PHP Classes
PHP Classes
elePHPant
Icontem

How to Protect PHP Source Code Free, Open Source and Commercial Solutions - Source Code Protection Software Obfuscator, Encoding to Encrypt and Secure Applications Code - PHP Application Packer package blog

Recommend this page to a friend!
  All package blogs All package blogs   PHP Application Packer PHP Application Packer   Blog PHP Application Packer package blog   RSS 1.0 feed RSS 2.0 feed   Blog How to Protect PHP So...  
  Post a comment Post a comment   See comments See comments (7)   Trackbacks (0)  

Author:

Updated on: 2017-07-27

Posted on:

Package: PHP Application Packer

Many PHP developers need to protect their source code when they distribute it to customers, to minimize the chances of their work being altered or copied without their permissions.

Read this article to learn about PHP source code protection solutions in general, and how PackApp package can help protecting your PHP source code.




Contents

PHP Source Code Encryption

How to Protect PHP Code Techniques

PHP Source Code Protection Solutions

Free PHP Encoder Open Source

Commercial PHP Encoders List

PHP Encoder Features

PHP Encoder Advanced Support Details

Other PHP Encoder Features

Where to Find Free PHP Source Code Encoders?

Where to Find the Price and Buy Commercial PHP Scripts Encoders?

PHP Obfuscator PackApp.php

Download the PHP Code Obfuscator package 

PHP Source Code Encryption

PHP developers are often faced with the problem of protection of their intellectual property after delivering their PHP software products to the customer. A EULA (End User License Agreement) or a proprietary license provides legal protection, but will not actually prevent unauthorized use of copies of the software product.

Compiling or encoding of the source code into some binary format would eliminate the problem but it imposes requirements regarding software that needs to run the compiled code in the customer server.

Using of the SaaS model could be another solution but it requires the vendor server support to be available 24/7.

When the product is to be installed in the client's server, usually it provides a standard environment like LAMP based stack. This article discusses how to protect a PHP application in this case.

PHP Source Code Protection Techniques

The PHP application in the client's server needs 2 kinds of protection:

  1. Prevent reading and modifying the application's source code
  2. Prevent redistribution of the entire application

The first measure to make the source code more difficult to read is the "minification". Removing the comments, white space and line breaks significantly reduces readability. However, it is not a problem to write a small script to reformat minified code to make it readable. The mnemonic identifier names are still informative enough to understand the code with some effort.

Another measure that may help here is obfuscation. Renaming the identifiers with random names makes the source code very hard to understand, alter or use.

The minified and obfuscated source code can still be copied and installed in any other server. So, the application must be locked to the client's site to prevent redistribution. There are several options for the locking the source code using: server IP address, site domain name, a specific URL, hardware (MAC) address. The application must include necessary functionality to verify the lock criteria before performing any actions.

PHP Source Code Protection Solutions

Basically there are 3 types of PHP code protection solutions: minifiers, obfuscators, and encoders.

Minifiers

Minifiers remove parts of the source code text that are not necessary. There are minifiers that take advantage of the PHP tokenizer to parse the source code into token values. The source code is rebuilt stripping the comments and whitespace.

The minified source code often needs further scrambling which can be performed either by encoding or obfuscation. The simplest encoding method is to use the base64_encode() and eval() functions to the minified source code or to use some encryption.

It is easy for any competent PHP programmer to decode a minified PHP script to view the original source code.

Obfuscators

An obfuscator turns regular PHP source code into an equivalent version that is harder to understand.

The most reliable way to build a lightweight obfuscator is to parse the source code lexically, replace the identifiers with meaningless names, and then rebuild the PHP source code. That must be done across all source code files including also the templates. Therefore many online tools are not suitable for this purpose because they process only individual scripts.

Encoders

Encoders compile PHP source code into Zend opcodes and store the result in files that replace the original PHP source files.

Some commercial encoders are very good but may require a loader extensions to load and execute the encoded PHP code. They often use encryption algorithms with secret keys to make it harder to extract the original Zend opcodes from the encoded PHP file.

Different Loader versions are supplied depending on the Web server but the customers may not want to (or cannot) install them.

Some encoders may provide optional locking features. The locking code is built in the encoded source and the check is made during the execution.

Free PHP Encoder Open Source

Some developers are looking for free Open Source PHP encoder solutions. However part of the protection that PHP encoders provide comes from the fact that the encryption keys and encoding algorithms PHP encoders use is proprietary.

Providing an Open Source PHP encoder solution would defeat the purpose of protecting PHP source code because it would make it easy to create decoders.

That is why there are no free or Open Source PHP encoder solutions.

Commercial PHP Encoders List

ionCube Encoder

Developed by: ionCube

NuCoder

Developed by: NuSphere

SourceGuardian

Developed by: SourceGuardian

PHTML Encoder

Developed by: RSSoftLab

Zend Guard

Developed by: Zend

 VersionRelease DateLicensePlatformMin PHPMax PHP
SourceGuardian11.1 CommercialWindows, Linux, MacOS X4.3.47.1
ionCube Encoder9.0  Windows, OS X, Linux, FreeBSD4.1.05.6
Zend Guard7.0 CommercialLinux, Windows, Mac OS X4.25.6
NuCoder3.1 CommercialWindows4.35.3
PHTML Encoder6.4 CommercialWindows, Linux, FreeBSD, Solaris, Mac OS X4.25.6.3

PHP Encoder Features

 GUICommand LineLock to IP, domains, Mac AddressesLock to specific datesEncode non-PHP filesObfuscation
SourceGuardianYesYesYesYesYesNo
ionCube EncoderYesYesYesYesYesYes
Zend GuardYesYesYesYesNoYes
NuCoderYesYesNoNoNoYes
PHTML EncoderYesYesYesNoNoYes

PHP Encoder Advanced Support Details

Some PHP encoders have certain features that may provide better encoded code protection support. Below follows an explanation of each of these features.

 Max PHP source languageMax PHP runtime languageFiles can run on newer PHP versionsAlgorithmic (dynamic) keysRuntime APITools for assisting with Loader installLicense properties
SourceGuardian7.17.1NoNoYesYesYes
ionCube Encoder5.67.0YesYesYesYesYes
Zend Guard5.65.6NoNoNoNoNo
NuCoder5.35.3?NoNoYesNo
PHTML Encoder5.45.6?NoNoYesno

Max PHP source language - Highest version of PHP source code that is supported for encoding

Max PHP runtime language - Highest version of PHP source code that is supported for executing the encoded code. 

Files can run on newer PHP - Encoded PHP files can be executed on newer PHP versions

Algorithmic (dynamic) keys - A stronger method for encrypting code as no decryption key is stored anywhere.

Runtime API - Vendor specific PHP functions for operations such as querying license and encoded file information.

Tools for assisting with Loader install - Does the product provide tools to help installing the Loader extension to make encoded files be executed on the server.

License properties - License specific key/value data which is accessible via the runtime API.

Other PHP Encoder Features

Some PHP encoders have features that are not yet listed here for side by side comparison. Eventually those features will be added later on a future edition of this article.

Therefore PHP encoder producers were invited to describe some of the most important features of their PHP encoders that they consider important for the PHP developers.

ionCube Encoder

ionCube Encoder not only has all the expected encoding and licensing features but also compatibility of encoded files on future PHP versions and unique security such as Dynamic KeysDynamic Keys allow code to be encrypted with no decryption key being stored making the theft of code next to impossible.

SourceGuardian

SourceGuardian supports advanced bytecode protection, encryption with a custom key, advanced encryption with locking to IP/domain/MAC address, locking to a license file, setting expiry date, optional remote time servers check, advanced error handling.

Where to Find Free PHP Source Code Encoders?

All known PHP encoders are commercial but most of them have free trial versions that you can try for a period of time.

ionCube Encoder

NuCoder (14 days trial)

PHTML Encoder

SourceGuardian (14 days trial)

Zend Guard (14 days trial)

Where to Find the Price and Buy Commercial PHP Scripts Encoders?

Each of the available commercial PHP encoders can be purchased in the respective vendor sites.

PHP Obfuscator PackApp.php

The PHP Application Packer package fills the gap between simple obfuscators and ultimate tools. For this package packing means minifying, obfuscation, compressing with ZIP.

PackApp.php packs the project files: minifies the source (HTML, CSS, JavaScript, JSON, PHP, XML), obfuscates the code (JavaScript, PHP) and compresses the resulting files. The source code can be either a single file or a folder which may have sub-folders. The result is either a packed file or a folder with the packed files. The ZIP archives are handled also: folder-to-zip, zip-to-folder, zip-to-zip.

You can try the single-file demo here.

Main features and benefits:

  • Packs an entire project at once
  • Suitable for back-end and front-end projects
  • Processes different source types and embedding
  • Minification and obfuscation are separated
  • Lightweight and compatible as it is written in PHP
  • No system extensions and encoding is required

A Web based user interface is supplied to control the packing process with several options.

PackApp GUI

The PackApp can be called also from PHP script as explained in this description page.

The PackApp installation includes the registration which ties the package to the customer's web-directory. That could be a pattern for your own locking solution.

PackApp Install

The package's source code itself is minified and obfuscated - try to undo it! You can obtain the full version of the PackApp from here.

Download the PHP Code Obfuscator package

So just as a lock won't prevent others from breaking into your house obfuscation won't prevent others from using your code, it will just make it harder for them. The goal of the PackApp package is to make reverse engineering rather expensive to attempt to do that.

Sometimes it's enough to minify only, sometimes obfuscation is required to achieve necessary protection, or locking must be applied. The choice depends on particular application and business model.

Using any free solution is often not satisfactory. If it seems too much to pay a few tens of dollars for the utility, then probably that source code does not need the protection at all.

If you are looking for all-in-one protection, then you should be ready to pay 10 times more (maybe every year) and your client should be ready to install web-server extensions. In most cases an intermediate solution like PackApp is suitable for many independent software vendors.

You can download the PackApp package as a ZIP archive or install it using the PHP composer tool with instructions on the download page.

If you liked this article or you have questions about protecting your PHP source code using PackApp, post a comment here.




You need to be a registered user or login to post a comment

Login Immediately with your account on:

FacebookGmail
HotmailStackOverflow
GitHubYahoo


Comments:

4. Great Article - Jojo Bentu (2017-07-20 16:03)
A good informative article... - 0 replies
Read the whole comment and replies

3. great for locking your code from web hosting service providers - Wamala Phillip (2016-03-03 11:25)
great for locking your code from web hosting service providers... - 0 replies
Read the whole comment and replies

2. problems with variable variables - Csongor Halmai (2016-03-03 01:45)
problems with variable variables... - 2 replies
Read the whole comment and replies

1. Very nice package - Ezra Obiwale (2016-03-02 13:20)
Good work.... - 1 reply
Read the whole comment and replies



  Post a comment Post a comment   See comments See comments (7)   Trackbacks (0)  
  All package blogs All package blogs   PHP Application Packer PHP Application Packer   Blog PHP Application Packer package blog   RSS 1.0 feed RSS 2.0 feed   Blog How to Protect PHP So...