PHP exec is disabled

ddleigh



Joined: 07 Jun 2007
Posts: 44

Posted: Tue Aug 17, 2010 3:26 am    Post subject: PHP exec is disabled

Hi,

I've found that quite a lot of hosters have disabled the PHP exec, system, passthru and shell_exec, quoting security issues as the reason.

Unfortunately, this is preventing me from using your make_license program, which my software relies on to automatically licence itself.

Could you tell me if there is an alternative way to execute make_license from PHP code or whether you have a version of it written in PHP instead or a pre-compiled program?

I've automated the licence generation process into my software, so my customers can use it too. However, I would like to make sure it will work reliably no matter which hosting service they use. Unfortunately, I've found that many hosters nowadays seem to prefer switching all the above commands off on shared servers.

I would really like to make this work and am desperate for any alternative ways to execute your make_license program, so any suggestions are very welcome.

Debbie
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

Posted: Tue Aug 17, 2010 3:40 am

A good alternative would be not to use make_license in a shared hosting environment, instead use at the very least a VPS (virtual private server).

Course since make_license is a Linux binary (in most cases), it's not restricted to only be called by PHP, I've actually set up a Python app to generate licenses. But alas you'll find it difficult to do that on a shared hosting provider, you should be using a VPS or higher if you're trying to run a business in that fashion.
_________________
http://ionvz.com
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2754

Posted: Tue Aug 17, 2010 8:31 am

I'd second this. There can be advantages to a shared host in that if they fail, the host will generally know about it and is likely to get it running again soon, but running any kind of business operation is really better on a system where you have complete control over the system installation, and ideally over the power (virtual or physical) so that you can restart the hardware in the event that the machine locks up. We've always used multiple dedicated servers, but a VPS setup that is switched by the host to different hardware in the event of a failure could be a good choice in terms of balancing cost, flexibility and reliability.
_________________
Community Admin
ddleigh



Joined: 07 Jun 2007
Posts: 44

Posted: Tue Aug 17, 2010 10:38 am

Hi,

Thank you for your suggestions. I have been talking to my hoster about a vps setup, but that would only solve the problem for me.

What I was ideally hoping for was a solution that would be portable for users of my software as well. As you can imagine, it wouldn't get very many sales, if I said that you could only use my software on a vps hosting account.

I'm sure I'm not the only person that has come across this brick wall problem with hosting companies.

One solution that I thought of was to perhaps release an encoded PHP script version of make_license (or some other form that isn't an external program) that wouldn't trigger the security restrictions of the various shared hosting services.

Would this be possible?

Debbie
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

Posted: Tue Aug 17, 2010 2:16 pm

ddleigh wrote:
Hi,

Thank you for your suggestions. I have been talking to my hoster about a vps setup, but that would only solve the problem for me.


Only you should have a copy of the make_license to begin with.

ddleigh wrote:

What I was ideally hoping for was a solution that would be portable for users of my software as well. As you can imagine, it wouldn't get very many sales, if I said that you could only use my software on a vps hosting account.


I don't see how make_license would make your application any less portable, as it makes a license file which can be distributed with your application for the specified purchaser.

Also the encoded scripts would work even on a shared hosting provider as long as the ioncube loaders are installed, they shouldn't even have your copy of make_license. You should not be distributing make_license.

ddleigh wrote:

I'm sure I'm not the only person that has come across this brick wall problem with hosting companies.


Technically not a problem just makes more sense to need your own environment for trying to run system-level processes.

ddleigh wrote:

One solution that I thought of was to perhaps release an encoded PHP script version of make_license (or some other form that isn't an external program) that wouldn't trigger the security restrictions of the various shared hosting services.

Would this be possible?


But doing such (ie: a php version of make_license) would not only be difficult and large in what make_license actually does, but would also decrease the effectiveness of the binary if it was much more easily reverse engineered.

Based on what you said about 'others' using it, I think you're confused about how you should be using the make_license binary, it's not supposed to ship with your application instead you're supposed to use it to create license files for your customers automated or otherwise (and due to your error it does sound like you're trying an automated method, but maybe with the wrong approach).
_________________
http://ionvz.com
ddleigh



Joined: 07 Jun 2007
Posts: 44

Posted: Tue Aug 17, 2010 11:18 pm

Hi kblessing,

Oh no, the idea is that my customers will buy their own copy of the ioncube encoder and make_license. QESP just provides the wrapper functions to automate the whole license generation process, but obviously the functions have to be proven to work first.

My aim is to have my software capable of working on as many hosting services as possible, which means that it really should be capable of working on a shared hosting service, so that anyone can use it rather than just those that are technically inclined.

Having to call make_license, which is an external program, considering that many hosting services nowadays block the use of the system level commands, prevents my software from being able to work on shared web servers.

That's why I was wondering whether there was a possibility that an alternative version of make_license could be released that could be called without having to use exec or the other system level commands?

Debbie
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

Posted: Wed Aug 18, 2010 1:57 am

ddleigh wrote:
Hi kblessing,

Oh no, the idea is that my customers will buy their own copy of the ioncube encoder and make_license. QESP just provides the wrapper functions to automate the whole license generation process, but obviously the functions have to be proven to work first.


Well for starters if you are creating some kind of 'wrapper' to work with the make_license you'll need at least a VPS or higher. And yes if your customers are buying the encoder and wish to use make_license they too are advised to have a VPS or higher.

ddleigh wrote:

My aim is to have my software capable of working on as many hosting services as possible, which means that it really should be capable of working on a shared hosting service, so that anyone can use it rather than just those that are technically inclined.


Due to the nature of make_license and the purpose at hand it wouldn't be advised to attempt this on shared hosting, even if the provider turned on php_exec the shared environment isn't exactly considered secure when it comes to being able to execute shell commands.

ddleigh wrote:

Having to call make_license, which is an external program, considering that many hosting services nowadays block the use of the system level commands, prevents my software from being able to work on shared web servers.


I can't speak for the Ioncube staff, but the software was designed to be used by developers and software providers. As such they are not only going to have the technical expertise to run their own server or VPS, but could also afford to do so if for nothing other than a sound investment.

ddleigh wrote:

That's why I was wondering whether there was a possibility that an alternative version of make_license could be released that could be called without having to use exec or the other system level commands?

Debbie


There are other 'functions' in PHP depending on the version besides exec such as passthru() which may or may not work.

This is how I use it:

Quote:

//$expire contains the expiration limit if required otherwise blank
//Each value goes through escapeshellarg() as one whole argument, so input cannot break out of the command
$properties = "regname='".$name."',txn='".$code[0]."'";
$command = "make_license ".$expire." --passphrase MYPASSPHRASEHERE --header-line '<?php' --header-line 'exit(0);' --header-line '?>'"
    ." --properties ".escapeshellarg($properties)." --allowed-server ".escapeshellarg($domain.",www.".$domain);
passthru($command,$output); //$output receives the exit status; the output itself is echoed


Since the script remotely calls the php file with the values, it's expecting a direct response from make_license (passthru echoes back the actual output).

But like I said it may or may not work for you, especially since shared hosts are very strict about binary files in use, and also I doubt the ioncube team wants their make_license binary in a format that could be more easily reverse engineered since you'd have to plug into the php file somehow as a class or otherwise.

An alternative if I may, if your customers will be using publicly accessible servers for the product would be to create a wrapper on your own VPS or server, that the customer's script could 'phone home' the details to generate, and receive back a license file data, for example:

Quote:


//$txn containing your customers transaction or account # (optionally can accept a passkey or other data to be passed)
//This is just simply a mock up of how my kblinker app verifies and retrieves a license and could possibly
//be retrofitted to your solution for customers who cannot run the make_license binary

function verify($txn, $usr, $pwd)
{
    $domain = $_SERVER["SERVER_NAME"];

    $target = "https://www.yourdomain.com/verify.php";
    //encode_data_to_be_sent() stands for your own encoding routine; add whatever else you need to the array
    $code = encode_data_to_be_sent(serialize(array($txn, $domain)));

    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $target);
    curl_setopt($ch, CURLOPT_POST, 1);
    curl_setopt($ch, CURLOPT_POSTFIELDS, "e=".urlencode($code));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($ch, CURLOPT_BINARYTRANSFER, 1);

    //alternatively if you protect your verify script behind HTTP Auth you can give
    //customers their own login to the script which can be passed
    if(!empty($usr) && !empty($pwd))
        curl_setopt($ch, CURLOPT_USERPWD, $usr . ":" . $pwd);

    //For an https target keep certificate and host name verification switched on,
    //otherwise the license data and login can be read or replaced in transit
    if(preg_match("/^(https)/", $target) > 0)
    {
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    }

    $data = curl_exec($ch);
    curl_close($ch);

    //curl_exec() returns false when the transfer fails
    if($data === false || stripos($data, "LICENSE FILE DATA") === false)
        return false;
    else
    {
        //You can either save their license as a license file like I do
        //Or you can return it for whatever they need to use it for.
        $file = fopen("key.php", "w");
        fwrite($file, $data);
        fclose($file);

        return true;
    }
}


Basically I'm not sure if Ioncube says it's against their license or not, but the above could be modified for your purpose for customers using the wrapper but do not have a VPS or higher. The obvious issue of course is your customers would have to transmit their own customer's license information and possibly passkey of their own software to you (thus why an SSL port is highly recommended) in order to generate back a license key for their customer.

PS: I own and operate ionvz.com which is both a shared and VPS provider, however my VPSes start at 34.99/month, there are however providers starting at only 11/month such as photonvps.com and some even 5/month, however I'll just say this : you get what you pay for.
_________________
http://ionvz.com
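
The server side of the 'phone home' wrapper described in the post above has to turn request values into make_license arguments, so the following is an added example (not kblessing's code and not ionCube's) of validating those values before the command line is built. The function names, the MAKE_LICENSE_PASSPHRASE environment variable and the sample requests are assumptions made for illustration; only the make_license options already shown in the post are used.

```php
<?php
// Added example. Hypothetical names: is_valid_hostname(), is_valid_property(),
// build_make_license_command(), MAKE_LICENSE_PASSPHRASE.

// Accept only plain DNS host names (letters, digits, hyphens, dots).
function is_valid_hostname(string $host): bool
{
    $re = '/^(?=.{1,253}\z)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/i';
    return preg_match($re, $host) === 1;
}

// Property values end up inside regname='...',txn='...', so quotes and commas
// would change the meaning of the property list even without a shell involved.
function is_valid_property(string $value): bool
{
    return preg_match('/\A[A-Za-z0-9 ._@-]{1,64}\z/', $value) === 1;
}

// Returns the command line, or null when any value fails validation.
function build_make_license_command(string $name, string $txn, string $domain): ?string
{
    if (!is_valid_hostname($domain) || !is_valid_property($name) || !is_valid_property($txn)) {
        return null; // reject rather than try to clean up hostile input
    }
    // Keep the passphrase out of the source file; the fallback is a constructed placeholder.
    $passphrase = getenv('MAKE_LICENSE_PASSPHRASE') ?: 'CONSTRUCTED-PLACEHOLDER';
    $args = [
        '--passphrase', $passphrase,
        '--header-line', '<?php',
        '--header-line', 'exit(0);',
        '--header-line', '?>',
        '--properties', "regname='" . $name . "',txn='" . $txn . "'",
        '--allowed-server', $domain . ',www.' . $domain,
    ];
    // Every argument is quoted as a whole, never concatenated raw into the command.
    return 'make_license ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample requests: one well-formed, two that must be refused.
$samples = [
    ['Jane Doe', 'TXN-1001', 'example.com'],
    ['Jane Doe', 'TXN-1002', 'example.com; cat /etc/passwd'],
    ["x',admin='1", 'TXN-1003', 'example.com'],
];
foreach ($samples as [$name, $txn, $domain]) {
    $cmd = build_make_license_command($name, $txn, $domain);
    echo ($cmd === null ? 'REJECTED' : $cmd), "\n";
}
```

Only the first sample produces a command; the other two are rejected before anything reaches the shell.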
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2754

Posted: Wed Aug 18, 2010 12:39 pm

Quote:
you get what you pay for.


I sometimes paraphrase and flip this around to say that you don't get what you don't pay for, and should be kept in mind. While in general it's good to keep expenses in check, for a viable business, a few hundred $ difference a year in hosting is not going to be significant in the big scheme of things, but can make an important difference in terms of features and business benefits.
_________________
Community Admin
kblessing



Joined: 31 May 2009
Posts: 241
Location: Grand Rapids, Mi

Posted: Wed Aug 18, 2010 3:46 pm

nick wrote:
Quote:
you get what you pay for.


I sometimes paraphrase and flip this around to say that you don't get what you don't pay for, and should be kept in mind. While in general it's good to keep expenses in check, for a viable business, a few hundred $ difference a year in hosting is not going to be significant in the big scheme of things, but can make an important difference in terms of features and business benefits.


Well I was placing emphasis on the cheap end of the scale, ie: a host who gives you 1GB VPS at 5/month versus paying 30 or more which sounds more likely not be oversold. But yes I do agree that in *some* cases paying more doesn't always give you more.
_________________
http://ionvz.com
liaison
ionCube Support


Joined: 16 Dec 2004
Posts: 2754

Posted: Thu Aug 19, 2010 1:38 pm

Right, my point was the same (the double inversion of the logic in the popular phrase keeps the outcome the same).
_________________
Community Admin