...

View Full Version : Hiding PHP Code



webguy08
01-06-2010, 10:09 PM
Hi all,

I'm just wondering. If I wrote something in PHP and sold it to someone, but didn't want them to have access to the actual code, but still allow them to use it, is there any way of doing this?

Fou-Lu
01-06-2010, 10:24 PM
No, you can always trace through source code since its interpreted. Even Obfuscated code can be traced - the better you know PHP the less meaningful you're variables need to be, so this actually becomes somewhat easy to do.

An alternative is to compile C code into a PHP extension. If you know C its not that bad, though the lack of documentation provided by the zend team does make it pretty hard to figure out how to make it all work (still trying to figure out how PHP5 handles its objects so I can create my own for extensions).

tomws
01-06-2010, 10:25 PM
No and yes. No, by default. But yes, if encrypted/encoded. Google for "encrypted PHP", I think.

webguy08
01-06-2010, 11:08 PM
So am I correct in thinking that one would need to write an encryption program in say Java, call this program in the website, and then program would then decrypt the code and allow it to be read by the website?

oracleguy
01-06-2010, 11:13 PM
So am I correct in thinking that one would need to write an encryption program in say Java, call this program in the website, and then program would then decrypt the code and allow it to be read by the website?

At that point you are better off doing what Fou-Lu said and just put your proprietary code in an extension.

Why do you not want them to have access to the source?

webguy08
01-06-2010, 11:43 PM
At that point you are better off doing what Fou-Lu said and just put your proprietary code in an extension.

Why do you not want them to have access to the source?

I'm just wondering in case I ever come to need to do so :p.

What do you (or even Fou-Lu) mean by putting the code in an extension?

Fou-Lu
01-07-2010, 01:26 AM
I'm just wondering in case I ever come to need to do so :p.

What do you (or even Fou-Lu) mean by putting the code in an extension?

You don't write PHP code, rather you write an extension for it in C and compile it into so or dll files. PHP itself is completely written in C. Here is an example of what you have for declaring a PHP function:


ZEND_FUNCTION(strcmp)
{
zval **s1, **s2;

if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &s1, &s2) == FAILURE) {
ZEND_WRONG_PARAM_COUNT();
}
convert_to_string_ex(s1);
convert_to_string_ex(s2);
RETURN_LONG(zend_binary_zval_strcmp(*s1, *s2));
}


This is what is run when you execute the php code strcmp($s1, $s2);

webguy08
01-07-2010, 01:48 AM
So just to clarify whether I understand because this is new to me :D.
1. Write code in C. Can it be C++ or C#?
2. Export the C code as .dll. Is dll the only option?
3. Write a PHP file which calls methods in the C file.

Sorry if I'm not getting this lol.

Fou-Lu
01-07-2010, 02:28 AM
C only.
.so and .dll I believe are the only two types you can import. One for *nix and one for windows. You can create executables, but I believe that will lock them to cli only, so you would then need to call it as an external program.
Correct. You can embed it in C as much as you want. You're entire php page could be executeMyCustomExtensionThatDoesEverything(); if you wanted it to be.

oracleguy
01-07-2010, 03:05 AM
Curiosity isn't a bad thing. But really you don't hardly ever see it done because there really isn't much of a need. A good example is the forum software we use here, vBulletin, it isn't free and it is done in PHP. Just because you happen to have the source code isn't a free pass to copy it as much as you want if the license forbids it.

Even if you put your proprietary code in a C extension, doesn't mean someone couldn't run a disassembler on it and get the code back out of it, fyi. To do so is much more complicated but it is possible.

Fou-Lu
01-07-2010, 03:36 AM
Curiosity isn't a bad thing. But really you don't hardly ever see it done because there really isn't much of a need. A good example is the forum software we use here, vBulletin, it isn't free and it is done in PHP. Just because you happen to have the source code isn't a free pass to copy it as much as you want if the license forbids it.

Even if you put your proprietary code in a C extension, doesn't mean someone couldn't run a disassembler on it and get the code back out of it, fyi. To do so is much more complicated but it is possible.

This is true. The extensions are really more for what the name implies; to extend PHP code by introducing functionality that is not native within it. Encryption is the better solution, but you would need to ensure that the technology exists on the installed server in order to perform the decryption. This will also substantially reduce the speed of you're code execution as well.

webguy08
01-07-2010, 03:47 AM
If you were to create a decryption program to decrypt PHP what language would you choose? I tend to lean towards Java because I know it so well, but that would require the server have JVM installed on it I assume. A language that doesn't need something else installed is preferable.

oracleguy
01-07-2010, 05:05 AM
If you were to create a decryption program to decrypt PHP what language would you choose? I tend to lean towards Java because I know it so well, but that would require the server have JVM installed on it I assume. A language that doesn't need something else installed is preferable.

Well the decryption would have to be integrated into the PHP engine which is all done in C I believe. But really doing so could potentially really limit the adoption of your program since custom software would be have to be installed on the server. At that point you might as well just write your own program that implements CGI and install that since that would give you really the ultimate flexibility.

AFAIK most of the PHP "encryption" stuff you see on the web works like the JavaScript "encryption" where it is just obfuscating the code.

Rebbu
01-07-2010, 10:05 AM
Protecting source code is really hard to do. Best bet, run a license. The majority of commercial scripts do this. It saves time to implement some sort of obfuscating method, and provides you legal grounds.

No rational person would buy your script (and therefore accept your T&C, and license agreement), and then perform such an act that could incur fines/legal proceedings against them unless the benefit of the act they committed outweighs the cost of the fines/legal proceedings.

And if you make your license agreement extremely costly, for example "Breaking any of these conditions will incur a fine of at least $50,000 USD" or similiar (I aint a lawyer so you'd probably need to research the exact wording), it is highly doubtful that someone will break the agreement.

I've spent a lot of time trying to obfuscate code, as well as being paid a lot to do so. The time, effort and cost isn't worth it in my opinion. Best to invest your money in a law book or something.

Regards,
Rebbu

JAY6390
01-07-2010, 01:37 PM
You can do a cheap nasty trick of encoding it with base64 and then using eval like you'll find in many wordpress themes, however these are very easy to decrypt. It's possible for you to use zend, ioncube etc to do a proper encrypt on them and this makes them far less likely to be decrypted, although as it's said above, nothing is fully hack proof. There are means and ways around all encryptions. Java is not a method to do this. The extension idea is pretty clever, however you have to then give your client the extension, and they have to have it installed by the web host. Most shared hosts will laugh at you for this, so they would need their own dedicated server realistically, and unless you're selling something that will make them megabucks, I can't see this being viable though...

PappaJohn
01-07-2010, 01:58 PM
"Breaking any of these conditions will incur a fine of at least $50,000 USD"
At least in the US, this is a completely meaningless and unenforceable clause. While you could sue for "damages", the amount of any award is determined by the courts. The product developer has no right to impose a 'fine'.

webguy08
01-08-2010, 05:56 PM
You don't need to get a license do you? You're automatically protected by copyright, isn't that enough?

What do software companies do to protect themselves?



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum