How to implement an API key in PHP software?

Posted on 2024-10-07 23:07:38

I am distributing a PHP created plugin like a WordPress plugin but I want to implement an API key for it and users would need to enter an API key to unlock it for it to work.

How can that be done? And yes, I already know it could be easily bypassed since PHP is not compiled, but at least it will deter some people with no PHP knowledge.

Thanks..


Comments (4)

紫南 2024-10-14 23:07:39

If you don't care about people removing your check then you really only need to add an if statement that validates if the configured license key is valid or not.

I noticed you mentioned your license keys were simply SHA1 hashes. You could easily append an extra 4 characters to the hash, which you could use as checksum.

For instance:

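// Build a 44-character key: 40-char SHA1 serial followed by a 4-char MD5 checksum.
function generate_key()
{
  $serial = sha1(uniqid(rand(), true));
  $checksum = substr(md5($serial), 0, 4);
  return $serial . $checksum;
}

// Recompute the checksum from the serial part and compare it with the supplied one.
function verify_key($key)
{
  $serial = substr($key, 0, 40);
  $checksum = substr($key, -4);
  // md5() takes no offset/length arguments, so truncate its output with substr().
  // Strict comparison avoids numeric-string juggling (e.g. "0e12" == "0e34" is true).
  return substr(md5($serial), 0, 4) === $checksum;
}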

This is a very simple example, but it is simply instructional.

Essentially you would validate whether the license key is valid on the host's server instead of pinging a script on your server.

The drawback of this is that anyone would be able to generate a valid key by opening the source code and finding validate_key.

You could have it call an external script to do the verify_key, but is it really worth the effort? Also, you will be sacrificing page load time to verify the key.

I recall vBulletin having a very easy to crack licensing system, but they had a hidden 1x1 image in a few sections which pinged a script on their domain. Using the logs, they were able to determine which domains were hosting illegal copies of their software and they simply sent a lawyer's letter to the admin.

If you wanted a more robust solution, I would suggest maybe looking into Zend Guard, but you seem not to care about people cracking your software so personally I would just go as simple as possible.
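
The drawback raised in the answer above is that the verification routine shipped with the plugin is enough to mint new keys. The following added example (not part of the answer or of any project named here) shows one way to avoid that with an Ed25519 signature from PHP's sodium extension: the plugin carries only the public key. The function names, key format and sample domains are assumptions made for illustration, and the check can still be deleted from the source, as the thread notes.

```php
<?php
declare(strict_types=1);

const B64 = SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING;

// Vendor side only (hypothetical helper): the secret key never ships with the plugin.
function issue_license(string $domain, string $secretKey): string
{
    $payload = json_encode(['domain' => strtolower($domain)], JSON_THROW_ON_ERROR);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return sodium_bin2base64($payload, B64) . '.' . sodium_bin2base64($sig, B64);
}

// Plugin side (hypothetical helper): holds only the public key, which cannot sign.
function verify_license(string $key, string $domain, string $publicKey): bool
{
    $parts = explode('.', $key);
    if (count($parts) !== 2) {
        return false;
    }
    try {
        $payload = sodium_base642bin($parts[0], B64);
        $sig = sodium_base642bin($parts[1], B64);
        if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES
            || !sodium_crypto_sign_verify_detached($sig, $payload, $publicKey)) {
            return false;
        }
    } catch (SodiumException $e) {
        return false; // malformed base64 or wrong-length input
    }
    // Only trust the claims after the signature has been verified.
    $claims = json_decode($payload, true);
    return is_array($claims)
        && is_string($claims['domain'] ?? null)
        && $claims['domain'] === strtolower($domain);
}

// Constructed demo: keypair generated on the spot, sample domains are made up.
$pair = sodium_crypto_sign_keypair();
$secret = sodium_crypto_sign_secretkey($pair);
$public = sodium_crypto_sign_publickey($pair);

$key = issue_license('shop.example', $secret);
$forged = sodium_bin2base64('{"domain":"other.example"}', B64)
    . '.' . explode('.', $key)[1];

var_dump(verify_license($key, 'shop.example', $public));     // key on its issued domain
var_dump(verify_license($key, 'other.example', $public));    // same key on another domain
var_dump(verify_license($forged, 'other.example', $public)); // edited payload, old signature
```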

提赋 2024-10-14 23:07:38

I don't think you understand what an API key is.

An API key is a key that allows you or a script to access and interact with an API or an online service.

What you seem to be describing is some sort of license key, that would prevent a user from operating your script without perhaps payment or registration.

While an API key often does require payment or registration, the two are really not the same thing.

API keys are typically put into place to track the use, and prevent abuse of online services and data.

It appears that in your case you are simply trying to restrict access to your script.

Unless your script has a fundamental dependency on a remote data source, this method will not work because any user with any distant knowledge of PHP will just remove the code that performs the validation.

With PHP, the same applies to a license key. Users will find a way to circumvent it, unless they need it for the script to perform.

The validation must be performed remotely, and there must be some incentive to leave it intact (access to remote data being the obvious one).

You can scramble the actual source code with the API key. Encrypt some essential part of the source code (e.g. using libmcrypt), and have the script load and decrypt the source. Of course, somebody finding the relevant routine could then easily dump the source to disk and use that instead, but it won't be as trivial as removing a check.

悲欢浪云 2024-10-14 23:07:38

It's absolutely pointless. As it's PHP you have to send the source code and any user can just remove the license check code and run it.

Besides, people don't like messing with license keys; unless your software is really, really useful, desirable or essential, they will either find a license-key-free alternative or just not bother with it.
