4

Is it possible to protect PHP code without using a compiled module (.so/.dll)?

What software can help with this?

Piskvor left the building
  • 91,498
  • 46
  • 177
  • 222
monkey_boys
  • 7,108
  • 22
  • 58
  • 82
  • What do you want to protect it from? More details please ... – selfawaresoup Jul 03 '10 at 16:32
  • I imagine he wants to sell code and doesn't want to allow the purchaser copy any code they buy. – Tom Gullen Jul 03 '10 at 16:33
  • 4
    possible duplicate of [Code obfuscator for php?](http://stackoverflow.com/questions/232736/code-obfuscator-for-php) – Mike B Jul 03 '10 at 16:34
  • @Techpriester: My crystall orb says "from clients opening the .php and running away with the precious source code" ... but that's its opinion; hopefully the OP will fill in more details. – Piskvor left the building Jul 03 '10 at 16:35
  • I guess so, too. But I want to know it exactly. – selfawaresoup Jul 03 '10 at 16:37
  • @Mike, you can do more with PHP than obfuscate it since the interpreter will read Zend's own encryption. – Mark Elliot Jul 03 '10 at 16:38
  • 1
    I voted to close this as a duplicate even though the notice below says closed as not a real question. – Bill Karwin Jul 03 '10 at 17:02
  • @Karwin: If you insist on closing this, why don't have a "closed as duplicate" billboard? In spite of your comment above, the "Closed At" billboard below is the one people will read, and that's really misleading. – Ira Baxter Jul 03 '10 at 17:04
  • 1
    @Bill Karwin: I'd say most of the close votes accumulated during rev.1 of the question, when it indeed warranted "NRQ". – Piskvor left the building Jul 03 '10 at 17:07
  • @Bill Karwin: Piskvor's remark explains how the original question might have been hard to interpret easily (although Piskvor sorted it out to everbody's benefit). As currently expressed, the question seems perfectly well formed and easily understood by pretty much everybody in the PHP world. – Ira Baxter Jul 03 '10 at 17:13

4 Answers4

2

There's a lot of tools to do this. Type "protect PHP" into Google.

Some encrypt your source code. This is a bad scheme; the very machinery needed to decrypt the code gets shipped with it. (There are even tools to decrypt all the known PHP encryptor products if you look hard enough.).

Some obfuscate your code, that is, make it difficult to read and understand the source code. If you code has any scale (e.g., dozens of PHP scripts working together), this can be very effective. These don't require any changes to the receiving PHP server system.

A few compile your code to PHP byte code schemes. These certainly make it hard to see the source text, but generally require the receiving system to accept pre-compiled code. The problem here is that you may have to convince the recipient to install special modules, and most PHP server sites aren't interested in changing thier configuration just for you.

I'm a obfuscator product provider, so you might not trust my opinion.

Ira Baxter
  • 93,541
  • 22
  • 172
  • 341
  • Obfuscation can work pretty well, but some products just hash everything, like var names, and you could end up with a much bigger file size. I've also once seen a product like this, when you could easily reverse the 'encryption' – Thom Wiggers Jul 03 '10 at 16:48
  • Scrambling identifier names (from I1 to bz8902340892342) may make the obfuscated text larger, but has no material impact on deliverability or performance of the resulting code. Good obfuscators (well, er, ours) actually generate short scrambled names. They're just as effective. And if you have more than just 10 lines of obfuscated code (typical applications are 10-1000 pages), "easily reversing" the name encoding isn't easy. – Ira Baxter Jul 03 '10 at 16:53
  • 4
    From what I've seen, many PHP *programmers* have a built-in obfuscator anyway ;o) – Piskvor left the building Jul 03 '10 at 17:10
  • @Piskvor: So you have additional protection by hiring PHP programmers :-} I suspect the OP has already achieved that level of protection. – Ira Baxter Jul 03 '10 at 17:15
  • 1
    @Piskvor: From what I've seen, this property isn't unique to PHP programmers. – Ira Baxter Jul 03 '10 at 17:26
2

If you're serious then it has to be Zend Guard : http://www.zend.com/en/products/guard/

zaf
  • 22,776
  • 12
  • 65
  • 95
1

If you mean protect it from people being able to see the source, then its a simple matter of keeping someone out of your actual server. Whenever someone requests a PHP page it is parsed by the server and the person would get the output and not the actual PHP source.

  • 1
    "a simple matter": unless, of course, you license your code to clients who run it on their own servers. – Piskvor left the building Jul 03 '10 at 16:36
  • ... following up Piskvor's comment: the usual goal of obfuscation is to enable other people ("customers") to run your application, without them being able to modify/enchance/change your application. – Ira Baxter Jul 03 '10 at 16:56
1

You could distribute it obfuscated:

http://www.raizlabs.com/software/phpobfuscator/

However this doesn't fully protect your code, it's security through obscurity. Apart from that, I know of no way to protect your code other than run it as a paid service as supposed to distribution.

Tom Gullen
  • 61,249
  • 84
  • 283
  • 456