Php code encryption open source

Contents

PHP Source Code Encryption

How to Protect PHP Code Techniques

PHP Source Code Protection Solutions

Free PHP Encoder Open Source

Commercial PHP Encoders List

PHP Encoder Features

PHP Encoder Advanced Support Details

Other PHP Encoder Features

Where to Find Free PHP Source Code Encoders?

Where to Find the Price and Buy Commercial PHP Scripts Encoders?

PHP Obfuscator PackApp.php

Download the PHP Code Obfuscator package 

Php code encryption open source

PHP Source Code Encryption

PHP developers are often faced with the problem of protection of their intellectual property after delivering their PHP software products to the customer. A EULA (End User License Agreement) or a proprietary license provides legal protection, but will not actually prevent unauthorized use of copies of the software product.

Compiling or encoding of the source code into some binary format would eliminate the problem but it imposes requirements regarding software that needs to run the compiled code in the customer server.

Using of the SaaS model could be another solution but it requires the vendor server support to be available 24/7.

When the product is to be installed in the client's server, usually it provides a standard environment like LAMP based stack. This article discusses how to protect a PHP application in this case.

PHP Source Code Protection Techniques

The PHP application in the client's server needs 2 kinds of protection:

  1. Prevent reading and modifying the application's source code
  2. Prevent redistribution of the entire application

The first measure to make the source code more difficult to read is the "minification". Removing the comments, white space and line breaks significantly reduces readability. However, it is not a problem to write a small script to reformat minified code to make it readable. The mnemonic identifier names are still informative enough to understand the code with some effort.

Another measure that may help here is obfuscation. Renaming the identifiers with random names makes the source code very hard to understand, alter or use.

The minified and obfuscated source code can still be copied and installed in any other server. So, the application must be locked to the client's site to prevent redistribution. There are several options for the locking the source code using: server IP address, site domain name, a specific URL, hardware (MAC) address. The application must include necessary functionality to verify the lock criteria before performing any actions.

PHP Source Code Protection Solutions

Basically there are 3 types of PHP code protection solutions: minifiers, obfuscators, and encoders.

Minifiers

Minifiers remove parts of the source code text that are not necessary. There are minifiers that take advantage of the PHP tokenizer to parse the source code into token values. The source code is rebuilt stripping the comments and whitespace.

The minified source code often needs further scrambling which can be performed either by encoding or obfuscation. The simplest encoding method is to use the base64_encode() and eval() functions to the minified source code or to use some encryption.

It is easy for any competent PHP programmer to decode a minified PHP script to view the original source code.

Obfuscators

An obfuscator turns regular PHP source code into an equivalent version that is harder to understand.

The most reliable way to build a lightweight obfuscator is to parse the source code lexically, replace the identifiers with meaningless names, and then rebuild the PHP source code. That must be done across all source code files including also the templates. Therefore many online tools are not suitable for this purpose because they process only individual scripts.

Encoders

Encoders compile PHP source code into Zend opcodes and store the result in files that replace the original PHP source files.

Some commercial encoders are very good but may require a loader extensions to load and execute the encoded PHP code. They often use encryption algorithms with secret keys to make it harder to extract the original Zend opcodes from the encoded PHP file.

Different Loader versions are supplied depending on the Web server but the customers may not want to (or cannot) install them.

Some encoders may provide optional locking features. The locking code is built in the encoded source and the check is made during the execution.

Free PHP Encoder Open Source

Some developers are looking for free Open Source PHP encoder solutions. However part of the protection that PHP encoders provide comes from the fact that the encryption keys and encoding algorithms PHP encoders use is proprietary.

Providing an Open Source PHP encoder solution would defeat the purpose of protecting PHP source code because it would make it easy to create decoders.

That is why there are no free or Open Source PHP encoder solutions.

Commercial PHP Encoders List

SourceGuardian

Developed by: SourceGuardian

PHTML Encoder

Developed by: RSSoftLab

Zend Guard

Developed by: Zend

  Version Release Date License Platform Min PHP Max PHP
SourceGuardian 11.1   Commercial Windows, Linux, MacOS X 4.3.4 7.1
ionCube Encoder 9.0     Windows, OS X, Linux, FreeBSD 4.1.0 5.6
Zend Guard 7.0   Commercial Linux, Windows, Mac OS X 4.2 5.6
NuCoder 3.1   Commercial Windows 4.3 5.3
PHTML Encoder 6.4   Commercial Windows, Linux, FreeBSD, Solaris, Mac OS X 4.2 5.6.3

PHP Encoder Features

  GUI Command Line Lock to IP, domains, Mac Addresses Lock to specific dates Encode non-PHP files Obfuscation
SourceGuardian Yes Yes Yes Yes Yes No
ionCube Encoder Yes Yes Yes Yes Yes Yes
Zend Guard Yes Yes Yes Yes No Yes
NuCoder Yes Yes No No No Yes
PHTML Encoder Yes Yes Yes No No Yes

PHP Encoder Advanced Support Details

Some PHP encoders have certain features that may provide better encoded code protection support. Below follows an explanation of each of these features.

