Experience with protecting PHP code

Question

Hello,

I am aware of that there are a number of code obfuscators/licensing programs for PHP. I wanted to know if anyone has actually used these and what their experience has been.

Please note I do not want to know the solutions available. I want to know your experience using one of these solutions. Is it worth investing say 200$ purchasing a code obfuscator etc?

I honestly would prefer something that does not have a loader etc. I know that it increases the chances of cracking, but I only want it to be a detrimental factor for them.

Thank you for your time.

Answer 1

I've used ionCube, and I like it. It runs faster and obfuscates the code reasonably well. It works on Linux and Windows, which covers most server platforms.

The only downside is that, due to the licensing, you aren't allowed to automate the encoding, so I think you aren't supposed to script it into your CVS or SVN post-commit.

Answer 2

My experience has been that it's a bit of a waste of time. People will be able to duplicate your efforts, regardless of having your sourcecode.

It's a false sense of security IMHO

Answer 3

I have also used IonCube. I found the whole process fairly simple. From creating an account on their website, to downloading and installing the software, and buying a license was all quite straight-forward and painless.

Using the application is simple too. You can tell it which files to encode, and you can even have it put a comment header in each encoded file so you can put something like "This file is encoded to protect the copyright. Please contact My Company for questions... etc." A nice things is that it does not have feature bloat- it does what it says plus a few nice-to-have features, with no unnecessary complexity.

The IonCube encoder can also obfuscate non-PHP files like Javascript files for you too. You can tell it to put the encoded files in a new folder by themselves or copy the other non-modified files along with it too, so you are kind of doing a 'build' of the project. I found that it was a great deal and I am able to continue using it without having to pay for a new license unless I want it on another computer or want a new version. So I've only paid once and used it for 3 years now.

A couple drawbacks of encoders in general. 1- you can no longer edit files 'on the server' which while that's a bad thing to do anyway, it prevents you from doing emergency fixes if you don't have access to your computer (like if you are on vacation).

Second, if you modify the project and add new files to be encoded, etc... you must update the IonCube project's settings to include the new files that need to be encoded. I guess I just find the added step a bit annoying- but worth it if you need to protect your code AND give your users FTP access.

You can also use this encoder regardless of which IDE you use, because it is a stand-alone app.

I agree with some other posts that encoding is not a perfect solution and in some ways goes against some people's feelings... but for myself it provides piece of mind.

Answer 4

The SD PHP Obfuscator can obfuscate giant systems of source code, is straightforward to configure for obfuscations, adds zero overhead to the obfuscated code and doesn't require any special loaders or configuration of the target system (the target system runs your software as if it weren't obfuscated).

With small files, the obfuscation is of limited value. But then, we all agree that protecting a small program is a silly idea.

With large systems of files, the cross file name scrambling makes it very hard to reconstruct the source. Don't let people tell you they can easily reverse engineer such applications; ask for them for their specific experience in do such, how big an application (file count) and how long they spent. Conventional code is hard enough to understand, even with comments. Obfuscated code is a lot worse.

Follow on note in response to a comment on the original question: well designed obfuscators (including SD's) don't break your code.