
I made some classes having a lot of methods documented properly using PHP (something like a library).

Now, what the other developers will do is just require the PHP library I made in their code and use the predefined functions in it.

Is it possible to hide the PHP code (of the library I made) from the other PHP developers (requiring the file) and just show them the function name, parameters and its documentation without showing the code inside it? I'm not talking about obfuscation, which can be reversed; I'm talking about preventing users from actually seeing any code.

eg.

/**
 * 
 * CREATE A NEW THREAD
 * @param unknown_type $uid User ID of person who is creating the thread
 * @param unknown_type $participant An array having collection of UID of people who are participating in this conversation 
 * @param unknown_type $msgtype Message Type Flags (1-normal, 2-chat, 3-sent as email, 4-profile post, 5-group post, 6-customer support)
 * @param unknown_type $subject Subject of the thread
 * @param unknown_type $tname Thread Name
 * @param unknown_type $tpic Thread Cover Picture (Defaults to "")
 * @param unknown_type $tflag Thread Flag (1-allowed,2-under review,3-blocked) (Defaults to 1)
 * @return string|Ambigous <string, unknown> Thread ID on success, "" on failure
 */
public function createthread($uid,$participant,$msgtype,$subject,$tname,$tpic="",$tflag="1")
{
    $randobj=new uifriend();
    $tid=$randobj->randomstring(30,DB_MESSAGE,MSG_OUTLINE,msgoutline_tid);
    $socialobj=new socialoperations();
    $listid=$socialobj->createlist("threadlist_".$tid, "2",$msgtype,"1",$uid);
    if($socialobj->addtolist($participant, $listid, $uid)!="SUCCESS")
    {
        return "";
    }
    if($listid=="")
    {
        $lasterror="An error occured in creating thread! Unable to Create Lists!";return "";
    }
    $dbobj=new dboperations();
    $res=$dbobj->dbinsert("INSERT INTO ".MSG_OUTLINE." (".msgoutline_tid.",".msgoutline_subject.",".msgoutline_fid.",".msgoutline_participantid.",".msgoutline_msgtype.",".msgoutline_threadpic.",".msgoutline_threadflag.") VALUES
            ('$tid','$subject','$uid',$listid,'$msgtype','$tpic','$tflag')",DB_MESSAGE);
    if($res=="SUCCESS")
    {
        return $tid;
    }
    else
    {
        $lasterror="Unable to create Thread!";return "";
    }
}

The other developers must only be able to see the documentation I wrote above the function with the function name and parameters, but the code must not be accessible to them in any way.

Why I want this: I have a lot of secure code in my PHP file which I don't want to show to the other developers, but still allow them to call the functions and read the returned values.

Francisco Presencia
Vignesh T.V.
  • You can't obscure code that is to be included either, because the PHP interpreter would also not be able to read the file's inner text. –  Apr 07 '13 at 13:20
  • If you allow them to do say `include 'yourfile.php';` you are giving PHP the permission to access that file, otherwise it can't be included. If you give it permission to do that all the developer has to do is `readfile('yourfile.php');` and get the contents of it. – kittycat Apr 07 '13 at 13:22
  • isn't there any other way to do this? (without using require/include) – Vignesh T.V. Apr 07 '13 at 13:24
  • This question is just not a duplicate. At least not of the 2 linked questions, which were about code obfuscation. This is about plainly not showing any code. Anyone with permission to do so, please reopen it. – Francisco Presencia Apr 07 '13 at 13:40
  • @vignesh, the answers are closed now and [this comment is too narrow to contain the answer](http://tinyurl.com/bc9ab) but I'll try: An alternative would be to make some sort of API in a separate website. For example, if your developers enter in `apiforweb.org/functionname?v1=5&v2=7`, then you can link that to the function `functionname()` with 2 arguments, `v1` and `v2`, with values `5` and `7` and echo the returned value (which they would fetch). As you can see, this is calling for MUCH trouble, extra developer's time and longer page loads, but it might adjust to what you want. – Francisco Presencia Apr 07 '13 at 13:46
  • perfect.. that will do. actually i did this long back but i feared that any person even the user can access the returned value in that case. `"; include ('securedir/validateclass.php'); $tagtype=$_GET['tag']; $classname=$_GET['class']; $funcname=$_GET['func']; $params=$_GET['params']; $params_array=array(); $params_array=explode(",",$params); $xmlobj=new $classname; $funcretvalue=call_user_func_array(array($xmlobj, $funcname), $params_array); echo "<".$tagtype.">".$funcretvalue."</".$tagtype.">"; ?>` – Vignesh T.V. Apr 07 '13 at 13:48
  • sorry.. had no other way to type the code in comment.. – Vignesh T.V. Apr 07 '13 at 13:48
  • Why don't you add a passkey then? `apiforweb.org/functionname?key=v9w4t223fdh&v1=5&v2=7`. Then only return a value for the developers with a valid key. I'd say make it individual and that the developers are able to change it (not a hash of their name). – Francisco Presencia Apr 07 '13 at 13:52
  • k. will do it. thanks a lot. – Vignesh T.V. Apr 07 '13 at 13:55
  • @FrankPresenciaFandos The question has been reopened if you'd like to move your comments into an answer :) – Blorgbeard Apr 07 '13 at 22:08
  • @Blorgbeard, thank you, I'll do as soon as I can – Francisco Presencia Apr 07 '13 at 22:21
  • Okay, done, now you have a new full-size answer with the best I can do. Hope it helps. – Francisco Presencia Apr 08 '13 at 14:40

2 Answers

4

You can't hide your code from other developers if you want to allow them to call your functions directly. What you can do is make a Web Service and give its documentation to the other developers.

Joachim Sauer
fardjad
3

Because I had a meta post so that this was reopened, and another meta post for formatting this question, I'll do my best to properly answer it. Note that this is only one way of doing this, with its limitations stated at the end of the post.

The API

The remote server

You could create a web API in a different domain and access it from your main domain. I think the best way of explaining how it works is with a practical example. Imagine that your library includes the function 'joinstrings()', which takes 2 arguments. Then you have it on your separate site:

http://apiweb.com/functions.php

<?php
// Your API. I hope the real one is more complex than this (;
function joinstrings($s1, $s2)
  {
  return $s1 . $s2;
  }
// More functions

The remote server access point

This is the public (but key-required) accessible page.

http://apiweb.com/joinstrings/index.php

<?php
// Check if the key is valid and if $v1 and $v2 aren't empty. Else, 'exit;'
include '../validate.php';
// Your API
include '../functions.php';
// The called function. PHP has already decoded the query string into $_GET,
// so calling urldecode() on it again would mangle values containing '%' or '+'
echo joinstrings($_GET['v1'], $_GET['v2']);

The wrapper

Now you can require all your programmers to learn how to use this API. Or, if you prefer to do it right, you'd make a wrapper that makes their life easier. You'd have a class with all the methods that you want to be accessible. You could do this wrapper with functions, but I think it's easier and better with an object and methods:

http://web.com/library.php

<?php
class DevelopersLibrary
  {
  private $Url = "http://apiweb.com/";
  // Press your hand against the keyboard. A-Z0-9. Copy it in http://apiweb.com/validate.php
  private $Key = "g139h0854g76dqfdbgng";

  // Accessible method
  public function joinstrings($v1, $v2)
    {
    // Encode only the user input. You don't want to encode '?' nor '&'
    $Return = file_get_contents($this->Url . 'joinstrings/' .
                                '?key=' . $this->Key .
                                '&v1=' . urlencode($v1) .
                                '&v2=' . urlencode($v2));
    // file_get_contents() returns false on failure; check for that explicitly
    // so a legitimate result such as "0" isn't mistaken for an error
    if ($Return !== false)
      {
      return $Return;
      }
    }
  }

Developer's code

Finally, what your developers would do:

http://web.com/index.php

<?php
include './library.php';
$Lib = new DevelopersLibrary();
echo $Lib->joinstrings("Are you sure this is better", "than giving your developers access to the code?");

None of the code is tested, so you should expect some typos.

Limitations

I can think of solutions for most limitations, but not to extend (more) this post I won't write them here. Ask for a solution to a limitation if you need it in the comments and I'll do my best. In normal case use, none of these limitations are THAT important.

  • Parameters passed. Using this method as described above, you can only pass numbers or strings as function parameters. Check out json_encode() for passing other types.

  • Wrong returned values when there are bugs in the API or parameters passed. If there's a bug in the API, the developers cannot fix it and the returned value might be wrong. Now that might seem trivial, but what if they are trying to retrieve the join of 2 strings and retrieve another [wrong] string with the error text in it? Note: consider returning valid XML and then parsing it in your wrapper.

  • There's only a unique key which is there for preventing random users from using your API, not to be hidden from developers.

  • Slower speed. I don't think this even needs explanation.

  • Developer's extra work. This is solved with the implementation of the wrapper.

  • Url length. There's a url length limitation for most browsers of 2000 characters, although I didn't find anything in the PHP manual for file_get_contents(). Read this SO question for more info about GET.

  • Sure there are more but these are the main ones I could think of.

I hope this long long answer is useful for you or someone.

Community
Francisco Presencia
  • thank you. i already understood what you said from your comment but this is an elaborate answer and may help others. :-) Just curious.. If code is not hidden, how does big companies like facebook work? is all the code visible to the developer or do they follow some other mechanism? if they do, may be i can switch to that as well. – Vignesh T.V. Apr 11 '13 at 17:06
  • What do you mean, internal developers or external ones? For the latter, facebook uses the [facebook API](https://developers.facebook.com/docs/reference/api/), for the former I don't actually know. I can only guess that [the separation of concerns](http://en.wikipedia.org/wiki/Separation_of_concerns) and strong specifications ([black box model](http://en.wikipedia.org/wiki/Black_box) in Industrial Engineering) might make teams able to work in small parts of the code and only few to have access to the whole thing. – Francisco Presencia Apr 12 '13 at 17:07
  • For example, you can hire a programmer to make a function that gets any kind of html and returns it XSS safe. He will probably ask the maximum size of the HTML and a couple of things more, but then he should be able to provide you with the function you asked for, debugged and ready to be reviewed by you/someone trusted and plugged in your code. – Francisco Presencia Apr 12 '13 at 17:11
  • i was actually asking about the internal developers. sorry for not specifying that. so, is everything done using black box model cause integration after development may become difficult. – Vignesh T.V. Apr 15 '13 at 18:43
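The web-service layout described in the answer above, written out as an added example; this is not code from the question, from either answer, or from any commenter. It assumes PHP 8.0 or newer, and the names handle_request(), $ALLOWED, DevelopersLibrary::decode() and the URL https://api.example.com/ are made up here. It also goes a little beyond the answer: the key check uses hash_equals(), only allowlisted function names can be dispatched (unlike the `new $classname` / call_user_func_array() access point pasted in the question's comments, which lets the caller name any class and method), the wrapper sends the request by POST instead of GET, and the response is a JSON envelope so the wrapper can tell an error apart from a genuine result.

```php
<?php
// Added example, not code from the question or either answer. It fills in the
// two pieces the answer leaves open (validate.php and error handling) in one
// file. Made-up names: handle_request(), $ALLOWED, DevelopersLibrary::decode().
// Assumes PHP 8.0 or newer.

// ---- server side: what the access point (apiweb.com/index.php) would run ----
function joinstrings(string $s1, string $s2): string
{
    return $s1 . $s2;
}

// Explicit allowlist of remotely callable functions and their arity. A caller
// can reach only the names listed here, unlike the `new $_GET['class']` plus
// call_user_func_array() dispatcher pasted in the question's comments.
$ALLOWED = ['joinstrings' => ['fn' => 'joinstrings', 'arity' => 2]];

// Turns the decoded POST fields into a JSON envelope. Taking $post as a
// parameter instead of reading $_POST lets the self-check below run offline.
function handle_request(array $post, string $expectedKey, array $allowed): string
{
    $key = $post['key'] ?? '';
    // hash_equals(): constant-time comparison and no loose == coercion
    if (!is_string($key) || !hash_equals($expectedKey, $key)) {
        return json_encode(['ok' => false, 'error' => 'invalid key']);
    }
    $name = $post['func'] ?? '';
    if (!is_string($name) || !isset($allowed[$name])) {
        return json_encode(['ok' => false, 'error' => 'unknown function']);
    }
    $args = $post['args'] ?? [];
    if (!is_array($args) || count($args) !== $allowed[$name]['arity']) {
        return json_encode(['ok' => false, 'error' => 'bad argument count']);
    }
    try {
        $result = call_user_func_array($allowed[$name]['fn'], array_values($args));
        return json_encode(['ok' => true, 'result' => $result]);
    } catch (Throwable $e) {
        // Log server-side; the caller only ever sees a generic error
        error_log($e->getMessage());
        return json_encode(['ok' => false, 'error' => 'internal error']);
    }
}
// The real access point would end with:
//   header('Content-Type: application/json');
//   echo handle_request($_POST, $KEY_FROM_CONFIG, $ALLOWED);

// ---- client side: the wrapper the other developers include ----
class DevelopersLibrary
{
    public function __construct(private string $url, private string $key) {}

    // One round trip. POST keeps the key and arguments out of the URL (and out
    // of access logs) and avoids the URL length limit noted in the answer.
    private function call(string $func, array $args): mixed
    {
        $ctx = stream_context_create(['http' => [
            'method'  => 'POST',
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query(['key' => $this->key, 'func' => $func, 'args' => $args]),
            'timeout' => 5,
        ]]);
        return self::decode(file_get_contents($this->url, false, $ctx));
    }

    // An error envelope becomes an exception instead of a plausible-looking
    // wrong string (the "wrong returned values" limitation in the answer).
    public static function decode(mixed $raw): mixed
    {
        $resp = is_string($raw) ? json_decode($raw, true) : null;
        if (!is_array($resp) || !array_key_exists('ok', $resp)) {
            throw new RuntimeException('API returned no usable response');
        }
        if ($resp['ok'] !== true) {
            throw new RuntimeException('API error: ' . ($resp['error'] ?? 'unknown'));
        }
        return $resp['result'];
    }

    public function joinstrings(string $v1, string $v2): string
    {
        return $this->call('joinstrings', [$v1, $v2]);
    }
}

// ---- local self-check, no network needed: `php thisfile.php` ----
$KEY = 'g139h0854g76dqfdbgng'; // the answer's sample key, not a real secret
$good = handle_request(['key' => $KEY, 'func' => 'joinstrings', 'args' => ['foo', 'bar']], $KEY, $ALLOWED);
if (DevelopersLibrary::decode($good) !== 'foobar') {
    throw new LogicException('self-check failed');
}
$bad = handle_request(['key' => 'wrong', 'func' => 'joinstrings', 'args' => ['a', 'b']], $KEY, $ALLOWED);
try {
    DevelopersLibrary::decode($bad);
    throw new LogicException('bad key was accepted');
} catch (RuntimeException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

In a deployment the server half lives at the access point and the class at library.php; a developer would then write `$Lib = new DevelopersLibrary('https://api.example.com/', $KEY);` and call `$Lib->joinstrings("a", "b")` exactly as in the answer. The allowlist is the important design choice: because the server maps a short name to a fixed callable, the library's code stays unreachable and the only thing the other developers can learn from the wire is the set of exposed names and their argument counts, which is the documentation the question wanted to share anyway.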