Need some suggestions regarding licensing

[ChintanBhat]

Hi guys, well i'm on my way to complete one project of php pased model. So i just want to know that how i can secure my php script? Like i know that "Security is myth" but still i can improve the security encryption too. So i need suggestions from you guys that how i can make a well secured script. And one more thing after the completion of my project, i'll give one license to my Babiato's family also to test the product.

And in this community we null the scripts but never try to understand or discuss this so it may be useful for many developers too.

As already mentioned above that don't give advice that security is myth so i need suggestions regarding securing the script not advice that you can't.

Hoping some best suggestions

 

[wooyihoo]

you might want to check the code of EventPortal

https://babia.to/threads/null-request-event-portal.33001/

in folder admin > stp > php files.

It has an elaborate way of securing codes. I'm not sure if they used an obfuscation software, but it's quite impressive.

You can also offer software as a service. This way your codes resides in your own server. This is what I'm doing.

Hope this helps.

Cheers!

 

[ChintanBhat]

you might want to check the code of EventPortal

https://babia.to/threads/null-request-event-portal.33001/

in folder admin > stp > php files.

It has an elaborate way of securing codes. I'm not sure if they used an obfuscation software, but it's quite impressive.

You can also offer software as a service. This way your codes resides in your own server. This is what I'm doing.

Hope this helps.

Cheers!

See even if i make such a function like SQL file will be downloaded from my server but still even after someone having my purchased product and he/she can share the SQL Dump file and it can be null easily by manipulating the script. Yes, i like your idea but i need some more intense security encryption. Like what if i can do one thing that always it will check the license from my server or what if i can host all my buyer's SQL in my server then if will allow only the person having license code, then he/she only can access to the script. What you say? And i'll make a session query that even if someone will make SQL file then also it will not be accessible because it will ask for session json token. And the json token will be generated randomly by my server.

 

[phpCore]

See even if i make such a function like SQL file will be downloaded from my server but still even after someone having my purchased product and he/she can share the SQL Dump file and it can be null easily by manipulating the script. Yes, i like your idea but i need some more intense security encryption. Like what if i can do one thing that always it will check the license from my server or what if i can host all my buyer's SQL in my server then if will allow only the person having license code, then he/she only can access to the script. What you say? And i'll make a session query that even if someone will make SQL file then also it will not be accessible because it will ask for session json token. And the json token will be generated randomly by my server.

And if this person is a member on babiato, your script will be for sure nulled

The solution is : applications in the cloud

 

[slvrsteele]

That mean permanent query to your server. With low number of queries won't be a problem but if that number gets high either your hosting will filter or if you're behind cloudflare those queries will be blocked or your hosting will disable your server for DDoS like attack. And beside that who can stop someone to replicate the queries on local where script is installed and bypass requests to your server? One option would be ioncube but if the script is worthy then some can be tempted to pay to decode it.

 

[ChintanBhat]

And if this person is a member on babiato, your script will be for sure nulled

The solution is : applications in the cloud

Yeah! I thought the same but then i think if somethings happen with my server, like if it's gets crash or like it's runtime error for like also even for 10 sec then buyers will get panic. That's why i dropped this idea.

 

[ChintanBhat]

That mean permanent query to your server. With low number of queries won't be a problem but if that number gets high either your hosting will filter or if you're behind cloudflare those queries will be blocked or your hosting will disable your server for DDoS like attack. And beside that who can stop someone to replicate the queries on local where script is installed and bypass requests to your server? One option would be ioncube but if the script is worthy then some can be tempted to pay to decode it.

Yes, IONCube is not the only solution for licensing because it may also get decode. And you're right server may get disable but what if i have my own dedicated server? And yes it can be bypass the request from the server. This idea is also dropped

 

[phpCore]

Create you own iconcube alternative

 

[ChintanBhat]

Create you own iconcube alternative

Bro then it would take me more 10 years to complete and sell it on the market and even till that i would be of age 45

 

[HeyMakarina]

Every script can be nulled regardless how you encrypt. Even latest ioncube can be decoded. Question is your script is good enough to pay decoding service.

Also depending on your product, you might consider SaaS option since end users do not get script on their hands.

 

[ChintanBhat]

Every script can be nulled regardless how you encrypt. Even latest ioncube can be decoded. Question is your script is good enough to pay decoding service.

Also depending on your product, you might consider SaaS option since end users do not get script on their hands.

