Archive: Issues while validating license key online via installer
Issues while validating license key online via installer
HI , Have attached the script ...when i enter the correct key , it still shows Invalid key .
URL :http://pnilyaoverseas.com/pankaj/tes...aa-aaaaa-aaaaa
SO correct key :aaaaa-aaaaa-aaaaa-aaaaa-aaaaa
Regards
Pankaj
correct file
Sorry attached the wrong file , find the correct one.
Thanks
You may wish to check your PHP code. The file that gets downloaded reads 'INVALID', itself.
P.S. you've got a typo.. slient -> silent
Attaching the php too .
But when i try from browser it returns "VALID"
try adding the value that the PHP appears to get ($_GET['test']) to the output, or use one of the PHP debug print statements.. I don't have a PHP server up and running anywhere, but I'm guessing that it's not getting what you think it's getting from the POST command
Here's what you'd want to do:
First of all, good thing you're taking measures to prevent SQL injection. However there's a much easier way to go about it:
I should warn you that simply fetching a URI is a highly un-trustworthy operation. It would be trivial for someone to fuss around with their hosts file and point the installer to a different license server through DNS spoofing. If you hardcode the IP address, that can still be changed by working with the host computer's routing tables. The only way to ensure a secure response is to use a primitive sort of digital signature to ensure that the response came from a trusted server.<?php('HOSTNAME', 'localhost');
define
>define('USERNAME', 'indiamm_test');
>define('PASSWORD', 'test');
>define('DATABASE_NAME', 'indiamm_pankaj');
>define('RESPONSE_KEY', '4PdUAoeGZ9Tq*1bpI***93;Le4P!{MsXUtqzR***93;p!T%++xf2&wbb4ISe7jGoIAQAusMw,j');
>$db = mysql_connect(HOSTNAME, USERNAME, PASSWORD) OR die ('I cannot connect to MySQL.');
if ( !mysql_select_db(DATABASE_NAME) )
{
die('Unable to select database.');
}
>$key = ( isset($_GET***91;'key'***93;) ) ? mysql_real_escape_string($_GET***91;'key'***93;) : '';
if ( empty($key) )
die('INVALID');
>$result = mysql_query("SELECT status FROM key WHERE id = '$key';");
if ( !$result )
{
die('INVALID');
}
>// check if records were returned
>if ( mysql_num_rows($result) > 0 )
{
// this hash will be unique among all installers.
$hash = md5($_GET***91;'test'***93; . RESPONSE_KEY);
echo <<<EOF
>***91;result***93;
status=valid
hash=$hash
>EOF;
}
else
{
echo <<<EOF
>***91;result***93;
status=invalid
hash=
>EOF;
}
@mysql_free_result($result);
>mysql_close($db);
>?>
This is untested code as I'm currently on a Linux system and lack the resources to test, but I believe it should work. Hopefully this will give you an idea of how a server's response can be fully authenticated.'4PdUAoeGZ9Tq*1bpI***93;Le4P!{MsXUtqzR***93;p!T%++xf2&wbb4ISe7jGoIAQAusMw,j'::download_quiet "http://yoursite.com/checklicense.php?key=$0" $1
>Function ValidateLicense
Exch$0
Push$1
Push$2
Push$3
Push$4
GetTempFileName$1
nsisdl
ReadINIStr$2 $1 "result" "status"
StrCpy $4 "invalid"
StrCmp $2 "valid" "" done
; remote server claims the key is valid
; $2 = hash from server - untrusted
ReadINIStr$2 $1 "result" "hash"
; $3 = the correct hash
DCryptDll::MD5Hash "SS" "$0${RESPONSE_KEY}" "--End--"
Pop $3
; make sure DCryptDll didnt error out
StrCmp$3 "OK" "" done
Pop$3
StrCmp$2 $3 "" done
; hash is valid
StrCpy$4 "valid"
done:
Delete $1
Pop$4
Pop$3
Pop$2
Pop$1
Exch$0
FunctionEnd
>