obfuscation

[callumacrae]

Whats the best way to obfuscate a PHP file?

~Callum

[lemon-tree]

There is no simple way to do it without either using a convoluted calling method or by using a PHP compiler, however compiling generally needs full access to the server as the compiled PHP may either be an Apache mod file or a fully individual executable. Plus the compiled code will not be very distributable as it is built for a particular server OS etc. If there was any good way of doing it, you'd be seeing it in use by all the forum makers etc as they want to protect their code (Excluding the open source ones).
If you fancy a challenge, try compiling and installing HipHop (Used and built by FaceBook) and then use it to build your code. It will create a full individual server executable that can then be run through the command line much like Apache etc but is completely specified to match your codebase.

[bdistler]

I use "PHP Obfuscator"

from http://www.raizlabs.com/software/phpobfuscator/

The software is free and you can use it in commercial projects

No special server side libraries or server components
but only for winXP and up

For big projects ($$$$) I use "Zend Guard"
from http://www.zend.com/en/products/guard/

[bhupendra2895]

It means that if some bug in apache causes php files to display their contents, then user will not be able to see anything?I didin't knew about this.This thing work in shared hosting or requires some server setup (VPS/Dedicated hosting).

[callumacrae]

I've been researching a bit, it looks like most of the ways are rubbish. For example:

Code:

$hash="\md\5h\as\h0";@eval("encrypted code");

I've seen quite a few do that, simple changing eval() to echo() will echo the PHP code; not very secure

I'll look into Zend Guard, but doesn't that require some software on the server?

~Callum

[callumacrae]

Oh also @bhupendra:

Obfuscation means that the code isn't editable or viewable. If you're selling code, the customer will not be able to edit the code, so if they need an edit they will come back to you.

Yes, it also stop bugs in Apache becoming massive security errors, too

~Callum

[bdistler]

I've been researching a bit, it looks like most of the ways are rubbish. For example:

Code:

$hash="\md\5h\as\h0";@eval("encrypted code");

I've seen quite a few do that, simple changing eval() to echo() will echo the PHP code; not very secure

I'll look into Zend Guard, but doesn't that require some software on the server?

~Callum

"Zend Guard" == yes -- AND $$$
"PHP Obfuscator" == no -- NO $$$

Obfuscator will also help you when someone gets inside the server
and gets your code.

[fretwizz]

"Zend Guard" == yes -- AND $$$
"PHP Obfuscator" == no -- NO $$$

Obfuscator will also help you when someone gets inside the server
and gets your code.

How does it help once someone gets your code?

[bdistler]

How does it help once someone gets your code?

If someone gets into you site via FTP they can get you script add a 'bug'
of some type to run a script and put both your script and theirs back on your site
- this is the "Big" thing

I had this on my site at 1and1.com hosting

If they can not edit you scrip (can not read it) they can not add the "Bug"

If they just take your scripts they can not read them to make a edit
so they can use them

[callumacrae]

I thought Zend Guard was free? :/

~Callum