1

Is it possible to make PHP Script Domain-dependent, without using Zend guard or another third party tool, so that if it tried to be executed on any other domain it will get corrupted.

  • 1
    If someone takes your script and puts it on another server then chances are they know how to remove any part of it that guards against execution on other servers. – apokryfos Feb 03 '17 at 08:51
  • Possible duplicate of [Is it possible to hide/encode/encrypt php source code and let others have the system?](http://stackoverflow.com/questions/18203112/is-it-possible-to-hide-encode-encrypt-php-source-code-and-let-others-have-the-sy) – apokryfos Feb 03 '17 at 08:57
  • @apokryfos No not duplicate, I don't want to use Zend Guard or Third Party Encodes. –  Feb 03 '17 at 09:14
  • I doubt this is possible without any 3rd party intervention. You're basically trying to bypass the normal PHP interpreter in favour of something that will decrypt and then execute your code. – apokryfos Feb 03 '17 at 09:25
  • I think it will require a handler before compiler. –  Feb 03 '17 at 09:33
  • Yes, but the handler will also need to be distributed to decrypt the code so a memory dump will reveal the PHP bytecode which is easy to reverse engineer. In these cases it's just a matter of making things harder because you can never make things impossible. – apokryfos Feb 03 '17 at 09:34
  • right ..we can never make things impossible.. –  Feb 03 '17 at 09:44

2 Answers2

1

You could test for HTTP_HOST to determine if to execute the PHP, for example:

$allowed_hosts = array('foo.example.com', 'bar.example.com');
if (!isset($_SERVER['HTTP_HOST']) || !in_array($_SERVER['HTTP_HOST'], $allowed_hosts)) {
    header($_SERVER['SERVER_PROTOCOL'].' 400 Bad Request');
    exit;
}
else{ 
   // PHP here
}

In this case, PHP is executed server side and therefore not visible to users running the code. Only someone with access to the .php file on the server can read it.

Philip Thomson
  • 173
  • 10
0

Here you go:

if ($_SERVER['HTTP_HOST'] == 'www.domain.com') {
 ...
}
Svekke
  • 1,470
  • 1
  • 12
  • 20
  • In this case, if anyone will check the script and can bypass the condition. I have to make sure that no one can see how it is working. –  Feb 03 '17 at 08:53
  • PHP is run server side, someone will need access to the server to read the file – Philip Thomson Feb 03 '17 at 08:59
  • @PhilipThomson I think they want to sell/distribute software written in PHP and not have people be able to read the source. – apokryfos Feb 03 '17 at 09:00
  • @apokryfos In that case, two options: It would either be best to keep the software private and set up instances on your own servers for users. Or keep core parts of the and dependencies away from the users it has been distributed to. See [this](http://security.stackexchange.com/questions/4637/are-there-drm-techniques-to-effectively-prevent-pirating) article on DRM. – Philip Thomson Feb 03 '17 at 09:08