the answer is that it is a good business opportunity for me,
> and the revenue is needed.

So you went for the quick money. From your story it sounds more like a
bad business opportunity.

Make them an offer they can't refuse then. Tell them that for every new
customer they bring to you they get x%, and free support and
extension(s) on the version they got.

> I can get a lawyer to create a contract agreement like suggested, but
> I have no way of knowing when they will copy the code and re-sell it
> by removing the copyright notices in the source code.
>
> They have some in-house programmers, who know enough to change some
> variable and function names by doing a global Find/Replace using
> Notepad.

So why did they hire you in the first place :-D.

> Even if I find out, I have neither the time nor the money to go after
> them with a lawsuit.
>
> Someone mentioned the GCC compiler for C++.
> Are there any links and where is it downloadable from?

You probably have to write your code in C(++) then. Are you able to do
that?

> I can play with it and see what it would take to rip out some
> functions into a C++ DLL.

Which can be copied. If they want to steal your software, they do it.

> I think their host is running Apache on Linux, but am not sure about
> the versions.
> Would GCC binaries work in this case?

Think again:

- you think you are not able to do the lawsuit thing
- the code can be copied & modified, always (you only can make
modification a bit harder)

So why waste more time on this project? Give them the stuff. You are not
able to track if they stole your code anyway.

Also, if you want to do business with them, do business with them. Make
them a good offer.

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 17 '05 #6

Hello,

on 01/04/2005 12:15 PM Harold Crump said the following:
> I would like to somehow protect the source code.
>
> 4. The last option is to rip out the important functions and put them
> in a C++ DLL and call the DLL from the PHP code.
> This solution appeals to me the most, but means a lot more work for me.
>
> I don't know much C++, but I know enough to write simple functions.
>
> But I don't know which C++ to use - like which compilers, etc. so that
> the DLL runs on their environment.
> I think their host is UNIX/Linux based, but not sure which flavour.
> Any help appreciated.

I think you want to use Roadsend PHP compiler. It turns PHP source code
into .DLL in Windows or .so in Linux/Unix.

http://www.roadsend.com/
--

Regards,
Manuel Lemos

PHP Classes - Free ready to use OOP components written in PHP
http://www.phpclasses.org/

PHP Reviews - Reviews of PHP books and other products
http://www.phpclasses.org/reviews/

Metastorage - Data object relational mapping layer generator
http://www.meta-language.net/metastorage.html
Jul 17 '05 #7

On 04 Jan. 2005, Sir "Harold Crump" <or**********@yahoo.com> claimed in
news:11**********************@f14g2000cwb.googlegroups.com:
> Greetings,
>
> I have a PHP/MySQL application that I am deploying at a client's.
>
> I am fairly certain that they will steal my source code and re-sell to
> other companies.
>
> I would like to somehow protect the source code.

You should use Zend Encoder, it was designed for that purpose... The only
problems are:
- You have to make your client install Zend Optimizer on their server.
- Zend Encoder is rather expensive $960...

Zend Encoder:

http://www.zend.com/store/products/z...coder.php?home

Zend Optimizer:

http://www.zend.com/store/products/zend-optimizer.php
Jul 17 '05 #8

"Harold Crump" <or**********@yahoo.com> wrote in message
news:11**********************@f14g2000cwb.googlegroups.com...
> Greetings,
>
> I have a PHP/MySQL application that I am deploying at a client's.
>
> I am fairly certain that they will steal my source code and re-sell to
> other companies.

Put a backdoor into the program that let you hijack their server.
Jul 17 '05 #9

Chung Leong wrote:
> "Harold Crump" <or**********@yahoo.com> wrote in message
> news:11**********************@f14g2000cwb.googlegroups.com...
>> Greetings,
>>
>> I have a PHP/MySQL application that I am deploying at a client's.
>>
>> I am fairly certain that they will steal my source code and re-sell to other companies.
>
> Put a backdoor into the program that let you hijack their server.

Get yourself checked out. This is unethical.

Harold, by any chance are you writing a program to control a nuclear
reactor or a rocket ? If not, most likely your customers will be able
to find better source code to "steal" in the gazillion of Open Sourced
programs. Your software is not special, get over it. That will make
life easier for all involved.

Cheers
Raj Shekhar

Jul 17 '05 #10

> Someone mentioned the GCC compiler for C++.
> Are there any links and where is it downloadable from?

That was me. Visit http://gcc.gnu.org/
if you like, but GCC should be included
with any GNU/Linux distribution, and
you're going to need one for the build
process anyway.

> I think their host is running Apache on Linux, but am not sure about
> the versions.
> Would GCC binaries work in this case?

It can be arranged by doing what is called
"static linking". You get a binary that
does not depend on any dll's.

> Thanks,
> Harold.

You're welcome :-)
Felix

P.S. I just realized you probably want to
write a PHP extension. Oops. You will also
need a program called SWIG (www.swig.org),
unless you can organize your C++ code as a
stand-alone program and call it with exec().

Jul 17 '05 #11

In article <11**********************@f14g2000cwb.googlegroups.com>,
"lunatech" <r.*******@gmail.com> wrote:
> Chung Leong wrote:
>> "Harold Crump" <or**********@yahoo.com> wrote in message
>> news:11**********************@f14g2000cwb.googlegroups.com...
>>> Greetings,
>>>
>>> I have a PHP/MySQL application that I am deploying at a client's.
>>>
>>> I am fairly certain that they will steal my source code and re-sell
>>> to other companies.
>>
>> Put a backdoor into the program that let you hijack their server.
>
> Get yourself checked out. This is unethical.
>
> Harold, by any chance are you writing a program to control a nuclear
> reactor or a rocket ? If not, most likely your customers will be able
> to find better source code to "steal" in the gazillion of Open Sourced
> programs. Your software is not special, get over it. That will make
> life easier for all involved.
>
> Cheers
> Raj Shekhar

Or ensure that any contract you've signed gives your customer
"right-to-use" license for the software. Then put ways of identifying
your code into the source. If it ends up somewhere it shouldn't,
confront the company that's running the unlicensed copy and ask for a
license fee. File copyright infringement litigation if they refuse with
suitable publicity.

If you're doing "work for hire", forget it. They own anything you
produced and you have no grounds for anything. Then get a life and move
on.

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Jul 17 '05 #12

Resell them the hosting on top of the site coding and never give them
the password to the site.

Albeit, then you must support your code too.

enjoy,

Sean
"In the End, we will remember not the words of our enemies,
but the silence of our friends."

- Martin Luther King Jr. (1929-1968)

Photo Archive @ http://www.tearnet.com/Sean
Last Updated 29 Sept. 2004
Jul 17 '05 #13

OK, I understand your point in saying that the customer can find source
code elsewhere, but seriously. This guy came on here for help and you
respond with "your software is not special, get over it". That's
really nice. Maybe when you're done on the computer you can go kick a
couple of puppies, too.

Jul 17 '05 #14

syren wrote:
> OK, I understand your point in saying that the customer can find source
> code elsewhere, but seriously. This guy came on here for help and you
> respond with "your software is not special, get over it". That's
> really nice. Maybe when you're done on the computer you can go kick a
> couple of puppies, too.

Puppies, hah, that's for beginners :-D.

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html
Jul 17 '05 #16

What kind of contract do you have with the company? If it's an
agreement where they are paying you $X an hour to develop the code then
they own the code just as if you were working on an assembly line
making cars, they own the car and you get paid for your time. If they
said we need the ability to do X, Y, Z and you said alright, I'll
develop an application for that then you have a bit more flexibility.
I'd use Zend because it's closely tied with the PHP group. As you made
it sound, you are in a Windows environment. I only work in a *nix
environment so I'm not sure how Zend works in Windows, but it's worth
the try. Now as far as the licensing fee, build the code and encode it.
Forewarn the client that in order to run the code they will be required
to purchase a licence of the Zend server and that it will be approx.
$1000

Jul 17 '05 #17

TheLobster at Gmail dot Com wrote:
> What kind of contract do you have with the company? If it's an
> agreement where they are paying you $X an hour to develop the code then
> they own the code just as if you were working on an assembly line
> making cars, they own the car and you get paid for your time. If they
> said we need the ability to do X, Y, Z and you said alright, I'll
> develop an application for that then you have a bit more flexibility.
> I'd use Zend because it's closely tied with the PHP group. As you made
> it sound, you are in a Windows environment. I only work in a *nix
> environment so I'm not sure how Zend works in Windows, but it's worth
> the try. Now as far as the licensing fee, build the code and encode it.
> Forewarn the client that in order to run the code they will be required
> to purchase a licence of the Zend server and that it will be approx.
> $1000

<snip>
The Zend Optimizer is a free application that runs the files encoded by
the Zend Encoder and Zend SafeGuard Suite, while enhancing the running
speed of PHP applications.

Benefits

* Enables users to run files encoded by the Zend Encoder
* Increases runtime performance up to 40%.
</snip>

Not sure why any production php application would not be using the free
optimizer? Just buy the encoder and forget the rest... Well worth the
cost if you write code people want to resell.

As far as who owns the code.. It depends on where you developed the code
and who was the majority manager of the effort. If they were independent
of the project other than developing requirements then it is most likely
your code. If they worked you like one of their own programmers then
you're out of luck.

-JI
Jul 17 '05 #18

"Harold Crump" <or**********@yahoo.com> wrote in message
news:11**********************@f14g2000cwb.googlegroups.com...
> Greetings,
>
> I have a PHP/MySQL application that I am deploying at a client's.
>
> I am fairly certain that they will steal my source code and re-sell to
> other companies.
>
> I would like to somehow protect the source code.
>
> Here are some of the options I have thought about....
> [snip]
> 3. Use an obfuscator that sits between the web server and the PHP
> runtime and encrypts/decrypts the .php files on the fly.
>
> I have looked at some common obfuscators and they are no good.
> All they do is replace function and variable names with some gibberish,
> but a simple Find/Replace using Notepad can break the obfuscation.
>
> Can anyone recommend a real obfuscator that is less stupid than the
> person stealing the code?

(Warning: Biased observer ahead. We supply a PHP obfuscator).

I feel compelled to observe that most thieves are stupider :-}
That's not the point of an obfuscator.

It is true that obfuscators mostly scramble identifier names.
(They also remove your carefully crafted comments
describing how the code works, too. You do
have such comments, right?)

What makes your program hard to understand is a lot of structure
and complexity, and a complete absence of good cues for
deciding how it works. Obfuscators succeed (to the extent they do)
by removing such cues.

Most useful programs are complex enough so that even with
good naming conventions and careful comments,
they are hard to understand. Witness
the cost of conventional software maintenance.
Obfuscators push this to the extreme.
To recover a name, and "used Notepad to break
the obfuscation", the thief has to first figure
out what the code means.

Now, if your code is so simple (e.g., a few pages,
pure straight-line code, no algorithms) that a thief
can figure out the names of everything of interest
easily, an obfuscator won't help you. But then,
if it is that simple, the thief (well, the smart ones,
er, contradiction?) can code the functionality
themselves.

If you have dozens of pages with complex logic,
a thief will have a very hard time recovering all
the code.

Obfuscators also have the advantage (over
most of the other encrypting solutions) of not
making you force your customer to configure
his PHP server *your* way.

The other "encrypting" solutions aren't really different.
They don't stop a thief from stealing your code.
They simply raise the price. The question
for you is, how to raise the price higher than
most thieves want to go?

Regarding other discussions: I agree that a legal
agreement is a good thing to have, also. Having
said that, it assumes that your customer is willing
to play by the rules or at least be sued in a court with rules, and it
assumes that you have the courtroom staying power
to stick out the contest. If your customer isn't
in your legal jurisdiction, you may find it hard
to enforce your rights. (The Chinese don't
seem much concerned that Hollywood is unhappy
with bootleg movies).

If you *do* succeed in getting him to court,
then asking him to cough up his source code
to prove it is his is likely to occur. If what
he has is clearly "obfuscated" code with a
few Notebook-restored variables, he'll have
a tough time explaining why.

-- IDB

Jul 17 '05 #19
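
Added example, not part of any post in this thread: a Python sketch of how a vendor could check a suspected copy against their own PHP source after the copyright notice has been deleted and names changed by global Find/Replace, the scenario discussed above. The PHP samples, all function names and the 5-token window are constructed assumptions, and the tokenizer covers only a small PHP subset.

```python
import hashlib
import re
# Tokenizer for a small PHP subset; enough for the constructed samples below.
TOKEN_RE = re.compile(r"""
    (?P<comment>//[^\n]*|\#[^\n]*|/\*.*?\*/)
  | (?P<string>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<var>\$[A-Za-z_]\w*)
  | (?P<name>[A-Za-z_]\w*)
  | (?P<num>\d+(?:\.\d+)?)
  | (?P<op>[^\s\w])
""", re.VERBOSE | re.DOTALL)

# Language keywords keep their text; every other name is treated as renameable.
PHP_KEYWORDS = {"php", "function", "return", "if", "else", "elseif", "for",
                "foreach", "while", "as", "echo", "array", "class", "new"}

def normalize(source):
    """Drop comments and blank out everything a find/replace could change."""
    out = []
    for m in TOKEN_RE.finditer(source):
        kind, text = m.lastgroup, m.group()
        if kind == "comment":
            continue                      # copyright notices vanish here too
        if kind == "var":
            out.append("V")               # $age and $a look the same
        elif kind == "string":
            out.append("S")
        elif kind == "name" and text.lower() not in PHP_KEYWORDS:
            out.append("N")               # function and class names
        else:
            out.append(text.lower())
    return out

def fingerprint(source, k=5):
    """Set of hashes over every window of k normalized tokens."""
    toks = normalize(source)
    return {hashlib.sha256(" ".join(toks[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(toks) - k + 1)}

def containment(original, candidate, k=5):
    """Fraction of the original's fingerprints that appear in the candidate."""
    fo, fc = fingerprint(original, k), fingerprint(candidate, k)
    return len(fo & fc) / len(fo) if fo else 0.0

# Constructed sample inputs (not taken from the thread).
ORIGINAL = """<?php
// Copyright (c) Example Vendor. Constructed sample.
function quote_premium($age, $base_rate) {
    $factor = 1.0;
    if ($age < 25) {
        $factor = 1.6;   // young-driver loading
    }
    return round($base_rate * $factor, 2);
}
"""
# Same code after the notice is deleted and names are changed by find/replace.
RENAMED = """<?php
function calcPrice($a, $r) {
    $m = 1.0;
    if ($a < 25) {
        $m = 1.6;
    }
    return round($r * $m, 2);
}
"""
UNRELATED = """<?php
function list_users($db) {
    $rows = array();
    foreach ($db->query('SELECT name FROM users') as $row) {
        $rows[] = strtoupper($row['name']);
    }
    echo implode(', ', $rows);
}
"""
EMBEDDED = UNRELATED + RENAMED.replace("<?php", "", 1)  # copy buried in a larger file
if __name__ == "__main__":
    for label, cand in (("renamed", RENAMED), ("unrelated", UNRELATED), ("embedded", EMBEDDED)):
        print(label, round(containment(ORIGINAL, cand), 2))
```

A containment near 1.0 only says the token structure matches; it is a reason for a human to compare the two files, not proof of copying.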

lunatech wrote:
> Chung Leong wrote:
>
> <snip>
>> Put a backdoor into the program that let you hijack their server.
>
> Get yourself checked out. This is unethical.

LOL! Are you a newcomer? Aren't you reading alt.fan.chungleong? ;-)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #20

syren wrote:
> OK, I understand your point in saying that the customer can find source code elsewhere, but seriously. This guy came on here for help and you respond with "your software is not special, get over it".

Maybe working with Free software has made me think that getting the
source code of the software I use is my right (and I should provide my
customers with the same rights). My aim in pointing out that his
software is not special was that he should spend more time in making
his software robust and user friendly rather than finding means to put
in backdoors in them. Trust me, if you are good people will come to
you. Maintenance of code is hard work.

Obfuscation does not work, period. Google has some pretty nifty
javascript tricks in Google suggest AND has taken pains to obfuscate
it. However, it has been dissected
http://developers.slashdot.org/artic.../12/18/0139249 .

To put it politely "All your base are belong to us" [1], get over it
;-)

[1] http://en.wikipedia.org/wiki/All_you...e_belong_to_us

--

Raj Shekhar
System Administrator, programmer and slacker
home : http://rajshekhar.net
blog : http://rajshekhar.net/blog/
work : http://netphotograph.com

Jul 17 '05 #21

R. Rajesh Jeba Anbiah wrote:
> lunatech wrote:
>> Chung Leong wrote:
>>
>> <snip>
>>> Put a backdoor into the program that let you hijack their server.
>>
>> Get yourself checked out. This is unethical.
>
> LOL! Are you a newcomer? Aren't you reading alt.fan.chungleong? ;-)

heh, yes I am a newcomer to the usenet (using google groups). An old
hand in some other mailing lists :-)

--
Raj Shekhar
System Administrator, programmer and slacker
home : http://rajshekhar.net
blog : http://rajshekhar.net/blog/
work : http://netphotograph.com

Jul 17 '05 #22

lunatech wrote:
> R. Rajesh Jeba Anbiah wrote:
>
> <snip>
>> LOL! Are you a newcomer? Aren't you reading alt.fan.chungleong? ;-)
>
> heh, yes I am a newcomer to the usenet (using google groups). An old
> hand in some other mailing lists :-)

Cool, welcome to the world of saints:)

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Jul 17 '05 #23
