Electronic Products and Theft
Since I started selling PHP scripts from my site I have had three copies of one or other of my scripts stolen. I know this because right from when I first started selling the scripts I have had code in place to at least track when a copy of one of the scripts I have for sale has been downloaded.
The first occasion when I had a script stolen was before I implemented the IPN script that automatically emails the purchased script to the buyer after Paypal clears their payment. Back then I had a link from the page that you get to after making the purchase that allowed the buyer to download the script. In this particular instance the thief simply looked up the destination page in the source code of the page that linked to Paypal and went there directly without actually going via Paypal. Paypal has since introduced a way to encrypt the form to prevent this from being able to be done. What this thief didn’t know was that the page with the download link was set up to email me whenever a copy of the script was downloaded and since the download was actually done by emailing the script to the buyer, the thief had to give me their email address in order to steal the script. Due to the time that they picked to steal my form2mail advanced script I was able to watch them install the script on their site and soon after they finished installing the script I used their new contact form to contact them to advise them that I knew they had stolen the script and would take further action if it was not removed immediately. Since their site was actually part of a school web site competition it would have been very easy for me to advise the competition organiser if they hadn’t complied and removed the script. I am still not sure why they stole my advanced script since the free version would have been quite adequate for what they needed.
After that I increased the security of my script sales by creating an IPN script that attaches into the back end of Paypal’s payment process. This allowed me to email the purchased script directly to the buyer from the Paypal payment process itself so that someone bypassing the purchase section of the process would not be able to find a page with a link to the script.
The second occasion on which one of my scripts was stolen was ironically enough someone who decided to steal my IPN script which emails an electronic purchase directly to the buyer. They did so by using one of the only two ways that the security in the script that they were stealing could be bypassed. What they did was to make the purchase using their credit card and then after receiving the script they then put in a chargeback request with their bank saying that the purchase was not authorised by them. Despite the fact that I had proof that the purchased product had actually been delivered I was not able to provide Paypal with anything that would convince the bank that the purchase had in fact been authorised and delivered. At that time I could see no way to prevent such thefts and so I just put up the price of all my scripts to cover the cost of such incidents and moved on.
The third occasion of one of my scripts being stolen happened a couple of weeks ago. On this occasion the purchaser made the purchase of my form2mail script directly from their Paypal account, received the email with the script attached, clicked on the link in the email that requests a resend of the email (presumably in case I had updated the script in the few minutes since their payment was processed), and then raised a claim with Paypal that their payment had not been authorised. The first I knew of any of this was a few hours later when I checked my emails to find four emails regarding that purchase - the first was the regular one from Paypal confirming the purchase, the second was a copy of the email sent to the buyer with the script attached (which I use where a buyer for some reason is not able to access the original email sent to them so that I can resend it to them), the third was the copy of the second email sent due to their clicking on the link at the bottom of the email (which can only have been sent as a result of their clicking that link) and the fourth was an email from Paypal advising me of the dispute and telling me not to send the product to the buyer which Paypal had already delivered to the buyer for me by triggering the sending of the second email.
After numerous emails to Paypal explaining all this to them and getting replies back that indicated that at least some of their staff did not actually read my emails properly, as one reply stated the exact opposite of what I had told them, I finally got a response from Paypal regarding their policy on the sale of electronic goods delivered over the internet. I can’t find the appropriate clause in their terms and conditions of use but it must be buried in there somewhere since a link to that page was included with part of the explanation to me. Apparently in the case of people purchasing electronic goods via Paypal, Paypal will almost always find in favour of the purchaser if the purchaser disputes the purchase. It appears that the proof I had that the buyer had intended to make the purchase and was then trying to steal what they had bought by claiming that the payment was not authorised was insufficient to convince Paypal. In other words, using an IPN script doesn’t completely prevent people from stealing your product since they can always make the purchase and then raise a dispute with Paypal in order to get Paypal to return their money. You need additional evidence to be able to prove to Paypal that the purchase was intended.
As there is little that I can do about Paypal’s policy on this I have implemented a couple of changes to the way that the purchase process for my scripts and the scripts themselves work in order to minimise the possibility of theft of my scripts in the future. The first of these changes is that my IPN script no longer immediately emails the purchased script to the buyer when Paypal completes the payment. Instead an email is sent to the buyer asking them to confirm that they intended to purchase my script. That email contains two links.
The first link confirms the purchase and sends two emails - the first addressed to me from the buyer stating that they intended to make the purchase and the second being the email that was previously sent automatically that has their purchased product attached. I don’t know how much good this extra email from the purchaser will do in helping resolve disputes with Paypal but hopefully it will act to discourage would-be thieves to know that they have to provide additional evidence of their intention to make the purchase.
The second link provides for if someone’s Paypal account is compromised and the requested purchase really is unauthorised (which it may have been in the second instance I mentioned above since Paypal refused to check for me whether the buyer had actually linked the IPN script that they received into their Paypal account). Clicking this second link sends me an email advising me that the purchase was unauthorised so that I can then refund their money before they receive a copy of the script.
Performing these additional checks before emailing the purchase requires updating information in a database and I have incorporated an option to get my IPN script to work that way for anyone who buys a copy of the database extensions to my IPN script.
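The two-link confirmation step described above only holds up if neither link can be guessed, edited or replayed. The following is an added example, not the author's IPN script: it signs each link with an HMAC over the transaction id, action and expiry, and acts only while the stored transaction state is still pending. The secret, URL, transaction id and state names are constructed placeholders, and the state is assumed to come from the database the post mentions.

```php
<?php
declare(strict_types=1);

// Constructed placeholders: the secret, URL and transaction id are not from the post.
const LINK_SECRET = 'replace-with-random-bytes-kept-on-the-server';
const BASE_URL    = 'https://shop.example/confirm.php';
const LINK_TTL    = 7 * 24 * 3600; // links stop working after seven days

// MAC over every field the link asserts, so none can be swapped after sending.
function link_mac(string $txn, string $action, int $expires): string
{
    return hash_hmac('sha256', "$txn|$action|$expires", LINK_SECRET);
}

// Build the two links for the "did you intend this purchase?" email.
function make_links(string $txn, int $now): array
{
    $links = [];
    foreach (['confirm', 'deny'] as $action) {
        $exp = $now + LINK_TTL;
        $links[$action] = BASE_URL . '?' . http_build_query([
            'txn' => $txn, 'action' => $action, 'exp' => $exp,
            'mac' => link_mac($txn, $action, $exp),
        ]);
    }
    return $links;
}

// Decide what a clicked link may do. $state is the stored status of the
// transaction ('pending', 'confirmed' or 'denied'); only 'pending' can change.
function handle_click(array $q, string $state, int $now): string
{
    foreach (['txn', 'action', 'exp', 'mac'] as $k) {
        if (!isset($q[$k]) || !is_string($q[$k])) return 'reject';
    }
    if (!in_array($q['action'], ['confirm', 'deny'], true)) return 'reject';
    $exp = (int) $q['exp'];
    if (!hash_equals(link_mac($q['txn'], $q['action'], $exp), $q['mac'])) return 'reject';
    if ($now > $exp) return 'expired';
    if ($state !== 'pending') return 'already-' . $state;
    return $q['action'] === 'confirm' ? 'deliver' : 'refund';
}

// Constructed run: a genuine click, a link edited from confirm to deny, a replay.
$now = 1700000000;
parse_str((string) parse_url(make_links('TXN-0001', $now)['confirm'], PHP_URL_QUERY), $q);
echo handle_click($q, 'pending', $now), "\n";
echo handle_click(['action' => 'deny'] + $q, 'pending', $now), "\n";
echo handle_click($q, 'confirmed', $now), "\n";
```

Logging each accepted click with its timestamp and source address alongside the transaction gives the seller the extra evidence of intent that the post is after.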
The other change is to all of the scripts I am selling. Each of the scripts requires one or more values to be updated in a configuration file of some sort in order to get it to work on a specific site (this includes security options that help prevent the script being misused and to help reduce any spam). I have now modified each of the scripts so that the serial number that I issue with each script purchased now needs to also be entered into that configuration file. The script now performs some validation on that serial number at selected spots within the script. To use the script a valid serial number will now need to be entered into the configuration file for each script in order for the script to function correctly. This should hopefully reduce the likelihood of the stolen scripts being used since the only serial number available for a thief to use will be the one that I know was issued to that particular person and will therefore make it much easier to prove that their site is using a stolen copy of the script.
Hopefully these additional security measures will be of benefit to legitimate purchasers as well as to me in that it will help reduce the likelihood of my scripts being stolen (and hence allow me to keep the price down) as well as making it easier to track down and take action against anyone who does steal one of the scripts.
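One way a serial number in a configuration file can be validated and still be tied to one buyer, shown as an added example and not the author's scheme: the seller signs the product name and buyer email with an Ed25519 key, and the shipped script holds only the public key, so reading the source does not let anyone mint new serials. It assumes PHP 7.2+ with the sodium extension and that the buyer's email is also stored in the configuration file; the function names, product name and addresses are hypothetical.

```php
<?php
declare(strict_types=1);

// Seller side: sign "product|buyer" and return the serial the buyer pastes
// into the configuration file. The secret key never leaves the seller.
function issue_serial(string $product, string $buyer, string $secretKey): string
{
    $sig = sodium_crypto_sign_detached("$product|" . strtolower($buyer), $secretKey);
    return sodium_bin2base64($sig, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Shipped-script side: only the public key is needed to check a serial.
function serial_is_valid(string $product, string $buyer, string $serial, string $publicKey): bool
{
    try {
        $sig = sodium_base642bin($serial, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return false; // not valid base64
    }
    if (strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) {
        return false; // wrong length; verify would throw on this
    }
    return sodium_crypto_sign_verify_detached($sig, "$product|" . strtolower($buyer), $publicKey);
}

// Constructed sample: a throwaway key pair and made-up buyer addresses.
$kp = sodium_crypto_sign_keypair();
$sk = sodium_crypto_sign_secretkey($kp);
$pk = sodium_crypto_sign_publickey($kp);

$serial = issue_serial('form2mail-advanced', 'Buyer@Example.com', $sk);

// Same buyer (case-insensitive), then a different buyer reusing the serial,
// then a serial that is not base64 at all.
var_dump(serial_is_valid('form2mail-advanced', 'buyer@example.com', $serial, $pk));
var_dump(serial_is_valid('form2mail-advanced', 'other@example.net', $serial, $pk));
var_dump(serial_is_valid('form2mail-advanced', 'buyer@example.com', '***', $pk));
```

Because the script ships as source, a check like this can still be edited out; what it preserves is the traceability the post relies on, since any working serial maps back to the buyer it was issued to.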