See my question is not about my script is good or bad. My query is how i can make my script more secure licensing. And i think end user Saas is also not be a good option

 

[slvrsteele]

As I said to a developer on this forum some time ago: if your script is worthy then people will buy it to support it. Tho the buyers will be like 40-50% of the uses is still a gain. What should be your concern are the low price resellers and GPL sites.
There is no bullet proof encryption and licensing (think that php has to be interpreted for script to work so one way encryption is out of discussion). Focus on features and quality and people will buy it on long term run. Don't expect a pot of gold from the beginning.
You can offer a try before you buy option for couple weeks then the script goes in complete lockdown. In that trial period have the script always get data from your server. As we don't know exactly what your script is doing can only assume a way of work.

 

[ChintanBhat]

As I said to a developer on this forum some time ago: if your script is worthy then people will buy it to support it. Tho the buyers will be like 40-50% of the uses is still a gain. What should be your concern are the low price resellers and GPL sites.
There is no bullet proof encryption and licensing (think that php has to be interpreted for script to work so one way encryption is out of discussion). Focus on features and quality and people will buy it on long term run. Don't expect a pot of gold from the beginning.
You can offer a try before you buy option for couple weeks then the script goes in complete lockdown. In that trial period have the script always get data from your server. As we don't know exactly what your script is doing can only assume a way of work.

See it will be a backend controlling for the website, those who have cart functionalities or kind of payment controlling and they want to secure their API call from the gateways to over fluctuate the call function for returning a successful payment notification upto this it will help to secure your payment as well as it will take your website security to the next level like i can give you some overview for the project is like it's a php based cloudflare and more over functionalities i'm thinking to add so after a first release i would take suggestions from you guys as well as from buyers that what extra they need. i hope you got your answer about my script. Well i don't know whether my script is good for you or not but i'm giving my best to the script to make it very useful and more powerful. And i think you're right i can give trial period for the script and i'll buy a dedicated server for the backend handling for the packages, SQL and all then it will be little bit easy for me to check my own server only regard contacting my hosting support again and again.

 

[wooyihoo]

software as a service has been working for me for years. scaling is the only way to handle huge amounts of workloads (ie. 200 requests per second). put it in cloud flare, then a load balancer server connecting to php servers (depending on the load of each server), then php server connecting to database clusters.

 

[ChintanBhat]

software as a service has been working for me for years. scaling is the only way to handle huge amounts of workloads (ie. 200 requests per second). put it in cloud flare, then a load balancer server connecting to php servers (depending on the load of each server), then php server connecting to database clusters.

Well will clusters will handle the GET and POST request if there will be increase in both the commands?

 

[HeyMakarina]

just an idea.
if you can implement OTP like verification on your server side, and client server side.

Once client server executes php code, it requires token from your server, which is very likely coded to OTP. Your server checks license, then send back generated token to their server, and code will executed. Also chain set last requested token to wait for next request.

Then encode with ioncube

 

[wooyihoo]

Well will clusters will handle the GET and POST request if there will be increase in both the commands?

The php servers will handle those. You just need to separate the database server from the web servers so it will be easy to scale. In my case, i have 10 web servers connecting to 1 database server (with 2 replicated readonly database servers).

 

[ckeeper]

Majority of the nullers have challenges on completely nulling a script if there is a part that makes api calls to your licensing servers in order to get activated. Whmcs has a licensing feature so does bunch of others, but creating a cloud application that responds to calls if they are registered sounds like the best approach. Good luck.

 

[wooyihoo]

If you really need to give away the code to your client and let them store and run them in their servers, another idea would be to run part of that script in your server. What I meant is that some functionality in your script are processed in your server. For example is the user roles , all user roles data are only stored in your server (not in the script database) and will require the license key to be sent to your server. Then your server return the data required for the by the script after validating the license.

This way nulling will be useless as the script / app requires part of the functionality to be connected in your server.

What do you think?

Cheers!

 

[ChintanBhat]

If you really need to give away the code to your client and let them store and run them in their servers, another idea would be to run part of that script in your server. What I meant is that some functionality in your script are processed in your server. For example is the user roles , all user roles data are only stored in your server (not in the script database) and will require the license key to be sent to your server. Then your server return the data required for the by the script after validating the license.

This way nulling will be useless as the script / app requires part of the functionality to be connected in your server.

What do you think?

Cheers!

Yeah!! This thing is really something that i can work in. Thankyou let me do some more research on this.