I’m building an application that’s self-hosted, and I’d like to have some form of licensing to minimize fraudulent downloads/distribution.

Of course, I’m well aware that being self-hosted someone could simply rip out all license features from the source-code, but the con’s of using a compiler like Zend Guard or ionCube far outweigh the pro’s in my opinion – nonetheless I’d like to have some basic form of license security.

What I originally had in mind to do was: user logs in with license on app -> app posts license to my server -> server sends a response via a HTTP GET request -> app evaluates response, and if license is valid sets a value in a session variable (A), if invalid returns to login screen with an error.

The problem with this is, the evaluation of response/session setting is readily available in a application file, so if the user knows a little PHP and checks in on that source code, they’ll realize all they’ll need to do is set a session themselves with a particular $_SESSION['_valid_license'] value, and they’ll be good to go.

What I was considering doing to make it a little less easy was (if possible) to post PHP back as a response, and then have the application file execute it, for example:

My original code:

$response = $_GET['response'];

if($response == "fjdkuf9") {
start_session();
$_SESSION['_valid_license'] = "YES";
header("Location:" . $rp . "/admin/");
} else {
header("Location:" . $rp . "/login/?err=1");
}

My new concept:

$response = $_POST['response'];
str_replace("\", "", $response);

With the following being posted as response:

start_session();
\$_SESSION[\'_valid_license\'] = \"YES\";
header(\"Location:\" . \$rp . \"/admin/\");

Would that execute $response as actual PHP code after str_replace()? If possible, this would be great, as it would mean evaluation would be done on my server rather than within the self-hosted app itself.