file_get_contents a bad idea? – PHP


Q(Question):

Hello,

I’m writing a sophisticated e-commerce software suite in PHP. What I want to be able to do is have customers use my software but not have access to the source code of my PHP so they can’t copy it etc… So, I figured I’d use the file_get_contents(); function to get the data I need from my software to display it on their custom store page. I created the following script to do it.


<?php
// eCommPHP Pro Store script v. 1.0 By. Aaron Lambert
// NOTE: LAMBERT SOFTWARE MUST KNOW THE EXACT URL AND NAME OF THIS FILE TO UPDATE
// YOUR RECORDS SO THAT ECOMMPHPPRO WORKS PROPERLY. THE DOMAIN NAME NEEDS TO MATCH
// THE DOMAIN WE HAVE ON FILE OR YOU WILL BE CHARGED A NEW LICENSE FEE.
// IF YOU PERSONALLY MODIFY THIS FILE AND IT DOESN'T MATCH THE FILE WE HAVE ON
// RECORD FOR YOU, THE CODE WILL NOT BE SUPPORTED BY OUR TEAM.
// If you would like customization to your layout, we offer a great layout customization
// package for only $49.99 per layout!
// Set up the company code to match what was given to you by Lambert Software.
// If this is changed, your store will not work!
$companycode = 'bobspancakes';
// *** REQUIRED CODE BY LAMBERT SOFTWARE ***
$ecommfetch = 'http://www.ecommphppro.com/' . $companycode . '/';
// Start with an empty query string so the .= appends below never hit an undefined variable
$parameters = '';
// Get the function parameter
if (isset($_GET["fct"]) && $_GET["fct"] != '') {
    $function = $_GET["fct"];
} else {
    $function = 'catalog';
}
// Determine which function we need from eCommPHP Pro
switch ($function) {
    case 'catalog':
        $ecommfetch .= 'catalog.php';
        break;
    case 'viewitem':
        $ecommfetch .= 'viewitem.php';
        break;
    case 'viewcart':
        $ecommfetch .= 'cart.php';
        break;
    case 'addcart':
        $ecommfetch .= 'cart.php';
        $parameters = 'fct=add';
        break;
    case 'delcartitem':
        $ecommfetch .= 'cart.php';
        $parameters = 'fct=delitem';
        break;
    case 'cancelorder':
        $ecommfetch .= 'cart.php';
        $parameters = 'fct=co';
        break;
    default:
        // Unknown function name: fall back to the catalog
        $ecommfetch .= 'catalog.php';
        break;
}
// Now that we have the function, lets process the parameters passed.
// Each value is URL-encoded so a visitor cannot smuggle extra parameters into the fetch URL.
if (isset($_GET["scat"]) && $_GET["scat"] != '') {
    $parameters .= '&scat=' . urlencode($_GET["scat"]);
}
if (isset($_GET["pg"]) && $_GET["pg"] != '') {
    $parameters .= '&pg=' . urlencode($_GET["pg"]);
}
if (isset($_GET["ppg"]) && $_GET["ppg"] != '') {
    $parameters .= '&ppg=' . urlencode($_GET["ppg"]);
}
if (isset($_GET["srt"]) && $_GET["srt"] != '') {
    $parameters .= '&srt=' . urlencode($_GET["srt"]);
}
if (isset($_GET["srch"]) && $_GET["srch"] != '') {
    $parameters .= '&srch=' . urlencode($_GET["srch"]);
}
if (isset($_GET["inum"]) && $_GET["inum"] != '') {
    $parameters .= '&inum=' . urlencode($_GET["inum"]);
}
if (isset($_GET["qty"]) && $_GET["qty"] != '') {
    $parameters .= '&qty=' . urlencode($_GET["qty"]);
}
if (isset($_GET["vimgnum"]) && $_GET["vimgnum"] != '') {
    $parameters .= '&vimgnum=' . urlencode($_GET["vimgnum"]);
}
// Now lets make sure the right delimiter is in place for the function
if (substr($parameters, 0, 1) == '&') {
    $parameters = '?' . substr($parameters, 1);
} else {
    if ($parameters != '') {
        $parameters = '?' . $parameters;
    }
}
// Add the parameters to the fetch URL
$ecommfetch .= $parameters;
// Replace spaces with +
$ecommfetch = str_replace(" ", "+", $ecommfetch);
// Go ahead and fetch the page now.
session_start();
// Debug output: shows the URL that is about to be fetched
echo $ecommfetch;
echo file_get_contents($ecommfetch);
// *** END OF REQUIRED CODE ***
?>

While doing this, I came across a big show stopper, $_SESSION variables. When I add an item to my shopping cart, it creates a session variable with the new order number. If I use the script above, of course the session variables will not get sent over because file_get_contents(); only gets HTML content, so the SESSION variables I imagine are only being created on my server side and not on the customer’s web site…

I was then thinking of just redirecting to my cart software on my server, but that negates the idea of having the customers’ clients log in themselves and have the feature of customers logging in to their store.

I’m extremely confused… How should I approach developing my software so it can’t be stolen?? I put a lot of work into this.

Thanks!

A(Answer):

IMO, you should provide the access to your cart software through an API and forbid access to your code files (but not the API files), e.g. by .htaccess

This may require a programme on the client’s side to ease API usage (like jQuery does for JavaScript)

A(Answer):

I’m very inexperienced with APIs etc… know of any good resources where I can learn those types of things?

A(Answer):

An API is simply a set of methods that can be accessed publicly (take the DOM for example)

A(Answer):

Yeah I kinda know how APIs work, I know how they work with Visual Basic, but I don’t know how they work on the web or how to design one, I’m not very smart like that.

A(Answer):

An API is language independent. All you need to know is what the client needs to do by your "hidden" code and provide the hooks to do it.

A(Answer):

Furthermore…

Application Program Interface.

The key word there is "interface". All you have to do is provide some kind of way (any standard way is fine) for external applications to talk to your program.

Dan
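
The approach suggested in the answers above, sketched as an added example (not code from the original posters): a store-side stub that calls a JSON API on the vendor's server instead of fetching rendered pages. The `api.php` endpoint, the `X-Cart-Token` header and the response shape are assumptions; the cart token kept in the store's own session is what lets the vendor server track a cart, which addresses the `$_SESSION` problem from the question.

```php
<?php
// Added example: store-side stub that calls a hypothetical vendor JSON API.
session_start();

const API_URL = 'https://www.ecommphppro.com/api.php'; // hypothetical endpoint
const ACTIONS = ['catalog', 'viewitem', 'viewcart', 'addcart', 'delcartitem', 'cancelorder'];
const PARAMS  = ['scat', 'pg', 'ppg', 'srt', 'srch', 'inum', 'qty', 'vimgnum'];
$companycode = 'bobspancakes';

// The cart token lives in the store's own session; the vendor keys cart state on it.
if (empty($_SESSION['cart_token'])) {
    $_SESSION['cart_token'] = bin2hex(random_bytes(16));
}

// Build the API URL from an allow-list of actions and parameter names.
function build_api_url(array $get, string $company): string
{
    $action = $get['fct'] ?? 'catalog';
    if (!in_array($action, ACTIONS, true)) {
        $action = 'catalog';
    }
    $params = array_intersect_key($get, array_flip(PARAMS));
    $params = array_filter($params, 'is_string'); // drop array input such as ?pg[]=1
    // http_build_query() URL-encodes every value
    return API_URL . '?' . http_build_query(['company' => $company, 'action' => $action] + $params);
}

// Call the API; the token travels in a header (assumed name) rather than the URL.
function call_api(string $url, string $token): ?array
{
    $ctx = stream_context_create(['http' => [
        'method'  => 'GET',
        'header'  => "X-Cart-Token: $token\r\nAccept: application/json\r\n",
        'timeout' => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    $data = ($body === false) ? null : json_decode($body, true);
    return is_array($data) ? $data : null;
}

$result = call_api(build_api_url($_GET, $companycode), $_SESSION['cart_token']);
if ($result === null) {
    echo 'Store temporarily unavailable.';
} else {
    // Assumed response shape: {"items": [{"name": "...", "price": "..."}]}
    foreach ($result['items'] ?? [] as $item) {
        echo '<p>', htmlspecialchars((string)($item['name'] ?? '')), ': ',
             htmlspecialchars((string)($item['price'] ?? '')), '</p>';
    }
}
```

Because the stub only receives data and renders it locally, none of the vendor's PHP source ever leaves the vendor's server.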
