PHP CMS: "Call Home" function of sorts on install
I am developing a web application that will be downloaded free for trial with other licenses for production sites. I know that these sorts of things are frowned upon but I would like to include a line or two in the install file to save the current install URL back to my database so I can cross check that with paying users. I am not trying to validate licenses (yet) these URLs would not be used in any way except to monitor for piracy. If the user removes this code or doesn't have an internet connection (installing locally) then there would be no error. Also, for legal reasons I would make the user aware of this function in the EULA.
Most call home functions out there use file_get_contents but they are validating, I just want to store a URL. Is sending a request with the URL escaped in a GET variable a viable option? Security, speed and functionality on a wide variety of server setups is key.
Any alternate suggestions are also welcome... I am still trying to figure out the best way to license and "protect" this software.
Thanks in advance for any help!
This is a fairly simple version of the system, but it should do the job for now. It works by providing the current server's URL as the key, however you could swap that for a unique ID for the license.
For the CMS/application:
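<?php
define('SITE_INVALID', 'invalid');
define('AUTH_SITE', 'http://www.example.com/verify.php');

// Ask the license server about $key; returns false only on an explicit "invalid" reply.
function verify_install($key){
    // @ suppresses the warning when the server is unreachable; $result is then false
    $result = @file_get_contents(AUTH_SITE.'?key='.urlencode($key));
    if($result === SITE_INVALID){
        return false;
    }
    // Valid (or no answer received)
    return true;
}
?>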
Then somewhere in your page (early on):
<?php
$site_key = $_SERVER['SERVER_NAME']; // Use current site URL (eg: www.example.com)
if(!verify_install($site_key)){
    // Invalid
    echo 'Your account is disabled';
    exit();
}
// Continue as normal
?>
And on the license server:
<?php
define('SITE_VALID', 'valid');
define('SITE_INVALID', 'invalid');

function verify_remote_install(){
    if(!isset($_GET['key'])){
        // Nothing sent - assume fine
        return true;
    }
    $key = $_GET['key']; // PHP has already URL-decoded $_GET values
    // (Check if key in database, etc)
    $result = key_is_valid($key); // Replace with your own method
    if(!$result){
        // Invalid
        return false;
    }
    // Valid
    return true;
}
?>
Then to verify:
<?php
$result = verify_remote_install(); // The function defined above
if(!$result){
    echo SITE_INVALID;
} else {
    echo SITE_VALID;
}
?>
You'll need to replace the key_is_valid() function with your method of verifying the key, whether that be checking if it's in the database or otherwise.
Also you'll be better to assume it is valid if you're unsure (eg: if the connection to the verification server fails, or if the key is not sent), that way should something go wrong that is outside the user's control, you'll give them benefit of the doubt. You want to give the best experience to the legitimate users, and stop the pirates if possible, rather than inconveniencing your paying users.
As said before, anyone with a basic knowledge of PHP (or even just able to read) could easily find this and disable it if the code is not obfuscated in some way. An open-source application to do that for you can be found at http://code.google.com/p/phpobfuscator/. If you want to still allow developers to modify the application, you could consider just obfuscating the licensing code, putting it in a separate file and giving it a fake, innocent name.
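The call-home request from the answer above, as an added example that is not part of the original posts: it keeps the fail-open behaviour the answer recommends, bounds the request with a timeout, and falls back to cURL on hosts where allow_url_fopen is disabled. The function names, the HTTPS endpoint and the 3-second timeout are assumptions.

```php
<?php
// Added example: fail-open call-home client. All names here are hypothetical.
const AUTH_ENDPOINT   = 'https://www.example.com/verify.php'; // placeholder URL
const REPLY_INVALID   = 'invalid'; // same reply string the answer's server echoes
const TIMEOUT_SECONDS = 3;         // assumed budget so a slow server cannot stall the site

/**
 * Fetch the license server's reply for $key.
 * Returns the trimmed body, or null when no reply could be obtained.
 */
function call_home_reply(string $key): ?string
{
    $url = AUTH_ENDPOINT . '?' . http_build_query(['key' => $key]);

    // Preferred transport: the http stream wrapper, if the host allows it.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx = stream_context_create(['http' => [
            'method'        => 'GET',
            'timeout'       => TIMEOUT_SECONDS,
            'ignore_errors' => true, // return the body even on 4xx/5xx
        ]]);
        $body = @file_get_contents($url, false, $ctx);
        return $body === false ? null : trim($body);
    }

    // Fallback for hosts with allow_url_fopen disabled but ext-curl loaded.
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => TIMEOUT_SECONDS,
            CURLOPT_TIMEOUT        => TIMEOUT_SECONDS,
        ]);
        $body = curl_exec($ch);
        return $body === false ? null : trim($body);
    }

    return null; // no HTTP transport available on this host
}

/** Fail open: only an explicit "invalid" reply blocks the install. */
function install_is_allowed(string $key): bool
{
    return call_home_reply($key) !== REPLY_INVALID;
}
```

A timeout, an error page or a missing transport all leave `install_is_allowed()` returning true, so only a reachable license server that answers exactly `invalid` can disable a site.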
I recommend checking out how http://www.socialengine.net/ encrypts their source code and gets the decrypt key and authorization. They are pretty big and would have reliable methods. I tried to crack it a while back for fun, but failed.