[PHP, MySQL - VB6] Secure License System

[Quackster]

Hello! (:

Must have VB6 on your comp

Since all of you know I am a Visual Basic, C#, PHP coder. I have made this little script which allows you to add, remove and edit licenses.

The VB6 reads the website, url path must be hidden also VB6 cannot be decompiled and you can edit the licenses using MySQL database, but make sure you make a config.ini for a user to add their license.

Please excuse my poor PHP :D

index.php

PHP Code:

<?php

mysqlConn();
ConfirmKey($_GET['key'], $_GET['name']);

//---
// Start the functions
//---
function mysqlConn()
{
   $q = mysql_connect("root", "username", "password");
   $q = mysql_select_db("database");
   return $q;
}
function ConfirmKey($key, $name)
{
   $q = mysql_query("SELECT * FROM `keys` WHERE `key`='".$key."'") or die (mysql_error());
   $q = mysql_fetch_array($q);

   if(isset($key) == $q["key"] || isset($name) == $q["name"])
   {
       echo "License is correct!";
   }
   else if(isset($key) != $q["key"] || isset($name) != $q["name"])
   {
       echo "License is incorrect";
   }
   else if($key == "" || $name == "")
   {
       echo "License is incorrect";
   }
   else if(!isset($key) || !isset($name))
   {
       echo "License is incorrect";
   }
   else
   {
       echo "License is incorrect";
   }
}
?>

database

Code:

CREATE TABLE IF NOT EXISTS `keys` (
  `key` varchar(111) NOT NULL,
  `name` varchar(111) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Download the source and find this...

Code:

Text = Inet1.OpenURL("http://localhost/license/index.php?key=" & LicenseKey & "&name=" & LicenseName) 'Opens the url source

Edit "http://localhost/license/index.php" to the website where you have installed the PHP file.

config.ini

Code:

[license]
name=
key=

[MentaL]

[Emerica]

Nice php script, thanks.

[s-p-n]

There's no excuse for poor code.

Placing $_GET into a mysql query is insecure.

The isset function returns true/false. It's never going to equal the key unless the key is actually the word "true" or "false".

It's very bad PHP code, and makes no sense, fix it.


Edit:

Don't blame these bad practices on poor PHP knowledge, the broad concept of this logic can be used in pretty much all programming languages. (I've explained under this code here.)

Here, I fixed it for you:

PHP Code:

<?php

// Connect to database
mysqlConn();

// If 'key' or 'name' aren't set....
if( !isset( $_GET['key'] ) || !isset( $_GET['name'] ) )
{
    // Set the key and name here:
    $_GET['key'] = '';
    $_GET['name'] = '';
}

// If key/name confirmation is true
if( ConfirmKey($_GET['key'], $_GET['name']) )
{
    // The key must be valid
    echo 'Valid Key!';
} else {
    // The key must be invalid
    echo 'Invalid Key.';
}



//---
// Start the functions
//---
function mysqlConn()
{
    // Connect to MySQL
    $q = mysql_connect("root", "username", "password");
    
    // Select MySQL Database
    mysql_select_db("database", $q);
    
    return $q;
}

function ConfirmKey($key, $name)
{
    // Returns True if key and name are found together in the database,
    // Returns False otherwise.
    
    // Setup the query
    $check_key = sprintf('SELECT COUNT(*) FROM `keys` WHERE `key` = "%s" AND `name` = "%s"', 
        // Set $key and $name to a MySQL Escaped String (more secure)
        mysql_real_escape_string( $key ),
        mysql_real_escape_string( $name )
    );
    
    // Run the query
    $key_query = mysql_query( $check_key ) 
        // If query fails, tell why
        or die ( 'Error ' . mysql_errno() . ' : ' . mysql_error() );
    
    // put the COUNT(*) data inside $key_row
    $key_row = mysql_fetch_row( $key_query );
    
    // Return true if one or more rows are found.
    // $key_row is an array, and COUNT(*) is the 0th (and only, in this case) index
    return $key_row[0] >= 1;
}

It's quicker and easier to check the name & key in MySQL. You don't need to select any data from the database you're not going to use. (You were selecting all (*) rows for a given key). When you're simply checking if something exists in the database (such as a key along-side a name), you can just count the rows selected which contain a matching key and name, as shown above. COUNT(*) will return an integer- the amount of rows that match that query.

