Hello, folks at Dani Web. I'm new to Dani Web and I hope to be helpful to a lot of people, but first I want to ask something.

You see, I have a huge problem. It begins with a desktop app I'm currently coding, written in C#, for a client who wants to sell this project, and of course he wants to protect his product against piracy. So I came up with a large number of solutions with PHP and internet-based validation via PHP scripts, but (here comes the problem) the only way to know that someone has indeed purchased the product is a follow-up email, written in a pane like the one I'm writing this post in, so my only way out is to create a script that will take the user's e-mail as a parameter, like

www.somesite.com/validate.php?user=someone@somewhere.com

Now the catch is that one can easily hack the URL and put in a different email, username or whatever.

So, the question is: can anyone think of a safe way of validating a purchase in the given situation? I swear that if someone provides the right answer I'll spend 48 hours answering topics @DaniWeb

Thank you so much for your suggestions.

For every user we create a hash (MD5 or any other), store it in the database, and send it to the recipient.
Then we just check the given hash in the link against the existing one in the database.

Match an md5 code, not a name {as above}.
The validation code and name have to

  • exist in the database
  • match
  • come from the same $_SERVER['REMOTE_ADDR'] as the original registration, stored in the database
  • be received within a certain time of the registration

and

  • include a remote update script that checks for correct users and disables features on a given schedule, http://www.daniweb.com/forums/post785006-2.html
    1. if the update script is not run
    2. if the update script is run from 2 IPs
    3. if the md5 exists and name doesn't, wipe the datafiles

I'm sure there are other ideas beyond these,
some of them less/more nasty.
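
Added example, not part of any post in this thread: a sketch of the stored-hash check the two replies above describe (the code must exist in the database, match the name, and arrive within a time window), using a random token and SHA-256 in place of MD5. The function names, the 24-hour window, the single-use flag and the in-memory array standing in for the database table are assumptions.

```php
<?php
declare(strict_types=1);

const TOKEN_TTL = 86400; // assumed validity window: 24 hours

// Create an unguessable token for a purchase; store only its SHA-256 hash.
function issue_token(array &$store, string $email, int $now): string
{
    $token = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $store[hash('sha256', $token)] = [
        'email'  => strtolower($email),
        'issued' => $now,
        'used'   => false,
    ];
    return $token;                               // the value placed in the link
}

// Check a token from the link: it must exist, match the e-mail, be fresh and unused.
function validate_token(array &$store, string $email, string $token, int $now): bool
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return false;                            // unknown token
    }
    $row = $store[$key];
    if (!hash_equals($row['email'], strtolower($email))) {
        return false;                            // token was issued to another buyer
    }
    if ($row['used'] || $now - $row['issued'] > TOKEN_TTL) {
        return false;                            // already redeemed or expired
    }
    $store[$key]['used'] = true;                 // single use
    return true;
}

// Constructed sample data; $db stands in for the database table.
$db    = [];
$t0    = 1700000000;
$token = issue_token($db, 'someone@somewhere.com', $t0);

var_dump(validate_token($db, 'other@somewhere.com', $token, $t0 + 60));    // e-mail edited in the URL
var_dump(validate_token($db, 'someone@somewhere.com', 'guess', $t0 + 60)); // token not in the store
var_dump(validate_token($db, 'someone@somewhere.com', $token, $t0 + 60));  // genuine link
var_dump(validate_token($db, 'someone@somewhere.com', $token, $t0 + 120)); // same link used again
```

The e-mail address alone no longer validates anything; the link has to carry the token, which is only possible when the sending system can insert a per-buyer value into the message.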

Thank you guys, I think I'll explain myself better.

I do not manage the usernames or sales, or anything; my client set up an e-junkie account and paid for it, so e-junkie will send a "follow" email written by my client, and of course he cannot add anything but HTML to that email :( That's why the link has that format. I'm searching for a way to know if the visit to the validation site came from a specific email inbox or something.

Thanks again for the replies.