5

I have an application based on PHP and MySQL which is to be hosted on localhost at their organisation for some of my clients and on a web server for others. My concern is: how can I protect and secure my code on localhost? I simply do not want any person with even a little programming knowledge to be able to look at my application code. The fact that the code will be on localhost in the www/public_html folder on one of the organisation's machines acting as a local server is what is making me paranoid about my code being stolen.

Can anyone suggest some techniques to achieve this? Password protection? Or other best practices?

And I would request the community members not to immediately close this question deeming it to be ambiguous or out of context. I badly need some expert suggestions on this.

coder101
  • possible duplicate of [How to protect my source code when deployed?](http://stackoverflow.com/questions/9826672/how-to-protect-my-source-code-when-deployed) – Prisoner Jan 03 '13 at 17:54
  • If you want your code protected, then don't use PHP. It's pretty much impossible to stop a determined person from stealing it. Of course, that's true of stuff written in any language. Don't go for "tech" means to protect your code. Use legal means. "Steal my code, and I get to feed you and your dinky little organizations into a wood chipper". – Marc B Jan 03 '13 at 17:54
  • @MarcB - your suggestion seems more appropriate since there is very little that I can do in this situation by technological means. – coder101 Jan 03 '13 at 18:05

4 Answers

4

I went through the very same problem as you. I know, it's a design flaw in your project. You just shouldn't be "installing" your software on clients' computers if you designed it to be accessible online.

But sometimes we just have to. We had this amazing webapp, kind of expensive and with not many clients. Whenever a new client insisted that "it needs to run even if the internet's down", my boss sold it anyway and we were told to just configure the client's PC to run as both server and client. Whoever did the project should have considered this possibility and should have chosen some technology that could create an executable instead of plain text code.

We chose to use Zend Guard to secure our code. It pre-compiles your code for you, but it only works with PHP. Your xml/txt/ini/css/js files will still be readable. We had some xml configuration files that we wanted to obfuscate, but couldn't.

There is some other software that also does that; just search for "PHP Code Obfuscator".

They are not free (kinda expensive if you're developing it on your own), but shouldn't be expensive for your company.

Just keep in mind that what you are doing is just a workaround. This is not completely safe, nor is it recommended. PHP is meant to be used on a server, not on your client's machine.

Pedro Cordeiro
1

localhost is always the machine you are currently on. I see very little you can do to protect files stored there. Any sort of protection may cripple the correct functioning of the PC and the application you're making.

PHP is supposed to run on a server; your source code is automatically protected.

Expert suggestion: you're doing it wrong.

Halcyon
  • Some of my clients do not have a web server so I have to deploy my application on a local computer at their organisation. So you're saying that there is nothing I can do about securing my source code and that it is open to anyone who can access that very computer. – coder101 Jan 03 '13 at 17:54
  • I personally don't know of any way to protect the files in a way that you describe. This is because _normally_ you don't have this problem. – Halcyon Jan 03 '13 at 17:59
  • What does one do in this kind of situation of deploying an application on a local machine? What would you have done? – coder101 Jan 03 '13 at 18:08
  • I haven't. I'm running out of ways to say _"PHP is a server-side scripting language"_. – Halcyon Jan 03 '13 at 18:09
  • Someone suggested to me a while back that I try to convert my PHP code into bytecode. – coder101 Jan 03 '13 at 18:13
  • I understand what you are trying to say, but some of my deployments need to be on a local machine where the client cannot have a web server deployed. So it runs on the local machine only, acting as server. – coder101 Jan 03 '13 at 18:16
0

Look at some code encryption/obfuscation software like Zend Guard. They are paid, though.

janenz00
0

"look at my application code" and "my code being stolen" are two different things.

Since PHP is a scripting language, the code needs to be on the server that is going to run it; the fact that it is localhost is irrelevant. If you want to protect your code from being "looked at" you can:

  • obfuscate it. But it is only a matter of time if someone is really interested.
  • encrypt it. You can request a password when you start the server to decrypt, but this is going to require big changes and affect performance.

However, if someone wants to steal it and doesn't care what it looks like because they don't intend to modify it, maybe to save licence costs, then they just need to copy and paste the code, no matter how obfuscated or encrypted it is, and make it run. Anti-copy techniques are out of the scope of the question, I guess.

palako
  • What I actually have to do is set up a Linux machine at the organisation with Apache, MySQL and PHP, and then that very machine is accessed by any computer on the LAN network of the organisation. Am I doing it wrong? What does one do when there is no web server or server per se available? – coder101 Jan 03 '13 at 18:20
  • I have to put my app folder in /var/www/ and it is accessed by the URL localhost/application_name using any browser. Is this a bad way of doing it? The whole code is in the file system and there are chances of it being compromised. Please suggest. – coder101 Jan 03 '13 at 18:24
  • Your two comments are contradictory. The first states that you are going to have ONE instance of the software on a server that will be accessed by everyone via their browsers. This has nothing to do with localhost, and I don't understand when you say there's no web server or server available. That's what Apache is. – palako Jan 03 '13 at 18:40
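
The "encrypt it and request a password at server start" option from the last answer, sketched as an added example that is not part of the original thread or any poster's code. The function names, the blob layout and the sample passphrase are assumptions made for illustration; it uses PHP's OpenSSL extension with AES-256-GCM and a PBKDF2-derived key.

```php
<?php
// Added illustration: seal PHP source at build time, unlock it with an
// operator-supplied passphrase at startup. Names and layout are hypothetical.
const KDF_ITERATIONS = 200000;

// Derive a 256-bit key from the passphrase and a per-file salt.
function derive_key(string $passphrase, string $salt): string {
    return hash_pbkdf2('sha256', $passphrase, $salt, KDF_ITERATIONS, 32, true);
}

// Build step: returns salt(16) || iv(12) || tag(16) || ciphertext.
function seal_source(string $plainPhp, string $passphrase): string {
    $salt = random_bytes(16);
    $iv   = random_bytes(12);
    $tag  = '';
    $ct   = openssl_encrypt($plainPhp, 'aes-256-gcm',
                            derive_key($passphrase, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $salt . $iv . $tag . $ct;
}

// Startup step: returns the source, or null when the passphrase is wrong
// or the blob was modified (GCM tag verification fails).
function open_source(string $blob, string $passphrase): ?string {
    if (strlen($blob) < 44) {
        return null;
    }
    $salt = substr($blob, 0, 16);
    $iv   = substr($blob, 16, 12);
    $tag  = substr($blob, 28, 16);
    $pt   = openssl_decrypt(substr($blob, 44), 'aes-256-gcm',
                            derive_key($passphrase, $salt),
                            OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

// Constructed sample: one tiny "application" file and a sample passphrase.
$source = '<?php function invoice_total(array $lines): float { return array_sum($lines); }';
$blob   = seal_source($source, 'sample operator passphrase');

var_dump(open_source($blob, 'wrong passphrase'));   // rejected: not the key
$plain = open_source($blob, 'sample operator passphrase');
eval('?>' . $plain);                                 // load the unlocked code
echo invoice_total([10.0, 2.5]), PHP_EOL;
```

Only the sealed blob sits on disk, but the plaintext exists in the PHP process once the passphrase is entered, and anyone who holds both the blob and the passphrase can still copy and run the application, which is the limit the answer describes.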