View Full Version : updating license project

08-20-2011, 05:20 PM
Hi everyone, awhile back i had someone put together a license project for me. Basically it is a down and dirty little script that i use to verify my members license for another script. This was written originally as a quick bandaid to a need with plans of making it better later, well later has now arrived. :p

Since this was originally written for php4 i thought it way over due to upgrade it. He was nice enough to put some php5 stuff in here and i have added that but Sadly this older gentlemen has passed away and that resource is no longer available.

Basically how it works is that when i sell some of my software i include this snippet file. Then that page is encoded. Every time that member uses that software the first thing it does is connect with my db to see if the license is valid. If so all is well, if not well then they cannot run the software.

The problem with this process is that it leaves an open db connection backdoor access which is why it works in the first place. But that also can be dangerious.

I have been doing some thinking and reading up on some possible improvements. One is to adapt a similar verify process that paypal uses with its ipn listener. The other one is to look at adapting or connecting to some part of the ftp process in order to borrow some the already installed security that comes with ftp. I am thinking that at least if im using the ftp then i can filter and manage that connection. Anything would be better than having a raw open connection at this point.

So my question here is this. What is the best way to manage such a connection. Are there php5 specific functions? I posted this here rather than in mysql because i am thinking it is more of a server connection management question than it is a db question.

just fyi, basically whats in the file is the following

db login info (raw login actual username db, pw)
db connection
query process
text replies approved or not.

its very basic structure and process.

08-20-2011, 05:27 PM
Why not just use cURL to a script on your server which does the check? - The script can then echo the result to your cURL request.

08-20-2011, 05:32 PM
That is an option i had not looked at, but i had heard about cURL before and i know people use a cURL process in many of the paypal verify routines and that is what originally started me thinking about that process.

So i suppose the best thing at this point is for me to start seeking some cURL process examples in order for me to get familiar with it. I know at one time along time ago i tried to use cURL on one of my paypal verifies and was not successful but im willing to give it a whack again. lol :thumbsup:

Thanks Tango...

08-20-2011, 05:54 PM
You could even use file_get_contents for a simple url call and output.

08-20-2011, 06:08 PM
yeah will look into that as well, the nice thing is that it does not have to insert anything on the connection, no updates, no modification to the db. It is just a simple query (the url of the customer exists or it does not exist in the table) so on or off.

then it either returns a message that license is not approved or if the url does exist then the member sees nothing but normal opperation.

here is the main process i would like to improve, and if using cURL would help then thats fine, i just dont want to change process over to cURL and end up right back at square one when im done.

bottom line is trying to protect that db login information more if possible other than just relying on the ioncube encoding.

Of course the data below has been changed for this example but I might also mention that this host url below is under pw protected directory from the server so no access directly to this url if you typed it in. There is another file that admin logs into to post the url to the db. But this host url does not even have an index php, there is no reason to have one because there is no purpose for user access other than the software snippet connection to check the db.

I guess what im saying is that if i can keep the db connection login values on my side and rather than in their file, that would be a big improvement on security in my mind.

// This will connect us to our database...


@mysql_select_db($database) or die( "Unable to select database");

$message = "\nDomain: ".$_SERVER['HTTP_HOST']."\nIP: ".$_SERVER['SERVER_ADDR'];
$message = wordwrap($message, 70);

$query = " SELECT * FROM users WHERE users.domain= '".$_SERVER['HTTP_HOST']."' AND users.address= '".$_SERVER['SERVER_ADDR']."'";

$result = mysql_query($query);

if (!$result) {
$mySqlError = mysql_error();
echo mysql_error();
} else {

$nbrows = mysql_num_rows($result);
while($rec = mysql_fetch_array($result,MYSQL_ASSOC)){

if($rec['status']=="Blocked") {
$variable = <<<XYZ

08-20-2011, 07:09 PM
Giving ANY one but the webmaster SQL login abilities is dangerous. Giving it to other webmasters from other websites is plain crazy :eek:

Seriously DG, get that code re-written to use some form of API instead. Keep the existing version for legacy users who are using old code that you can't forcefully update but for new software you should use a new system that doesn't allow any direct connection to your database. Also remember that should you change host at any time its quite common for many hosts to disable remote SQL connections themselves.

