Is there a way to verify my app user?


I’m looking for a solution to secure an app I will be making.

I’m going to write something CMS-like based on Yii Framework and plan to sell it for a small fee.

The problem is that a client who buys this software might sell it without my knowledge to other people.

The first solution that came to my head is a serial number (based on the client’s domain) which has to be entered during the installation of the app.

It works like this: I set up a server that generates a serial number based on the domain when I add a client manually. Those serial numbers are stored in a database (or somewhere else). During the installation the app makes a query concerning the entered serial number. This way we get a combination of S/N and domain from which the query came. Based on that, my server gives the app info whether the entered S/N is proper or not.

The problem is that after installation, the client might simply copy the files and sell them. So the app should also check, let’s say once a day, if the serial number supplied in the config file or db is related to the domain the app is installed on.

The second idea is to watermark the software in some way. The watermark should be only accessible to me, so this way I would know from where the app came. The problem is, it could probably be easily removed from the PHP code, so it should be secured in some way, maybe obfuscated?

I don’t want to use Ioncube as some people don’t have it available (the loader) on their hosting platforms.

Has anyone tried writing something like that? Is there any solution to my problem?
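
One way to implement the domain-bound serial check described above, as an added example that is not part of the original post: the serial is derived from the domain with an HMAC under a secret held only on the licensing server, so the server can recompute it for the install-time query and the daily check. The function names, the secret, the revocation list and the sample domains are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed secret for this example; it lives on the licensing server only,
// never in the code shipped to clients.
const LICENSE_SECRET = 'example-only-secret-change-me';

/** Normalise a host name so "WWW.Client-A.example:443" and "client-a.example" match. */
function normalizeDomain(string $host): string
{
    $host = strtolower(trim($host));
    $host = (string) preg_replace('/:\d+$/', '', $host); // drop a port suffix
    $host = rtrim($host, '.');                           // drop a trailing root dot
    if (strpos($host, 'www.') === 0) {
        $host = substr($host, 4);
    }
    return $host;
}

/** Issue a serial for a client domain: truncated HMAC-SHA256, grouped for typing. */
function issueSerial(string $domain, string $secret = LICENSE_SECRET): string
{
    $mac = hash_hmac('sha256', normalizeDomain($domain), $secret);
    return strtoupper(implode('-', str_split(substr($mac, 0, 20), 5)));
}

/** Server-side answer to the install-time and daily query (serial + domain). */
function verifySerial(string $serial, string $domain, array $revoked = [], string $secret = LICENSE_SECRET): bool
{
    $serial = strtoupper(trim($serial));
    if (in_array($serial, $revoked, true)) {
        return false; // licence withdrawn by the vendor
    }
    // hash_equals compares in constant time, so response timing does not
    // help someone guess a valid serial character by character.
    return hash_equals(issueSerial($domain, $secret), $serial);
}

// Constructed sample data.
$serial = issueSerial('client-a.example');
var_dump(verifySerial($serial, 'www.Client-A.example:443'));    // licensed install
var_dump(verifySerial($serial, 'client-b.example'));            // files copied to another domain
var_dump(verifySerial($serial, 'client-a.example', [$serial])); // serial revoked
```

Because the secret never leaves the server, a copied installation cannot mint a serial for its new domain; the check in the shipped PHP can still be edited out by whoever holds the source.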

I’m not sure, but I think that once the client has the source code, it’s too hard to control the actions they take.

Around here, I’m using a contract/agreement which states that resale of source code is punishable. It might not solve the problem, but with the client’s signature and agreement, the law can decide.

Anyway, I think that you could publish a web service on your website which validates the serial number coming from your client’s backends once a month or every time the user logs in. However, the problem is the same… once the client has the source…

Hope someone can share better ideas with us!!




The possibilities to protect PHP code are very limited.

IMO the most secure but (as you already mentioned) not the easiest way to handle this are encoders that produce bytecode like Zend Guard, ionCube or Nu-Coder. But you’ll need a loader…

But for your idea of using licenses you may want to take a look at PADL (PHP Application Distribution License System).


Raffael, why don’t you try to use the SaaS (software as a service) approach?