Howto: Web Serial Authentication

[dwayne12]

Ok heres my code i used to make an install that validates a serial number and name and whatever else you wanna add, and then it emails you the details such as mac address, time and date activated and the copy that their windows is registered too. You don' have too go to those extremes but the option is their if you want it.

SUF7 Code Place this on your activation screen with 2 text fields with the variables of UserName and UserSerial. This code is for the next button:

Code:

-- Gets the username and serial from the text fields named UserName
-- And UserSerial.
sUsername = SessionVar.Expand("%UserName%");
sPassword = SessionVar.Expand("%UserSerial%");

-- Setup the data to be sent. (No md5 though)
sCheckScriptURL = "http://www.domain.com/authenticate.php";
tValuesToPass = {reguser = sUsername, regserial = sPassword};
nSubmitMethod = SUBMITWEB_POST;
nTimeout = 20;
nPort = 80;
tAuthData = nil;
tProxyData = nil;

-- Just some simple stuff to set up
strProductName = SessionVar.Expand("%ProductName%");
-- Email address you want to receive the details on
strEmailTo = "dwayne121@bigpond.com";
-- Location of the mail script to send the details out.
strURL = "http://www.domain.com/mail.php";

-- System Variable Values About The User Passed For The Email
userinfo = System.GetUserInfo();
regowner = userinfo.RegOwner;
netdetails = System.GetLANInfo();
nicaddress = netdetails.NIC;
regorganization = userinfo.RegOrganization;
driveserial = Drive.GetInformation(_SourceDrive).SerialNumber;
time = System.GetTime(TIME_FMT_AMPM);
current_time = System.GetTime(1);
date = System.GetDate(DATE_FMT_EUROPE);
current_date = System.GetDate(2);
emailaddress = "strEmailTo";

-- Prepare the message to be sent
local strMessage = "";
strMessage = strMessage.."Product: "..strProductName.."\r\n";
strMessage = strMessage.."Name: "..SessionVar.Expand("%UserName%").."\r\n";
strMessage = strMessage.."Serial: "..SessionVar.Expand("%UserSerial%").."\r\n";
strMessage = strMessage.."Info: "..regowner.."\r\n";
strMessage = strMessage.."Mac Address: "..nicaddress.."\r\n";
strMessage = strMessage.."Reg Organization: "..regorganization.."\r\n";
strMessage = strMessage.."Drive Serial: "..driveserial.."\r\n";
strMessage = strMessage.."Registration Time: "..current_time.."\r\n";
strMessage = strMessage.."Registration Date: "..current_date;



local strSubject = "Registration for "..strProductName;
local strFrom = emailaddress;
local strTo = strEmailTo;

-- Create the message data to be sent to the mail.php script:
local tblValues = {MailTo=strTo,MailFrom=strFrom,MailSubject=strSubject,MailMessage=strMessage};
local nLastError = Application.GetLastError();

-- Show a dialog box while the persons details are being checked
StatusDlg.Show();
StatusDlg.ShowProgressMeter(false);
StatusDlg.SetTitle("Validating");
StatusDlg.SetStatusText("Please wait while your details are being checked with the server...");
--  Presto Send to the web and hide the activation dialog box
sResult = HTTP.Submit(sCheckScriptURL, tValuesToPass, nSubmitMethod, nTimeout, nPort, tAuthData, tProxyData);
local strResult = HTTP.Submit(strURL,tblValues,SUBMITWEB_POST);
StatusDlg.Hide();



-- The details were correct. (the installer received a value of one)
if sResult == "1" then
	-- The username and password was right
	Screen.Next();
else
	-- Those details provided were wrong. Or no longer in the database.
	Dialog.Message("ERROR", "Those details are invalid. Or they have been removed from the server", MB_OK, MB_ICONSTOP);
end

Heres the code for the php script validating the details:

PHP Code:

<?

