
Thread: Secure PHP Code

  1. #1
    Bronze Lounger
    Join Date
    Sep 2002
    Location
    Naples, Florida, USA
    Posts
    1,231
    Thanks
    40
    Thanked 3 Times in 3 Posts
    Hope this is the right forum for this. We are learning content creators and not software types. We've had a browser-based product developed for us, planning to sell it via our web site. It was developed in php and, I think, hard-coded and not data-based. We were told users would use a password (which they would pay for) to access the product (it's a business skills booster, Q and A format with animated gif graphics). Have just learned that the product is likely not at all protected and that anyone who gets access via the URL could then recreate the product using the view source information - and there goes our revenue.

    Is there any way of determining IF any protection against this was built in to the code? We are in dispute with our developer currently so asking him is not an option.

    If any Lounger can help us with this question, I would very much appreciate it! We are in shell shock at the moment.

    Thanks,

    Linda

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts
    PHP pages are scripts that generate HTML and send it to the browser. Anything sent to the browser can be saved by the user by one means or another. Perhaps the average user can be prevented from copying, but a determined person can always do it. The only way to prevent that is to take your site on the web.

    PHP pages also contain programming code that is never sent to the browser. Depending on the design of your site, that might be important or not: if the content is most of the value, then the fact that end users cannot access the PHP programming code probably doesn't really help you.

    One way to make content much harder to copy is to use a plugin-based solution such as Flash. I've never developed for Flash (other than converting a video), but you probably would have to increase your budget substantially to convert your project. And people still could record the screen and transcribe your questions by hand.

  3. #3
    Bronze Lounger
    Join Date
    Sep 2002
    Location
    Naples, Florida, USA
    Posts
    1,231
    Thanks
    40
    Thanked 3 Times in 3 Posts
    Thanks, Jefferson (is that correct?). Appreciate your prompt reply. I guess what it all comes down to is that as soon as a product gets "out there" on the web (or anywhere else, for that matter!), it's ripe for copying, in one way or other. Ergo, all the IP and copyright issues you always hear about!! Maybe we're putting too much emphasis on "built in protection" of some kind since a determined end user can always copy. And you're right: it's our content that's valuable, not so much the code. When we first asked the developer about copyright, he suggested there was very little in what they'd done that was "copyrightable" so he's used freely available code and not code he created just for us (at least, I think that's what he must have meant!).

    We are in final stages of development of the web site, too, so it is not hosting the product. Trying to get all this straight in my mind before we come to putting it "out there"!

    Again, many thanks. You helped clarify things for me!

    Linda

  4. #4
    New Lounger
    Join Date
    Dec 2009
    Location
    Some uncharted planet...
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Since I'm developing a commercial content management system in PHP I might be able to help on this one...

    PHP is, as jscher2000 mentioned, a script-based language whose program code is compiled into executable code when it's run on the server. (This is what the PHP executable or CGI module actually does.) Instead of supplying compiled executables like one would for downloadable software, distributing PHP-based applications means handing out the actual script files, which is tantamount to handing out your source code. Needless to say, this raises significant concerns when it comes to protecting intellectual property for commercial products.

    Now, that said, there are three primary approaches for deploying commercial software as PHP script: precompiles, obfuscations, and marked files. The precompile approach involves converting the raw PHP script into binary data that can be run on the server without having to be interpreted by the PHP module. Obfuscating, which can happen by itself or in tandem with precompiling, involves encrypting the source code so it's not human-readable but doing so in a way that can still be interpreted by the PHP module. Marked files is the most common method, wherein the source code is handed to the customer in raw form but contains buried identifying information that would allow the developer to discover who's let their copy get out onto the Internet.

    Each method involves a tradeoff. Precompiling makes updating far more complicated, but often makes PHP code run faster since the compiling's already done and the code can just be executed, instead of having to be compiled on demand by the server. Also, compatibility problems based on version-specific command behavior can plague precompiled PHP code. Obfuscation is slightly easier to update and maintain but loses the performance benefit of precompiling. Marking the source code means easy maintenance but no performance boost, and grants the ability to know who to sue for illegally distributing your IP, but once that happens your IP is out there anyway.

    vBulletin, the massive commercial bulletin-board product coded in PHP, uses a marked-file approach - the customer's serial number is all over every file to such an extent that you'd have to wreck the code to remove it - and although I may be wrong I believe the most recent versions also "call home" to a vBulletin server to announce the product's presence.
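
The marked-file approach described in post #4, as an added example that is not part of the original thread and not vBulletin's or any other vendor's actual scheme. It derives a per-customer, per-file tag with an HMAC and later matches a leaked file back to a serial number; `VENDOR_KEY`, the `CUST-…` serials, the `build:` marker format and the sample file are all constructed for illustration.

```php
<?php
// Added illustration: per-customer marking of distributed PHP source files.
// VENDOR_KEY, the serials and the sample source below are constructed values.
const VENDOR_KEY = 'constructed-demo-key-kept-by-the-vendor';

// Tag = HMAC(serial | relative path). Every file of every customer gets a
// different tag, and a tag cannot be forged or re-targeted without the key.
function mark_tag(string $serial, string $path): string
{
    return substr(hash_hmac('sha256', $serial . '|' . $path, VENDOR_KEY), 0, 16);
}

// Stamp a PHP source string: insert a marker comment after the opening tag.
function stamp(string $source, string $serial, string $path): string
{
    $marker = '/* build:' . mark_tag($serial, $path) . ' */';
    return preg_replace('/^<\?php\b/', "<?php\n" . $marker, $source, 1);
}

// Given a leaked file, recompute the expected tag for each known serial.
// Returns the matching serial, or null if the mark is missing or unknown.
function identify(string $leaked, string $path, array $serials): ?string
{
    if (!preg_match('~/\* build:([0-9a-f]{16}) \*/~', $leaked, $m)) {
        return null;
    }
    foreach ($serials as $serial) {
        if (hash_equals(mark_tag($serial, $path), $m[1])) {
            return $serial;
        }
    }
    return null;
}

$serials  = ['CUST-0001', 'CUST-0002', 'CUST-0003'];   // constructed customer list
$original = "<?php\nfunction quiz_score(array \$a): int { return count(\$a); }\n";
$copy     = stamp($original, 'CUST-0002', 'lib/quiz.php');

var_dump(identify($copy, 'lib/quiz.php', $serials));     // marked copy: traced to a serial
var_dump(identify($original, 'lib/quiz.php', $serials)); // unmarked source: no match
```

A single comment like this is removed with one search-and-replace, which is why the post describes marks spread through every file. As the post also notes, a mark only identifies the source of a leak after the fact; it does not stop the copying.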
