I am in a situation where I need to protect some intellectual property in a PHP script. The recommended solution is to use a code obfuscator (or compiler) to encode the script. Currently the landscape leaves much to be desired in this area as far as PHP is concerned. The industry standard seems to be Zend Guard (http://www.zend.com/products/zend_guard) which is created by Zend – the guys who make PHP – but this has a couple of down sides:
- It costs $1000 US.
- The web server must be equipped with the Zend Optimizer extension in order to run encoded scripts. AFAIK this extension needs to be compiled statically into PHP. This would drastically reduce the portability of my scripts.
The biggest open-source compiler is bcompiler (http://php.net/bcompiler), a PECL extension. Code that is compiled using this extension can be run with the assistance of the bcompiler extension. Since bcompiler is a dynamic extension (i.e. it can be loaded at run time) it is theoretically much easier for users to install it (for my script). Not a perfect solution, but I was willing to accept this hassle in order to ensure the protection of my intellectual property.
In the past I have had nothing but bad experiences with PECL. The extensions never install like they are supposed to. If you make it past the compilation errors and actually get it installed, it is usually an ordeal to turn it on, and can be even more difficult to get it working properly. These problems are usually related to incompatibilities with versions of gcc, automake, libtool, etc.., and a few hours (or sometimes days) reading through the PECL bugtracker can usually get these problems solved, but, … you get the point.
Unfortunately my experience with bcompiler was no better. I tried installing it on my laptop running OS X 10.4 and PHP 4.3 (and also PHP 5), but couldn’t get past make. It gave an undescriptive error "Make failed". A little bit of googling revealed that bcompiler may be incompatible with GCC 4.x – a bug report suggested I downgrade to version 3.x. Frankly, I don’t feel like installing an older version of GCC just to get bcompiler to install.
No problem, I don’t need it to run on my lap top. I have a web host running red hat linux. Surly it will compile on there. In fact it did compile. After about 45 minutes of tinkering with the php.ini file and the bcompiler.so file, I was even able to compile a simple php script into bytecode with the help of bencoder (http://bbs.giga.net.tw/bencoder.php) a script created by Shen Cheng-Da to harness the power of bcompiler. The only problem is that the compiled code doesn’t work properly. I can include the compiled script into another script, but cannot call any methods from it – and the script gives a Segmentation Fault on exit without any explanation.
I’ve looked far and wide for a solution to this one. PECL bug tracker is full of reports of segmentation faults but the solutions don’t appear to transfer easily to this context.
Conclusion: bcompiler is not ready for primetime yet. Please someone correct me if I’m wrong on this point.
On to another commercial compiler: Source Guardian. This is perhaps the most promising of the bunch. It takes an approach similar to bcompiler in that scripts encoded with this product can be run on any server using a dynamic php extension. The difference is that this is much more polished and feature rich, and the dynamic php extension is distributed as a binary, so the user doesn’t have to mess around with make and gcc.
I downloaded a 30 trial version of this software and tried to encode one of my scripts. I am still in the process of trying to get this to work, … I’ll let you all know how it goes.
Hi Steve,
Is there a reason you avoided the other 2 big players? I am not affiliated with them in any way. I work on closed source PHP and have used ioncube encoder with great success.
The compiler is great, compatible and works.
The free alternative is eAccelerator (formerly Turck MMcache) which is open and free.
Check them out…
Tri Bui
Hi,
A very good optimizer/encoder is eaccelerator (a turk-mmcache fork) : http://www.eaccelerator.net.
Regards.
I checked out ioncube and eaccelerator and they both look pretty promising. Interesting that I did not run across them in my earlier searches. From the documentation, ioncube appears to be just as easy to use as code guardian. Eaccelerator looks a (by the documentation) like it might not be there yet as it mentions that work is still being done to make it compatible with PHP 5.
Comparing IonCube to Code Guardian: It appears that IonCube compiles the scripts into native PHP bytecodes so that the parsing and compiling steps can be skipped at runtime. Code Guardian makes no such claims. Hence, it would appear the IonCube is a better long-term solution than Code Guardian. I will have to try it out to make sure that it is as usable as Code Guardian.
One nice thing about code guardian is that you can just place the ‘ixed’ directory containing all of the extensions for the various versions of PHP, processors, and OSes, and it will automatically use the proper extension for the given platform. This is nice, as some people don’t know what OS/processor their web server is running — hence this could save some headaches for my users.
… more on this later…
thanks for the tips.
O eaccelerator (a turk-mmcache fork) : http://www.eaccelerator.net no encoder more.
SourceGuardian is also bytecode compiler just FYI. Also check out phpshield – it is simpler, but cheaper solution as well. Thanks for the article.
Both Ioncube and Zend can be decrypted. No point in spending all that cash to dash out a release that can get decrypted now is there?
Steve: Regarding eAccelerator, i believe it now supports PHP v5.1
http://eaccelerator.net/wiki/Release-0.9.5
Kind Regards,
Shortz