// Returns '1' if details received are correct, or '0' if the details were incorrect

// Set the table of users
// Add some entries to the table "Username"=>"Serial"
// You must complete all entrie with a comma, except the last table entry(or it won't work)
$user_table = array(
    "Test"=>"6771-1863-0916-62376",
    "John"=>"6439-6712-0452-34419",
    "Mr Smith"=>"0367-9465-9762-61028",
    "Gary??"=>"4235-9686-7813-91870",
    "NEVER"=>"9861-2206-4899-55662"
);

// Was data posted to the script?
if ($_POST)
{
    // Search through the table
    foreach($user_table as $username=>$serial)
    {
        // Check if the details received via the installer are correct
        if (($_POST['reguser'] == ("$username")) AND ($_POST['regserial'] == ("$serial")))
        {
            // The Details Were Correct And Authenticated, Then Send the result to the installer.
            echo '1';
            exit;
        }
    }
// The details supplied were not correct.Return the value of 0 to tell the installer to not let the install continue without the proper details
echo '0';
exit;
}

else
{
    // The script wasn't sent any post data by the installer. Or it was loaded through a web browser etc.
    echo "No Registration data found. h4x0r";
}

?>

Mail.php this is the file that will email the details of the user to your email address specified.

PHP Code:

<?php

// Send the details received from the users system to yuor email address you specified

$MessageNoSlashes = stripslashes($MailMessage);
$SubjectNoSlashes = stripslashes($MailSubject);

mail(    "$MailTo",
        "$SubjectNoSlashes",
        "$MessageNoSlashes",
        "From: $MailFrom\r\n"
        ."Reply-To: $MailFrom\r\n");
?>

[Adam]

Nice example!!

Adam Kapilik

[Intrigued]

Looking good. When I get some time I'll have to give this a go.

Thanks for sharing.

[Tek]

Good example!

I would like to see something like this that uses some database backend like MySQL to check the table of serial numbers, and can update it when it is activated so that it can't be used again. Managing a PHP file with serial numbers is not very convenient in my opinion if you have a large number of customers and/or products.

If anyone has some code to do this already, I would love to see it. If not, if someone wants to try and tackle this, please come forward!

[dwayne12]

I'll give it a shot i'm pretty handy with php actually. Ok here is what i was thinking of tell me if this is too your liking i'll code it and stuff and then share it with everyone.

A Php script that connects to a mysql database which in turn checks a serial and username sent from the installer using md5 encryption of course. Then it goes one step further and maybe locks that serial to the harddrive serial number or something like that? Maybe if someone has programming knowledge they could make a plugin of some sort that maybe allows hardware id's to be generated in the same way microsoft does with windows XP.

Also if it's a business solution for companys why not add an admin backend to the php/mysql system as well? Allowing you to add and remove of serials and usernames as well as stats and other stuff. I think it would be great and i'm gonna give it a go i'll keep you's informed as I attempt to try this. I'll freely share it with you if I am successful.

[Tek]

That sounds pretty good to me and is basically what I was thinking. If you want to go ahead and try this, I would be mroe than willing to test this out for you.

Let me know how you progress with this and if you need any help. I'll try to do what I can! Thanks!

[dwayne12]

Well the mysql part is the simple bit. But now i've started on the admin panel for adding serials etc and reporting stats. It's coming along ok but I probably won't have anything for a week or so. I have yet to make it mark a serial as used once it has been inputted. But I don't see major hurdle from this being a reality.

[reed]

Wow very nice script.. but Im with "Tek" how I want it.
So im very interested too with a system like you told us "dwayne12". a webb login admin system is just great to add or delete or even ban users
maybe a system that auto add users from there purchase or maybe that is something up to every person.. we all use different online shop systems etc.. but maybe some system that auto take a serial number from the database to the new user.. and then that serial is only for that user and no one else.

looking forward to see this project! Let us know how it goes!

