RE: [PHP] hosting "closed" web application for multiple users

2001-05-19 Thread Craig Vincent


2) user cannot trick other root processes to read
script.php for her.

Is there a better alternative?


Depending on your budget, yes there is.  Zend has a PHP encoding utility
which performs two functions: first off, since it needs to run through their
optimizer, your PHP scripts will tend to run faster (at the expense of a bit
more memory consumption), and also you don't need to worry about preventing
the source code from being read, as the PHP scripts are converted into a
binary executable.  Licenses to use these programs are, I believe, around $600
per year but offer a wide range of additional features, and I would consider
it well worth it to a company rather than spending countless tech hours and
security testing to prevent the source from being viewed.

http://www.zend.com

Sincerely,

Craig Vincent


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]




RE: [PHP] hosting "closed" web application for multiple users

2001-05-19 Thread Steven Haryanto

Actually, we _are_ considering buying Zend Encoder, but are in the
middle of thinking about alternatives... :-)

However, sometimes vendors do not want the user to have access to
the _binary also_ (and then run it somewhere else), so that needs
some extra protection other than the Encoder too.

Regards,
Steve

At 19/05/2001 21:47, Craig Vincent wrote:
>
>2) user cannot trick other root processes to read
>script.php for her.
>
>Is there a better alternative?
>
>
>Depending on your budget yes there is.  Zend has a PHP encoding utility
>which performs two functions, first off since it needs to run through their
>optimizer your PHP scripts will tend to run faster (at the expense of a bit
>more memory consumption) and also you don't need to worry about preventing
>the source code from being read as the php scripts are converted into a
>binary executable.  License to use these programs are I believe around $600
>per year but offer a wide range of additional features but I would consider
>it well worth it to a company rather than spending countless tech hours and
>security testing to prevent the source from being viewed.
>
>http://www.zend.com
>
>Sincerely,
>
>Craig Vincent






RE: [PHP] hosting "closed" web application for multiple users

2001-05-19 Thread Mr. Adam ALLEN.

The only idea I have is not perfect, but would stop people without time on
their hands from getting your code. (But it could be time consuming for you
(but free))

1) make the source code a string
2) encrypt it, (but try to use bizarre, unheard of functions so that it takes
longer to work out how to decrypt it)
3) when running the code decrypt it, (use some hash to check the code has
been decrypted ok)
4) eval() the code

If some code was encrypted as above so people didn't have too much of a clue
what was happening.
1) make the code include("http://www.yoursite.com/code-custid=43824");
2) maybe cache it on the server for a period of time (otherwise every
execution would hit your server, and performance would certainly drop).

Assuming the code works, doesn't bring in gaping security holes, and
performance doesn't suffer too much, then this could be used in a situation
where, if someone doesn't pay renewal of license fees (or you fall out with
them), you can revoke their access to your code.

This would probably work much better if it is a binary from Zend, as people
would have the binary, but without getting the ok from your server then the
binary stops working.

I've used the principle in Visual Basic (where code is compiled so quite
safe), and been able to stop people using my software for ever.

Not tried it in PHP though... If this is a stupid idea, don't shoot me, I've
slept for the 30 hours, and instead of working to get projects finished, I'm
answering newsgroups ;-)
I'd be interested to hear what others think anyway.

Yours
Mr. Adam ALLEN.
[EMAIL PROTECTED]
http://www.dynamicinteraction.co.uk


> -Original Message-
> From: Steven Haryanto [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, May 19, 2001 3:56 PM
> To: Craig Vincent
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: [PHP] hosting "closed" web application for multiple users
>
>
> Actually, We _are_ considering of buying Zend Encoder, but in the
> middle of thinking for alternatives... :-)
>
> However, sometimes vendors do not want user to have access to
> the _binary also_ (and then run it somewhere else), so that needs
> some extra protection other than the Encoder too.
>
> Regards,
> Steve
>
> At 19/05/2001 21:47, Craig Vincent wrote:
> >
> >2) user cannot trick other root processes to read
> >script.php for her.
> >
> >Is there a better alternative?
> >
> >
> >Depending on your budget yes there is.  Zend has a PHP encoding utility
> >which performs two functions, first off since it needs to run through their
> >optimizer your PHP scripts will tend to run faster (at the expense of a bit
> >more memory consumption) and also you don't need to worry about preventing
> >the source code from being read as the php scripts are converted into a
> >binary executable.  License to use these programs are I believe around $600
> >per year but offer a wide range of additional features but I would consider
> >it well worth it to a company rather than spending countless tech hours and
> >security testing to prevent the source from being viewed.
> >
> >http://www.zend.com
> >
> >Sincerely,
> >
> >Craig Vincent
>
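
Steps 1 to 4 of the scheme in the message above, as an added example that is not code from the thread: it swaps the suggested "bizarre" cipher and separate hash for standard AES-256-GCM, whose authentication tag does the "decrypted ok" check before eval(). The function names, key handling and sample payload are assumptions made for illustration.

```php
<?php
// Added illustration; function names and the sample payload are constructed.
const CIPHER = 'aes-256-gcm';

// Steps 1-2 (vendor side): treat the source as a string and encrypt it.
function pack_source(string $source, string $key): string
{
    $iv  = random_bytes(12);   // 96-bit nonce, must be unique per blob
    $tag = '';
    $ct  = openssl_encrypt($source, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);   // layout: iv(12) | tag(16) | ciphertext
}

// Step 3 (loader side): decrypt and verify in one operation.
// Returns null when the blob was altered or the key is wrong.
function unpack_source(string $blob, string $key): ?string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) < 28) {
        return null;
    }
    $iv    = substr($raw, 0, 12);
    $tag   = substr($raw, 12, 16);
    $ct    = substr($raw, 28);
    $plain = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $plain === false ? null : $plain;
}

$key  = random_bytes(32);   // assumption: in the scheme this ships with the loader
$blob = pack_source('return strtoupper("licensed code ran");', $key);

// Step 4: eval() only what passed the integrity check.
$code = unpack_source($blob, $key);
if ($code === null) {
    exit("integrity check failed, refusing to eval\n");
}
echo eval($code), "\n";

// A single flipped ciphertext bit must make the loader refuse the blob.
$bad     = base64_decode($blob);
$bad[30] = chr(ord($bad[30]) ^ 1);
var_dump(unpack_source(base64_encode($bad), $key));
```

Because the loader on the customer's machine has to hold the key, this only slows down someone who can read the loader, which matches the poster's "not perfect" caveat. The integrity check matters most for the remote include variant, where the blob crosses the network before it is evaluated.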






RE: [PHP] hosting "closed" web application for multiple users

2001-05-19 Thread Matthias Winkelmann



> -Original Message-
> From: Steven Haryanto [mailto:[EMAIL PROTECTED]]
>
>
> I have a requirement like this:
>
> - the php script should be runnable by httpd user only.
> - the php script will include other files.
> - the php script should run as the user.
> - the user must not be able to access the source code
>of the scripts.
>

Take a look at APC (apc.communityconnect.com). It is primarily a cache,
which will boost your performance, but it also allows you to take the cached
compiled files from the file system and distribute them.






RE: [PHP] hosting "closed" web application for multiple users

2001-05-19 Thread Steven Haryanto

btw, have people tried apc 1.0.9 with php-4.0.5? apc runs fine
for some of my scripts (though performance improvement is not
great at all, or am i doing something wrong). but for some of
my more complex scripts, it crashes the httpd binary with
segfaults.

btw, can you just take the compiled cache file and distribute
it? does the file need to be run with apc also? or can the
plain zend engine handle it?

steve

At 19/05/2001 22:45, Matthias Winkelmann wrote:


> > -Original Message-
> > From: Steven Haryanto [mailto:[EMAIL PROTECTED]]
> >
> >
> > I have a requirement like this:
> >
> > - the php script should be runnable by httpd user only.
> > - the php script will include other files.
> > - the php script should run as the user.
> > - the user must not be able to access the source code
> >of the scripts.
> >
>
>Take a look at apc (apc.communityconnect.com), it is primarily a cache,
>which will boost your performance, but also allows you to take the cached
>compiled files from the file system and distribute them.

