PHP Obfuscation

[driveflexfuel]

I am looking for some advice on protecting my code. I know there are php obfuscators out there, but are they really worth my time. What are your thoughts on protecting my code.

[Scoochi2]

PHP already has all the obfuscation you need.
When it runs, PHP code is invisible, and will only output whatever you choose to output. Usually, a PHP page will look like it contains plain HTML, although it could be a picture or anything else you choose to make.

The only exception is when you are sending your PHP files in a non supported format (such as being saved .txt) or when uploaded to a server without PHP installed. Generally, the only time you will send such is when you are sharing your code, in which case obfuscation would be pointless.


Overall, obfuscation for PHP is quite a lot of hindrance, and no plus points.

[misson]

What do you want to protect your code from?

[diabolo]

I might be going off topic and sorry if I hi-jack your thread. When I was reading this, it made me remember of something.

Well actually I remember reading somewhere that if you are on a shared server and it has SSH. That other users can read your files? can anyone clarify if its true or not?

[zapzack]

it depends on if they have permission to read your files.. usually they do not..

[garrettroyce]

My 2 cents on obfuscation:

1. Obfuscating code is very easily undone. It's trivial at best for an experienced programmer to reverse engineer your code. It is just a matter of time.

For example:

Code:

function abc($x) { // this function prints out array $x
    foreach ($x as $y) {
        echo "<td>$y</td>\n";
    }
}

becomes

Code:

function _a234aa235b($_2342q2245143){foreach($_2342q2245143 as $_asde323fassdf){echo"<td>$_asde323fassdf</td>";}}

It doesn't take much imagination to figure out what is happening here, especially since builtin functions and key words don't change.


2. Encrypting your code cannot be undone. But, the only users who can run your code will be those that are on servers supporting the encryption (see ioncube or zend encryption).

For example the same php code from before might become:

Code:

aksjdtp24qipwahsdasdfj3h2g0wha0sdognjfiodfjh0aweht[eawpsdgasdjfahbn093h23

Without the right software, nothing can read that.


Either solution is not very beneficial to you or your users.

As far as someone reading your code by typing in the URL, it's 99% impossible unless:
1. You have an error in your code.
2. You use the function to display your code.
3. You edit your .htaccess to disassociate the .php extension with php
4. Someone hacks into your FTP, webdisk, or CPanel
5. Someone finds an exploit in your code and manages to execute 1-4

[misson]

Well actually I remember reading somewhere that if you are on a shared server and it has SSH. That other users can read your files? can anyone clarify if its true or not?

You should have started a new thread for this.

Read up on Unix file permissions. By default, files have global read access (google "umask" for more info), which gives any process read access. A user doesn't need shell access to read your globally readable files; zhe can write a script which will run as the user that can access such files.

To prevent most users from reading a file, remove global read access. To protect all files below a given directory, remove the global execute permission from the directory. You may or may not want to remove group read access. Any of these changes will cause problems for system processes than need to access the files. The web server for a site on a multi-site host (such as x10) generally runs under your user account, so removing global read won't cause problems for it.