08-20-2011, 07:39 PM
yes i agree totally, i am guessing there are some basic api tutorials someplace regarding structure. Obviously the main factor will not change and that is that the software has to connect for approval.

My last software i spent over two months adding key values to each page and verifing those contents against not only the master key but also the url converted sha1 key. So basically if someone trys to hack the file and change any links to any files, or tries to load the software on any other site, not only does it totally lock up but i get an email with the key code that tells me what site url and also what page they are attempting to hack by its code, and what the server ip is.

That process works very well and has prevented some hacking. The limitation with that sort of security is that if they are successful in reverse engineering the software and hacking the keys. Then i have no remote way of keeping them from distributing hacked software to their delight.

Which is why i was attempting to come up with a remote way to prevent this due to this limitation. Also having a remote license can also be more efficient in setting up the software for a client, because as it is now, it takes me an hour per client to set up their software with keys.

That being said i agree that the way it does what this does is dangerious and so this is what i am focusing on.

I suppose the answer is prob not as complicated as i am making it out to be. If i move the db connect to my side then the software can just dial up a url when it is fired up by the user and that url can grab the referring url and ip and check that against the db rather than having it the way it is.

This way the security is covered and the process still remains active and fairly much the same with the difference only being that the db values are now under my umbrella.

08-20-2011, 08:10 PM
yes i agree totally, i am guessing there are some basic api tutorials someplace regarding structure.

You don't need one. An API is simply a method of code interaction that follows a standard that you define.

I will PM you an example on one of my sites.

08-21-2011, 02:22 AM
well i took a look and honestly it confused me. I guess because i cant wrap my brain around the fact that it is so complicated to to just include a remote file. I understand the dangers of that but i also understand that if i make that choice to do so, i should be able to not only specify which files to include as far as server security but i also should be able to just say in my php ini allow url include yes and give it a file name. That technically should be the end of it right. Atleast in my opinion it should be.

The only way i can get this right in my head is to keep it simple. So with that said this is what my objective is.

On the customers file that i include in their software. At the top of that file is this

// This will connect us to our database...

and of course the host name be it local host or what have you.

with that code in that file the software works beautifully.

what i want to do is change that and put something like this


which inside of this include is the exact same db info.

I guess i dont understand why a huge api script is requried to do such a simple task. And do it securely.

Update this is what i am attempt now just fyi but of course its not working lol go figure lmao

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "http://www.license.mysite.com/includes/dbconfig.php");
curl_setopt($ch, CURLOPT_HEADER, 0);

08-21-2011, 04:10 AM
please tell me this much, how do i see what $ch looks liike so i can figure this out one step at a time.

its giving me resource id and i did print r and it gave me resource id.

so how do i look at $ch from the code above please.

Update, i was just sitting here noodling over this and it occured me to i can prob do this very easily with a auto submit form just like i do with my db bridge that i did. Just grab the server url and ip, put it in a hidden form input, and auto submit it. mmmmm im kinda getting happy again lmao

08-21-2011, 06:11 AM
resolved, lol after all that all i needed was what i already had lol...

i can post the auto submit form in the software and then have the db and checking process on my side. i guess im guilty of complicating this matter also. auto submit i love you sooooooo much lmao ... :thumbsup:

Thanks for the help tango, i do appreciate your time on this.. :thumbsup:

08-21-2011, 02:24 PM
well i took a look and honestly it confused me.

Thats because it doesn't do the same as your script. It does everything completely differently to what you're trying to achieve in a secure way. It does not provide any direct database access. You tell the script what you want it to do via the URL and it does it and returns the appropriate data. This is why its called an API: "Application programming interface". It allows the end user (another programer) to interface with someone elses code in an easy secure way. In the case of my site via a _GET/_POST request with no direct DB access.

I guess because i cant wrap my brain around the fact that it is so complicated to to just include a remote file.

No its not that complicated. What is complicated is your understanding of my saying "don't provide direct access to your DB or you will live to regret it - Instead provide an API for your remote scripts to interface with". You don't appear to understand the point of this so let me explain:

You continue to provide direct DB access to your users remote scripts. Your script becomes massively popular (like vBulletin forum) and it doesn't take long for some of your users to discover you're providing direct DB access. Suddenly your sales stop rolling in - why? - That'll probably be because someone is selling cheap licences for your software and then directly injecting their validations into your DB. Result? - Someone else makes money for your hard work because you didn't want to secure its licence code.

