tags:

views:

101

answers:

5
+1  Q: 

What PHP code protection tool would you recommend? (encoding/encrypting/obfuscating/etc)

I have a client that is going to start selling a software based on PHP, and he'd like to have some level of piracy protection.

We're going to have a basic licensing code check, but we need the code to not be plain-text so that anyone can't go in and comment it out.

I've found a lot of "encoding/encrypting/obfuscating" tools.

Some are Zend Guard, ionCube, phpShield, etc.

Have you had experience with any of these?
Which one would you recommend?

I'd like to have something that's as easy to use and to integrate into a deployment process as possible.

UPDATE: I know that anything can be broken provided enough time or resources. I don't need the perfect solution, I need something that's going to make a pirate's life hard enough. Also, this is not "mass" software. I justneed to make sure it's at least non-trivial to steal.
That's why i'm asking for experiences with these particular types of tools. I know they're not impossible to break, I just want to hear if you've had any problems or success stories with them.

A: 

I've relied on Source Guardian for years. Nobody can break it from what I can tell because it runs your PHP scripts in a compiled state. Plus, it has a side benefit of actually making your code run faster, with reduced execution times.

Geekster  2010-09-24 14:43:33
It can be broken. And it's not compiled (that's not possible with the Zend engine). Perhaps it's OpCode, but that's quite different from compiled... And for some reason I highly doubt it makes your code run any faster (if anything, I would think slower since it has to do a cryptographic check each execution)...
ircmaxell  2010-09-24 14:51:13
@ircmaxell : citation needed
Geekster  2010-09-24 16:15:46
The information can be found via Google in a few minutes. One place I found offers decoding Source Guardian files for $15 a pop... And if you're going to get citation crazy, why not cite your claims that "nobody can break it", "it runs scripts in a **compiled** state" and "making your code run faster"?
ircmaxell  2010-09-24 16:36:58
@ircmaxell : no need to be a jerk about it man
Geekster  2010-09-24 18:37:34
+5  A: 

Short answer: This can't be done effectively.

Long answer: Whatever protection you put in your code, it can be removed with little difficulty by anyone with some experience in PHP. Additionally, you should let your client know of problems this introduces:

  • Code that's harder and more expensive to maintain;
  • Lost revenue because of customers who can't install extensions;
  • Potential privacy issues if you have code that "phones home";
  • ...

As you should well know, software piracy is a common problem. This is aggravated in PHP because PHP is interpreted and advertising "compiling to bytecode" as a protection measure is misleading. Even when the code is encoded with something like ionCube or Zend Guard, this too can be decoded with some effort.

Your client's best option is to protect their intellectual property by actively pursuing copyright infringers. But even this is not foolproof, as our folks from RIAA and MPAA know very well (or in the PHP world, Jelsoft and IPS).

I know this is not what you wanted to hear, but it's the (painful) truth.

NullUserException  2010-09-24 14:49:13
Great job telling it how it is! But if I had to pick, I would choose Zend Guard. The question is whether it is worth the $600 a year to simply *deter* piracy in this particular application.
bogeymin  2010-09-24 15:02:31
>> Even if the code is encoded with something like ionCube or Zend Guard, this too can be decoded with relative ease. << Could you please expand on that? This is what I'm most interested about. I know anything can be broken with enough effort, but I'm trying to gauge how much effort it takes to break these, exactly. Thanks!
Daniel Magliola  2010-09-24 15:03:35
@bogey Exactly. @Daniel You should ask your client to weigh the benefits of doing this with its costs, which go beyond buying the encoding software
NullUserException  2010-09-24 15:04:34
@Daniel There are many of these services online; they charge you a small price to decode an encoded piece of code. Just Google "decode zend" or "decode ioncube"
NullUserException  2010-09-24 15:07:23
@NullUserException : I'm seeing a lot of these php encoder packages claiming to be bytecode, and you're saying that they are flat out lying. Can you back that up somewhere with a source? Citation needed.
Geekster  2010-09-24 16:16:26
@Geekster I've revised the wording. I'll post something more complete some time later.
NullUserException  2010-09-24 22:14:28
@NullUserException: much obliged. I feel like I may have been ripped off by Source Guardian if what you say is true.
Geekster  2010-09-24 23:12:22
+1  A: 

I'd suggest to sell a service rather than naked code.
I doubt anyone would be really interested in your code. There is plenty of open source code already and some of it with decent support.
While there are much more customers who need not a code itself but service - installation, customization, support. It's much more profitable in my opinion.

And yes, all these attempts to protect your code in vain. And it would make your sales even worse: I would never buy a code I can't customize or control.

