All geek questions in one place

How to implement an API key in PHP software?

I am distributing the created PHP plugin as a Wordpress plugin, but I want to implement an API key for it, and users will need to enter an API key to unlock it for it to work.

How can I do that? And yes, I already know that this can be easily circumvented since PHP is not compiled, but at least it holds back some people who do not speak PHP.

Thanks..

+4
source share
4 answers

I donโ€™t think you understand what an API key is.

An API key is a key that allows you or a script to access and interact with an API or an online service.

What you seem to be describing is a kind of license key that would prevent the user from using your script without the possibility of payment or registration.

While an API key often requires payment or registration, the two are not really the same.

API keys are typically entered to track usage and prevent misuse of online services and data.

It looks like in your case you are just trying to restrict access to the script.

If your script is fundamentally dependent on a remote data source, this method will not work, because any user with any remote PHP knowledge will simply delete the code that performs the check.

With PHP, the same applies to the license key. The user will find a way around it, unless it is needed to execute the script.

Validation must be performed remotely, and there must be some incentive to leave it in tactics (access to remote data is obvious).

+6
source

You can scramble the source code using the API key. Encrypt some important part of the source code (for example, using libmcrypt) and load the script and decrypt the source. Of course, someone finding the appropriate routine can then easily unload the source to disk and use it instead, but it will not be as trivial as deleting the check.

+1
source

If you do not need people deleting your check, you really need to add an if , which checks whether the installed license key is correct or not.

I noticed that you mentioned that your license keys were just SHA1 hashes. You can easily add an additional 4 characters to the hash, which you could use as a checksum.

For instance:

 function generate_key() { $serial = sha1(uniqid(rand(), true)); $checksum = substr(md5($serial), 0, 4); return $serial . $checksum; } function verify_key($key) { $serial = substr($key, 0, 40); $checksum = substr($key, -4); return md5($serial, 0, 4) == $checksum; }

This is a very simple example, but it is just a tutorial.

Essentially, you should check if the license key is valid on the host server, and not ping the script on your server.

The disadvantage of this is that anyone can generate a valid key by opening the source code and finding validate_key .

You could call an external script to do verify_key , but is it really worth the effort? In addition, you will sacrifice page load time to verify the key.

I remember that vBulletin had a very easily cracked licensing system, but they had a 1x1 hidden image in several sections that pinged a script in their domain. Using the magazines, they were able to determine which domains hosted illegal copies of their software, and they simply sent a letter to the administrator with a lawyer.

If you would like to get a more reliable solution, I would suggest that I might look at Zend Guard , but you don't seem to care about people hacking your software so personally I would just go as simple as possible.

0
source

Absolutely pointless. As your php, you need to send the source code, and any user can simply delete the license verification code and run it.

In addition, people do not like to bother with license keys, if you are not really really useful, not needed or not needed, they will either find a license key, or simply do not worry about it.

0
source

Source: https://habr.com/ru/post/1332057/

More articles:


All Articles