I am distributing a PHP created plugin like a Wordpress plugin but I want to implement an API key for it and users would need to enter an API key to unlock it for it to work.
How can that be done? And yes I already know it could be easily bypassed since PHP is not compiled but atleast it will deter some people with no PHP knowledge.
Thanks..
I don't think you understand what an API key is.
An API key is a key that allows you or a script to access and interact with an API or an online service.
What you seem to be describing is some sort of license key, that would prevent a user from operating your script without perhaps payment or registration.
While an API key often does require payment or registration, the two are really not the same thing.
API keys are typically put into place to track the use, and prevent abuse of online services and data.
It appears that in your case you are simply trying to restrict access to your script.
Unless your script has a fundamental dependency on a remote data source, this method will not work because any user with any distant knowledge of PHP will just remove the code that performs the validation.
With PHP, the same applies to a license key. User's will find a way to circumvent it, unless they need it for the script to perform.
The validation must be performed remotely, and there must be some incentive to leave it in-tact (access to remote data being the obvious one).
You can scramble the actual source code with the API key. Encrypt some essential part of the source code (e.g. using libmcrypt), and have the script load and decrypt the source. Of course, somebody finding the relevant routine could then easily dump the source to disk and use that instead, but it won't be as trivial as removing a check.
Its absolutely pointless. As its php you have to send the source code and any user can just remove the license check code and run it.
Besides people don't like messing with license keys unless you software is really, really useful, desirable or essential they will either find a license key free alternative or just not bother with it.
If you don't care about people removing your check then you really only need to add a if statement that validates if the configured license key is valid or not.
I noticed you mentioned your license keys were simply SHA1 hashes. You could easily append an extra 4 characters to the hash, which you could use as checksum.
For instance:
function generate_key()
{
$serial = sha1(uniqid(rand(), true));
$checksum = substr(md5($serial), 0, 4);
return $serial . $checksum;
}
function verify_key($key)
{
$serial = substr($key, 0, 40);
$checksum = substr($key, -4);
return md5($serial, 0, 4) == $checksum;
}
This is a very simple example, but it is simply instructional.
Essentially you would validate whether the license key is valid on the host's server instead of pinging a script on your server.
The drawback of this is that anyone would be able to generate a valid key by opening the source code and finding validate_key.
You could have it call an external script to do the verify_key, but is it really worth the effort? Also, you will be sacrificing page load time to verify the key.
I recall vBulletin having a very easy to crack licensing system, but they had a hidden 1x1 image in a few sections which pinged a script on their domain. Using the logs, they were able to determine which domains were hosting illegal copies of their software and they simply sent a lawyer's letter to the admin.
If you wanted a more robust solution, I would suggest maybe looking into Zend Guard, but you seem not to care about people cracking your software so personally I would just go as simple as possible.
