
Guide 93 – Protecting PHPRunner developments

2/19/2025 3:03:04 PM
PHPRunner Tips and Tricks
fhumanes author

This article is the result of studying this topic at the request of the developer Rubén.

Rubén has a development with which he wants to sell services to other companies, and because of the characteristics of the installations he needs to "protect" his development against possible fraudulent copies.

If you look online, you will see that since PHP is not a compiled language (it is interpreted) it cannot be protected 100%; what you can do is make copying a little more difficult, and that is what we have tried.

The assumption we have used is the following:

1.- The application (PHP) and the database (MySQL) are installed on a Windows machine of the Client. In addition to protecting the development, we have to provide the system with backup copies that the Client (a non-technical user) can run, and with the ability to update the parameterization tables on which the solution is based.

2.- The application is installed on a hosting service of the company supplying the software (turnkey service). Backup/restoration support for the application is also provided. Each client company must be offered a separate access domain, and its data cannot be accessible to or shared with other clients. The backups will only contain that company's own data.

For scenario (1), other developers also asked me how to make a local installation that works for a specific number of evaluation days and stops working after those days. This solution also covers that requirement.

Technical Solution

To address this issue we have worked on these configuration lines:

  • We need to have a single Production application version for all installations, so we have worked on having a configuration file that we can update without having to open the application in the PHPRunner development IDE. Solution for this article.
  • For the management and control of the installations, we need a License/Installation Manager which, in addition to the installation customization data, also holds the administrative information of the contact person and the start and end dates of the contract, so that the application can consult this data (centrally) and function or not according to it.
  • A configuration file obfuscation solution, to make it as difficult as possible for those who want to "copy" our software. I have used this solution with very satisfactory results: https://php-minify.com/php-obfuscator/
  • There is also a PHP compression (minify) option, which has less impact on programming changes and could be applied to all the PHP code, but for the moment we have decided not to use it.

In summary: one and the same application, distributed both to remote servers (Client installations) and to servers managed by the organization (service to multiple companies).

We have carried out a proof of concept to validate and verify that the system works, and this is what I am going to explain to you.

The License Manager is a single application that manages all companies; its main job is to manage this information.

Table (1) holds all the information about the Company, both administrative and technical.

This information is delivered to the application instances through a RESTful API connection, making the License Manager the "RESTful API Server" and the applications the "RESTful API Clients".

In the example, all the technical information for connecting to the Database is delivered through this communication, and none of it is stored in the application itself.

There is also information about the start and end dates of the contract, as well as a flag that allows the application to be temporarily blocked.

The ApiKey field in table (1) is used to identify the Company. The goal is to make the identification key non-deducible and therefore more difficult to impersonate.

Table (2) stores all the requests that reach the system, whether they were correct and were given data, as well as any errors that may have occurred.

For the RESTful API server I have used the SLIM 4.0 framework; it is very simple and powerful.
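As an added example (not the guide's code), here is the decision the License Manager makes for one request, written as plain PHP so it runs without the framework: the table (1) row, the key and the date are constructed placeholders, and the Slim route wiring and the database writes are assumed to be done around these functions.

```php
<?php
declare(strict_types=1);

// Generate a non-deducible ApiKey (32 random bytes, hex) for a new company row.
function newApiKey(): string
{
    return bin2hex(random_bytes(32));
}

// Decide whether the instance presenting $presentedKey may run.
// $company is one row of table (1); $now is a parameter so the check is testable.
function evaluateLicense(array $company, string $presentedKey, DateTimeImmutable $now): array
{
    // hash_equals compares in constant time, so the key is not leaked through timing.
    if (!hash_equals($company['apikey'], $presentedKey)) {
        return ['ok' => false, 'error' => 'unknown ApiKey'];
    }
    if ($company['blocked']) {
        return ['ok' => false, 'error' => 'temporarily blocked'];
    }
    $start = new DateTimeImmutable($company['contract_start']);
    $end   = (new DateTimeImmutable($company['contract_end']))->modify('+1 day'); // end date inclusive
    if ($now < $start || $now >= $end) {
        return ['ok' => false, 'error' => 'contract not in force'];
    }
    // Only on success is the connection data released to the instance.
    return ['ok' => true, 'db' => $company['db']];
}

// Build the table (2) audit entry for this request (the caller persists it).
function auditEntry(string $presentedKey, array $result, DateTimeImmutable $now): array
{
    return [
        'at'     => $now->format(DATE_ATOM),
        'apikey' => substr($presentedKey, 0, 8) . '...', // never log the whole key
        'ok'     => $result['ok'],
        'error'  => $result['error'] ?? null,
    ];
}

// Constructed sample row with placeholder values (not from the guide).
$company = [
    'apikey'         => newApiKey(),
    'blocked'        => false,
    'contract_start' => '2025-01-01',
    'contract_end'   => '2025-12-31',
    'db'             => ['host' => 'db.example.invalid', 'name' => 'app', 'user' => 'app', 'pass' => 'placeholder'],
];
$now    = new DateTimeImmutable('2025-02-19');
$result = evaluateLicense($company, $company['apikey'], $now);
print_r(auditEntry($company['apikey'], $result, $now));
```

Serve the endpoint over HTTPS only, since the ApiKey and the returned database credentials travel in the request and response.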

If you are interested in the code and want to have the example, keep reading the article in this link.