tags:

views:

6328

answers:

14
+8  Q: 

Code obfuscator for php?

Hey! Has anybody used a good obfuscator for PHP?, I've tried some but they dont work for very big projects. They can't handle variables that are included in one file and used in another, for instance.

Or do you have any other tricks for stopping the spread of your great code? :)

A: 

Why would you need an obfuscator for code that lives on your own server? (Not that there is any point to an obfuscator in any other circumstance).

Marcin  2008-10-24 07:27:49
A: 

Unless you're selling the code to others, why would you need to obfuscate it? It's not visible to the outside world unless you show them.

Bob Somers  2008-10-24 07:28:49
In my own experience, I require to obfuscate code for security reasons. If for some reason someone gets into the server, it would take a little bit more in order to know what the code do. BTW It wasn't me who gave you -1.
lepe  2010-05-26 06:19:17
Security through obscurity and all that. ;)
Bob Somers  2010-05-27 07:09:15
+7  A: 

The best I've seen is Zend Guard.

CMS  2008-10-24 07:30:55
The SD PHP Obfuscator is just as good, and costs about 1/5th.
Ira Baxter  2009-09-04 04:15:35
A: 

Hello and good day for everyone

You can try PHP Obfuscator from Raizlabs and you can get in on http://www.raizlabs.com/software/phpobfuscator/

the keys ? Encode and obfuscate PHP code, functions and variables

Exclude particular variables, functions or files from obfuscation and encoding

Process large projects with command line tools and project files

Open source and 100% free

Thats all. With no more.... bye bye

yeradis  2008-10-24 07:33:06
In the Perl world, most obfuscators are easily defeated by perltidy. PHP's tidy can probably do the same. Looking at what that obfuscator does, it's just an annoyance.
Schwern  2008-10-24 07:43:17
That obfuscator doesn't work for classes! It doesn't remove the comments when it sees classes, just adds a line at the top saying the file has been obfuscated (when it hasn't)
AntonioCS  2009-06-04 09:22:03
+26  A: 

People will offer you obfuscators, but no amount of obfuscation can prevent someone from getting at your code. None. If your computer can run it, or in the case of movies and music if it can play it, the user can get at it. Even compiling it to machine code just makes the job a little more difficult. If you use an obfuscator, you are just fooling yourself. Worse, you're also disallowing your users from fixing bugs or making modifications.

Music and movie companies haven't quite come to terms with this yet, they still spend millions on DRM.

In interpreted languages like PHP and Perl it's trivial. Perl used to have lots of code obfuscators, then we realized you can trivially decompile them.

perl -MO=Deparse some_program

My advice? Write a license and get a lawyer. The only other option is to not give out the code and instead run a hosted service.

See also the perlfaq entry on the subject.

Schwern  2008-10-24 07:36:50
I mostly agree with you, but the OP asked for a product recommendation, not a lecture on the merits of open source.
Eli  2008-12-02 22:50:31
Has nothing to do with Open Source, which is about mashing up the code not just being able to see it. The reality is that any code or data which runs on a user's machine is ultimately transparent no matter how you compile or obfuscate or encrypt it, full stop. The OP needs to understand that.
Schwern  2008-12-07 05:50:33
A: 

Thanks for the answers.

We are a small company so we don't have a server, but maybe thats worth looking at soon, it should solve the problem.

Yeah I don't like to obfuscate and sell the code either. I guess it isn't a real problem if you have a license.

I tried the raizlabs, was not satisfied. Guess I've made a framework that they cant handle.

 2008-10-24 07:46:56
Use a Virtual Private Server instead of shared hosting; it's marginally more, but costs a lot less than co-location.
Nathan Strong  2008-10-25 17:04:09
Please use answers to answer, and comments to comment; their purpose is different. Thank you.
Piskvor  2010-07-03 16:39:25
A: 

I think the main player in this area is ionCube, which is also first (paid) results in Google: http://www.ioncube.com/sa_encoder.php

demianturner  2008-10-24 08:37:12
+10  A: 

Write bad code, then it comes pre-obfuscated ;)

Lewis  2008-10-24 11:51:50
Or just switch to Perl ;-)
Ferruccio  2008-10-24 11:56:59
Good. Language independent obfuscation.
Ciwee  2009-10-22 16:06:04
A: 

I would like to echo Schwern's comment about not being able to fix bugs and make modifications. If you're planning on selling/supporting your software, the obfuscation will just make your life hell as you'll be really limited in any sort of debugging you can do on a live server.

JamShady  2008-10-26 01:11:34
Obfuscation does not mean you can't fix bugs or make modifications. If you stupidly obfuscate the source code, throw the original away, and insist on maintaining the obfuscated result, yes, you won't be able to do anything. Good obfuscators insist you retain your code *and* the mapping to the obufscated result; you can debug/modify your original code, ship obfuscated patches to your customers, and even diagnose his problems by using the map to convert obfuscated complaints back into readable ones. He doesn't have the map, which makes this safe. You can maintain/enhance/support just fine.
Ira Baxter  2010-07-03 16:50:30
A: 

free ones at: http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php

quite good.

 2008-12-02 22:34:46
A: 

Try this one: http://www.pipsomania.com/best_php_obfuscator.do

Recently I wrote it in Java to obfuscate my PHP projects, because I didnt find any good and compatible ready written on the net, I decided to put it online as saas, so everyone use it free. It does not change variable names between different scripts for maximum compatibility, but is obfuscating them very good, with random logic, every instruction too. Strings... everything. I believe its much better then this buggy codeeclipse, that is by the way written in PHP and very slow :)

PatlaDJ  2010-03-26 21:42:01
+2  A: 

See the SD Thicket PHP Obfuscator for an obfuscator that works just fine with arbitrarily large sets of pages.

Yes, it obfuscates identifiers identically across pages; if it didn't do that, the result wouldn't work.

Ira Baxter  2010-05-07 02:38:40
A: 

Obfuscation is only adding another layer of potential bugs and security vulnerabilities to your program. Please don't do it.

The kind of people who write obfuscation software usually seem very sketchy and non-skilled anyways...

If your code is "great", crackers will go through great lengths to spread it, regardless of weather or not it is obfuscated. If nobody knows/cares about your code, they probably wont, either.

Longpoke  2010-05-07 02:59:38
Nonskilled? Based on what evidence? I write them. Check my bio before you go making sweeping generalizations. http://www.semanticdesigns.com/Company/People/idbaxter
Ira Baxter  2010-05-11 00:29:14
@Ira: My statement still holds. Most obfuscated code can be broken within minutes. I specifically meant, _most_ people who do it are unskilled, not _all_. First thing that came to mind was Ioncube, and surely enough, it had a vulnerability published: http://osvdb.org/show/osvdb/41708. Then again you could probably partially blame that on PHP's obscure security requirements.
Longpoke  2010-05-11 02:16:10
@Longpoke: OK, you are suggesting that people don't use bad products, or those designed by non-skilled people. Hard to disagree with this.
Ira Baxter  2010-07-03 16:47:18
A: 

Nothing will be perfect. If you just want something to stop non-programmers then here's a little script I wrote you can use:

<?php
$infile=$_SERVER['argv'][1];
$outfile=$_SERVER['argv'][2];
if (!$infile || !$outfile) {
    die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);
John  2010-09-23 18:20:54

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases