How to compile a PHP file?

Asked

Viewed 9,606 times

18

Is there any way to transform PHP file into bytecode or something similar, and then execute it natively? I need some files on one system to be pre-compiled because of performance in some cases, and "security" against prying eyes in others.

Searching, I found the files PHAR, but did not find out if they are purely a decompilable package as a .jar, or if they are bytecode.

2 answers

17


TL;DR

A simplistic technique that you can use to protect yourself "from prying eyes" and have a basic (low) type of "security" is obfuscate the code.

Higher security can be achieved with bytecode, however the available tools (which I know) are paid for and require the installation of extensions in PHP, which would not be possible in shared hosting, for example.

Motivation

In particular, several years ago I used a simple obfuscation technique when I developed a CMS (Content Management System) which was installed on websites of various customers, that is to say, lodgings that were in their possession. This was at the time when the PHAR extension was still experimental.

My goal with obfuscation was to prevent any "nephew" (pseudo-webdesigner) who knew how to use FTP client from starting to poke around in the system, trying to copy to another site, etc. In fact, it has already occurred to a curious client, given understood, pry into the source to try to circumvent certain validations. So it was kind of a "security for Dummies".

Implementation Simplista

I knew that the "security" obtained via obfuscation was only against eavesdroppers without programming training, so I used a very simple technique.

First I installed the Phing, a kind of Ant for PHP, so I could automate the obfuscation process.

Then I created a task where, for each file:

  1. Used the method php_strip_whitespace to clear the source code.
  2. Encoded the contents in base 64 and placed it in a String.
  3. The result was placed in a new file in a parallel folder structure, which used a eval to be able to execute the code.

The code looked a lot like this, which I found on SOEN:

<?php
$infile=$_SERVER['argv'][4];
$outfile=$_SERVER['argv'][5];
if (!$infile || !$outfile) {
    die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);

The biggest difference is that originally I didn’t capture the output in a variable or use compression.

Note that this is an extremely simplistic approach. For example, this technique does not take performance into account. In the personal example I mentioned there was no noticeable impact, but if there is volume of access and/or a reasonable amount of files this should be a concern. In addition, it’s easy for a developer to decompile the original code.

"Solutions for the market"

Instead of reinventing the wheel, there are some tools you can use to make obfuscation. In fact, some even store and overshadow the bytecode, which is in line with the part of the question concerning performance.

Note that I have no experience with these tools, since they didn’t even exist when I needed them. However, I suggest you do some tests and check for yourself, trying to reverse the obfuscation, if you are able to do it and with what difficulty. Also, calculate the time difference of a request when using "normal" code and "compiled" or obfuscated code.

POBS

A free code obfuscator that, in addition to obfuscating code in general, changes function and variable names so as to make reading difficult even if reverse engineering is possible.

PHP Protect

A free tool that processes all scripts in a folder. Probably uses a simple obfuscation technique.

Thicket Obfuscator for PHP

Paid tool. Says using a different technique to improve the performance of the oversimplified script.

Ioncube PHP Encoder

Paid tool that makes it possible to store the bytecode, encrypt it, obfuscate it, add an expiration time, restrict use to a MAC Address, etc. It already has a task Call phing IoncubeEncoderTask to process files automatically.

This is one of the most complete tools in the category. However, for the execution of encoded files, it is necessary to install an extension in PHP. So this solution is unviable for Shared hosts.

Zend Guard

Zend’s paid tool (company that develops PHP) that allows you to obfuscate the code and protect the execution of the script in several ways (similar to the one described earlier in Iconcube).

Considerations

No protection guarantees 100% safety. Even the best paid solutions presented above are not 100% safe. The website zendecode.com, for example, claims to instantly decompile Zend Guard and Iconcube code.

Finally, in my opinion, the best protection is not in the code, but in offering services with quality and excellence. After all, for our happiness or unhappiness, there aren’t many good software providers out there and copying their code (unless it contains some sensitive information) won’t give many competitive advantages to potential competitors.

  • 1

    The POBS link is broken, I found it on Github but I don’t know if it’s the same one I referenced. https://github.com/Eccenux/POBS

6

Not, phar is not bytecode, understand what can be done based on need:

Distribuição Facilitada

phar

It is actually a package containing the files, it is not actually compiled or bytecode, it was developed to help the distribution of systems.

Performance

APC

PHP extension that can pre-compile PHP files in cache bytecode, see more in the documentation

HHVM

Opensource project started by Facebook, compiles PHP files at runtime. This is an alternative implementation of PHP for performance

Zephir

Language to define functions and classes php compileable in C, and expose them through extensions to php, basically you write the classes and functions in a similar way to PHP (syntax is a little different) and compile them as an extension, a great example is the framework phalcon which is fully compiled and is installed as an extension to your PHP intalaci

Security

Ioncube and Zendguard

Proprietary tools that encrypt your code to prevent the source from being read directly (they are read only by the engine of the same installed next to your php)

Browser other questions tagged

You are not signed in. Login or sign up in order to post.