Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 24, 2014 03:26PM

Hello everybody!

I got a new idea for protecting php script in localhost. The idea is as follows:

I have created a php script and I have defined the details of Mysql database name, user and password in a .php file.

After that I have obfuscated the php file. I have created a Mysql database in a client's computer with the password I have specified before. But I don't let my client know the password of the user of that database.

The script will run without any problems for the client. If the client wants to duplicate the script in another person's computer, he can't do that. Because he doesn't know the password of the database. So whatever password he assigns for the user of that database, the script won't run as the password of the user of that database doesn't match the password which was defined in the .php file by the creator of the php script. So any client can run the script in localhost, but he can't pirate the php script for anybody in localhost. Is this idea correct for protecting php script in localhost? Please respond to this idea quickly.

Re: Database password for secure php script
Posted by: Otomatic (Moderator)
Date: April 24, 2014 06:15PM

Hi,

If the client can access the file "my.ini", it is not a good idea. (skip-grant-tables)

---------------------------------------------------------------
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons

Re: Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 24, 2014 07:32PM

Otomatic Wrote:
-------------------------------------------------------
> Hi,
>
> If the client can access the file "my.ini", it
> is not a good idea. (skip-grant-tables)


Respected Otomatic,

I have read the 'my.ini' file, but I couldn't find any password for any database I have created. So what is the danger? I am not able to understand what you mean. Could you please explain in detail?
Yours lovingly,
Afroz Ahmad

Re: Database password for secure php script
Posted by: RiggsFolly (---.as13285.net)
Date: April 24, 2014 08:28PM

Take a look at the MySQL documentation for the parameter Oto mentioned.

skip-grant-tables

That should explain all you need to know.

There is a link at the bottom of this post.

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.3.4 64bit) Aestan Tray Menu 3.2.5.4
<Apache versions MULTIPLE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.23>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-

Re: Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 25, 2014 05:28AM

RiggsFolly Wrote:
-------------------------------------------------------
> Take a look at the MySQL documentation for the
> parameter Oto mentioned.
>
> skip-grant-tables
>
> That should explain all you need to know.
>
> There is a link at the bottom of this post.

Hello Riggs, Have a nice day.

I think you have not understood what I mean to say.

1. I have created a script.

2. I have created a file 'dbcommon.php' including a database, its user and a password for it.

3. I have sold the php script to a customer.

4. I have entered in phpmyadmin and created the database, user and the password mentioned in 'dbcommon.php' in my script.

5. But I have concealed the password for that database to the customer. I never tell the password for that user.

6. The script runs well in 'localhost' of that customer.

7. I have obfuscated the 'dbcommon.php' file in which the details of the database, username and password have been mentioned.

8. When the customer types localhost in the address bar of browser, the index.php file will check the 'dbcommon.php' file and if a database exists with the same name, username and the password, the php script will run, if such a database with the name along with the same name, same username and same password mentioned in 'dbcommon.php' file, the php script won't run.

9. When the customer enters into phpmyadmin, he will know the name of the database name and username for it. But he will not know the password created for that username. If he checks the 'dbcommon.php' file to know the details of database, username and password, he can't know them. Because the 'dbcommon.php' file has been obfuscated. So he can't read that file.

10. If the customer copies the php script and to 'htdocs' folder of his friend and create the same database in phpmyadmin, but he can't create the same password for the user of that database as he doesn't know the password which was defined in 'dbcommon.php' file.

11. If he creates the database with the same user and create any password as he desires and type 'localhost' in the address bar of browser, the php script won't run. Because the username and password which were created for that database won't match with the username and password mentioned in 'dbcommon.php' file.

12. So the customer and his friend can't run the same php script in any other computer.

This is the complete idea to protect a php script in localhost.

Am I right? Isn't it right process?

Please respond to this explanation. Thanks in advance.

Re: Database password for secure php script
Posted by: Otomatic (Moderator)
Date: April 25, 2014 09:52AM

afroz wrote:
-------------------------------------------------------
> I have read the 'my.ini' file, but I couldn't find any password for any database I have created.
> So what is the danger? I am not able to understand what you mean. Could you please explain
> in detail?

If the user can access the my.ini file he can add "skip-grant-tables" in it.

MySQL documentation:

skip-grant-tables

This option causes the server to start without using the privilege system at all, which gives anyone with access to the server unrestricted access to all databases. You can cause a running server to start using the grant tables again by executing mysqladmin flush-privileges or mysqladmin reload command from a system shell, or by issuing a MySQL FLUSH PRIVILEGES statement after connecting to the server.

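An added example, not part of the original thread: a small Python check that scans a MySQL option file such as my.ini for an active skip-grant-tables line, the setting quoted from the documentation above. The group name wampmysqld64, the helper name and the sample file contents are assumptions constructed for illustration.

```python
import re

# Groups the MySQL server reads from an option file. A server installed as a
# named service may read an extra group; pass it in via extra_groups.
DEFAULT_SERVER_GROUPS = {"mysqld", "server"}
OFF_VALUES = {"0", "off", "false"}

def find_skip_grant_tables(ini_text, extra_groups=()):
    """Return one finding per non-commented skip-grant-tables line."""
    server_groups = DEFAULT_SERVER_GROUPS | {g.lower() for g in extra_groups}
    section, findings = None, []
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in "#;":           # blank or commented-out line
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        line = line.split("#", 1)[0].strip()      # drop a trailing comment
        name, _, value = line.partition("=")
        # MySQL treats '-' and '_' alike in option names and accepts a
        # 'loose-' prefix, so normalise before comparing.
        name = name.strip().lower().replace("_", "-")
        if name.startswith("loose-"):
            name = name[len("loose-"):]
        if name != "skip-grant-tables":
            continue
        findings.append({
            "line": lineno,
            "section": section,
            "read_by_server": section in server_groups,
            # A bare option counts as on; only explicit off values disable it.
            "enabled": value.strip().lower() not in OFF_VALUES,
        })
    return findings

# Constructed sample option file, not taken from any real installation.
# "wampmysqld64" is an assumed service-specific group name.
SAMPLE_MY_INI = """\
[client]
port = 3306
[wampmysqld64]
# skip-grant-tables
skip_grant_tables
[mysqld]
loose-skip-grant-tables = OFF
"""
```

Calling `find_skip_grant_tables(SAMPLE_MY_INI, extra_groups=["wampmysqld64"])` reports the active line in the service group and the explicitly disabled one under `[mysqld]`, while the commented-out line is ignored.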
Re: Database password for secure php script
Posted by: RiggsFolly (---.as13285.net)
Date: April 25, 2014 10:02AM

No.

Even using phpMyAdmin ( and there are more comprehensive tools ) if I click on the 'Users' tab, I can 'Export' each and every User account, complete with password and privileges.

Once I have the exported User, I have all the information I need to recreate that user to any MySQL Db I like.

I am afraid this is commonly called 'Security via ignorance', i.e. you are hoping your client does not understand how to use mysql, and it is an unreliable method.

There are very few ways of obfuscating PHP code and none of them are completely foolproof, and all of them cost money or a lot of time to come up with your own.


Edited 1 time(s). Last edit at 04/25/2014 10:16AM by RiggsFolly.

Re: Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 30, 2014 05:42AM

RiggsFolly Wrote:
-------------------------------------------------------
> No.
>
> Even using phpMyAdmin ( and there are more
> comprehensive tools ) if I click on the 'Users'
> tab, I can 'Export' each and every User account,
> complete with password and privileges.
>
> Once I have the exported User, I have all the
> information I need to recreate that user to any
> MySQL Db I like.
>
> I am afraid this is commonly called 'Security
> via ignorance', i.e. you are hoping your client
> does not understand how to use mysql, and it is an
> unreliable method.
>
> There are very few ways of obfuscating PHP code
> and none of them are completely foolproof, and all
> of them cost money or a lot of time to come up
> with your own.


Dear RiggsFolly ....

Thanks a lot for your valuable suggestions.

I got an idea.

If I get 'xampp' portable edition and if I altered the 'phpmyadmin' script so that there should be no 'Export' users option in 'Phpmyadmin', then the protection method I described above will work fine. Isn't it? Because the client won't be able to export the 'users' as he doesn't have 'Export' option in the 'Portable Edition of Xampp' I give to him. So he can't run the php script other than in his computer as he doesn't know the 'password' of the user for the database and he can't export the users.

Now, is this good idea or not?

Thanks in advance

Re: Database password for secure php script
Posted by: RiggsFolly (---.as13285.net)
Date: April 30, 2014 10:35AM

What is then stopping someone installing a new/different version of phpmyadmin?

Basically you are still relying on ignorance for your security, and that is not a reliable mechanism.

Re: Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 30, 2014 01:26PM

RiggsFolly Wrote:
-------------------------------------------------------
> What is then stopping someone installing a
> new/different version of phpmyadmin?
>
> Basically you are still relying on ignorance for
> your security, and that is not a reliable
> mechanism.

Ok. Dear Riggs Folly.... Thanks a lot for your response.

I agree that I am relying on ignorance for security in localhost.

Then what is the complete security system to protect a php script from being pirated? It should run in localhost of a client's computer. But it should not run on other computer in localhost.

Please help me.

With regards,

Afroz Ahmad

Re: Database password for secure php script
Posted by: RiggsFolly (---.as13285.net)
Date: April 30, 2014 01:50PM

I am afraid I have no idea.

Re: Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 30, 2014 02:18PM

RiggsFolly Wrote:
-------------------------------------------------------
> I am afraid I have no idea.


Dear RiggsFolly,

This is very bad with php. If we can't protect our php applications, then why should we create php applications? Should we create php applications to offer them as free applications only?

I want to make some money and I have created some php applications. Here in India, I have to sell those scripts to the clients and install them in localhost only.

So what can I do to stop piracy of my php applications?

Thanks in advance.

Afroz Ahmad

Re: Database password for secure php script
Posted by: RiggsFolly (---.as13285.net)
Date: April 30, 2014 03:27PM

If you want a protection mechanism you are going to have to pay for it
( I guess this is not what you want to do )
or write something yourself.


You have tried writing it yourself and seen it is not easy.

Do a search for tools that will protect your php script, if they are any good you will have to pay for them though.

Re: Database password for secure php script
Posted by: afroz (---.beamtele.net)
Date: April 30, 2014 03:42PM

RiggsFolly Wrote:
-------------------------------------------------------
> If you want a protection mechanism you are going
> to have to pay for it
> ( I guess this is not what you want to do )
> or write something yourself.
>
>
> You have tried writing it yourself and seen it is
> not easy.
>
> Do a search for tools that will protect your php
> script, if they are any good you will have to pay
> for them though.


Dear Riggs Folly,

Thanks for quick response.

Yes. I can buy a protection system software. But all the protecting and obfuscating software products are intended for Online Protection only. Each and every php protection system software can obfuscate the php script and bind it to an ip or a domain name. It is nice for online.

But I would like to protect the php script in localhost.

Now, I got an idea.

I will buy USB stick which is non-copyable. So I will put portable web server and the php script in that USB Stick and sell it to the customer.

So, customer can use the software through the USB Stick but he can't copy the files in the USB to another USB stick.

Doesn't it sound good?

I think this is the ultimate protection system.

Please respond quickly.

Yours lovingly,

Afroz Ahmad

Re: Database password for secure php script
Posted by: RiggsFolly (---.as13285.net)
Date: April 30, 2014 06:42PM

Cannot comment on that, I have no experience of USB sticks that you cannot copy.
