I'm trying to implement an as-simple-as-possible licensing system in an installable web-app that I'm building (user downloads and uploads to their server). After learning that sessions can't be set cross-domain (which was my first choice), I've now thought about including an external file on my server, containing a function called validate() which validates whether or not the license exists in my database.

Flow of events: User inputs license key on his site -> License key posted to the file /validate.php which includes a file from my server -> Server checks to see if license key is included in database -> If yes, sets a session on users domain and redirects to admin section -> If no, redirects back to login page, with an error message.

Here's my code (theoretical - may have issues):

validate.php

include("http://www.example.com/function.php");
validate($_POST['license']);

function.php

include("db_conn.php");

function validate($license) {
    // Connection settings are defined in db_conn.php, which is included at global scope
    global $db_host, $db_user, $db_pass, $db_name;
    $conn = mysql_connect($db_host, $db_user, $db_pass);
    mysql_select_db($db_name);

    $license = mysql_real_escape_string($license);

    $query = "SELECT * FROM licenses WHERE license = '$license'";
    $result = mysql_query($query);

    if (mysql_num_rows($result) == 1) {
        mysql_close($conn);
        session_set_cookie_params(60*60*24*30, "/", "." . $_SERVER['SERVER_NAME']);
        session_start();
        // Assignment, not comparison
        $_SESSION['license_valid'] = "YES";
        header("Location: http://" . $_SERVER['SERVER_NAME'] . "/admin");
    } else {
        mysql_close($conn);
        header("Location: http://" . $_SERVER['SERVER_NAME'] . "/login/?error=1");
    }
}

The problem is, I'm not sure how the server will handle the function validate(). For example, will the session be set on my server, or the user's server? Will it use my $_SERVER['SERVER_NAME'] or the user's? Will it look to include db_conn.php from my server, or the user's?

  • You want to include from the file system, otherwise you get the PHP-parsed file when including via HTTP. Commented Sep 12, 2011 at 2:58
  • @Dagon: Could you be a bit more specific? Do you mean that something like this wouldn't work when externally included? Commented Sep 12, 2011 at 2:59

1 Answer

Your projected flow:
User inputs license key on his site (happens on his server)
License key posted to the file /validate.php ... (happens on his server)
...which includes a file from my server (which doesn't work)

Your actual flow will be:
User inputs license key on his site (happens on his server)
License key posted to the file yoursite.com/validate.php ... (happens on his server)
... which runs a script on your server.

Your server checks to see if license key is included in the database.

If yes, sets a session on your server for that user, and redirects to admin section on your server.
If no, redirects to login page on your server, with an error message.


The correct way to set it up is to have a file on your server that takes a URL parameter of the license key, checks to see if it's valid, then outputs something to indicate whether it is or not.

validate.php (on your server)

<?php
session_start();

$key = $_POST['license_key'];
// Please clean this variable, obvious SQL injection, blah blah

include('function.php'); // From your server, contains the validate() function
if (validate($key))
{
    // Log them in on your server
    $_SESSION['license_key'] = $key;
}
else
{
    // Say error and show the login form from your server
}

Now someone on another server can set the action on their <form> to http://yourserver.com/validate.php and your server will take over from there.


When you include a script, all the variables in the included script will run as if they were inline, inside the including script.

Essentially, just imagine all that code is inside validate.php, and it will run as if it were.

There is a gotcha to watch out for here - if function.php is in a different directory to validate.php, the include inside validate.php which asks for db_conn.php will fail - you'll need to change this page to match the path from the including file.


6 Comments

Ah, so I guess I should change the database connection detail include to include("http://www.example.com/db_conn.php");. Are there any potential security issues doing this? (These are credentials for my database).
It won't work. If you access it as an absolute path (http...) it will parse the PHP, then send the output of the script to the include function - and that'll be empty. You have to use a relative path instead (eg path/from/here/to/db_conn.php or /path/from/root/to/db_conn.php). I'd recommend a path from the root, then it doesn't matter which file includes it, it will always look from a known place, to a known place, on a known path, so will always work (unless you change a folder name, obviously).
In your answer, before the break it looks as though you're saying that it'll use the user's server (where validate.php is), and after the break as though it'll use mine?
@Pixelatron - it'll be the server that does the 'include'. your question was ambiguous as to what was where. Also, including a db connection script from another server doesn't magically give you access to the database itself.
@Joe. Your answer was my third option, believe it or not :). Ultimately the idea is that a session gets set for a user on his server IF a license is valid. I was kind of thinking that if I have a file containing something like, pastebin.com/ThFSq6EG, that it might be easier for the user to simply post "valid", and activate their own session. Guess I'll have to find a decent PHP obfuscation service. Thanks for your help and clearing up what's what :)!
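
The answer's endpoint that "outputs something to indicate whether it is or not", and the last comment's idea of posting "valid" back to the customer's site, both depend on the install being able to trust that reply. The following is an added example, not code from the post or its commenters: the license server signs its verdict with Ed25519 through PHP's sodium extension and the install verifies it. The function names, payload fields, sample license key and domains are assumptions.

```php
<?php
declare(strict_types=1);

// Vendor side (your server): sign the verdict for one key, one domain, one request.
function issue_verdict(string $secretKey, string $license, string $domain, string $nonce, bool $valid): string
{
    $payload = json_encode([
        'license' => $license,
        'domain'  => $domain,
        'nonce'   => $nonce,        // chosen by the customer install and echoed back
        'valid'   => $valid,
        'expires' => time() + 300,  // verdict is only good for five minutes
    ], JSON_THROW_ON_ERROR);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return base64_encode($payload) . '.' . base64_encode($sig);
}

// Customer side: accept only if signature, domain, nonce and expiry all check out.
function verify_verdict(string $publicKey, string $token, string $domain, string $nonce): bool
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false;
    }
    $payload = base64_decode($parts[0], true);
    $sig     = base64_decode($parts[1], true);
    if ($payload === false || $sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false;
    }
    if (!sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
        return false; // forged or altered reply, such as a bare "valid"
    }
    $data = json_decode($payload, true);
    return is_array($data)
        && ($data['valid'] ?? false) === true
        && ($data['domain'] ?? null) === $domain
        && ($data['nonce'] ?? null) === $nonce
        && (int) ($data['expires'] ?? 0) >= time();
}

// Constructed demo: a throwaway keypair stands in for the vendor's real signing key.
$pair  = sodium_crypto_sign_keypair();
$sk    = sodium_crypto_sign_secretkey($pair);
$pk    = sodium_crypto_sign_publickey($pair);
$nonce = bin2hex(random_bytes(16));
$token = issue_verdict($sk, 'AAAA-BBBB-CCCC', 'shop.example.org', $nonce, true);
var_dump(verify_verdict($pk, $token, 'shop.example.org', $nonce));  // genuine verdict
var_dump(verify_verdict($pk, $token, 'other.example.net', $nonce)); // replayed on another domain
var_dump(verify_verdict($pk, 'dmFsaWQ=.dmFsaWQ=', 'shop.example.org', $nonce)); // unsigned "valid"
```

Only the public key ships with the installable app, so a customer cannot mint a valid verdict. The signature stops forged and replayed replies; it does not stop someone who controls the install from editing the check out of the source.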