In effect, what is the point of having a licence program that is not secure and allows anyone to grant themselves a licence?

I guess i dont understand why a huge api script is requried to do such a simple task. And do it securely.

Hang on.. you're writing PHP programs that you sell right? and you think one little licence script API is a huge job? - What on earth are you selling then lol? - "Hello world" scripts??? :D

Seriously it is not a big job. Look at my API again:
?mode= ip html page
&command= simple IP - eg:
list Comma (,) seperated list of ip hosts*

So you want to know your own IP: ?mode=ip - returns a html page (eg "Your IP is: <xxx.xxx.xxx.xxx>")

Simple no html IP only output: ?mode=ip&command=simple - returns xxx.xxx.xxx.xxx

You want a list of hosts that offer the simple IP only output ?mode=ip&command=list - returns host1.com,host2.com,host3.com,etc

Simple PHP code is like this:

//Demo for durangod to demo how simple any API could be made to work.

switch $_GET['mode'])
case 'ip':
//User wants IP address related services
switch ($_GET['command'])
case 'simple':
//Print IP only
case: 'list':
//DB lookup - No direct external DB access -it's internal to this script:
$Hosts = get_hosts();

//Print CSV hosts
print $Hosts
//Output IP address in html page
print ip_with_html_page();
//Main webpage output

Whats complicated about that?

It's up to you durangod, you can run insecure licence code if you want but if you do, let me know where i can download your project as i'll make a few $$$ from it :thumbsup:

08-21-2011, 03:29 PM
tango bud, i think you took offense when none was meant, i only said it confused me, i did not say it was junk or anything negative about it, i only said it confused ME.

What i meant by complicated was that everyone had me looking at cURL and all kinds of stuff trying to do this which was not necessary.

compare your api to this bud. this all i needed to solve my issue.

<form name="verifylicense" method="POST" action="http://www.license.mysite.com/check.php">
<input type='hidden' name='mhost' value='<?=$myhost?>' />
<input type='hidden' name='mip' value='<?=$myip?>' />
<script type="text/javascript">
function verify_notify()

<script type="text/javascript">
// -->

you have your way and this is how i did it, both solve the problem, one is easier than the other but both serve well.

all i was saying is that i ended up reading and researching the topic yesterday and ended up not using any of that cURL stuff or messing with my server config or any of that. All i needed was this auto submit. Because now the db info is under my unbrella and all that is on the customer side is this auto submit form.

I never said one api was a huge job, what i meant was that why build a tower when all i needed to solve my issue was a tent.

To better explain myself .
Years ago when i ripped my software apart to rebuild it, i found complicated long drawn out code that is not necessary. I found code that was half a page long that only needed to be a few lines. They both had the same result but i prefer simple to the point, easy to follow code is all, not that yours is not i guess i just didnt have all the information i needed about it yet.

so i meant no offense to you or your project ok. I also want to add that i never used this software because of the way it left me exposed. I had it tucked away until i could improve it. That is why when i secured my affiliate softare i used the key secure method that i talked about and not this software. And now i can use both because now this is safe.

So my very sincere apologies if you took offense to anything i said ok. You are 10x the coder that i am that is for sure. I will never pretend otherwise. All i was looking for was a simpler resolve is all. When i first posted this i had forgotten that i used a auto submit form to bridge my social site paypal and my affiliate software paypal process and i didnt think of that. I was thinking way up here when what i needed to solve it was way down there ya know.

08-21-2011, 03:57 PM
No mate I never took any offence but from what you were saying you were still quite happy to have people directly connect to your SQL server which frankly seemed bonkers!

08-21-2011, 04:02 PM
its all good bro, i updated my previous post with some extra text just in case you didnt see it. I was not happy with the way it worked which is why i wanted to change it, i knew how dangerious it was and sorry i gave the impression that i was..

I am 47 today, ill never be and ill never pretend to be a php expert, sometimes simple is good enough.