简体繁体 English

如何使PHP应用程序需要密钥才能工作？

[英]How can you make a PHP application require a key to work?

原文 2009-09-10 23:22:56 4 3 php/ key/ encryption

About 4 years ago I used a php product called amember pro, it is a membership script which has plugins for lie 30 different payment processors, it was an easy way to set up an automated membership site where users would pay a payment and get access to a certain area. 大约4年前，我使用了一个名为amember pro的php产品，它是一个会员脚本，有30个不同的支付处理器的插件，这是一个简单的方法来建立一个自动会员网站，用户将支付付款并获得访问权限某个地区。

The script used ioncube http://www.ioncube.com/sa_encoder.php to prevent non-paying users from using the script, it requered that you register the domain that the script would be used on, you were then given a key to enter into the file that would make the system/script work. 该脚本使用ioncube http://www.ioncube.com/sa_encoder.php来防止非付费用户使用该脚本，它重新注册您注册了将使用该脚本的域，然后您获得了一个密钥进入使系统/脚本工作的文件。

Now I am wanting to know how to do such a task, I know ioncube encoder just makes it hard to see the code, in the script I mention, they would just have a small section at the tp of 1 of the included pages that was encrypted and without that part of the code it would break and in addition if the owner of the script did not put you domain in the list and give you a valid key it would not work, also if you tried to use the script on a different domain it would not work. 现在我想知道如何完成这样的任务，我知道ioncube编码器只是让人很难看到代码，在我提到的脚本中，他们只会在包含的1页的tp中有一个小部分。如果脚本的所有者没有将你的域放在列表中并给你一个有效的密钥它就不会起作用，如果你试图在不同的地方使用脚本，那么加密并且没有那部分代码会破坏域名它不起作用。

I realize that somewhere in the encrypted code that is must of sent you key to there server and checked that it was valid for the domain name it is on, or possibly it did not even do that, maybe the key would just verify that it matched the domain the script was on, that more likely what it did. 我意识到加密代码中的某个地方必须将密钥发送到服务器并检查它是否对其所在的域名有效，或者可能它甚至没有这样做，也许密钥只是验证它匹配脚本所在的域，更有可能是它所做的。

Here is where the real question is, How would you make a script require the portion that is encrypted? 这是真正的问题所在，如何使脚本需要加密的部分？ If I made a script and had a small encrypted part at the top, it would seem a user would be able to easily just remove the encrypted part and figure out what the non encrypted part is doing and fix it to work. 如果我制作了一个脚本并且在顶部有一个小的加密部分，那么用户似乎可以轻松地删除加密部分并找出未加密部分正在做什么并将其修复工作。 Any ideas? 有任何想法吗？

3 个解决方案

fever has a similar model, you sign up, download the software (also PHP), then get an activation key. 发烧有类似的模型，你注册，下载软件（也PHP），然后获得激活密钥。 You can see how it works in the demo video (towards the end). 你可以在演示视频中看到它是如何工作的（到最后）。

If you're giving away the source code, there's no way you can prevent someone with programming knowledge from patching out whatever copy protection / security you put in. 如果您要泄露源代码，那么您无法阻止具有编程知识的人修补您放入的任何版权保护/安全性。

One thing I can think of is distributing a C/C++ compiled program or extension that the PHP app calls in to to verify the license. 我能想到的一件事是分发PHP应用程序调用的C / C ++编译程序或扩展来验证许可证。 That compiled part could then phone home, etc. Even that could be easily circumvented though. 那个编译好的部分可以打电话回家等等。即便如此，也可以轻易绕过。

You can see some other ideas in these similar questions: 您可以在这些类似问题中看到其他一些想法：

Basically if you're giving away the code you're in an arms race with putting increasingly complex copy protection, which can always be broken in the end. 基本上，如果你放弃了你正在进行军备竞赛的代码，那就是提出越来越复杂的复制保护，最终总是会被打破。 You'll have to decide how much effort is worth it. 你必须决定付出多少努力。 I personally wouldn't invest much effort. 我个人不会投入太多精力。

Not a perfect way of doing it, however you could use an encoder to hide the code and make it call a page on your server that returns a value that is difficult to forge. 这不是一个完美的方法，但是您可以使用编码器来隐藏代码并使其调用服务器上的页面，该页面返回难以伪造的值。 It would be server intense, but could do what you want. 这将是服务器激烈，但可以做你想要的。 You would want to do something where time was involved. 你会想要做一些涉及时间的事情。 Updating the code so often. 经常更新代码。

I have seen it done multiple ways. 我已经看到它做了多种方式。 Just about any software method you think of can be bypassed if somebody is interested enough to work at it. 如果有人对它有兴趣，可以绕过你想到的任何软件方法。 We use ioncube to encrypt our non-hosted products and back it up with a USB hardware dongle. 我们使用ioncube加密我们的非托管产品，并使用USB硬件加密狗进行备份。 Can it be cracked? 可以破解吗？ Yes. 是。 But, people are basically honest. 但是，人们基本上是诚实的。 I think the thing to do to keep people paying for the script is to make it a pain to crack and release frequent updates with new features that people won't want to wait for. 我认为要让人们为脚本付费的事情就是让人们不愿意等待的新功能破解和发布频繁的更新。 If your price isn't too high, people will just decide to pay for it instead of cracking. 如果你的价格不是太高，人们就会决定支付而不是破解。