Is it enough to check for customer existence in DB after IONCUBEing the script?
I'm about to release my script ,, But i want to make sure that i'm doing it the right way开发者_运维问答 .. I'll IONCUBE the script to reserve my rights or use fopo.com.ar to obfuscate the script ( btw, what is your opinion about fopo , is is better than asking customers to install IONCUBE?) ..
is it enough to call my website from within the script and returning TRUE if it exists in my DB and is a real customer or else don't run the script !? or I'm missing something here. ?
Above all, don't do your "let's check on my website if this script is registered". Just don't. Because of a lot of reason :
- Your customer server might forbid these kind of functions (fopen, etc.) in the php.ini
- Your customer's website might be in an intranet, so offline.
- Your site might be down
- Your site might be long to respond
/* Insert here zillions of other good reasons */
This said, let's continue with ionCUBE. It looks like a good idea, as ionCUBE is really simple and easy to install on a dedicated/private server. Forget about selling your script to customer that have only a shared server : they have no control over php.ini, and even less about copying/adding file on the server.
Last of all, obfuscating your code. Works on every configuration, but less restrictive action. Basically you just prevent people from understanding your code, not using it. If you use this solution, you have to be sure to have a robust, well-documented, almost bug free code, as your customer will not give you good log of encountered bugs, due to the obfuscation.
You need to ask yourself what degree of security you really need.
A request your script makes to check the validity of a license could be intercepted, and redirected to a malicious server that always returns "ok", with not too much effort, so to make 100% sure you would have to start encrypting your communication, which in turn could be cracked by an expert etc. etc.....
In most cases, though, if you serve to end users and companies that can't afford the risk of cracking things, the protection you describe should be sufficient. Just make sure you disclose that the script needs to connect to your server to work.
Obfuscation will work too, however it will be very easy to remove the license check from a script that is merely obfuscated.
Also, most shared hosting setups won't allow for IonCube encoded scripts to run. See Clement's very good answer for details.
Personal opinion
Having to install Ioncube would be a major turn-off to buy a script for me. It would have to be really, really good, unique and worth the hassle, and I would have to trust both your code quality (as I'd have no chance to fix bugs) and the likelihood that you won't go out of business anytime soon (so you can provide me with updates without which the product will become useless after a few years).
If that's not the case, I'd look for alternatives that ship with source, even though they are more expensive than yours. I'd think long and hard whether it is really necessary to encode the script. I am a believer in shipping with source and scaring the customer off unlicensed copying using an agreement with a breach penalty.
Just my 2 cents.
精彩评论