18
Is there any way to transform PHP file into bytecode or something similar, and then execute it natively? I need some files on one system to be pre-compiled because of performance in some cases, and "security" against prying eyes in others.
Searching, I found the files PHAR, but did not find out if they are purely a decompilable package as a .jar, or if they are bytecode.
17
A simplistic technique that you can use to protect yourself "from prying eyes" and have a basic (low) type of "security" is obfuscate the code.
Higher security can be achieved with bytecode, however the available tools (which I know) are paid for and require the installation of extensions in PHP, which would not be possible in shared hosting, for example.
In particular, several years ago I used a simple obfuscation technique when I developed a CMS (Content Management System) which was installed on websites of various customers, that is to say, lodgings that were in their possession. This was at the time when the PHAR extension was still experimental.
My goal with obfuscation was to prevent any "nephew" (pseudo-webdesigner) who knew how to use FTP client from starting to poke around in the system, trying to copy to another site, etc. In fact, it has already occurred to a curious client, given understood, pry into the source to try to circumvent certain validations. So it was kind of a "security for Dummies".
I knew that the "security" obtained via obfuscation was only against eavesdroppers without programming training, so I used a very simple technique.
First I installed the Phing, a kind of Ant for PHP, so I could automate the obfuscation process.
Then I created a task where, for each file:
php_strip_whitespace to clear the source code.eval to be able to execute the code.The code looked a lot like this, which I found on SOEN:
<?php
$infile=$_SERVER['argv'][4];
$outfile=$_SERVER['argv'][5];
if (!$infile || !$outfile) {
die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);
The biggest difference is that originally I didn’t capture the output in a variable or use compression.
Note that this is an extremely simplistic approach. For example, this technique does not take performance into account. In the personal example I mentioned there was no noticeable impact, but if there is volume of access and/or a reasonable amount of files this should be a concern. In addition, it’s easy for a developer to decompile the original code.
Instead of reinventing the wheel, there are some tools you can use to make obfuscation. In fact, some even store and overshadow the bytecode, which is in line with the part of the question concerning performance.
Note that I have no experience with these tools, since they didn’t even exist when I needed them. However, I suggest you do some tests and check for yourself, trying to reverse the obfuscation, if you are able to do it and with what difficulty. Also, calculate the time difference of a request when using "normal" code and "compiled" or obfuscated code.
A free code obfuscator that, in addition to obfuscating code in general, changes function and variable names so as to make reading difficult even if reverse engineering is possible.
A free tool that processes all scripts in a folder. Probably uses a simple obfuscation technique.
Paid tool. Says using a different technique to improve the performance of the oversimplified script.
Paid tool that makes it possible to store the bytecode, encrypt it, obfuscate it, add an expiration time, restrict use to a MAC Address, etc. It already has a task Call phing IoncubeEncoderTask to process files automatically.
This is one of the most complete tools in the category. However, for the execution of encoded files, it is necessary to install an extension in PHP. So this solution is unviable for Shared hosts.
Zend’s paid tool (company that develops PHP) that allows you to obfuscate the code and protect the execution of the script in several ways (similar to the one described earlier in Iconcube).
No protection guarantees 100% safety. Even the best paid solutions presented above are not 100% safe. The website zendecode.com, for example, claims to instantly decompile Zend Guard and Iconcube code.
Finally, in my opinion, the best protection is not in the code, but in offering services with quality and excellence. After all, for our happiness or unhappiness, there aren’t many good software providers out there and copying their code (unless it contains some sensitive information) won’t give many competitive advantages to potential competitors.
6
Not, phar is not bytecode, understand what can be done based on need:
It is actually a package containing the files, it is not actually compiled or bytecode, it was developed to help the distribution of systems.
PHP extension that can pre-compile PHP files in cache bytecode, see more in the documentation
Opensource project started by Facebook, compiles PHP files at runtime. This is an alternative implementation of PHP for performance
Language to define functions and classes php compileable in C, and expose them through extensions to php, basically you write the classes and functions in a similar way to PHP (syntax is a little different) and compile them as an extension, a great example is the framework phalcon which is fully compiled and is installed as an extension to your PHP intalaci
Proprietary tools that encrypt your code to prevent the source from being read directly (they are read only by the engine of the same installed next to your php)
Browser other questions tagged php bytecode
You are not signed in. Login or sign up in order to post.
The POBS link is broken, I found it on Github but I don’t know if it’s the same one I referenced. https://github.com/Eccenux/POBS
– Renan Cavalieri