PHP source encryption - efficiency and disadvantages

I have PHP source code that I host with the XYZ hosting company. I use PHP encryption software, such as Zend Guard or ionCube, to protect the source from being viewed by anyone (a sysadmin or a hacker who breaks into the system administrator's account).

  • How easy / difficult is it for someone who has full access to the system (for example, a sysadmin or a hacker who cracks the sysadmin account) to decrypt the source code? I do not know how encryption software works, but I assume that it uses some kind of key that should remain on the server and is therefore available to the system administrator or hacker. If you are technically knowledgeable about practical methods, feel free to offer explanations in your answer.

  • Is this kind of source encryption used on sites? If someone has first-hand experience or knows someone who has first-hand experience ;)

I am interested in the technical aspects of this: how effective encryption is, and its drawbacks, from those who have used it or have considered using it.

Thank you (all helpful answers / comments voted)

Edit: The answers still seem to ignore what I'm trying to understand. I am trying to understand the effectiveness of encryption. I don't really have code that needs protection from the bad guys, it was just an example, so advice like open source or hiring a lawyer doesn't really affect my technical curiosity. A + to everyone who gets the point.

+6
security php encryption obfuscation
6 answers

Encryption schemes (or encoders) try to hide your code as an encrypted file. Obviously, the code must be decrypted at runtime, which adds extra overhead. Some of them also insist that the host system set up special procedures, which hosters strongly dislike, because they do not want to maintain special configurations just for you. But the bad part is that they contain the seeds of their own destruction: to run on the target host, they must contain the decryption software. Therefore, if you use one, you deliver the very decoder needed to get the code. It only has to be found; once found, your code is fully decrypted and exposed. They are simply not safe.

Obfuscation schemes scramble identifier names and delete comments and formatting. But the obfuscated code works exactly like the original, without any overhead, and no special support at run time is required. Obfuscators depend on the inherent difficulty of understanding programs in general. Programs are hard enough to understand when they are well designed, the names are well chosen, and there are good comments in the code. We all hope that our programs are well designed, but if the names are bad and the comments are gone, they are pretty hard to understand. Consider your own experience with other people's code.

People will say: "But someone can inspect the obfuscated code and understand it." This is true if you have a tiny application. If your application has any scale (tens of pages of code), it is very difficult to understand what it does when all variable names are scrambled. The larger your code, the better obfuscation protects it.

If you want to see examples of what a single PHP obfuscator does, see our Thicket PHP Obfuscator.

+7

Neither Zend Guard nor ionCube uses encryption, in the mathematical sense, to protect your code. What they do, other than the obfuscation already described by the other answers, is encoding.

This is a process that is usually performed by the PHP interpreter every time you access your script: your PHP script is compiled into a bytecode format, which is then executed. What encoders such as Zend Guard and ionCube do is essentially an equivalent process, only once, and then only the "compiled" bytecode is made available / uploaded to the server.

This means that actually re-creating the same code that you once wrote is completely impossible. What is not impossible, and this also applies to obfuscation, is reverse engineering the compiled or obfuscated code to find out what it does.

To summarize, I would say that these products protect your code very well - as opposed to protecting your logic.

+7

Why do you need to encrypt the source code? If you are doing this as protection against potential hackers, then please believe me when I say that if they really want to decrypt your source code, they will do it. This is possible with ionCube, the last time I checked.

In terms of performance, I find that Zend is a bit slower than ionCube because it does not require additional files. But, as I said, do not rely on encryption for anything.

+2

If it can be executed, it can be decompiled. Stick to your legal team for access to rights, not for encryption. Better yet, open source your project :P

EDIT: "Encryption" also significantly increases the execution time!

+1

The only thing you can do against the hosting company is to have a good license and a lawyer.

0

As far as I know, PHP encoders do not actually encode your PHP code. They just change the names of the variables and add unnecessary garbage code, so it's VERY hard to understand what the code does. The problem is that they cannot hide the password (whether it is a hard administrator password or database connection data).

Thus, they do not guarantee that your code will be safe, it is simply very difficult for them to understand it.

-1
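
An added example, not part of the original answers and not how Zend Guard, ionCube or any real obfuscator is implemented: a toy identifier-scrambling pass built on PHP's `token_get_all()`. It shows the transformation the first answer describes (names scrambled, comments and formatting removed) and the limit the last answer points out: string literals, such as a database password, pass through unchanged. `toyObfuscate()` is a hypothetical name, and the sample source and credential are constructed.

```php
<?php
// Illustration only: toyObfuscate() is a hypothetical helper, not a product's API.
function toyObfuscate(string $source): array
{
    $map = [];       // original variable name => scrambled name
    $literals = [];  // string literals that survive the pass untouched
    $out = '';
    foreach (token_get_all($source) as $token) {
        if (!is_array($token)) {          // one-character tokens such as ; = ( )
            $out .= $token;
            continue;
        }
        [$id, $text] = $token;
        switch ($id) {
            case T_COMMENT:
            case T_DOC_COMMENT:
                break;                    // comments are deleted
            case T_WHITESPACE:
                $out .= ' ';              // formatting is collapsed
                break;
            case T_VARIABLE:
                // $this and superglobals ($_GET, $_POST, ...) must keep their names
                if ($text === '$this' || $text[1] === '_') {
                    $out .= $text;
                    break;
                }
                $map[$text] ??= '$v' . count($map);
                $out .= $map[$text];
                break;
            case T_CONSTANT_ENCAPSED_STRING:
                $literals[] = $text;      // renaming cannot change literal values
                $out .= $text;
                break;
            default:
                $out .= $text;
        }
    }
    return [$out, $literals];
}

// Constructed sample input; the password is a made-up placeholder.
$sample = <<<'PHP'
<?php
// connect to the billing database
$dbPassword = 'example-only-password';
$conn = new PDO('mysql:host=db.example;dbname=shop', 'app', $dbPassword);
PHP;

[$obfuscated, $literals] = toyObfuscate($sample);
echo $obfuscated, "\n";
print_r($literals);   // the credential and DSN are listed verbatim
```

Running the same literal listing over real obfuscator output before it is uploaded is a quick check that no credentials are being shipped in the code; secrets belong in configuration the host injects at run time, not in source.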