  Max PHP source language Max PHP runtime language Files can run on newer PHP versions Algorithmic (dynamic) keys Runtime API Tools for assisting with Loader install License properties
SourceGuardian 7.1 7.1 No No Yes Yes Yes
ionCube Encoder 5.6 7.0 Yes Yes Yes Yes Yes
Zend Guard 5.6 5.6 No No No No No
NuCoder 5.3 5.3 ? No No Yes No
PHTML Encoder 5.4 5.6 ? No No Yes no

Max PHP source language - Highest version of PHP source code that is supported for encoding

Max PHP runtime language - Highest version of PHP source code that is supported for executing the encoded code. 

Files can run on newer PHP - Encoded PHP files can be executed on newer PHP versions

Algorithmic (dynamic) keys - A stronger method for encrypting code as no decryption key is stored anywhere.

Runtime API - Vendor specific PHP functions for operations such as querying license and encoded file information.

Tools for assisting with Loader install - Does the product provide tools to help installing the Loader extension to make encoded files be executed on the server.

License properties - License specific key/value data which is accessible via the runtime API.

Other PHP Encoder Features

Some PHP encoders have features that are not yet listed here for side by side comparison. Eventually those features will be added later on a future edition of this article.

Therefore PHP encoder producers were invited to describe some of the most important features of their PHP encoders that they consider important for the PHP developers.

ionCube Encoder

ionCube Encoder not only has all the expected encoding and licensing features but also compatibility of encoded files on future PHP versions and unique security such as Dynamic KeysDynamic Keys allow code to be encrypted with no decryption key being stored making the theft of code next to impossible.

SourceGuardian

SourceGuardian supports advanced bytecode protection, encryption with a custom key, advanced encryption with locking to IP/domain/MAC address, locking to a license file, setting expiry date, optional remote time servers check, advanced error handling.

Where to Find Free PHP Source Code Encoders?

All known PHP encoders are commercial but most of them have free trial versions that you can try for a period of time.

ionCube Encoder

NuCoder (14 days trial)

PHTML Encoder

SourceGuardian (14 days trial)

Zend Guard (14 days trial)

Where to Find the Price and Buy Commercial PHP Scripts Encoders?

Each of the available commercial PHP encoders can be purchased in the respective vendor sites.

PHP Obfuscator PackApp.php

The PHP Application Packer package fills the gap between simple obfuscators and ultimate tools. For this package packing means minifying, obfuscation, compressing with ZIP.

PackApp.php packs the project files: minifies the source (HTML, CSS, JavaScript, JSON, PHP, XML), obfuscates the code (JavaScript, PHP) and compresses the resulting files. The source code can be either a single file or a folder which may have sub-folders. The result is either a packed file or a folder with the packed files. The ZIP archives are handled also: folder-to-zip, zip-to-folder, zip-to-zip.

You can try the single-file demo here.

Main features and benefits:

  • Packs an entire project at once
  • Suitable for back-end and front-end projects
  • Processes different source types and embedding
  • Minification and obfuscation are separated
  • Lightweight and compatible as it is written in PHP
  • No system extensions and encoding is required

A Web based user interface is supplied to control the packing process with several options.

Php code encryption open source

The PackApp can be called also from PHP script as explained in this description page.

The PackApp installation includes the registration which ties the package to the customer's web-directory. That could be a pattern for your own locking solution.

Php code encryption open source

The package's source code itself is minified and obfuscated - try to undo it! You can obtain the full version of the PackApp from here.

Download the PHP Code Obfuscator package

So just as a lock won't prevent others from breaking into your house obfuscation won't prevent others from using your code, it will just make it harder for them. The goal of the PackApp package is to make reverse engineering rather expensive to attempt to do that.

Sometimes it's enough to minify only, sometimes obfuscation is required to achieve necessary protection, or locking must be applied. The choice depends on particular application and business model.

Using any free solution is often not satisfactory. If it seems too much to pay a few tens of dollars for the utility, then probably that source code does not need the protection at all.

If you are looking for all-in-one protection, then you should be ready to pay 10 times more (maybe every year) and your client should be ready to install web-server extensions. In most cases an intermediate solution like PackApp is suitable for many independent software vendors.

You can download the PackApp package as a ZIP archive or install it using the PHP composer tool with instructions on the download page.

If you liked this article or you have questions about protecting your PHP source code using PackApp, post a comment here.

Can PHP code be encrypted?

PHP Encryption and PHP Obfuscation Solution Features With Zend Guard, developers can encode their PHP script at any time during the development process, protecting PHP code prior to distribution or publishing.

How can I protect my PHP source code for free?

The only way to really protect your php-applications from other, is to not share the source code. If you post you code somewhere online, or send it to you customers by some medium, other people than you have access to the code. You could add an unique watermark to every single copy of your code.

What is encryption in PHP?

PHP encryption is important to the privacy and safety of your data. In practical terms, PHP encryption uses algorithms (sometimes called hashing algorithms) to translate the “clear” data into encrypted text that requires very specific decryption processes to “decode” the data back to the clean version.

How do I decode a PHP file?

'1XA0E06tDu3v6B6UpuAli16LtnXxz0h0E1dLdRZSpQYRzsZLlndLr9LUzBLypmv' . eval function will execute the decoded PHP code. So you can try to replace eval(ivq($zkahl, $viici)); with echo(ivq($zkahl, $viici)); and check the output.