/reed

[dwayne12]

Hey,

Sorry about my long absence from the forums. I had quite a few pc problems to sort out as well as not being home much lately. I lost a bit of code for the system I was working on but nothing too major. I've had a hectic work schedule lately as well as trying to balance a website I've started on http://www.techittytech.com which is just currently a forum. This will probably take me longer than expected, but it will be complete and reed that idea you suggested is actually a very good idea.

It would make the system for user friendly and easier for the clients so they don't get impatient. With a little help of some php minded people we could make it tie in with universal shopping cart systems and online stores. And with that in mind I'll run from the top again about what it'll will do basically. Saves everyone a read from the first post.

A PHP script that ties in with a MySqL user database. When the user runs the install they enter a code that was generated maybe after their purchase through whatever means online shop, paypal, credit card. Cause after the online purchase, maybe a script that adds a username, password, order number and serial number to the database. The order number will of course be tied to the username as well as the serial. Now basically what will happen is a serial can only be used once, but one can be obtained through an online form which validates your order number and maybe a couple of other details that someone wouldn't wanna have circulated across the net. An administration backend will be able to control every aspect of the system. Remove a user, Blacklist a serial, Blacklist an Email Address, Add a user, ip banning(maybe), as well as various stats.

I'm not sure if I left anything out in that I kinda typed it a bit fast as I'm quite busy working on my site as well as 2 other projects for bands. Let me know if thats what you pretty much want and if not, rewrite it to how you want it.

[wasim21k]

Thanks m8,
Its brilliant code, just one very quick question,
authenticate.php I think any one can access this file from my web site, is there any way that I can encrypt it or any idea?
And if you say that no one can monitor well using some network monitor software I can do this so it mean any one can do this.
I think to protect it is they only way to encrypt all information or I have no idea,
do you?

and about mysql idea is very very good and i think its best way to protect every thing and manage user and serials but i never seen any reply after this it would be great if you can post this project.
thanks for help.
and your site dwayne12 is still not working


phpBB : Critical Error

Could not connect to the database

[pramodpendyala]

Hi Guys,

Code developed bye dawyne is awesome, but i dont see any post after this, Now here is what i can do for this forum, i have complete PHP source ready developed for admin control pannel to view or delete users and serial no:. But all i need is some modifications to the authenticate.php. That would be great if some one could help me in on this.

Cheers

[dwayne12]

Hey everyone this project isn't lost and I have made the whole system I've just gotta tweak the authenticate.php file to make it secure etc. The package is called SauthSQl and it has an admin interface with add, delete, edit, add serial, browse the database features plus a few others. It's fairly secure and it's open source as well so any add ons to it would be great I think this project has great potential shortly I will release the code with the authenticate.php completed it's 90% done and a few changes will be made to the code give or take a week or so.

Sorry about my long absence but I've been extremely busy with work etc but I have still been working on this project.

Dwayne.

[dwayne12]

Quote:

Originally Posted by wasim21k

Thanks m8,
Its brilliant code, just one very quick question,
authenticate.php I think any one can access this file from my web site, is there any way that I can encrypt it or any idea?
And if you say that no one can monitor well using some network monitor software I can do this so it mean any one can do this.
I think to protect it is they only way to encrypt all information or I have no idea,
do you?

and about mysql idea is very very good and i think its best way to protect every thing and manage user and serials but i never seen any reply after this it would be great if you can post this project.
thanks for help.
and your site dwayne12 is still not working


phpBB : Critical Error

Could not connect to the database

Yes to stop information being sniffed or w/e just use MD5 encryption which I didn't add to that example but it's quite easy to do. The project is basically done all the coding is done just fixing up the gui a bit.

[Tek]

That's great news dwayne12! I am looking forward to trying it out!

I appreciate your efforts with this project.

[dwayne12]

No worries. I was planning on setting up like a beta test actually just to make sure the project will function properly when it's done.

Maybe do a small scale beta test online where you can maybe report problems and suggest ideas which sounds like a viable option.

Nearly done...