use php but not access the source

  • /dev/null

    use php but not access the source

    I have some php-based software that I'd like to make available to some
    businesses that run on my web server (apache on Linux).

    These businesses have full access to all their web files. I'd like to set
    up my php code in such a way that their web sites could take advantage of
    the code without them being able to see or download the code.

    Is the best way to do this put the code in a directory they don't have
    access to and add it to the php path?

    Any other suggestions welcome.

    Thanks!


  • CountScubula

    #2
    Re: use php but not access the source

    "/dev/null" <dev.null@Begin Thread.com> wrote in message
    news:upJPb.98110$Rc4.607914@attbi_s54...
    > I have some php-based software that I'd like to make available to some
    > businesses that run on my web server (apache on Linux).
    >
    > These businesses have full access to all their web files. I'd like to set
    > up my php code in such a way that their web sites could take advantage of
    > the code without them being able to see or download the code.
    >
    > Is the best way to do this put the code in a directory they don't have
    > access to and add it to the php path?
    >
    > Any other suggestions welcome.
    >
    > Thanks!
    >

    Nope, if the webserver can execute it, then the webserver can dump it.

    You can try this neat little tool I found on the web :)

    http://www-1.gzentools.com/encoder.php

    --
    Mike Bradley
    http://www.gzentools.com -- free online php tools



    • laidbak

      #3
      Re: use php but not access the source

      If you are looking to not spend any money, your best option is to alias the application
      directory. This can be done easily in apache in their virtual host definition.


      Main server w/ php scripts @ http://example.com/theapp/thefile.php
      On their domain, http://theirdomain.com/theapp/thefile.php

      httpd.conf (in their vhost setup)
      Alias /theapp/ /home/approot/theapp/

      Now you have the added benefit of sharing this application with other clients if they
      can benefit from this code. Obviously you should modify the scripts so it uses some
      sort of id to identify each client's customizations...

      Don't be fooled into thinking you have to run some encoder against your scripts...

      Good luck,

      --
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      Wil Moore III, MCP Site : www.quicksitedesign.com?em
      Application Developer Site : www.digitallysmooth.com?em
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      "/dev/null" <dev.null@Begin Thread.com> wrote in message news:upJPb.98110$Rc4.607914@attbi_s54...
      I have some php-based software that I'd like to make available to some
      businesses that run on my web server (apache on Linux).

      These businesses have full access to all their web files. I'd like to set
      up my php code in such a way that their web sites could take advantage of
      the code without them being able to see or download the code.

      Is the best way to do this put the code in a directory they don't have
      access to and add it to the php path?

      Any other suggestions welcome.

      Thanks!



      • Andy Jeffries

        #4
        Re: use php but not access the source

        CountScubula wrote:
        > you can try this neat little tool I found on the web :)
        >
        > http://www-1.gzentools.com/encoder.php

        Or:

        Download Turck MMCache for PHP for free. Turck MMCache is a PHP Accelerator & Encoder. It increases performance of PHP scripts by caching them in compiled state, so that the overhead of compiling is almost completely eliminated.


        Cheers,


        Andy


        • David Mackenzie

          #5
          Re: use php but not access the source

          On Thu, 22 Jan 2004 08:17:07 GMT, "CountScubula"
          <me@scantek.hotmail.com> wrote:

          >"/dev/null" <dev.null@Begin Thread.com> wrote in message
          >news:upJPb.98110$Rc4.607914@attbi_s54...
          >> I have some php-based software that I'd like to make available to some
          >> businesses that run on my web server (apache on Linux).
          >>
          >> These businesses have full access to all their web files. I'd like to set
          >> up my php code in such a way that their web sites could take advantage of
          >> the code without them being able to see or download the code.
          >>
          >> Is the best way to do this put the code in a directory they don't have
          >> access to and add it to the php path?
          >>
          >> Any other suggestions welcome.
          >>
          >> Thanks!
          >>
          >
          >Nope, if the webserver can execute it, then the webserver can dump it.
          >
          >you can try this neat little tool I found on the web :)
          >
          >http://www-1.gzentools.com/encoder.php

          May I ask a question about your tool (and about encoders in general)?

          Surely it only prevents the client (as in customer) from viewing the
          source code. It cannot stop them from making a copy and distributing
          (or selling) to other people. Or have I misunderstood how your program
          works?

          --
          David ( @priz.co.uk )


          • Andy Jeffries

            #6
            Re: use php but not access the source

            David Mackenzie wrote:
            > May I ask a question <snip> about encoders in general?
            >
            > Surely it only prevents the client (as in customer) from viewing the
            > source code. It cannot stop them from making a copy and distributing
            > (or selling) to other people.

            Correct.

            However, you can protect the code within the script however you like
            (e.g. restricting it to a given IP address only) and they won't be able
            to view it.

            Cheers,


            Andy


            • CountScubula

              #7
              Re: use php but not access the source

              "David Mackenzie" <me@privacy.net> wrote in message
              news:qtiv001rc4cdugstk2okul9v66idstpp2f@4ax.com...
              > >http://www-1.gzentools.com/encoder.php
              >
              > May I ask a question about your tool (and about encoders in general)?
              >
              > Surely it only prevents the client (as in customer) from viewing the
              > source code. It cannot stop them from making a copy and distributing
              > (or selling) to other people. Or have I misunderstood how your program
              > works?
              >
              > --
              > David ( @priz.co.uk )

              You are correct, it does not prevent someone from copying it and using it
              elsewhere. However to prevent that on a simple level, one can write into the
              top of the script, a simple host check:

              // Refuse to run unless the request names the allowed host
              if ($_SERVER['HTTP_HOST'] != "www.allowd_domain.com") {
                  print "Sorry, Unauthorized use.\n";
                  exit();
              }

              --
              Mike Bradley
              http://www.gzentools.com -- free online php tools



              • David Mackenzie

                #8
                Re: use php but not access the source

                On Thu, 22 Jan 2004 19:01:52 GMT, "CountScubula"
                <me@scantek.hotmail.com> wrote:

                >"David Mackenzie" <me@privacy.net> wrote in message
                >news:qtiv001rc4cdugstk2okul9v66idstpp2f@4ax.com...
                >> >http://www-1.gzentools.com/encoder.php
                >>
                >> May I ask a question about your tool (and about encoders in general)?
                >>
                >> Surely it only prevents the client (as in customer) from viewing the
                >> source code. It cannot stop them from making a copy and distributing
                >> (or selling) to other people. Or have I misunderstood how your program
                >> works?
                >>
                >> --
                >> David ( @priz.co.uk )
                >
                >You are correct, it does not prevent someone from copying it and using it
                >elsewhere. However to prevent that on a simple level, one can write into the
                >top of the script, a simple host check:
                >
                >if ($_SERVER['HTTP_HOST'] != "www.allowd_domain.com"){
                > print "Sorry, Unauthorized use.\n";
                > exit();
                > }

                My company has only done a few web developments (we tend to go for
                client applications instead) and we've never had a problem with giving
                our customers the source as there isn't really anything worth
                stealing. They're just query front ends for databases so there aren't
                any top secret algorithms we need to protect.

                Some of our applications do contain industrial secrets and if our
                customers wanted that done via a web interface we'd most likely wrap
                them up into a dll and call it from PHP/ASP/whatever.

                Is it a major concern for people who write web-based applications, or
                just paranoia? Do people have industrial secrets they need to protect?

                --
                David ( @priz.co.uk )


                • CountScubula

                  #9
                  Re: use php but not access the source

                  http://www.gzentools.com -- free online php tools
                  "David Mackenzie" <me@privacy.net> wrote in message
                  news:giq110dodek0kkchv0vdm1hs8722idd470@4ax.com...
                  > On Thu, 22 Jan 2004 19:01:52 GMT, "CountScubula"
                  > <me@scantek.hotmail.com> wrote:
                  >
                  > >"David Mackenzie" <me@privacy.net> wrote in message
                  > >news:qtiv001rc4cdugstk2okul9v66idstpp2f@4ax.com...
                  > >> >http://www-1.gzentools.com/encoder.php
                  > >>
                  > >> May I ask a question about your tool (and about encoders in general)?
                  > >>
                  > >> Surely it only prevents the client (as in customer) from viewing the
                  > >> source code. It cannot stop them from making a copy and distributing
                  > >> (or selling) to other people. Or have I misunderstood how your program
                  > >> works?
                  > >>
                  > >> --
                  > >> David ( @priz.co.uk )
                  > >
                  > >You are correct, it does not prevent someone from copying it and using it
                  > >elsewhere. However to prevent that on a simple level, one can write into the
                  > >top of the script, a simple host check:
                  > >
                  > >if ($_SERVER['HTTP_HOST'] != "www.allowd_domain.com"){
                  > > print "Sorry, Unauthorized use.\n";
                  > > exit();
                  > > }
                  >
                  > My company has only done a few web developments (we tend to go for
                  > client applications instead) and we've never had a problem with giving
                  > our customers the source as there isn't really anything worth
                  > stealing. They're just query front ends for databases so there aren't
                  > any top secret algorithms we need to protect.
                  >
                  > Some of our applications do contain industrial secrets and if our
                  > customers wanted that done via a web interface we'd most likely wrap
                  > them up into a dll and call it from PHP/ASP/whatever.
                  >
                  > Is it a major concern for people who write web-based applications, or
                  > just paranoia? Do people have industrial secrets they need to protect?
                  >
                  > --
                  > David ( @priz.co.uk )[/color]


                  Some people write really cool code, and don't want it getting bastardised, or
                  sometimes, they may charge a client in a web design situation, and they do
                  not want the client screwing around with it messing it up.

                  --
                  Mike Bradley




                  • /dev/null

                    #10
                    Re: use php but not access the source

                    > My company has only done a few web developments (we tend to go for
                    > client applications instead) and we've never had a problem with giving
                    > our customers the source as there isn't really anything worth
                    > stealing.

                    I'm sorry your company hasn't developed anything that would be worth
                    stealing.

                    I've developed some source that brings in about $300 - $400 US a month
                    without the owner having to do anything. I plan on selling the rights to
                    use the code to other site owners that would host their companies on my
                    server, but not the code itself.



                    • Justin Koivisto

                      #11
                      Re: use php but not access the source

                      laidbak wrote:

                      > If you are looking to not spend any money, your best option is to alias
                      > the application
                      > directory. This can be done easily in apache in their virtual host
                      > definition.
                      >
                      > Main server w/ php scripts @ http://example.com/theapp/thefile.php
                      > On their domain, http://theirdomain.com/theapp/thefile.php
                      >
                      > httpd.conf (in their vhost setup)
                      > Alias /theapp/ /home/approot/theapp/

                      The only problem with this is that if the httpd.conf is set up to be
                      read by someone on the server, then these files can still be gotten
                      without a lot of trouble.

                      Another option of doing this is to have the scripts all reside on a
                      separate server that doesn't allow shell access. However, there is more
                      planning involved with this since you'd have to basically use a
                      call/retrieve method like using wddx or something to query the server
                      and retrieve the results you want back.

                      > Now you have the added benefit of sharing this application with other
                      > clients if they
                      > can benefit from this code. Obviously you should modify the scripts so
                      > it uses some
                      > sort of id to identify each client's customizations...

                      Same thing applies here, and you don't have to limit it to customers on
                      a certain server.

                      > Don't be fooled into thinking you have to run some encoder against your
                      > scripts...

                      It just all depends on how you want to go about it, and how badly you
                      want the code protected (or how hard it will be to decode it).

                      --
                      Justin Koivisto - spam@koivi.com
                      PHP POSTERS: Please use comp.lang.php for PHP related questions,
                      alt.php* groups are not recommended.
                      Official Google SERPs SEO Competition: http://www.koivi.com/serps.php


                      • /dev/null

                        #12
                        Re: use php but not access the source

                        > > httpd.conf (in their vhost setup)
                        > > Alias /theapp/ /home/approot/theapp/
                        >
                        > The only problem with this is that if the httpd.conf is set up to be
                        > read by someone on the server, then these files can still be gotten
                        > without a lot of trouble.

                        In my case they aren't, I'm the only one with that kind of access.

                        > Another option of doing this is to have the scripts all reside on a
                        > separate server that doesn't allow shell access. However, there is more
                        > planning involved with this since you'd have to basically use a
                        > call/retrieve method like using wddx or something to query the server
                        > and retrieve the results you want back.

                        Yes, I think eventually I'm going to just give them some php that connects
                        up to my site (on the same server) and requests my site do the work.

                        There will be an added overhead, but it fits my business model better. In
                        the future I'm going to be expanding what this code does and modifying how
                        it builds its results, I'd hate to have to go "upgrade" hundreds of sites
                        with the new code every time I make a change.

                        And it would allow that their site could eventually reside on another
                        server, although that's not an optimal solution.
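
The design /dev/null settles on above (a small PHP stub on each customer site that asks the owner's site to do the work, with the per-client id laidbak suggested), as an added example that is not part of the original thread. The client ids, secrets, function names and the HMAC request signing are assumptions; the HTTP transport is replaced by a direct function call so the file runs offline.

```php
<?php
// Added example; every name, key and timestamp below is constructed.

// ---- Service side: stays on the code owner's host only --------------------
// Hypothetical registry: client id => shared secret.
const CLIENT_KEYS = [
    'client-a' => 'constructed-secret-a',
    'client-b' => 'constructed-secret-b',
];
const MAX_SKEW = 300; // seconds a signed request stays valid

// Stand-in for the protected logic; customers only ever see its output.
function proprietary_work(array $params): array
{
    $items = $params['items'] ?? [];
    return ['total' => is_array($items) ? array_sum($items) : 0];
}

// String that both sides sign: binds client id, timestamp and body together.
function signing_input(string $clientId, int $ts, string $body): string
{
    return $clientId . "\n" . $ts . "\n" . $body;
}

// Authenticate the caller, then run the protected code on its behalf.
function handle_request(string $clientId, int $ts, string $body, string $sig, int $now): array
{
    if (!array_key_exists($clientId, CLIENT_KEYS)) {
        return ['status' => 403, 'error' => 'unknown client'];
    }
    $expected = hash_hmac('sha256', signing_input($clientId, $ts, $body), CLIENT_KEYS[$clientId]);
    if (!hash_equals($expected, $sig)) { // constant-time comparison
        return ['status' => 403, 'error' => 'bad signature'];
    }
    if (abs($now - $ts) > MAX_SKEW) {
        return ['status' => 403, 'error' => 'stale request'];
    }
    $params = json_decode($body, true);
    if (!is_array($params)) {
        return ['status' => 400, 'error' => 'malformed body'];
    }
    return ['status' => 200, 'result' => proprietary_work($params)];
}

// ---- Client stub: the only PHP a customer receives -------------------------
// In deployment this would POST the four values to the owner's endpoint.
function build_request(string $clientId, string $secret, array $params, int $now): array
{
    $body = json_encode($params);
    $sig  = hash_hmac('sha256', signing_input($clientId, $now, $body), $secret);
    return [$clientId, $now, $body, $sig];
}

// ---- Demo with constructed requests ----------------------------------------
$now  = 1074893182;
$good = build_request('client-a', 'constructed-secret-a', ['items' => [3, 4, 5]], $now);

$cases = [
    'valid request'     => $good,
    'body altered'      => [$good[0], $good[1], '{"items":[999]}', $good[3]],
    'other client id'   => ['client-b', $good[1], $good[2], $good[3]],
    'replayed after 1h' => $good,
];
foreach ($cases as $label => [$id, $ts, $body, $sig]) {
    $at = ($label === 'replayed after 1h') ? $now + 3600 : $now;
    echo str_pad($label, 20), json_encode(handle_request($id, $ts, $body, $sig, $at)), "\n";
}
```

The secret embedded in the stub is readable by the customer, which is acceptable here: it only proves which client is calling, while the protected logic stays in files the customer's account cannot read.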



                        • Justin Koivisto

                          #13
                          Re: use php but not access the source

                          /dev/null wrote:
                          > Yes, I think eventually I'm going to just give them some php that connects
                          > up to my site (on the same server) and requests my site do the work.

                          Being on the same server isn't going to help you any, because shell
                          access will still allow the files to be read. However, you could chroot
                          the ftp, then the users can only browse the files in their home
                          directory - if they only have ftp access.

                          > And it would allow that their site could eventually reside on another
                          > server, although that's not an optimal solution.

                          Maybe not an optimal solution, but if you don't want the code to get out...

                          --
                          Justin Koivisto - spam@koivi.com
                          PHP POSTERS: Please use comp.lang.php for PHP related questions,
                          alt.php* groups are not recommended.
                          Official Google SERPs SEO Competition: http://www.koivi.com/serps.php


                          • David Mackenzie

                            #14
                            Re: use php but not access the source

                            On Fri, 23 Jan 2004 21:26:22 GMT, "/dev/null"
                            <dev.null@Begin Thread.com> wrote:

                            >> My company has only done a few web developments (we tend to go for
                            >> client applications instead) and we've never had a problem with giving
                            >> our customers the source as there isn't really anything worth
                            >> stealing.
                            >
                            >I'm sorry your company hasn't developed anything that would be worth
                            >stealing.

                            That's only on the web side of things. Our web developments to date
                            have typically been simple front ends to databases.

                            It's like the director who makes adverts for furniture stores. They're
                            not particularly innovative, they'll never win any awards, but it
                            keeps them going and helps pay the bills.

                            We mostly do bespoke work, we don't tend to develop our own products.
                            Some of our bespoke applications implement "secret formulae" that the
                            client has given us.

                            >I've developed some source that brings in about $300 - $400 US a month
                            >without the owner having to do anything. I plan on selling the rights to
                            >use the code to other site owner that would host their companies on my
                            >server, but not the code itself.

                            You make it sound so easy...

                            --
                            David ( @priz.co.uk )


                            • /dev/null

                              #15
                              Re: use php but not access the source

                              > >I've developed some source that brings in about $300 - $400 US a month
                              > >without the owner having to do anything. I plan on selling the rights to
                              > >use the code to other site owner that would host their companies on my
                              > >server, but not the code itself.
                              >
                              > You make it sound so easy...

                              It is easy. :-)

                              And the company is easily worth $70,000 - $100,000 as an investment.

                              We'll probably sell it for much less.

