views:

6328

answers:

14

Hey! Has anybody used a good obfuscator for PHP? I've tried some but they don't work for very big projects. They can't handle variables that are included in one file and used in another, for instance.

Or do you have any other tricks for stopping the spread of your great code? :)

A: 

Why would you need an obfuscator for code that lives on your own server? (Not that there is any point to an obfuscator in any other circumstance).

Marcin
A: 

Unless you're selling the code to others, why would you need to obfuscate it? It's not visible to the outside world unless you show them.

Bob Somers
In my own experience, I need to obfuscate code for security reasons. If for some reason someone gets into the server, it would take a little bit more in order to know what the code does. BTW It wasn't me who gave you -1.
lepe
Security through obscurity and all that. ;)
Bob Somers
+7  A: 

The best I've seen is Zend Guard.

CMS
The SD PHP Obfuscator is just as good, and costs about 1/5th.
Ira Baxter
A: 

Hello and good day to everyone.

You can try PHP Obfuscator from Raizlabs, and you can get it at http://www.raizlabs.com/software/phpobfuscator/

The keys? Encode and obfuscate PHP code, functions and variables

Exclude particular variables, functions or files from obfuscation and encoding

Process large projects with command line tools and project files

Open source and 100% free

That's all. With no more.... bye bye

yeradis
In the Perl world, most obfuscators are easily defeated by perltidy. PHP's tidy can probably do the same. Looking at what that obfuscator does, it's just an annoyance.
Schwern
That obfuscator doesn't work for classes! It doesn't remove the comments when it sees classes, just adds a line at the top saying the file has been obfuscated (when it hasn't)
AntonioCS
+26  A: 

People will offer you obfuscators, but no amount of obfuscation can prevent someone from getting at your code. None. If your computer can run it, or in the case of movies and music if it can play it, the user can get at it. Even compiling it to machine code just makes the job a little more difficult. If you use an obfuscator, you are just fooling yourself. Worse, you're also disallowing your users from fixing bugs or making modifications.

Music and movie companies haven't quite come to terms with this yet, they still spend millions on DRM.

In interpreted languages like PHP and Perl it's trivial. Perl used to have lots of code obfuscators, then we realized you can trivially decompile them.

perl -MO=Deparse some_program

My advice? Write a license and get a lawyer. The only other option is to not give out the code and instead run a hosted service.

See also the perlfaq entry on the subject.

Schwern
I mostly agree with you, but the OP asked for a product recommendation, not a lecture on the merits of open source.
Eli
Has nothing to do with Open Source, which is about mashing up the code not just being able to see it. The reality is that any code or data which runs on a user's machine is ultimately transparent no matter how you compile or obfuscate or encrypt it, full stop. The OP needs to understand that.
Schwern
A: 

Thanks for the answers.

We are a small company so we don't have a server, but maybe that's worth looking at soon, it should solve the problem.

Yeah I don't like to obfuscate and sell the code either. I guess it isn't a real problem if you have a license.

I tried the raizlabs, was not satisfied. Guess I've made a framework that they can't handle.

Use a Virtual Private Server instead of shared hosting; it's marginally more, but costs a lot less than co-location.
Nathan Strong
Please use answers to answer, and comments to comment; their purpose is different. Thank you.
Piskvor
A: 

I think the main player in this area is ionCube, which is also the first (paid) result in Google: http://www.ioncube.com/sa_encoder.php

demianturner
+10  A: 

Write bad code, then it comes pre-obfuscated ;)

Lewis
Or just switch to Perl ;-)
Ferruccio
Good. Language independent obfuscation.
Ciwee
A: 

I would like to echo Schwern's comment about not being able to fix bugs and make modifications. If you're planning on selling/supporting your software, the obfuscation will just make your life hell as you'll be really limited in any sort of debugging you can do on a live server.

JamShady
Obfuscation does not mean you can't fix bugs or make modifications. If you stupidly obfuscate the source code, throw the original away, and insist on maintaining the obfuscated result, yes, you won't be able to do anything. Good obfuscators insist you retain your code *and* the mapping to the obfuscated result; you can debug/modify your original code, ship obfuscated patches to your customers, and even diagnose his problems by using the map to convert obfuscated complaints back into readable ones. He doesn't have the map, which makes this safe. You can maintain/enhance/support just fine.
Ira Baxter
A: 

free ones at: http://www.voormedia.com/en/tools/html-obfuscate-scrambler.php

quite good.

A: 

Try this one: http://www.pipsomania.com/best_php_obfuscator.do

Recently I wrote it in Java to obfuscate my PHP projects. Because I didn't find any good and compatible ready-written one on the net, I decided to put it online as SaaS, so everyone can use it free. It does not change variable names between different scripts for maximum compatibility, but it obfuscates them very well, with random logic, every instruction too. Strings... everything. I believe it's much better than this buggy codeeclipse, that is by the way written in PHP and very slow :)

PatlaDJ
+2  A: 

See the SD Thicket PHP Obfuscator for an obfuscator that works just fine with arbitrarily large sets of pages.

Yes, it obfuscates identifiers identically across pages; if it didn't do that, the result wouldn't work.

Ira Baxter
A: 

Obfuscation is only adding another layer of potential bugs and security vulnerabilities to your program. Please don't do it.

The kind of people who write obfuscation software usually seem very sketchy and non-skilled anyways...

If your code is "great", crackers will go to great lengths to spread it, regardless of whether or not it is obfuscated. If nobody knows/cares about your code, they probably won't, either.

Longpoke
Nonskilled? Based on what evidence? I write them. Check my bio before you go making sweeping generalizations. http://www.semanticdesigns.com/Company/People/idbaxter
Ira Baxter
@Ira: My statement still holds. Most obfuscated code can be broken within minutes. I specifically meant, _most_ people who do it are unskilled, not _all_. First thing that came to mind was Ioncube, and surely enough, it had a vulnerability published: http://osvdb.org/show/osvdb/41708. Then again you could probably partially blame that on PHP's obscure security requirements.
Longpoke
@Longpoke: OK, you are suggesting that people don't use bad products, or those designed by non-skilled people. Hard to disagree with this.
Ira Baxter
A: 

Nothing will be perfect. If you just want something to stop non-programmers then here's a little script I wrote you can use:

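<?php
// Usage: php <this script> <input file> <output file>
// Read the arguments defensively so a missing one does not raise an undefined-index notice.
$infile = $_SERVER['argv'][1] ?? null;
$outfile = $_SERVER['argv'][2] ?? null;
if (!$infile || !$outfile) {
    die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
if (!is_readable($infile)) {
    die("Cannot read $infile\n");
}
echo "Processing $infile to $outfile\n";
// the eval'd payload first discards the wrapper's output buffer, then drops back to HTML mode
$data = "ob_end_clean();?>";
// append the source with comments and whitespace stripped
$data .= php_strip_whitespace($infile);
// compress data
$data = gzcompress($data, 9);
// encode in base64
$data = base64_encode($data);
// generate output text (full open tag, so the wrapper also runs with short_open_tag disabled)
$out = '<?php ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile, $out);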
John
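
As an added example (not part of John's answer or of any tool named on this page), the Python sketch below shows why this wrapper only stops non-programmers, and how a reviewer or incident responder can recover the original source statically, without running it. The `pack()` helper and the sample input are constructed for illustration; the regexes assume the exact `eval(gzuncompress(base64_decode(...)))` shape used above.

```python
import base64
import re
import zlib

# $a='<base64>';eval(gzuncompress(base64_decode($a)))  -- form emitted by the script above
VAR_FORM = re.compile(
    r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=]+)'\s*;\s*"
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*\$\1\s*\)\s*\)\s*\)")
# eval(gzuncompress(base64_decode('<base64>')))  -- inline variant
INLINE_FORM = re.compile(
    r"eval\s*\(\s*gzuncompress\s*\(\s*base64_decode\s*\(\s*'([A-Za-z0-9+/=]+)'\s*\)\s*\)\s*\)")
MAX_LAYERS = 10          # stop on pathological nesting
MAX_BYTES = 5_000_000    # cap per-layer output (decompression-bomb guard)

def find_payload(text):
    """Return the base64 literal fed to eval(), or None if no wrapper is present."""
    m = VAR_FORM.search(text) or INLINE_FORM.search(text)
    return m.group(m.lastindex) if m else None

def unpack(text):
    """Peel nested wrappers without executing anything; return (layers, source)."""
    layers = 0
    while layers < MAX_LAYERS:
        b64 = find_payload(text)
        if b64 is None:
            break
        try:
            raw = base64.b64decode(b64, validate=True)
            inflater = zlib.decompressobj()   # PHP gzcompress() emits a zlib stream
            data = inflater.decompress(raw, MAX_BYTES)
            if inflater.unconsumed_tail:
                raise ValueError("layer exceeds MAX_BYTES")
        except (ValueError, zlib.error):
            break                             # malformed or oversized: keep what we have
        text = data.decode("utf-8", errors="replace")
        layers += 1
    return layers, text

def pack(php_source):
    """Hypothetical helper: rebuild the wrapper format to make a constructed sample."""
    body = ("ob_end_clean();?>" + php_source).encode()
    b64 = base64.b64encode(zlib.compress(body, 9)).decode()
    return ("<?php ob_start();$a='" + b64 + "';eval(gzuncompress(base64_decode($a)));"
            "$v=ob_get_contents();ob_end_clean();?>")

if __name__ == "__main__":
    sample = pack(pack("<?php echo 'licensed code'; ?>"))   # constructed, two layers
    print(unpack(sample))
```

Only comments and whitespace are lost in the round trip (that is `php_strip_whitespace()`'s doing); identifiers and logic come back intact.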