
Encrypting PHP source code.

  • 09-05-2005 11:15am
    #1
    Closed Accounts Posts: 1,819 ✭✭✭


    Has anyone encrypted PHP source code?
    If so what programs have you used?

    I know there's an overhead in running off of encrypted source, but I'm not too worried about that.
    Keeping the source safe would be more important.

    So can anyone recommend anything?

    Cheers,

    Killian


Comments

  • Registered Users Posts: 83 ✭✭fatlog


    Why exactly do you need to encode your source?
    Are you distributing the actual source to end-users?

    I think you are looking for something like the Zend Encoder and its related products. You can have a look at this here...

    http://www.zend.com/store/products/zend-encoder.php

    It is expensive, however. You may be able to find something similar on freeware.


  • Closed Accounts Posts: 1,819 ✭✭✭K!LL!@N


    Yes, we'll be distributing the source to clients but want to maintain our control of the source.
    We don't want the client to be able to alter or reuse the source without our permission.

    Zend Encoder seems pretty expensive.

    Not that we're not willing to spend money on something worthwhile.

    I've been trying out Source Guardian and ionCube PHP encoder.

    Haven't found any freeware programs that do anything more than obfuscate the code, which is not what we want.

    Killian


  • Registered Users Posts: 25 highonsnow


    I'm looking for some sort of solution myself.

    Although you know there is one way of preventing your clients from modifying your source code, and that's by means of generating an md5 of each file's size, and include it in every page's header.. evaluate the page or die.

    I know they can alter that but if you can encrypt that small few lines of code using an encoder, they can see the source, but not alter it.

    That's one kind of solution.

    You could use an obfuscator too..
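
An added example, not part of the original post: the "evaluate the page or die" check described above, sketched with SHA-256 content hashes in a vendor-signed manifest instead of an md5 of the file size (a same-size edit leaves the size unchanged). The function names and the demo file are hypothetical, and PHP 7.3+ with ext-sodium is assumed; this detects tampering only, so the verifier itself is still the part the post suggests encoding.

```php
<?php
// Added example (not from the thread): tamper detection with a signed manifest.
declare(strict_types=1);

/** Build a manifest: relative path => SHA-256 of the file's contents. */
function build_manifest(string $root, array $files): string
{
    $entries = [];
    foreach ($files as $rel) {
        $entries[$rel] = hash_file('sha256', $root . '/' . $rel);
    }
    ksort($entries); // stable order so the signed bytes are reproducible
    return json_encode($entries, JSON_THROW_ON_ERROR);
}

/** Check the signature first, then every file hash. Returns a list of problems. */
function verify_install(string $root, string $manifest, string $sig, string $pubKey): array
{
    if (!sodium_crypto_sign_verify_detached($sig, $manifest, $pubKey)) {
        return ['manifest signature invalid'];
    }
    $problems = [];
    foreach (json_decode($manifest, true, 512, JSON_THROW_ON_ERROR) as $rel => $expected) {
        $path   = $root . '/' . $rel;
        $actual = is_file($path) ? hash_file('sha256', $path) : '';
        if (!hash_equals($expected, $actual)) {
            $problems[] = "modified or missing: $rel";
        }
    }
    return $problems;
}

// --- Constructed demo, vendor side: the private key never ships ---
$root = sys_get_temp_dir() . '/manifest_demo_' . bin2hex(random_bytes(4));
mkdir($root);
file_put_contents("$root/index.php", "<?php echo 'price: 100';\n");
$keypair  = sodium_crypto_sign_keypair();
$manifest = build_manifest($root, ['index.php']);
$sig      = sodium_crypto_sign_detached($manifest, sodium_crypto_sign_secretkey($keypair));
$pubKey   = sodium_crypto_sign_publickey($keypair); // only this is embedded in the product

// --- Client side: an untouched install reports no problems ---
var_dump(verify_install($root, $manifest, $sig, $pubKey));

// Same-length edit: the file size is unchanged, the content hash is not.
file_put_contents("$root/index.php", "<?php echo 'price: 999';\n");
var_dump(verify_install($root, $manifest, $sig, $pubKey));

unlink("$root/index.php");
rmdir($root);
```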


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    Alternatively, you can go into the Application Service Provider business ;) (this also works for GNU-y stuff)


  • Closed Accounts Posts: 1,819 ✭✭✭K!LL!@N


    I think we've decided to go with IonCube.
    The Zend encoder is ridiculously overpriced, for our needs anyway.
    The $900 is for a 1-year licence, it's over $2500 for a perpetual licence.

    We need to encode the source because certain clients will actually have the source and will run it themselves on their own servers.

    Killian


  • Closed Accounts Posts: 19,777 ✭✭✭✭The Corinthian


    I wonder what the effects on server load will be with the extra process of decryption running?


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    I wonder what the effects on server load will be with the extra process of decryption running?

    Zend Encoder works by compiling the code into an intermediate binary, somewhat similar to those used by Java and .NET. Modern PHP interpreters speak this binary, and in fact, I think, convert files to it as part of running them. As such, there should be no or negligible performance hit, and possibly even a minor performance rise. I gather IonCube is similar.

    If you use an obfuscator, all bets are off, but then using an obfuscator is a very silly thing to do anyway.


  • Closed Accounts Posts: 1,819 ✭✭✭K!LL!@N


    Yes, IonCube works in a similar way.
    There shouldn't be any performance hit.

    Killian


  • Registered Users Posts: 25 highonsnow


    I found a really cost effective solution to the task. It's called sourcecop.com and at a cost of $10, I definitely did not go wrong.

    IonCube and Zend are far too over-rated and commercial. If you want a good solution without breaking the bank, check this out. It's a simple basic program but take a look at what it produces. I notice no speed issues.


  • Closed Accounts Posts: 1,819 ✭✭✭K!LL!@N


    I did find source cop, but something seemed dodgy about it.
    It seemed to be a rip off of ioncube.

    Killian


  • Registered Users Posts: 1,865 ✭✭✭Syth


    K!LL!@N wrote:
    Yes, we'll be distributing the source to clients but want to maintain our control of the source.
    We don't want the client to be able to alter or reuse the source without our permission.

    You can place the code under a copyright licence that forbids the creation of derivative work and forbids copying. That's a legal solution, not a technical one.

    Though if you're giving a copy to the clients, what's to stop them reusing it? You'd need some kind of server side thing (your server) to control use of the code.


  • Closed Accounts Posts: 2,338 ✭✭✭aphex™


    Phtml Coder Pro lets you use a password. Dunno if it works differently to source cop.


  • Closed Accounts Posts: 1,819 ✭✭✭K!LL!@N


    Syth wrote:
    You can place the code under a copyright licence that forbids the creation of derivative work and forbids copying. That's a legal solution, not a technical one.

    Though if you're giving a copy to the clients, what's to stop them reusing it? You'd need some kind of server side thing (your server) to control use of the code.

    The copyright notice wouldn't make a difference.

    Obviously the client will be able to reuse the code for the purpose originally intended, that's fine. They've paid for that.
    What we don't want them doing is chopping up the source and using whatever they like from within it.
    If it's encoded they can use it for its original purpose but they won't be able to take parts of the source for their own use.

    Killian


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    highonsnow wrote:
    I found a really cost effective solution to the task. It's called sourcecop.com and at a cost of $10, I definitely did not go wrong.

    IonCube and Zend are far too over-rated and commercial. If you want a good solution without breaking the bank, check this out. It's a simple basic program but take a look at what it produces. I notice no speed issues.

    That's obfuscation and it's moderately trivial to break.


  • Registered Users Posts: 4,475 ✭✭✭corblimey


    K!LL!@N wrote:
    What we don't want them doing is chopping up the source and using whatever they like from within it.
    If it's encoded they can use it for its original purpose but they won't be able to take parts of the source for their own use.

    Just as a matter of interest, why not? I've developed a lot of php sites and as far as I'm concerned, once you pay for it, it's yours to do with what you will. You screw it up too much, pay me to fix it.

    Any clients I've worked with have always had contracts dictating who owns what at the end of the project. They pay well to gain full control of the source, and I make sure that they know that I might be reusing their code for other projects. Everyone's a winner. I'm surprised your clients haven't already claimed ownership of the code.


  • Closed Accounts Posts: 1,819 ✭✭✭K!LL!@N


    corblimey wrote:
    Just as a matter of interest, why not? I've developed a lot of php sites and as far as I'm concerned, once you pay for it, it's yours to do with what you will. You screw it up too much, pay me to fix it.

    Any clients I've worked with have always had contracts dictating who owns what at the end of the project. They pay well to gain full control of the source, and I make sure that they know that I might be reusing their code for other projects. Everyone's a winner. I'm surprised your clients haven't already claimed ownership of the code.

    Because they're paying to use the code, not the code itself.

    Killian


  • Registered Users Posts: 804 ✭✭✭TimTim


    Hmm you don't happen to work for vBulletin then? :p

    Why don't you look at how they do it. Personally, I'm not exactly sure but this is how I think it goes

    You have a license key, when you set it up it goes to the vBulletin server and auths you.

    How to do that in PHP? No idea, but it's just an idea really.


  • Registered Users Posts: 4,003 ✭✭✭rsynnott


    corblimey wrote:
    Just as a matter of interest, why not? I've developed a lot of php sites and as far as I'm concerned, once you pay for it, it's yours to do with what you will. You screw it up too much, pay me to fix it.

    Any clients I've worked with have always had contracts dictating who owns what at the end of the project. They pay well to gain full control of the source, and I make sure that they know that I might be reusing their code for other projects. Everyone's a winner. I'm surprised your clients haven't already claimed ownership of the code.

    They could sell the code on. That would be unpleasant. If the code contained proprietary processes, that would be even worse. If you're not doing anything too interesting (if it's just a CMS or some manner of DB frontend or something) then this prob'ly isn't a big deal.


  • Registered Users Posts: 4,475 ✭✭✭corblimey


    Ah, that might be it. I never do anything interesting in php :D.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    You could do a vBulletin job which involves storing the sensitive code inside the database. That way it would take a lot of work to get it out, modify it and put it back in. Why can't the client chop out the bits it wants anyway? I'm coding a system at the moment to remove the music management from iTunes and do it independently whilst updating my XML file - no harm to Apple, is it?

