tuxit (User)
Fresh Boarder
Posts: 1
Is it safe PHP-GTK? 3 Months, 3 Weeks ago
Karma: 0

I have a system for a business with multiple branches. I wonder if any employee could modify the .php, edit the script, and access parts of the database to which they have no access, etc.

Last Edit: 2008/04/02 15:51 By tuxit.
The administrator has disabled public write access.

kksou (Admin)
Admin
Posts: 145
Re:Is it safe PHP-GTK? 3 Months, 3 Weeks ago
Karma: 6

tuxit wrote:
I have a system for a business with multiple branches. I wonder if any employee could modify the .php, edit the script, and access parts of the database to which they have no access, etc.
Hi Tuxit,
If they really want to hack it, yes, they could.
It's true for almost any software, or website. Of course, the fact that PHP-GTK2 is a script language makes it even easier.
If you're more comfortable with a .exe application, then maybe PHP-GTK is not for you at this point in time. Hopefully a PHP-GTK compiler will come out soon.
If you're still keen on using PHP-GTK2 (maybe for its ease of development, ease of distribution, ease of maintenance, open source, etc.), then you might try the following:
1) Suppose all your clients are on LAN, make all of them run your PHP-GTK application remotely. That is, put your PHP-GTK2 in one shared folder. Everybody will only run this copy of application.
a) Make sure this php-gtk script is read-only. This will ensure that nobody can change any code inside.
b) In your application, add some code to make sure that the application is run remotely. If someone tries to copy it to their local machine and run it from there, your application will automatically quit and display a warning. (By the way, try to bury this code deep inside your application. Don't make it the first few lines or the last few lines of your application.)
2) If you're ok with other languages, then do a combination. For example, you could code the bulk of your codes in php-gtk, and the business sensitive one (e.g. the part that accesses your database) in, say, C++. Then from within php-gtk, use system or pipe to interface with these modules.
3) Obfuscate your php-gtk script. This doesn't stop the prying eyes, of course. But at least it makes it more difficult to read and understand the code.
I'm sure there are many other innovative ways that people use to deploy php-gtk apps.
Anyone of you would like to share...?
Regards,
/kksou
Last Edit: 2008/04/03 02:12 By kksou.

nitro7 (User)
Fresh Boarder
Posts: 5
Re:Is it safe PHP-GTK? 3 Months, 2 Weeks ago
Karma: 0

kksou wrote:
Anyone of you would like to share...?
As kksou pointed out, anything can be hacked or reverse engineered if people take the time.
I have a way that somewhat secures the code. It does require access to an apache web server (may work on other web servers just not tested).
Basically what I did was have a plain text file called phps.dll; this file simply has 2 lines in it.
Code:
    $dll = "WEB ADDRESS TO PHPS CODE";
    ini_set('user_agent', 'MADE_UP_USER_AGENT');
Why do I call it dll? Well, most people are scared of DLLs and won't mess with it. Security through obscurity.
Then my actual code is as follows:
Then on the web server in the apache config I have the following:
Code:
    SetEnvIf User-Agent ^MADE_UP_USER_AGENT let_me_in
    Order Deny,Allow
    Deny from all
    Allow from env=let_me_in
So any attempt to access the secure file will get a Forbidden error unless the User Agent matches what you set it to.
Keep in mind someone could still write an application to bypass your security, but for them to figure out exactly what you are doing may take a bit. The average person is not going to figure this out.
--
Nitro7
Last Edit: 2008/04/04 23:36 By nitro7.
Reason: Code was messed up.

Re:Is it safe PHP-GTK? 3 Months, 2 Weeks ago
Karma: 0

your method of defining a certain user-agent is quite interesting for software that uses Apache as auth backend or something. but it is only interesting when the source of the phpgtk app is compiled, e.g. with zendGuard, and you are using https for the connection. only then is the safety of the user-agent "key" guaranteed.
you might not use this for open source ;)
my method of doing it:
- use https for authentication
- transfer a user/pass combination towards the server
- server validates user and md5(pass)
- server gives an auth okay and a list of random keypairs
- use keypairs for later client-server transactions
- keypairs are like pins/tans :)
Regards, RR
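
The login-then-one-time-keys flow RR lists, as an added example that is not code from this thread: unlike the fixed User-Agent value in nitro7's post, each server-issued key authorises one request and a replay of that request is refused. The class and method names, the reading of "keypairs" as (id, secret) pairs, the HMAC over the request body and the use of password_hash() in place of md5(pass) are assumptions of this example; HTTPS transport is taken as given and PHP 7.4 or later is required.

```php
<?php
// Added example, not code from the thread. TanServer and its methods are
// hypothetical names; password_hash() stands in for the md5(pass) check.
final class TanServer
{
    private array $users = [];  // user => password hash
    private array $keys  = [];  // user => [key id => secret], unused keys only

    public function addUser(string $user, string $pass): void
    {
        $this->users[$user] = password_hash($pass, PASSWORD_DEFAULT);
    }

    // Validate the login, then hand back a fresh list of random key pairs.
    public function login(string $user, string $pass, int $count = 3): ?array
    {
        $hash = $this->users[$user] ?? null;
        if ($hash === null || !password_verify($pass, $hash)) {
            return null;
        }
        $this->keys[$user] = [];               // old keys die with the old session
        for ($i = 0; $i < $count; $i++) {
            $this->keys[$user]['k' . bin2hex(random_bytes(4))] = bin2hex(random_bytes(32));
        }
        return $this->keys[$user];
    }

    // A request names one key id and carries an HMAC of its body under that key.
    public function verify(string $user, string $id, string $body, string $mac): bool
    {
        $secret = $this->keys[$user][$id] ?? null;
        if ($secret === null) {
            return false;                      // unknown or already spent key
        }
        unset($this->keys[$user][$id]);        // spent on first use, valid or not
        return hash_equals(hash_hmac('sha256', $body, $secret), $mac);
    }
}

// Constructed demo data: one user, one signed request, then a replay of it.
$server = new TanServer();
$server->addUser('branch1', 'correct horse');
$keys = $server->login('branch1', 'correct horse');
$id   = array_key_first($keys);
$body = 'action=list_orders&branch=1';
$mac  = hash_hmac('sha256', $body, $keys[$id]);
var_dump($server->verify('branch1', $id, $body, $mac));  // first use of the key
var_dump($server->verify('branch1', $id, $body, $mac));  // same request replayed
var_dump($server->login('branch1', 'wrong password'));   // failed login
```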

Re:Is it safe PHP-GTK? 2 Months, 1 Week ago
Karma: 0

Try the ion-encoder (http://www.ioncube.com/). I use this to hide my php gtk code for a commercial application. Works very well.
I think there is a free trial.
kksou (Admin)
Admin
Posts: 145
Re:Is it safe PHP-GTK? 2 Months, 1 Week ago
Karma: 6

relic245 wrote:
Try the ion-encoder (http://www.ioncube.com/). I use this to hide my php gtk code for a commercial application. Works very well.
Hi Relic245,
Would you mind sharing a bit more? I know ioncube can be used to encode/decode PHP scripts. I didn't know it can be used for PHP-GTK scripts.
Are you using PHP-GTK or PHP-GTK2? Does it work with PHP-GTK2 scripts? How does it take care of those PHP-GTK2 specific commands and structures?
Also, do you encode the entire PHP-GTK script or just part of it?
Thanks and Regards,
/kksou

Re:Is it safe PHP-GTK? 2 Months, 1 Week ago
Karma: 0

Hi Kksou,
yes works fine with php_gtk 1 and 2. You don't have to do anything different than you would with regular php scripts. It just works.
Here is a part of an encoded script (it's actually one of your examples from the site :) )
well encoded eh?
kksou (Admin)
Admin
Posts: 145
Re:Is it safe PHP-GTK? 2 Months, 1 Week ago
Karma: 6

Hi Relic245,
1) Would you mind elaborating a bit on how to run the above encoded script? I suppose you need to first decode the script, and run it with the standard PHP-GTK2 interpreter.
2) Since the decoder and PHP-GTK2 are two different pieces of software and not integrated, isn't it possible that people just decode it and get the unencoded file (since PHP-GTK can only understand the unencoded format)?
Regards,
/kksou
Last Edit: 2008/05/13 05:52 By kksou.