Hiding our ASP Code

[Anchorman]

We have a customer that wants us to put our ASP application on their server,
so they can have direct access to the database. However, we don't want to
leave our code wide open for them to copy and/or modify. I have heard that
there are ways to protect our ASP code, but I don't know what they are.
Could someone please list several options for me, and preferably places
where I can do a little more research?

Thanks,
Jesse
www.davinci-mims.com

 

[dlbjr]

A way is to wrap your logic is in a dll or java file when using classic ASP.
I personally would wrap the logic in a Java Class.
Then the logic modules will work on any box including Microsoft.
You just use the Java or dll objects in your asp code.

This keeps the customer from truly seeing any of your logic.

Encoding script code is not the solution.
-dlbjr

Discerning resolutions for the alms

 

[Don Grover]

Put as much plain functions and constants in a vb dll and stuff the dll away
some where
Check for existance of a basic function returns a string to validate dll.
Don

 

[Aaron Bertrand - MVP]

Then the logic modules will work on any box including Microsoft.

Risky assumption, considering all the legal issues with Sun, and the whole
"JVM is included in this build, but not that one" hassle. Never mind that a
Java class is certainly not the least complicated solution to hiding code...

 

[Jeff Cochran]

Risky assumption, considering all the legal issues with Sun, and the whole
"JVM is included in this build, but not that one" hassle. Never mind that a
Java class is certainly not the least complicated solution to hiding code...

Plus, assuming you're using VBScript, a VB DLL isn't that complicated
to create from existing code modules. Though it's possible a Jscript
ASP module might translate easier to Java classes.

Jeff

 

[Matt]

Does it mean we need to rewrite the logic from VBScript to Java? And how ASP code invoke Java classes?

 

[Aaron Bertrand - MVP]

No, you don't *need* to... that was merely one of the suggestions.

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/

Does it mean we need to rewrite the logic from VBScript to Java? And how

ASP code invoke Java classes?

 

[dlbjr]

In your case a vb.dll will be the least challenging solution.

You call a java class the same way you call a dll in ASP.
Both must be registered on the server in different ways.

-dlbjr

Discerning resolutions for the alms

 

[Anchorman]

I don't know if this would entail me rewriting my application, but this is
an existing appliation that I've already written in VB Script. I guess I
should have explained that better in my original message. Even if it
doesn't entail me rewriting things, it sounds like there would have to be
significant changes to my system, and would include ISAPI, which is usually
slow, isn't it?

Jesse

 

[Anchorman]

Is converting this thing over to a .DLL of some sort my only option? This
seems like a pretty complicated solution to the problem. I'm thinking this
will include a lot of rewriting, plus, using a .DLL instead of straight ASP
code will cause it to slow down. I've written a few small CGI apps that use
..exe files, and these are very slow. I would assume that a .dll isn't going
to be that much faster. Maybe my assumptions are incorrect.

Jesse

 

[Aaron Bertrand - MVP]

You don't need ISAPI to use a COM object. While I've been slightly better
educated since then (there are a few mis-statements in the article), this is
a pretty comprehensive tutorial that should get you up and running with a
fully functional DLL within the hour:
http://msdn.microsoft.com/library/en-us/dnvb600/html/404track.asp

--
Aaron Bertrand
SQL Server MVP
http://www.aspfaq.com/

 

[Don Grover]

I have not tested execution time of dll to asp script, but we are talking
millsec difference so it should not matter , of course you should test in
your enviroment.

This is a sample what I use to call dll from asp.
'Convert Encrypted password
set objCokeShop=Server.CreateObject("cokeshop1324.cokeshop")
sEncPassword=objCokeShop.Encrypt("CokeShop",lcase(sPassword),0)
set objCokeShop = Nothing

and replaced:
sEncPassword = fncEncrypt(lcase(sPassword),0)

Not a big change to the code.

as far as writing the dll about 20 minutes to copy code and adjust for
change in environment.
to register it Regsvr32 cokeshop1324.dll

Try with one function and see how you go.

Regards
Don Grover

 

[Blair Bonnett]

Actually, I've been led to believe that a DLL is faster, since the code is
already in assembler (and therefore the server doesn't have to 'translate'
it as it would an ASP file). I dunno if this is true - I've done no
testing, haven't even seen the results of any tests - but, as Don says, the
difference would be so small it wouldn't matter.

Blair

 

[Don Grover]

I think it is , but im not willing to get my head shot off !.
Don

 

[Bob Barrows]

Actually, I've been led to believe that a DLL is faster, since the
code is already in assembler (and therefore the server doesn't have
to 'translate' it as it would an ASP file). I dunno if this is true -
I've done no testing, haven't even seen the results of any tests -
but, as Don says, the difference would be so small it wouldn't matter.

There is no need to guess. the tests have been done. Straight ASP code runs
slightly faster than using a dll. Unfortunately, the pages where this test
was documented seem to have been removed from MSDN for some reason, but,
using the wayback machine at www.archive.org, I find this:

http://web.archive.org/web/20010706...rl=/library/en-us/dnnile/html/docu2kbench.asp

Scroll down to Figure 9 (don't use the links at the top of the page - they
are broken - use the scrollbar)

Bob Barrows

 

[Anchorman]

But, what I'm talking about is an entire ASP application that I've already
written and that works. I'm not just talking about a few functions. To my
knowledge we don't have any special functions like your encryption method
below. We want to hide the code from the entire application from the user.

Jesse

 

[John Blessing]

You can obfuscate the code ( search google for "obfuscate asp") or you can
use the scripting encoder (http://www.asp101.com/tips/index.asp?id=116). I
have no experience of either.

IMO, the best solution is to use a dll as others have mentioned, but that
requires hindsight
<g>

--
John Blessing

http://www.LbeHelpdesk.com - Help Desk software priced to suit all
businesses
http://www.free-helpdesk.com - Completely free help desk software !
http://www.lbetoolbox.com - Remove Duplicates from MS Outlook

 

[Aaron Bertrand [MVP]]

or you can use the scripting encoder

FYI, this will only slow a determined person by seconds. See
http://www.klaphek.nl/nr6/scrdec.html

 

[Mark Schupp]

Do a search for ASPLightning. I think it is still available. It converts a
VBScript ASP application into a VB6 DLL (you will need VB6). There are
probably a few other similar tools on the market. There also used to be
something called ASP Code Lock that encrypted ASP code and then decrypted it
at run-time (was an isapi filter IIRC).