How To: Protect your contracted work in PHP using Code Snip & IonCube

How To: Protect your contracted work in PHP using Code Snip & IonCube

First of all, this isn't a guide on how to use Ioncube, this is for those people who are hired at freelance sites, basically, contracted over the internet to do a PHP script. I'm not a PHP overlord, so don't expect the best coding you've ever seen in your life, but it gets the job done, and I have done this for every project ever since I thought of this.

Forgive me if it's not exactly 100% user friendly, if you're a PHP coder who does work that's expensive enough to have to protect, you should be able to follow the steps with ease.

Scenario: You are paid $2000 to write a PHP script for Joe Montana. Joe pays you, you send him the script, all is well, until Joe reverses the charges, leaves you out in the cold while you just wasted several weeks and he gets a free script. Now you have to stress yourself with tracking him down, pressing charges, which 99% of the time never happens. I just read the same story on another forum, which is all too common, and this prompted me to share this with hopes of protecting other programmers time and profit.

Step 1

Find the file that is absolutely necessary for the script to run AND won't required any modification by the client for configuration purposes, this could be the functions file (preferably), the administration home file.... etc.. basically find a file that if taken out of the picture, the entire php script (or the better part of it) would not work.

Add this snippet of code to the top of the file (it doesn't need to be the very top, it needs to be above the critical code though).




You'll want to edit the URL example.com to your website, and point it to a text file that is unique to this project (ie: joemontana.txt). You can also edit the HTML to say whatever you want.

What this does, is it opens this text file on your server, checks it, and continues with the script. If you write the one word...

kill

Inside the text file, his script will exit every single time someone tries to run it. If your server is down, the file doesn't exist, anything other then the word "kill" is in it, etc. etc. the script will run fine.

Step 2

You now need to encode this PHP file so that they cannot remove that code snippet and be on with their day. I prefer Ioncube, but if you use something else, by all means, go ahead... as long as it's secure.

Go to http://www.ioncube.com - Go to Products -> Online Encoder. It costs 50 cents to encode a file (You have to make a minimum $5 deposit though, which is good if you plan on doing this for all your projects). Encode the file. If you open it in a text editor, it should look like a bunch of jibberish.

Step 3

If you used Ioncube, when you distribute the script to your client, ensure that you include a ioncube loader for their server (it includes instructions on how to install it for their server administrator), and make sure you instruct them to upload the encrypted file in BINARY mode.

That's it. Now if you get a chargeback, just put the word 'kill' in that file that the code snippet points to and be on with your day. At least now if they screw you, you can screw them back.

I encourage you to let your client know that this one file is encrypted, but after a provisionary period of 1-2 months (whatever, long enough so that they can't charge you back) you'll send them the real file which won't require any more ioncube extensions.

This is a pretty basic solution, because there are some ways around it I'm sure, but only if they realize how you are doing it, I'm not going to publish any possible ways (and I encourage none of you to either) in the event that someone comes searching for a way to "undo" your protections.

These instructions are provided without warranty. Any damage or loss, yadda yadda yadda *insert long disclaimer here*, is your own fault.

__________________