PHP Source Code Protection Techniques
A PHP application deployed on the client's server needs 2 kinds of protection:
- Prevent reading and modifying the application's source code
- Prevent redistribution of the entire application
The first measure to make the source code more difficult to read is minification. Removing the comments, white space and line breaks significantly reduces readability. However, a small script is enough to reformat minified code and make it readable again, and the mnemonic identifier names are still informative enough to understand the code with some effort.
Another measure that may help here is obfuscation. Renaming the identifiers with random names makes the source code very hard to understand, alter or use.
The minified and obfuscated source code can still be copied and installed on any other server. So, the application must be locked to the client's site to prevent redistribution. Several criteria can be used to lock the source code: the server IP address, the site domain name, a specific URL, or the hardware (MAC) address. The application must include the necessary functionality to verify the lock criteria before performing any actions.
PHP Source Code Protection Solutions
Basically there are 3 types of PHP code protection solutions: minifiers, obfuscators, and encoders.
Minifiers
Minifiers remove parts of the source code text that are not necessary. There are minifiers that take advantage of the PHP tokenizer to parse the source code into token values. The source code is rebuilt stripping the comments and whitespace.
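The tokenizer approach described above, as an added example that is not part of the original page or of any particular minifier. The function names, the spacing rule and the sample input are assumptions made for illustration, and PHP 7.4 or later is assumed.

```php
<?php
// Added example (not the page's code): tokenizer-based minifier. Assumes PHP 7.4+.
const SKIPPED = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
// Gluing needs a space for: two identifier chars, "+ +" / "- -", "." beside a digit or ".".
const MUST_SEPARATE = '/^(?:[\w\\\\\x80-\xff]{2}|[+-]{2}|\d\.|\.[\d.])$/';

function minify_php(string $source): string
{
    $out = '';
    $gap = false; // whitespace or a comment was dropped since the last kept token
    foreach (token_get_all($source) as $token) {
        // Tokens are [id, text, line] arrays, or bare strings for single characters.
        [$id, $text] = is_array($token) ? $token : [null, $token];
        if (in_array($id, SKIPPED, true)) {
            $gap = true;
            continue;
        }
        if ($gap && preg_match(MUST_SEPARATE, substr($out, -1) . $text[0])) {
            $out .= ' ';
        }
        $out .= $text;
        $gap = false;
    }
    return $out;
}

// Token texts with whitespace and comments ignored, for comparing two sources.
function significant_tokens(string $source): array
{
    $kept = array_filter(token_get_all($source), fn($t) => !in_array($t[0], SKIPPED, true));
    return array_values(array_map(fn($t) => is_array($t) ? $t[1] : $t, $kept));
}

// Constructed sample input.
$sample = <<<'SRC'
<?php
/** Invoice helper (constructed sample). */
function total(array $items, float $rate)   // rate is a fraction
{
    $sum = 0;
    foreach ($items as $item) {
        $sum = $sum + +$item['price'];   # unary plus must not become "++"
    }
    return 'Total:  ' . 1 * $sum * (1 + $rate);
}
SRC;
$min = minify_php($sample);
echo $min, "\n";
var_dump(significant_tokens($sample) === significant_tokens($min)); // self-check on the token stream
```

Identifier names and string literals pass through unchanged, so the output is smaller but no harder to understand once it is reformatted.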
The minified source code often needs further scrambling, which can be performed either by encoding or by obfuscation. The simplest encoding method is to apply the base64_encode() and eval() functions to the minified source code, or to use some encryption.
It is easy for any competent PHP programmer to decode a minified PHP script to view the original source code.
Obfuscators
An obfuscator turns regular PHP source code into an equivalent version that is harder to understand.
The most reliable way to build a lightweight obfuscator is to parse the source code lexically, replace the identifiers with meaningless names, and then rebuild the PHP source code. That must be done consistently across all source code files, including the templates. Many online tools are therefore not suitable for this purpose, because they process only individual scripts.
Encoders
Encoders compile PHP source code into Zend opcodes and store the result in files that replace the original PHP source files.
Some commercial encoders are very good but may require a loader extension to load and execute the encoded PHP code. They often use encryption algorithms with secret keys to make it harder to extract the original Zend opcodes from the encoded PHP file.
Different loader versions are supplied depending on the Web server, but the customers may not want to (or cannot) install them.
Some encoders may provide optional locking features. The locking code is built in the encoded source and the check is made during the execution.