How to Encrypt PHP Source or Compile It So Others Can't See It? and How

Can I encrypt PHP source or compile it so others can't see it? and how?

You can buy Zend Guard to encode your PHP sources, and then use the Zend Optimizer to run it. There is an opensource/free PHP compiler project as well (bcompiler, and also take a look to this) but I never used it because at the time I needed it the project was still incomplete.

Encrypting PHP source code

If your server is configured properly, it is virtually impossible for someone to view code. Once a user requests the php file, it is executed on your server and the response text is sent.

If you are able to see the source with a web browser, that means your server isn't configured correctly.

File access permitted

It is called Obfuscate PHP code.
I put together the following list a ways back - don't know if they are all current, or how many are now free, but you should find something useful here:

About:

Wikipedia article: PHP Accelerator
Comparison of APC, Zend, xCache, & the Zend Framework
Software:

PHP's APC (PECL page)
RoadSend
Turck-mmcache
eAccelerator
PHP-Accelerator
SourceGuardian
NuSphere Nu-coder
Gridinsoft
IonCube SA-Encoder.php
Another thread on SO that adds a few more (check it out):

Can I encrypt PHP source or compile it so others can't see it? and how?

Zend Guard
BCompiler (PECL page)
PHC

Best solution to protect PHP code without encryption

Obfuscating things can only inconvenience your legitimate, law-abiding customers, while the people who would would rip you off are not your target paying customers anyway. (edited out other thoughts about obfuscation)

Another suggestion for protecting your software: create a business model in which the code is an incomplete part of the value of your offering. For example, sell product licenses along with access to some data you manage on your site, or license the product on a subscription model or with customer support.

Designing a EULA is a legal matter, not a coding matter. You can start by reading some EULA text for products and websites you use. You might find some interesting details!

Creating a proprietary license is is highly flexible, and probably a subject beyond the intended scope of StackOverflow, since it's not strictly about coding.

Some parts of a EULA that come to mind:

• Limiting your liability if the product has bugs or causes damage.
• Spelling out how the customer can use their licensed software, for how long, on how many machines, with or without redistribution rights, etc.
• Giving you rights to audit their site, so you can enforce the licenses.
• What happens if they violate the EULA, e.g. they lose their privilege to use your software.

You should consult a legal professional to prepare a commercial EULA.

edit: If this project can't justify the expense of a lawyer, check out these resources:

• "EULA advice" on joelonsoftware
• "How to Write an End User License Agreement"

Can anyone get access to my PHP source code?

With a correctly configured web server, the PHP code isn't visible to your website visitors. For the PHP code to be accessible by people who visit your website, the server would have to be configured to display it as text instead of processing it as PHP code.

So, in other words, if you visit your website and you see a HTML page and not PHP code, your server is working correctly and no one can get to the PHP code.

PHP Source Encryption - Effectiveness and Disadvantages

Encryption (or encoder) schemes try to hide your code as an encrypted file. Obviously, the code has to be decrypted at execution time, which adds useless overhead.
Some of these also insist that the host system install special routines, which the hosters intensely dislike, because they don't want to set up special configurations just for you. But the bad part is that they contain the seeds of their own undoing: to run on the target host, they must contain the decryption software. So if you use one, you deliver the very decryptor necessary to get at your code. Its only a matter of locating it; once found, your code is completely decryptable and exposed. These simply aren't safe.

Obfuscation schemes scramble the names of identifiers, remove comments and formatting. But the obfuscated code runs exactly like the original, with no overhead and no special runtime support needed. Obfuscators depend on the inherent difficulty in understanding programs in general. Programs are hard enough to understand when they are well designed, names are well chosen, and there are good comments in the code. We all hope our programs are well designed, but if the names are bad and the comments are gone, they're pretty hard to understand. Examine your own experience with other people's code.

People will say, "but anybody can inspect obfuscated code and understand it". That's true if you have a tiny application. If your application has any scale (tens of pages of code) it is extremely hard to understand what it is doing when all the variable names are scrambled. The bigger your code, the better obfuscation is at protecting it.

If you want to see examples of what one PHP obfuscator does, see our Thicket PHP Obfuscator.

How to protect my source code when deployed?

You are right, you can use Zend Encoder, Ion Cube or something like Source Guardian to encrypt your source code.

Its not really needed unless you are giving away your code and dont want people to steal it though.

What is it about your server that you think its insecure?

---

Related Topics