I'm thinking of protecting my script to the mass majority of users (non-web dev savvy) and I came across an online service to encode php script. I'm not sure about it though.

Is it safe to encrypt php script? What if the encoded code has something fishy in it?

Chris Baker

6 Answers

3

If you intend to distribute the PHP file then I would suggest that you do not do this. It's only going to irritate those that want to tinker with it.

If for some reason you don't want them tinkering with it, then don't distribute the PHP file.

If you need to distribute the file AND you don't want them tinkering with it, then I would highly suggest you not do this in PHP and instead write the functionality using C as an extension to PHP.

You'll notice that at no point do I suggest you actually go ahead and "encode" the php file. That's not going to buy you anything.

NotMe
  • It's a WordPress theme so I'll need to give out all the PHP scripts for it to work. What do you mean by "using C as an extension to PHP"? What's C? –  Jul 20 '11 at 15:38
  • C is an entirely different programming language. While this answer is marginally correct, I disagree that the only option is to learn a completely new language. As I mention in my own answer, there are a number of respected commercial solutions for distributing PHP code that is protected from reverse-engineering. That said, PHP is a language that lends itself to open-source, that is why it has been embraced as an online language. The code and the engine is not inherently made to create a product that is inaccessible to client implementers. – Chris Baker Jul 20 '11 at 15:44
  • Ah ok. Could you list a few other ways round this problem? I have sensitive data in the script (MySQL DB connection info) so I really need this to be as secure as possible. Thanks for your time. –  Jul 20 '11 at 15:51
  • @Chris: I mentioned C simply to ratchet up the difficulty involved. Also, there is *nothing* that can "protect" you from reverse-engineering. Make it a little more difficult? yes; protect from? no. I do agree with you that PHP is more for open-source than for distributing paid for, try and protect it, intellectual property. – NotMe Jul 20 '11 at 15:54
  • @Chris Lively (and @nav): The consensus here is that no, the link you gave is not secure, and no, you cannot have absolute protection for your source code. We might have a different approach to mitigating that reality, but any solution any of us provide is a half-measure dealing only with *degrees* of security. To put it simply, this is not as simple of a question as it might appear. :) – Chris Baker Jul 20 '11 at 16:07
  • Okay, Zend Guard it is then. Thanks for all your help guys, much appreciated! –  Jul 20 '11 at 16:26
3

If you are looking to obfuscate your server-side PHP, the best bet would be to use a commercial product such as Zend Guard (http://www.zend.com/en/products/guard/). Any home-brew encryption is not secure in the slightest - your code can be easily reverse-engineered with fairly trivial effort. The page you link to does not have any credibility, it is just someone's side project. They have no accountability or stake in protecting your information.

Even these commercial products (Zend Guard, ionCube, phpShield, SourceGuardian) can be decrypted if someone really, really wanted to. No tool or technique in any language can make absolutely secure obfuscation, there is no "unhackable" system. Everything boils down to effort over time.

If it isn't important enough to bother doing it right, then you're probably wasting your time on the issue. Further, if it is absolutely vital that some information or code remain private, you should simply not put it out into the public purview.

[edited for clarity]

Chris Baker
  • Although a good link, it should be mentioned that the keyword here is "easily" with regards to Zend Guard. Unlike their very misleading marketing statement, you can't actually prevent reverse engineering; however you can make it a bit more difficult. http://forums.zend.com/viewtopic.php?f=57&t=4709 – NotMe Jul 20 '11 at 15:52
  • @Chris Lively: Chris does say "obfuscate", and the OP does say "non-web savvy users", so this may be sufficient. – Piskvor left the building Jul 20 '11 at 15:53
  • @Chris Lively: Agreed - I did not mean to give the impression that Zend Guard is doing some magical and impossible thing. Edited answer to clarify this point, because it is very important to understand and I don't think a lot of entry-level tech people grasp the fact that there is no **absolute** security. – Chris Baker Jul 20 '11 at 15:59
  • +1: ;) We're saying the same thing and I think you probably said it better. – NotMe Jul 20 '11 at 17:56
1

Ultimately, you need to trust the encrypting party. If you don't trust them (apparently you don't), then don't give them access to your server (through executing their decryption code/your obfuscated code, possibly with who-knows-what else inside). Simple as that, albeit possibly inconvenient.

Piskvor left the building
  • Hey. I should have explained why I want to protect them. Sorry. It's a script for a WordPress theme so I will have to give out the script, which I don't want the users to play with. –  Jul 20 '11 at 15:40
  • @nav: You should have explained that, yes :) Removed the second paragraph, as it detracted from the main point. This still stands: the code you'll get from that page will have your rights on your server; do you trust that it won't abuse those rights? – Piskvor left the building Jul 20 '11 at 15:42
  • That's the thing. I've never used the service before so I don't trust it at all. And the script includes sensitive info such as MySQL DB connection info so I don't want to take any risks. –  Jul 20 '11 at 15:45
  • @nav: Well, if you **don't trust it at all**, and you want to **avoid risk**, should you give it **your sensitive data**? I don't think the issue (and the solution) can get any more obvious than this, even if it's an inconvenient answer. – Piskvor left the building Jul 20 '11 at 15:46
  • Any ideas on how else I could prevent users from playing with it? –  Jul 20 '11 at 15:49
  • [What @Chris said](http://stackoverflow.com/questions/6764407/is-it-safe-to-use-online-script-encoding/6764547#6764547), note that is not a free (not even free-as-in-beer) product. See also this question: http://stackoverflow.com/questions/336057/best-solution-to-protect-php-code-without-encryption – Piskvor left the building Jul 20 '11 at 15:52
0

PHP is usually running on the server, where the users have no access to the code (neither source nor any other representation) anyway. No reason to obfuscate it there.

Obfuscating PHP is only useful in the rare cases where you give the PHP code to clients. For example, if you want clients to be able to run their own server but not give them full access to the code.

CodesInChaos
  • Yeah, I'm working on a WordPress theme (so I have to give everything out in a .zip with all .php files included). I have PHP scripts in it that I don't want users to play with. –  Jul 20 '11 at 15:35
0

So, it looks like all it does is obfuscate the code so it's not human-readable. The only way this would really be useful is to prevent lazy people who have access to the code from reading it. However, it uses simple functions to encode/decode, so it would be trivially easy for someone to decode it if they have access.

Which brings me to my point... PHP security works by not allowing anyone to have access to the source file. If someone who shouldn't have access gets it, then this "encoding" thing isn't going to do you any good.

Chriszuma
0

The OP mentioned an interest in protecting database connection details, and it should be kept in mind that no matter what protection system is used for the code itself, the PHP engine and component libraries being open source sets some absolute limits on what can be achieved. If MySQL connection details, for example, are hidden in a script then these details could be trivially revealed without going near the PHP scripts themselves simply by running the scripts with a PHP build that had slight modifications to the MySQL library or the associated PHP module wrapper. Even hiding the details in a C module as suggested by Chris L. would afford no extra protection in this case. Good protection can certainly be given to source code with compiled code systems such as ionCube and Zend, but wherever data hits routines in the PHP core then it can be exposed.

Obviously for any online service where you may be sending sensitive details, you should use due diligence and make best efforts to ensure that it has a good pedigree. Apart from anything else, not having a working https URL for the site the OP questioned should immediately warn that it's a no-no, and not just for the lack of connection encryption but showing that they are not offering a service that they consider to be serious.

Nick
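The practical consequence of the answer above is that credentials cannot be protected by anything done to the theme's code, so they should not be in the theme at all. In WordPress the site owner's wp-config.php already defines DB_HOST, DB_NAME, DB_USER and DB_PASSWORD, and theme code talks to the database through `$wpdb` without ever holding a password. The following is an added example (not code from the answers, from WordPress or from any theme) of the general pattern for PHP code that has to be handed out: resolve settings at runtime from the host application's constants, from environment variables, or from a settings file outside the web root, and fail if none is present rather than fall back to a baked-in value. The `APP_` environment names, the `APP_DB_CONFIG` variable and the temporary settings file are this example's own choices; permission checks assume a POSIX filesystem.

```php
<?php
declare(strict_types=1);

// The distributed code contains no credentials. At runtime it resolves them,
// in order, from (1) constants the host application already defined (WordPress
// sets DB_HOST, DB_NAME, DB_USER and DB_PASSWORD in wp-config.php, which the
// site owner controls and which is never part of a theme zip), (2) environment
// variables with an APP_ prefix (a naming choice of this example), or (3) an
// INI file outside the web root whose path is given by APP_DB_CONFIG (also this
// example's name). There is no baked-in fallback: missing settings are an error.

const DB_KEYS = ['DB_HOST', 'DB_NAME', 'DB_USER', 'DB_PASSWORD'];

/** Refuse a settings file that a misconfigured web server or other local users could read. */
function assert_private_config_file(string $path): string
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("settings file not found: $path");
    }
    $docroot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docroot !== false && strpos($real, $docroot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("$real is inside the document root; keep credentials outside it");
    }
    // POSIX permission bits only (no meaning on Windows): group/other must not be able to read it.
    if (DIRECTORY_SEPARATOR === '/' && (fileperms($real) & 0044) !== 0) {
        throw new RuntimeException("$real is readable by group or others; chmod 600 it");
    }
    return $real;
}

/** @return array<string,string> keyed by DB_HOST, DB_NAME, DB_USER, DB_PASSWORD */
function load_db_settings(): array
{
    $settings = [];
    foreach (DB_KEYS as $key) {
        if (defined($key)) {
            $settings[$key] = (string) constant($key);          // host application (wp-config.php)
        } elseif (($v = getenv('APP_' . $key)) !== false && $v !== '') {
            $settings[$key] = $v;                               // process environment
        }
    }
    if (count($settings) === count(DB_KEYS)) {
        return $settings;
    }

    $path = getenv('APP_DB_CONFIG');
    if ($path === false || $path === '') {
        throw new RuntimeException('no database settings: define the DB_* constants, set APP_DB_*, or point APP_DB_CONFIG at a private INI file');
    }
    $ini = parse_ini_file(assert_private_config_file($path), false, INI_SCANNER_RAW);
    if ($ini === false) {
        throw new RuntimeException("cannot parse $path");
    }
    foreach (DB_KEYS as $key) {
        if (isset($settings[$key])) {
            continue;
        }
        if (!isset($ini[$key]) || $ini[$key] === '') {
            throw new RuntimeException("$key is missing from $path");
        }
        $settings[$key] = (string) $ini[$key];
    }
    return $settings;
}

// Demo: a constructed settings file in the temp directory stands in for
// something like /etc/mysite/db.ini on a real host. All values are made up.
$tmp = tempnam(sys_get_temp_dir(), 'dbcfg');
file_put_contents($tmp, "DB_HOST=127.0.0.1\nDB_NAME=wp\nDB_USER=theme_user\nDB_PASSWORD=example-only\n");
chmod($tmp, 0600);
putenv('APP_DB_CONFIG=' . $tmp);
try {
    $s = load_db_settings();
    printf("would connect as %s@%s to %s (password: %d chars, read at runtime, not shipped)\n",
        $s['DB_USER'], $s['DB_HOST'], $s['DB_NAME'], strlen($s['DB_PASSWORD']));
} finally {
    unlink($tmp);
}
```

Nothing here stops the server's operator from seeing the password, and nothing can, as the answer above explains; the point is narrower. The theme zip that gets distributed contains no secret to reverse-engineer, each deployment uses its own credentials, and a database user scoped to what the theme actually needs limits what any one leaked credential is worth.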