Col. Shrapnel  2010-09-24 15:13:22
Actually, that's not a bad idea at all. Sell it as a SAAS, then give them only the integration libraries and code necessary to use your service (so it's useless without your server). +1 (Mainly to cancel the -1)
ircmaxell  2010-09-24 15:29:57
A: 

We're using ionCube for some sites and it works like a charm. Easy to setup, easy to encode (part of) your files and great value for money.

wimvds  2010-09-24 15:14:00
A: 

Do not attempt to sell code based on interpreted or scripting languages with expectations of sales exclusivity for the code alone. It will be decoded, unobf'd/RE'd and used without your consent if it is worth the time/effort/cost to decode and unobf/RE it. You will likely not even know about it when it has happened. At least with compiled languages and a strong license agreement you have some decent protection, both technically and legally, from competitors poaching your code. You still face the issue of non-paying users though and PHP is no exception to that rule either in addition to being very weak to poaching as well.

Encoding PHP with extensions is akin to leaving the keys in the ignition of your unlocked car with a note taped to the steering wheel stating "please do not drive away in this vehicle". Pointless. And a waste of paper.

PHP is free and is nothing more than an open scripting language. Might as well keep it that way by choice lest you be let down when someone else reminds you of it firsthand. Sell "you" and "what you can do with PHP" rather than treating a system of scripts like it is a standalone product that can be sold and marketed because it can't be unless you're dealing with very simple, not-so-resourceful people who are unable to use, or find someone they can pay to make use of, your raw, unencoded PHP in the first place.

Programmers familiar with PHP can and will access anything you've done if they have the encoded .php files locally available to them to run the specific decoder on. This is not new but years old. There are also services that will batch decode PHP for very little ($2/kb) which makes it very difficult for you to hold any script(s) hostage if you're dealing with clients that have so much as the ability to use google. The ones for sale (Zend, ionCube, CodeLock, etc.) are all broken. They sell you the encoding then decodezend.com or some such site sells your client, whom you were trying to keep the script(s) from, the decoding service. Everyone wins as long as they are in the encoding or decoding spectrum of the arrangement. You, however, lose and waste time doing so.

Monetize deployment, config, continual support and updates, etc (SAAS). That is what you really have to focus upon to turn the blood, sweat and tears into profit. Don't put your script on a server outside of your control until the check clears, because once you do, it's really already theirs whether it is encoded or not. PHP is inherently hard to pilfer unless you have access to the .php files and accompanying MySQL config in the first place. Charge for that access.

IMO, if you have successfully protected a PHP script and it hasn't been decoded yet it's likely because you missed the already existing and freely available script/system/tutorial that does the same or very similar things before you began the project. Hence, the whole thing you're trying to protect may not have even needed to have been developed from scratch, let alone does it really need protected. PHP has matured to where it seems everything has already been done at least once, it is thoroughly-documented and is out there for the taking, and can be used at the very least as a base upon which you can build for your specific needs. This beautiful side of PHP that makes it so easy for you to build on others' work is also the ugly side which makes it equally easy for the next guy to do the same with yours.

TL;DR Version: PHP is too open to successfully monetize the code. It was designed to be this way. SAAS. SAAS. SAAS. Also, SAAS.

EvilMidnightCoder  2010-09-27 11:31:44
To be honest, compiled software is no different from interpreted software in this regard. You can crack it in seconds, and I've seen really sinister "packers" cracked too. The question is whether I can bet my life on this never being cracked, it's whether these encoding tools will mean enough of a pain in the ass to deter the most basic form of piracy.
Daniel Magliola  2010-09-27 12:33:25
SAAS would be lovely, but it's 100% not an option here, because of the business model of the people we're selling this to. I did find useful the reference to these decoding services. They prove that this protection scheme IS worthless after all. Guess i'll have to trust on "the rest of the stuff" (updates, support, etc) to be worth it.
Daniel Magliola  2010-09-27 12:35:07
Definitely agree that compiled software is trivial to crack with the know how. It is usually going to be be more difficult to do so than copying PHP though. You can sign .dlls. Activation and phone-home systems may at least help you know when it's happened. With PHP, the only way to know that someone "borrowed" your code is to outright find it being used/sold without your consent.
EvilMidnightCoder  2010-09-27 21:12:20
I wish you the best in your endeavor, Daniel. If you do happen upon a method of protecting PHP, short of hoarding the code until you've been paid for it, I'd love to hear about it. Seems my own worst enemy in this regard tends to be the client's sysadmin who you would turn the polished project over to. They often think nothing of taking the entire system including my sales pitches verbatim and trying to sell it, or worse, releasing a commercially viable piece of work as open source.
EvilMidnightCoder  2010-09-27 21:36:22

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases