TL;DRA simplistic technique that you can use to protect yourself "against curious looks" and have a basic type (low) of "security" is ♪ Ofusing ♪ the code. It is possible to obtain higher safety with overuscators bytecode, however the available tools (which I know) are paid and require the installation of extensions in PHP, which would not be possible in shared hosting, for example.MotivationParticularly, for several years I used a simple technique of overuscation when I developed a CMS (Content Management System) own that was installed on websites of several clients, i.e., lodgings that were in power of them. This was when the PHAR extension was still experimental.My goal with the offuscation was to prevent any (pseudo-webdesigner) "joint" who knew how to use FTP client from starting to spin on the system, trying to copy to another site, etc. In fact, it has already occurred from a curious client, given the understanding, snooping the source to try to circumvent certain validations. So it was a kind of "security" ♪ For dams ♪".Implementation SimplisticI knew that the "security" obtained via overuscation was only against whiskers without programming training, so I used a very simple technique.First I installed http://www.phing.info/ , a kind of Ant for PHP, so that I could automate the process of obfuscation.Then I created one task where, for each file:He used the method http://www.php.net/manual/en/function.php-strip-whitespace.php to clear the source code.It codified content on base 64 and put it on a String.The result was placed in a new file in a parallel folder structure, which used a eval to manage the code.The code was very similar to this one, which I found in https://stackoverflow.com/questions/232736/code-obfuscator-for-php :<?php
$infile=$_SERVER['argv'][4];
$outfile=$_SERVER['argv'][5];
if (!$infile || !$outfile) {
die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);
The biggest difference is that originally I did not capture the output in a variable or used compression.Note that this is an extremely simplistic approach. For example, this technique does not take into account performance. In the personal example I quoted there was no noticeable impact, but if there is volume of accesses and/or a reasonable amount of files this should be a concern. In addition, it is easy for a developer to decompose the original code."market" solutionsInstead of reinventing the wheel, there are some tools that you can use to make the offuscation. In fact, some come to store and overshine the bytecode, what goes against the part of the question regarding performance.Note that I have no experience with these tools, since they didn't even exist when I needed it. However, I suggest you do some tests and check for yourself, trying to reverse the overuscation, if you are able to do it and with what difficulty. In addition, calculate the difference in the time of a request when using a "normal" code and a "compiled" or overused code. https://github.com/Eccenux/POBS A free-code offender who, in addition to overshadowing the code in general, changes role names and variables so as to make reading difficult even if reverse engineering is done. http://www.phpprotect.info/obfuscation.php A free tool that processes all scripts in a folder. It probably uses a simple technique of obfuscation. http://www.semanticdesigns.com/Products/Obfuscators/PHPObfuscator.jsp?Home=PHPTools Paid tool. It says using a different technique to improve the performance of the offended script. http://www.ioncube.com/php_encoder.php Paid tool that allows you to store bytecode, encrypt it, overshine it, add an expiration time, restrict use to a MAC Address, etc. She already has one task Phing called http://www.phing.info/docs/stable/hlhtml/index.html#IoncubeEncoderTask to process the files automatically.This is one of the most complete tools in the category. However, for the execution of the encoded files, it is necessary to install an extension in PHP. Therefore this solution is inviable to shared hosts. http://www.zend.com/en/products/guard/ Zend's paid tool (company that develops PHP) that allows you to overuse the code and protect the script execution in a variety of ways (similar to the one previously described in IconCube).ConsiderationsNo protection guarantees 100% safety. Even the best paid solutions presented above are not 100% safe. The website http://zendecode.com/ , for example, claims to instantly decompile code from Zend Guard and IconCube.Anyway, in my opinion, the best protection is not in the code, but in offering services with quality and excellence. After all, for our happiness or unhappiness, there are not many good software providers out there and copying your code (unless this contains some sensitive information) will not give many competitive advantages to possible competitors.
