• Hi,

    I started using SLM together with WooCommerce. As I see it, every product could be activated/used with any valid license key, because there is no check if the license belongs to the particular product.

    It would be very helpful if slm_check would offer the transaction_id (which in my case holds the WooCommerce-Product-Id/postid).

    Or am I missing something?

    https://www.ads-software.com/plugins/software-license-manager/

Viewing 6 replies - 1 through 6 (of 6 total)
  • Hmm, I’m somehow disappointed you didn’t get a reply from the plugin’s owner within a month, because I am concerned with a similar issue. Let’s say somebody buys two software products from you. This plugin allows using one license key to activate the other product.

    PS: that’s a great plugin and, with the WooCommerce integration plugin, I’ve been able to do in a single day what I couldn’t do on Shopify (and I left). So kudos to the developer of this great plugin, and don’t take my criticism the wrong way; it tries to be constructive.

    Thread Starter ohfuchs

    (@ohfuchs)

    I fixed it for me by hacking into a plugin file directly. I’ve added the transaction id to the license check response in includes/slm-api-listener.php

    I’ve added the following line to check_api_listener()
    'txn_id' => $retLic->txn_id,

    $args = (array(
        'result' => 'success',
        'message' => 'License key details retrieved.',
        'status' => $retLic->lic_status,
        'max_allowed_domains' => $retLic->max_allowed_domains,
        'email' => $retLic->email,
        'txn_id' => $retLic->txn_id,
        'registered_domains' => $reg_domains,
    ));

    In my case, txn_id stores a WooCommerce product ID.

    FYI, I did some research and here is the possible easy fix:

    – SLM doesn’t know about the specific product a license key was generated for through an order, because this is actually part of the integration plugin. For WooCommerce (which I use), I asked the other author how to get the product ID associated with a license key: https://www.ads-software.com/support/topic/how-to-check-if-a-license-key-was-issued-for-a-specific-product-by-id

    – once you have this, extend SLM with a new slm_api_listener_slm_activate action (for which I see the plugin’s author already provided a hook). The client API should also add to the HTTP request a product ID (like “&product_id=375”). Our action will reject the request if the license key was not issued for this product_id.

    ha! hi, ohfuchs…

    I had no idea you were posting a comment at the same time!…

    I’ll check your solution, thanks!

    Later edit: could you send the full solution, if you don’t mind? I’d also like to extend the plugin using the slm_api_listener_slm_activate action hook (called from activation_api_listener). Thanks

    well, I figured it out, anyway… Full solution, in case anyone else encounters the same problem. In your theme’s functions.php (so this is a very safe extension!), you can add this:

    // check product id on the activation/deactivation of a license key
    add_action('slm_api_listener_slm_activate', 'check_license_and_product_on_slm' );
    add_action('slm_api_listener_slm_deactivate', 'check_license_and_product_on_slm' );
    function check_license_and_product_on_slm() {
       if (isset($_REQUEST['product_id'])) {
          $prod_id = intval(trim(strip_tags($_REQUEST['product_id'])));
          $key = trim(strip_tags($_REQUEST['license_key']));
    
          global $wpdb;
          $tbl_name = SLM_TBL_LICENSE_KEYS;
          $sql_prep1 = $wpdb->prepare("SELECT * FROM $tbl_name WHERE license_key = %s", $key);
          $retLic = $wpdb->get_row($sql_prep1, OBJECT);
    
          if ($retLic && $retLic->txn_id != $prod_id) {
             $args = (array('result' => 'error', 'message' => 'Your license key was not issued for this product'));
             SLM_API_Utility::output_api_response($args);
          }
       }
    }

    When your client app appends a &product_id= at the end of the query string, a check will be performed and the query fails if the key was actually issued for another product.
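An added example, not part of the original post and not the plugin's own code: a fail-closed variant of the hook above. The posted version runs its check only when product_id is present in the request, so this variant requires the parameter. It assumes, as in this thread, that txn_id holds the WooCommerce product ID and that SLM_API_Utility::output_api_response() ends the request; the names slm_product_binding_error and slm_enforce_product_binding are hypothetical.

```php
<?php
// Added example (not from the thread). Assumes txn_id holds the WooCommerce
// product ID and that output_api_response() prints the reply and ends the request.

// Hypothetical helper: returns an error message, or null to let SLM continue.
function slm_product_binding_error(array $request, $license_row) {
    $raw = $request['product_id'] ?? '';
    // Fail closed: a missing or non-numeric product_id is an error, not a skip.
    if (!is_string($raw) || !ctype_digit(trim($raw))) {
        return 'A numeric product_id is required';
    }
    if (!$license_row) {
        return null; // unknown key: left to SLM's own handler
    }
    // Compare canonical strings so a non-numeric txn_id can never match.
    if (trim((string) $license_row->txn_id) !== (string) (int) trim($raw)) {
        return 'Your license key was not issued for this product';
    }
    return null;
}

// Hook callback (hypothetical name) for the activate/deactivate actions.
function slm_enforce_product_binding() {
    global $wpdb;
    $key = sanitize_text_field(wp_unslash($_REQUEST['license_key'] ?? ''));
    $row = $wpdb->get_row($wpdb->prepare(
        'SELECT txn_id FROM ' . SLM_TBL_LICENSE_KEYS . ' WHERE license_key = %s',
        $key
    ));
    $error = slm_product_binding_error($_REQUEST, $row);
    if ($error !== null) {
        SLM_API_Utility::output_api_response(
            array('result' => 'error', 'message' => $error)
        );
    }
}

if (function_exists('add_action')) { // inside WordPress: register the hooks
    add_action('slm_api_listener_slm_activate', 'slm_enforce_product_binding');
    add_action('slm_api_listener_slm_deactivate', 'slm_enforce_product_binding');
} else { // stand-alone run against a constructed license row
    $lic = (object) array('txn_id' => '375');
    foreach (array(array('product_id' => '375'), array('product_id' => '412'), array()) as $req) {
        var_dump(slm_product_binding_error($req, $lic));
    }
}
```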

    Thread Starter ohfuchs

    (@ohfuchs)

    Unfortunately my code is very messed up, but in a few words, here is what it does:

    1. my WP-Plugin has a hardcoded product key which will be sent to my server together with the license key
    2. script on my server converts the product key to a list of supported WooCommerce product IDs. You could omit this step by sending a product ID or list of product IDs directly, but I like to obfuscate this a little
    3. the script does a regular license check at my SLM server, which provides the WooCommerce product ID as txn_id now. Then it filters the result by checking txn_id against the list of supported IDs. If the product is not supported, my server will return an error

    It’s not bulletproof, but hacking into a plugin file is required (again after updating the plugin).

    I will have a look at your suggestion too.
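The three steps above, as an added example that is not ohfuchs's code. The product keys, the mapping and the function name relay_license_decision are hypothetical, and the replies are constructed in the shape of the patched slm_check response shown earlier in the thread. It also refuses when txn_id is absent, which is what the relay would see after a plugin update removes the patch.

```php
<?php
// Added example (not ohfuchs's code); all names and sample values are constructed.
// Step 2 of the post: hard-coded plugin product key => supported WooCommerce product IDs.
const PRODUCT_KEY_MAP = array(
    'pk_demo_alpha' => array(375, 412),
    'pk_demo_beta'  => array(501),
);

// $slm_response is the decoded slm_check reply from an SLM install patched to
// include txn_id. Returns array(bool allowed, string reason).
function relay_license_decision($product_key, array $slm_response) {
    if (!is_string($product_key) || !array_key_exists($product_key, PRODUCT_KEY_MAP)) {
        return array(false, 'unknown product key');
    }
    if (($slm_response['result'] ?? '') !== 'success') {
        return array(false, 'license check failed');
    }
    // If a plugin update dropped the txn_id patch, the field is missing: refuse,
    // otherwise every valid key would pass for every product again.
    $txn = $slm_response['txn_id'] ?? null;
    if ((!is_int($txn) && !is_string($txn)) || !ctype_digit((string) $txn)) {
        return array(false, 'license server did not report a product id');
    }
    if (!in_array((int) $txn, PRODUCT_KEY_MAP[$product_key], true)) {
        return array(false, 'license key was not issued for this product');
    }
    return array(true, 'ok');
}

// Constructed replies: matching product, other product, unpatched server.
$replies = array(
    array('result' => 'success', 'status' => 'active', 'txn_id' => '375'),
    array('result' => 'success', 'status' => 'active', 'txn_id' => '501'),
    array('result' => 'success', 'status' => 'active'),
);
foreach ($replies as $reply) {
    list($ok, $reason) = relay_license_decision('pk_demo_alpha', $reply);
    echo ($ok ? 'allow' : 'deny') . ': ' . $reason . PHP_EOL;
}
```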

  • The topic ‘how to determine license belonging to product’ is closed to new replies.