For a confirmation function, you should return true on confirmation and false otherwise. In my code, I returned a boolean statement, "$key_row[0] >= 1". if there are 0 rows, it returns false. If MySQL can find one or more rows where the given $key and $name are together, it returns true.


Since it's good practice to separate logic from design, you should put any echoing, printing, and HTML somewhere outside the confirm_key() function.

One last thing, you shouldn't use variables that might be undefined (Ex: $_GET['etc']), one way to fix this is to define them (if they're not defined) before they're used.

I checked if $_GET['key'] or $_GET['name'] was not set. If they aren't, then I set them to an empty string, since they're supposed to be strings. If they were supposed to be integers, I'd set them to 0, etc.

Hope that helps.

[ChrisDaniel]

how dp you use it, can you do it step by step instructions ????

[MoBaTeY]

Hello! (:

Must have VB6 on your comp

Since all of you know I am a Visual Basic, C#, PHP coder. I have made this little script which allows you to add, remove and edit licenses.

The VB6 reads the website, url path must be hidden also VB6 cannot be decompiled and you can edit the licenses using MySQL database, but make sure you make a config.ini for a user to add their license.

Please excuse my poor PHP :D

index.php

PHP Code:

<?php

mysqlConn();
ConfirmKey($_GET['key'], $_GET['name']);

//---
// Start the functions
//---
function mysqlConn()
{
   $q = mysql_connect("root", "username", "password");
   $q = mysql_select_db("database");
   return $q;
}
function ConfirmKey($key, $name)
{
   $q = mysql_query("SELECT * FROM `keys` WHERE `key`='".$key."'") or die (mysql_error());
   $q = mysql_fetch_array($q);

   if(isset($key) == $q["key"] || isset($name) == $q["name"])
   {
       echo "License is correct!";
   }
   else if(isset($key) != $q["key"] || isset($name) != $q["name"])
   {
       echo "License is incorrect";
   }
   else if($key == "" || $name == "")
   {
       echo "License is incorrect";
   }
   else if(!isset($key) || !isset($name))
   {
       echo "License is incorrect";
   }
   else
   {
       echo "License is incorrect";
   }
}
?>

database

Code:

CREATE TABLE IF NOT EXISTS `keys` (
  `key` varchar(111) NOT NULL,
  `name` varchar(111) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Download the source and find this...

Code:

Text = Inet1.OpenURL("http://localhost/license/index.php?key=" & LicenseKey & "&name=" & LicenseName) 'Opens the url source

Edit "http://localhost/license/index.php" to the website where you have installed the PHP file.

config.ini

Code:

[license]
name=
key=

You can try calling it secure on the PHP side, but on the VB side, it is not secure. I can easily use Olly to debug your program and remove the checks.

[skunken1]

and again.... no security use atleast $key = mysql_real_escape_string($_GET['key']); got damit -.-

Nice anyway

[Quackster]

and again.... no security use atleast $key = mysql_real_escape_string($_GET['key']); got damit -.-

Nice anyway

You wouldn't need to remove the injectable code because people wouldn't know the URL idiot.

[Hejula]

You wouldn't need to remove the injectable code because people wouldn't know the URL idiot.

So what about when someone comes wanting to crack your application, so they log where the license is being checked... then they know the URL don't they?

[Kreain]

you wouldn't need to remove the injectable code because people wouldn't know the url idiot.

i lold so fucking hard at this.

[Quackster]

Yes.

True, but I forget to place that. I was doing this for a friend you see and he rushed me.

[TimeBomb]

Yes.

True, but I forget to place that. I was doing this for a friend you see and he rushed me.

First of all, VB6 is extremely outdated and is no longer updated by Microsoft for a reason. If they don't completely remove compatibility for it in Windows 8, then they will almost surely do it for the Windows 8 successor.

Second of all, don't call it "secure" AND release it to the public unless you are 100% certain that it is indeed "secure".