‘Why not add a product key?’ you ask!

Well yes a product key would do the job and avert the efforts of a portion of these people but obviously when using an interpreted/scripted language such as PHP they will be able to open up your source code, remove any license checking code and then pass the ‘cracked’ version around as before. Generally it’s not hard to find this sort of code… simply look for any filenames which hint at ‘licensing’ or ‘auth’, open them up (usually very small files) and put a ‘return true;’ at the start of the key checking method.  As I said this method stops a large portion of people from passing it around so it’s still worth doing.

What about a ‘call home’ script?

Same story here I’m afraid but more convenient for the seller (and you can get some lovely stats on the people using your code). A Call Home script is simply a piece of code that runs on the client site (per page load? per admin page load? every day on a CRON job?) and in effect sends a request back to a central server run by the code seller (you?) to simply authenticate sites. If, for example, example.com buys a script from my_premiumscripts.com then installs it on their server… Every so often the example.com server will call the my_premiumscripts.com server and have the following conversation:

example.com (e): Dude?
my_premiumscripts.com (m): Dude?
e: So… I’m just checking in with you, everything ok?
m: Ah great stuff, yes I see you purchased a copy of my code. Feel free to carry on using it.
e: Brilliant!
m: Indeed. don’t forget to check in with me tomorrow though.
e: Ok bye!

Or they could say this:

example_dotcomsmate.com (e): Dude?
my_premiumscripts.com (m): Dude?
e: So… I’m just checking in with you, everything ok?
m: Who are you again?
e: I’m a new site you don’t know about. I got your script from a friend (torrent? friend? unauthorised reseller?)
m: Oh ok, that’s fine with me but you have to send me some money first before you can use the software.
e: What? Hey I just want to have a look at it for a few days (years)
m: Nope sorry, I am going to deactivate the software on your site now. Bye!
e: Oh ok, bye!

Ok I jazzed up the conversation a bit but you get the idea. Call home scripts work really well from a protection point of view but have one really major drawback… they require you, as the seller, to have a 100% uptime server and it requires either the client server or the clients users to each initiate a request to that server. This means that both your server is going to get a lot of, what can only be described as, logging traffic (useless to everyone really) and the clients (servers or client machines) are going to get a worse (slower) user experience because of it. That and if you ever decide to move server or domain for the script then there is a lot of admin to do.

Either way there is the potential for you lose out on potential lovely cash. What we need is to be able to use the product key method with a way of stopping people from getting at the source code. There are a few ways to do this, some more awkward than others (both for the purchaser and the developer). The two worth mentioning are:

Code Encryption

This is the daddy of code protection. If your code is protected by an encryption algorithm then people are unable to look at the source code no matter how resourceful. The real downside of this is that you have to force your users to install additional server software before your code will run on their server. No simple FTP it up and start using it type system; this method is likely to involve your server host and a support ticket or two. An example of this would be any system that uses Ioncube Loader which, I understand to be, the same sort of thing.

Code Obfuscation

This is the lighter and more manageable version of the above. Whenever you look at an obfuscated file it will appear jibberish to the reader. PHP can interpret it because it doesn’t care whether a variable or function/method has a name which is human readable or not. Obfuscation works by removing all whitespace, renaming functions and variables and swapping out ascii text for a different characterset/encoding which is not immediately obvious to a novice that it’s text. Often these scripts make use of nested loops, dummy methods and evaluated code (code as a string which has then had the eval() function passed over it. Base64 encoding is popular but very easy to spot and decode to it’s use is on the decline. No additional software is required to run obfuscated code, it’s just a pain when there is an error in the code and the developer, for example, is on holiday for the next month! The downside of this for the developer is that it can be decoded and reverted to something resembling it’s original form (minus original function and variable names) by simply working backwards. Well… it’s not simple at all but is doable! Many virus script writers use this method of hiding a scripts intention. I have had to decode a few myself and it’s not fun.

Recommendations

My only recommendation is going to be to use neither and just go with a simple product key. Yes you are going to get taken for a ride by some people who want to redistribute it amongst their friends but think about it… they can’t get any updates from you, no support and if their source of the code disappears then they might even come and buy from you in the first place.

The key is to constantly be working on your scripts/applications. Don’t settle on a single version for too long, encourage a good community around the work and most importantly don’t rip people off in the first place… if the price is reasonable then people will happily pay it. A cheaper price is also a nice reason to offer sightly less involved support. It’s also a possible avenue of further income, premium support etc..

