How to protect PHP source code

[ptt]

Hi all,

I have a website on the partner's server.

This website is built on PHP, so they can view all source code.

I want to protect my PHP source.

What should I do? 

[benanamen]

Zend Encoder and IonCube are two of the top options.

 

 

https://www.zend.com/en/products/zend-guard

 

http://www.ioncube.com/

[lush_rainforest]

If you're talking about protecting the actual PHP files from being seen, I don't think it's really possible. However if you're referring to the source codes that are shown on a website when the page is done loading, you can do this using a mixture of random encoders.

 

I think you can also set the permissions on the files if you understand how they work.

[ptt]

Zend Encoder and IonCube are two of the top options.

 

 

https://www.zend.com/en/products/zend-guard

 

http://www.ioncube.com/

They are commercial products.

Do you know other free solution?

Edited October 5, 2015 by ptt

[ptt]

If you're talking about protecting the actual PHP files from being seen, I don't think it's really possible. However if you're referring to the source codes that are shown on a website when the page is done loading, you can do this using a mixture of random encoders.

 

I think you can also set the permissions on the files if you understand how they work.

No, I am talking about the real php files on server.

many guys can access that server, and one of them maybe copy and reuse my php code 

[ginerjm]

You started by saying you needed to let "them" see your code.  Did you mean your php code, or the html code that is produced BY that code and that is then sent to the client? 

 

1 - They can't see php code from  a browser - it just doesn't work that way.

2 - In order to "see" your PHP code, they would have to download it from the server and use an editor on their client.

3 - If you don't want them to be able to do that you could move the php files to another folder and not allow ftp access to that folder so they can't download them.

 

You need to clarify what you want to allow and what you don't.

[QuickOldCar]

No matter what type encoding you try, if someone really wants it they can get it. You would just be making it take more work to get it.

 

If you really want to protect code use something like an API or SaaS, never let them see the code and host it elsewhere.

 

Another method is to include some vital code from another server needed for the full code to work.

[benanamen]

They are commercial products.

Do you know other free solution?

Anything free is just going obfuscate your code which basically means to make it humanly unreadable. It is by no means encoded. It is referred to as "Security Through Obscurity". It will keep the average Joe from knowing your code but is easily circumvented by anyone with a little knowledge.

 

You can get godaddy hosting for a dollar a month. Why would you put your site on your partners server if you are worried about him seeing your source code?

[scootstah]

Use proper licensing, not code obfuscation.

[ginerjm]

And while Godaddy is cheap I've heard that they are not the best people to trust with your server needs.  Certainly not in tech support!  Find a hoster that offers the products you need (php for one, MySQL for another, emails, backups, ftp access) and offers support (while you will be doing the work, sometimes you need them to step in and make adjustments for you or to clean up email/ip problems when they occur) that is responsive.  I've heard that GD doesn't respond very well when asked for this kind of help. 

 

Personal plug here:  123ehost.  Disclaimer: I am not an owner or employee, just a happy customer for several years.  Cost - anywhere from $3 to $20 a month depending upon your needs and demands.

[ptt]

Anything free is just going obfuscate your code which basically means to make it humanly unreadable. It is by no means encoded. It is referred to as "Security Through Obscurity". It will keep the average Joe from knowing your code but is easily circumvented by anyone with a little knowledge.

 

You can get godaddy hosting for a dollar a month. Why would you put your site on your partners server if you are worried about him seeing your source code?

They required me to do that. And It's hard to deny.

[ptt]

No matter what type encoding you try, if someone really wants it they can get it. You would just be making it take more work to get it.

 

If you really want to protect code use something like an API or SaaS, never let them see the code and host it elsewhere.

 

Another method is to include some vital code from another server needed for the full code to work.

I have seen the introductions of Zend Encoder and IonCube .

They are  expensive to me, but I so impress on them.

As i see, it's very hard to decrypt

[scootstah]

As i see, it's very hard to decrypt

It's not. You cannot secure PHP source code, and you'll just slow it down considerably by trying.

 

If you need to prevent people from seeing raw source code, don't use PHP - plain and simple.

[ginerjm]

I may be confused.  You say that you are required to post your source code on your 'partners' server.  Is that your client that you are writing this code for?  Does it have to be posted as you write it or is that just a requirement of the project's completion?  Can you not do your development in a similar environment separate from that server so that you don't show anything until completion and the client is happy and you have been paid?

 

You can never keep the client from seeing your source code once you have turned it over to him.  But at that point, why would you care?  OTOH - if your concern is NOT the client, but the users, putting it outside of the web-accessible tree as I mentioned earlier would be the way to go.  If your client allows users to have ftp access to those areas, it is out of your control and the client is assuming all of the risks in that situation.

 

As I said before - your concern is not clear to me.  Who and 0what is involved needs clarifying.