At one time or another, a software developer is faced with a potentially troublesome issue. When all the programming is done and it's time to distribute the actual program, the question arises: How do I protect my intellectual property from being misused, changed and sold by a potential user of my program? Of course there are copyrights, but not all users might be aware of them or care about them.
Usually this is not a problem when using ordinary executable files. The customer would have a hard time opening the file in a debugger, figuring out the assembler code and modifying the content. This process is called reverse engineering, and for some people it is an art.

The problem is a bit trickier when programming in an open format such as ASP, PHP or any type of scripting. The program is easily readable, and sometimes ingenious and potentially lucrative algorithms could fall into the wrong hands.

[Figure: unencrypted PHP script, clearly visible and easy to modify]
But there is a solution. This article focuses on how to protect your PHP scripts using obfuscation techniques that make the program unreadable for humans but still fully functional for a computer.

[Figure: encrypted PHP script, hard to read and nearly impossible to modify]
One thing separates these programs into two types. Type One programs need additional software installed on the hosting server in order to run. This means that the administrator (most often not you) will have to modify something on the server where the encrypted files will be executed. In turn, this means an additional layer of time-consuming work when distributing your software. Sometimes this is okay, but most often not.
Type Two programs don't need additional software installed on the server. PHP Obfuscator falls into this category. Theoretically it is possible to have a higher level of security (and sometimes performance) when using Type One encrypters. In practice, no one will ever put that much effort into trying to reverse engineer your scripts. This is why we chose PHP Obfuscator for this How-To part.
Here are two of the main Open Source PHP encryption tools:
- Turck MMCache is an open source software package with many included features, such as PHP accelerator, optimizer, encoder and dynamic content cache. One drawback is that in order to use all these functions you need to have additional software installed on the running server. It is fully compatible with Zend Optimizer, but not recommended.
- RaizLabs PHP Obfuscator (POBS) is the software package focused on in this article. It does not need additional server PHP modules installed in order to run. It's easy to install and easy to use. The main feature is the actual PHP encryption, with many configuration options.
RaizLabs PHP obfuscator application encodes and obfuscates PHP code to make the output difficult to reverse engineer. The application requires no pre-modifications to your code and no additional components on your server. This product allows for encoding of functions, variables and the removal of whitespace. The application is provided for free. Compatible with Windows XP and higher.
Why Obfuscation?
PHP Obfuscation allows you to scramble your PHP code. Obfuscation allows you to provide normal PHP files that have been encoded, making the source code difficult to reverse engineer. Unlike some other solutions, PHP Obfuscator does not require special server-side libraries or server components to work properly. This allows you to target a broad range of servers that support PHP. This may be useful for commercial products looking to secure their source code.
What does Obfuscated code look like?
Here is a sample of what obfuscated code looks like...

    function FC7321B391B6EF18F0711B835402E91D1($RE91192A00FF990477EE414AD5D708F08) {
        global $db_prefix;
        global $R695CD54D1F9CB31C11C71AF5EF74FDDB;
        $R9E9F3EDB7A84E99A0567F313F4EAC1BA = $RE91192A00FF990477EE414AD5D708F08;
        $R37A721F3B04CA577A7730084048F2BE3 = array_keys($R695CD54D1F9CB31C11C71AF5EF74FDDB);
        foreach($R37A721F3B04CA577A7730084048F2BE3 as $R90E8291866BD6CB7ED5089CE7E833D11) {
            $R9E9F3EDB7A84E99A0567F313F4EAC1BA = str_replace($R90E8291866BD6CB7ED5089CE7E833D11, $db_prefix . $R90E8291866BD6CB7ED5089CE7E833D11 , $R9E9F3EDB7A84E99A0567F313F4EAC1BA);
        }
        return $R9E9F3EDB7A84E99A0567F313F4EAC1BA;
    }
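
The kind of renaming seen in that sample (functions, variables, whitespace removal) can be reproduced with PHP's built-in tokenizer. This is an added example, not POBS code and not from the original article; the function name `obfuscate_source`, the `$keep` exclusion list and the MD5-based naming scheme are assumptions made for illustration, and it handles procedural code only.

```php
<?php
// Added example, not POBS code. The F/R + MD5 naming is an assumption that only
// imitates the look of the sample output. Procedural code only.
function obfuscate_source(string $source, array $keep = []): string
{
    $tokens = token_get_all($source);
    $keep = array_merge($keep, ['$this', '$GLOBALS', '$_GET', '$_POST', '$_COOKIE',
        '$_SERVER', '$_SESSION', '$_FILES', '$_REQUEST', '$_ENV']);
    // Pass 1: collect user-defined function names (the T_STRING after `function`).
    $functions = [];
    $afterFunction = false;
    foreach ($tokens as $t) {
        if (is_array($t) && $t[0] === T_WHITESPACE) continue;
        if ($afterFunction && is_array($t) && $t[0] === T_STRING) {
            $functions[$t[1]] = 'F' . strtoupper(md5($t[1]));
        }
        $afterFunction = is_array($t) && $t[0] === T_FUNCTION;
    }
    // Pass 2: rewrite. MD5 is deterministic, so names stay consistent across files.
    $out = '';
    foreach ($tokens as $t) {
        if (!is_array($t)) {
            // A bare `$` starts a variable variable ($$x); renaming would break it.
            if ($t === '$') throw new RuntimeException('variable variable found');
            $out .= $t;
            continue;
        }
        [$id, $text, $line] = $t;
        if ($id === T_CLASS || $id === T_DOLLAR_OPEN_CURLY_BRACES) {
            throw new RuntimeException("unsupported construct on line $line");
        }
        if (in_array($id, [T_COMMENT, T_DOC_COMMENT, T_WHITESPACE], true)) {
            $out .= ' ';                       // comments and layout collapse
        } elseif ($id === T_VARIABLE && !in_array($text, $keep, true)) {
            $out .= '$R' . strtoupper(md5($text));
        } elseif ($id === T_STRING && isset($functions[$text])) {
            $out .= $functions[$text];
        } else {
            $out .= $text;
        }
    }
    return $out;
}
// Constructed input; '$db_prefix' is excluded because other code shares it.
$sample = '<?php /* add prefix */ function add_prefix($q) { global $db_prefix;'
    . ' return str_replace("users", $db_prefix . "users", $q); }';
echo obfuscate_source($sample, ['$db_prefix']), "\n";
```

In the output, built-in calls such as `str_replace`, string literals and the control flow remain in the clear, so renaming raises the effort needed to read the code but does not hide what it does.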