The real issue with any form of code protection is that updates and critical fixes won’t work without the original developer putting a new package together and, often, the entire fileset being replaced. If something goes wrong and the developer is not available then the job can not be outsourced which causes more issues. This is why I would always recommend you stand behind a well written Terms and Conditions document which must be agreed before the software can be used. Generally a block in the code is a challenge to be overcome, a legal document that requires signing and makes you liable is not!

Thanks for reading!

nb: example.com, example_dotcomsmate.com and my_premiumscripts.com are fabricated and although they might exist have no relation to the content in this article.

The  code at the bottom of this post is the raw HTML file I wrote. I obviously made it into a WordPress plugin as well. see below example.

Example

Yes, it’s basic but it works well for demonstrative purposes.

Usage

write sb_countdown in square brackets in a post or page and you will get the above example. If you want to edit the text or style it then just open the plugin file and right near the top is a few defines to get you going. I didn’t spend a lot of time on it so didn’t create an admin page. I may well do in the future though.

The Download

Raw HTML Version

<html>
 <head>
 <title>Countdown Timer</title>

 <style>
 body {
 font-family: tahoma;
 }

 #countdown_div {
 font-weight: bold;
 font-size: 56px;
 }

 #body_wrapper {
 padding: 10px;
 margin: 20px;
 }
 </style>

 <script>
 function do_countdown() {
 var start_num = document.getElementById("value").value;
 var unit_var = document.getElementById("countdown_unit").value;

 start_num = start_num * parseInt(unit_var);

 var countdown_output = document.getElementById('countdown_div');

 if (start_num > 0) {
 countdown_output.innerHTML = format_as_time(start_num);
 var t=setTimeout("update_clock(\"countdown_div\", "+start_num+")", 1000);
 }

 return false;
 }

 function update_clock(countdown_div, new_value) {
 var countdown_output = document.getElementById(countdown_div);
 var new_value = new_value - 1;

 if (new_value > 0) {
 new_formatted_value = format_as_time(new_value);
 countdown_output.innerHTML = new_formatted_value;

 var t=setTimeout("update_clock(\"countdown_div\", "+new_value+")", 1000);
 } else {
 countdown_output.innerHTML = "And... Stop!";
 }
 }

 function format_as_time(seconds) {
 var minutes = parseInt(seconds/60);
 var seconds = seconds - (minutes*60);

 if (minutes < 10) {
 minutes = "0"+minutes;
 }

 if (seconds < 10) {
 seconds = "0"+seconds;
 }

 var return_var = minutes+':'+seconds;

 return return_var;
 }
 </script>
 </head>

 <body>
 <div id="body_wrapper">
 <form id="countdown_form" onsubmit="return do_countdown();">
 Countdown from: <input style="width: 50px;" id="value" />
 <select id="countdown_unit">
 <option value="1">Seconds</option>
 <option value="60">Minutes</option>
 <option value="3600">Hours</option>
 </select>
 <input type="submit" value="Go" />
 </form>
 <div id="countdown_div">&nbsp;</div>
 </div>
 </body>

</html>

I have been in a coding mood today so thought that I would bash together a tiny little PHP script to emulate the same thing. Yes it’s basic but works from two text files which are defined in the first few lines of the file itself. It’s not the most elegant bit of code I have ever written but if you know anything about PHP or have a web server then why not have a fiddle and see what you can make it do?

Consider this… it doesn’t have to be learning events. Why not use it as a kind of ‘What shall we do tomorrow?’ kind of thing. eg: ‘Do a 5 mile run with a friend dressed as a horse’ or ‘Do go out and get a bit merry’.

The Code

<?php

$cwd = getcwd();
$outcome_source = $cwd . '/' . 'activities.txt';
$method_source = $cwd . '/' . 'methods.txt';

$outcomes = file($outcome_source);
$methods = file($method_source);

$outcome = trim($outcomes[array_rand($outcomes)]);
$method = trim($methods[array_rand($methods)]);

echo 'Do ' . $outcome . ' as a ' . $method . '.';

?>

The Download

The file is available as a download here: Learning Event Generator (1.23 kB)

References

The original idea is available on the following website and is credited to John Davitt