TL;DR
A simplistic technique that you can use to protect yourself "from prying eyes" and have a basic (low) type of "security" is obfuscate the code.
Higher security can be achieved with bytecode, however the available tools (which I know) are paid for and require the installation of extensions in PHP, which would not be possible in shared hosting, for example.
Motivation
In particular, several years ago I used a simple obfuscation technique when I developed a CMS (Content Management System) which was installed on websites of various customers, that is to say, lodgings that were in their possession. This was at the time when the PHAR extension was still experimental.
My goal with obfuscation was to prevent any "nephew" (pseudo-webdesigner) who knew how to use FTP client from starting to poke around in the system, trying to copy to another site, etc. In fact, it has already occurred to a curious client, given understood, pry into the source to try to circumvent certain validations. So it was kind of a "security for Dummies".
Implementation Simplista
I knew that the "security" obtained via obfuscation was only against eavesdroppers without programming training, so I used a very simple technique.
First I installed the Phing, a kind of Ant for PHP, so I could automate the obfuscation process.
Then I created a task where, for each file:
- Used the method
php_strip_whitespace
to clear the source code.
- Encoded the contents in base 64 and placed it in a String.
- The result was placed in a new file in a parallel folder structure, which used a
eval
to be able to execute the code.
The code looked a lot like this, which I found on SOEN:
<?php
$infile=$_SERVER['argv'][4];
$outfile=$_SERVER['argv'][5];
if (!$infile || !$outfile) {
die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);
The biggest difference is that originally I didn’t capture the output in a variable or use compression.
Note that this is an extremely simplistic approach. For example, this technique does not take performance into account. In the personal example I mentioned there was no noticeable impact, but if there is volume of access and/or a reasonable amount of files this should be a concern. In addition, it’s easy for a developer to decompile the original code.
"Solutions for the market"
Instead of reinventing the wheel, there are some tools you can use to make obfuscation. In fact, some even store and overshadow the bytecode, which is in line with the part of the question concerning performance.
Note that I have no experience with these tools, since they didn’t even exist when I needed them. However, I suggest you do some tests and check for yourself, trying to reverse the obfuscation, if you are able to do it and with what difficulty. Also, calculate the time difference of a request when using "normal" code and "compiled" or obfuscated code.
A free code obfuscator that, in addition to obfuscating code in general, changes function and variable names so as to make reading difficult even if reverse engineering is possible.
A free tool that processes all scripts in a folder. Probably uses a simple obfuscation technique.
Paid tool. Says using a different technique to improve the performance of the oversimplified script.
Paid tool that makes it possible to store the bytecode, encrypt it, obfuscate it, add an expiration time, restrict use to a MAC Address, etc. It already has a task Call phing IoncubeEncoderTask
to process files automatically.
This is one of the most complete tools in the category. However, for the execution of encoded files, it is necessary to install an extension in PHP. So this solution is unviable for Shared hosts.
Zend’s paid tool (company that develops PHP) that allows you to obfuscate the code and protect the execution of the script in several ways (similar to the one described earlier in Iconcube).
Considerations
No protection guarantees 100% safety. Even the best paid solutions presented above are not 100% safe. The website zendecode.com, for example, claims to instantly decompile Zend Guard and Iconcube code.
Finally, in my opinion, the best protection is not in the code, but in offering services with quality and excellence. After all, for our happiness or unhappiness, there aren’t many good software providers out there and copying their code (unless it contains some sensitive information) won’t give many competitive advantages to potential competitors.
The POBS link is broken, I found it on Github but I don’t know if it’s the same one I referenced. https://github.com/Eccenux/POBS
– Renan Cavalieri