PHP Source Code Protect
I have been using PHP for commercial products for some time now, and I have always been concerned about providing clients with code that is not protected from other developers, something we take for granted when compiling and distributing code written in C++ or Java. Often the code included in even the smallest job, there to make our lives a lot easier, can be the result of hundreds of hours of unpaid development.
There are a number of different methods to help disguise and protect our PHP code, and they are often overlooked by many web developers, for reasons I am unsure of; maybe the same reason that the Internet has failed to develop standards. As we have discussed security topics on this site, I think it is important to discuss ways to secure a commercial application or a standard library that you or your business have developed in PHP.
This scenario could apply to:
- Distribute shareware or trial software written in PHP
- Protect source code from being viewed by other developers or by your hosting provider
- Freelancers working on small/group projects without giving away their entire library of developed code
- Make it harder for people to analyse your code for ways to exploit/hack it
Licensing options such as expiring applications, or limiting which servers or domains can host your files, are all possible with the help of a few software packages. You can embed the licensing in each file, or call on a licence file that could be issued (FTP’d) to your server. Different degrees of protection for your intellectual property and source code are also covered, such as compilation, encryption or obfuscation.
In terms of protecting your source code, instead of trying to explain the meaning better than Wikipedia, I thought I would just include: “Obfuscated code is source code that is (perhaps intentionally) very hard to read and understand.” Typically we can perform obfuscation by replacing local variables and functions and by removing formatting and commenting. (It is worth noting that if you are creating a reusable package, variable or function obfuscation may not be quite what you are after.)
One method of obfuscation is to create intermediate compiled code, which is often smaller and more efficient. It can also be a way of protecting our code from reverse engineering. Obfuscation can also be an example of security through obscurity (which should never be relied on). To further the protection of our code we should consider encrypting it.
If you have used an MVC implementation you may only consider protecting your Model or maybe your Model and Controller. You may wish to leave your View (Smarty/HTML/etc) as open as you will not want to limit simple visual updates that you may not be available to update for your client. Typically your view is not reusable and does not contain your Intellectual Property – and I imagine may often cause more problems than it is worth, but depends on the scenario.
There are packages that help protect our source code (through compilation, obfuscation and encryption), and most come with a friendly GUI to help us achieve protection and handle licensing.
When we protect our code, it typically requires server-side installation to provide the required functionality (although some packages can export the required files as a bundle). There are a few that provide the functionality through included source files. Your decision about which package to use will be dictated in part by what your hosting company supports. I recommend that your first step be to check which packages are available to you. I gave my hosting company a quick call and asked them what methods they support to secure my PHP source code, and found that my hosting company supports two popular packages:
Both are available for purchase at around US$250 or AUS$380, which really is quite a small investment when you consider the protection it can provide. If you own your own business or freelance, you will immediately see that the small investment gives a big return: protection of your intellectual property and future work. As part of your professional practice as a responsible programmer, you may also suggest that the cost be included in the project budget, as it can help further strengthen your security.

Default Project Sheets

Select project files
Example of output code from ionCube:
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='/ioncube/ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if((@$__id[1])==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}@dl($__ln);}else{echo('The file '.__FILE__." is corrupted.\n");return 0;}if(function_exists('_il_exec')){return _il_exec();}echo('This encoded file cannot be run. Please run the file ioncube-loader-helper.php for more information.');return 0;
?>
0y4hYErdHGVGixqeLj/G9FXUdF4/0fdmCtjjNAv3HcIYGaw0iOU34iT84LwcPV5XJcau0RQgkiNL
AVfBK2FhhSoxdC504USDRPO+lhcm5T6RBUjej+Xz8amc0pUigrTnMMmjcdW3ZewemB0XE5aLmAgT
fbcV0ToCKoCpSbfEpCAgH0tccGSSV3a1×1NC3KkjGLT0Ld/PzHVao/q6Zveq1/vLZ2FFpFK5lH6u
iT+lo8Av02HzMsKNl3zafQuLOTKQoWpGI3sRe9fKyK/pDQa/8FMYHCpwZ7lBKQzL5Ha3h56RS+e3
FbDgAbfY2t1i14GW8J5s6eq94fjhAEbGQ4fHa43LTeUy0qCLdW==
The first section of the code handles loading the dynamic libraries and checks for ionCube support. The second is the ASCII-encoded source code (you can also export it as binary).
Unfortunately, for some reason my hosting company didn’t support Zend’s product. Zend provides Zend Guard, which is more expensive but runs on the popular free Zend Optimizer on the server side, which most hosting companies will generally have or won’t be bothered installing, although mine did.
Both of the other products provide an easy way to generate a licence file which allows you to customise the restrictions for individual end-users without having to resupply the compiled protected source code again. You can simply FTP or generate and email the new licence file. This is particularly good for converting Trial software into full working versions, or from a development version to a full version for production.

Some standard options for licensing in ionCube
Example of licence file contents:
------ LICENSE FILE DATA ------- TY24U9294dRrU8XBUkuaZ9ITVuwcMAZc 9bBtv0mZcsLrK6E5LnHJMN9glODwfHF3 pSv9XCuR9JGhpfyXvYOXe3cjsMD6qzGr 2mnQcvm6zftypTDRLf+TdlCTjxWJKbVd 4eFgH6+cfvR8QqAIO8EQ3XCwZ/S+o7r/ mnGKru11PbFrsJvZ0oDPPZZgLH0OIHZL edk4/AKKg2KMztID9oWoW9D4jmd3nGaN kjgWaXeTU7yGN+ojRf/vOM984m4Fjmuu eoGHlkbGLIR7Ot5lF3== ------------------------------–
Before you choose which package suits your requirements better, you will want to look over the feature checklist and download and play with a trial version (and test it on your deployment server). I found it particularly difficult to find the differences between the two.
In the end? I chose ionCube, as it came across to me as a more established product and supported all the good features I expect from an encoding package. Also, general comments from forums appear to be fairly positive, and it runs on ionCube’s own code optimiser.
After installation of the trial versions both come with easy to use Wizards and Licence Generators. You typically need to create your project and select your source file. Within a few minutes you can easily identify all the advanced functionality and have working encoded source files.
Advanced steps allow you to customise dynamic variables that are included in your licence. You can also consider writing the licensing into your own source code. This will not be enforced by your package's parser (e.g. by ionCube), but it lets you extend your licensing beyond the standard options, and even use digital signatures to ensure your source (and the underlying licensing system) has not been tampered with. That way you are not relying on an individual encoder's licensing, and you may be able to switch encoders if you meet a project that needs to run on a different one.
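A sketch of the signed-licence idea described above, as an added example that is not part of the original post or of any encoder's licensing system. The licence format, the field names `domain` and `expires`, and the function names are assumptions; the key pair and values in the demo are constructed.

```php
<?php
// Added example: licence check written into the application (needs ext-openssl).
// The licence format and the field names "domain" and "expires" are assumptions.

/** Vendor side: sign the licence fields with the private key. */
function issue_licence(array $fields, $privateKey): string
{
    $payload = json_encode($fields);
    if (!openssl_sign($payload, $signature, $privateKey, OPENSSL_ALGO_SHA256)) {
        throw new RuntimeException('signing failed');
    }
    return base64_encode($payload) . '.' . base64_encode($signature);
}

/** Application side: returns the licence fields, or null if the licence is not valid. */
function check_licence(string $licence, string $publicKeyPem, string $host, int $now): ?array
{
    $parts = explode('.', $licence);
    if (count($parts) !== 2) {
        return null;
    }
    $payload   = base64_decode($parts[0], true);
    $signature = base64_decode($parts[1], true);
    if ($payload === false || $signature === false) {
        return null;
    }
    // Verify first: nothing in the payload is trusted until the signature passes.
    if (openssl_verify($payload, $signature, $publicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        return null;
    }
    $fields = json_decode($payload, true);
    if (!is_array($fields) || !is_string($fields['domain'] ?? null) || !is_int($fields['expires'] ?? null)) {
        return null;
    }
    if ($fields['domain'] !== strtolower($host) || $now > $fields['expires']) {
        return null;
    }
    return $fields;
}

// Constructed demo: throwaway key pair, licence values and clock.
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub = openssl_pkey_get_details($key)['key'];
$now = strtotime('2025-06-01');
$lic = issue_licence(['domain' => 'client.example', 'expires' => strtotime('2030-01-01')], $key);
$forged = base64_encode('{"domain":"other.example","expires":9999999999}') . strstr($lic, '.');

var_dump(check_licence($lic, $pub, 'client.example', $now) !== null);    // genuine licence
var_dump(check_licence($forged, $pub, 'other.example', $now) !== null);  // payload edited after signing
```

Only the public key ships with the product, so a client cannot mint a licence. The check itself still lives in the distributed files, so it is only as tamper-resistant as the encoding applied to them.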
After setting up my first encode with ionCube, I timed the originals against the encoded files, using a simple API consisting of around 30 classes and about 100KB of code. A simple include of the class file saw an immediate 50% increase in speed of the include (from around .03 seconds to around .015 seconds).
Also it may be worth mentioning that if you have a lot of classes it may be easier to concatenate all the files into one single distributable file. To do this you can create a simple concatenate/compress class that gets the file contents of each of your PHP class files and places them into a single temp file. You can then invoke PHP CLI to compress your classes. This removes white-space (new lines, tabs etc) and commenting. The end result is raw PHP. Note: Be sure to remove any “include” statements that call on included source code as it may cause errors.
// Consider security if the variables contain user input:
// escapeshellarg() quotes each path so it cannot inject shell commands.
$execute = "php -w " . escapeshellarg($incFile) . " > " . escapeshellarg($destFile);
exec($execute);
From testing this in the past, it is a quick way of including your files. Including them individually can result in large delays (depending on how many class-path directories need to be scanned to locate the files to include). One thing you will then have to consider is whether you concatenate all classes or just the base classes and use further includes to pull in required functionality, as part of your API may not be required. You can use simple profiling techniques to identify the time taken to load.
Further to developing your commercial API, you may consider using a documentation generator like phpDoc. Depending on how you set up your commenting and phpDoc, you can indicate which functions and files are documented publicly. Be sure to analyse how your API will be used, and protect functions that are not to be invoked. Further to this topic, you will need to research ways of writing a commercial API that conceals unnecessary functionality and I.P.
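One way to write the concatenate/compress step described above, as an added example that is not code from the original post. It uses `php_strip_whitespace()`, which strips comments and whitespace in-process as `php -w` does, so no shell command is built, and it removes include/require statements by token rather than by hand. Function and file names are hypothetical, and it assumes pure-PHP class files in the global namespace.

```php
<?php
// Added example: bundle class files into one distributable file.
// Function and file names are hypothetical; assumes pure-PHP class files in the
// global namespace whose include/require calls are stand-alone statements.

/** Strip comments and whitespace (as `php -w` does) and drop include/require statements. */
function strip_file(string $path): string
{
    $includes = [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE];
    $out = '';
    $dropping = false;
    foreach (token_get_all(php_strip_whitespace($path)) as $token) {
        $id   = is_array($token) ? $token[0] : null;
        $text = is_array($token) ? $token[1] : $token;
        if ($dropping) {                       // inside an include: skip up to its end
            $dropping = ($text !== ';' && $id !== T_CLOSE_TAG);
        } elseif (in_array($id, $includes, true)) {
            $dropping = true;
        } elseif ($id !== T_OPEN_TAG && $id !== T_CLOSE_TAG) {
            $out .= $text;                     // bundle() writes the single opening tag
        }
    }
    return trim($out);
}

/** Concatenate the stripped files, in the order given, into $destFile. */
function bundle(array $files, string $destFile): void
{
    $code = "<?php\n";
    foreach ($files as $file) {
        $code .= strip_file($file) . "\n";
    }
    if (file_put_contents($destFile, $code) === false) {
        throw new RuntimeException("cannot write $destFile");
    }
}

// Constructed demo: two small class files written to a temporary directory.
$dir = sys_get_temp_dir() . '/bundle_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/Base.php", "<?php\n// base class\nclass Base { function name() { return 'base'; } }\n");
file_put_contents("$dir/Child.php", "<?php\nrequire_once 'Base.php';\n/** child */\nclass Child extends Base {}\n?>");
bundle(["$dir/Base.php", "$dir/Child.php"], "$dir/api.php");
require "$dir/api.php";
echo (new Child())->name(), "\n";
```

List parent classes before the classes that extend them, since the bundle is loaded top to bottom as a single file.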
Here are some useful resources that will help you protect your source code:





