Encoding PHP Files to Protect your PHP Application

The beauty of the scripting language such as PHP is in the ability given to PHP developer to change the source code and see the result right away. However, the openness of PHP source code can sometimes be a disadvantage in some situations where you might not want your application code to be so open. In this review we'll cover how to use a PHP encoder to leverage the power of PHP in a way that protects your source code from un-authorized modification or reverse engineering.

Why Should you Encode your PHP Applications?

There are many reasons why you might like to encode or obfuscate your PHP source code from your customers, including protection of your intellectual property, increased application performance, and even protecting yourself from the technical support problems that arise from un-authorized modifications made to your PHP Source. Luckily, there are several PHP Encoders on the market that come to the rescue, and in this article we will take a look at Nu-Coder - a PHP Encoder from NuSphere.

PHP Encoder from the authors of PhpED

When we first reviewed Nu-Coder - PHP Encoder from NuSphere it was a year ago when NuSphere started shipping Nu-Coder version 1.4. We liked the product then already because:

  • Nu-Coder encodes your PHP scripts by converting the source code of PHP Script into compiled PHP bytecodes, giving it the highest possible protection
  • In addition to hiding of the source you also get the performance boost from loading the precompiled byte codes directly to PHP Engine
  • Nu-Coder features Command Line Encoder for Unix, Linux and Mac OS operating systems, both Graphical and Command Line Encoder for Windows integrated in PHP IDE
  • Our testing showed that Nu-Coder boasts the same reliability and quality that we saw in other NuSphere's products, such as PhpED. It is indeed commercial grade, production ready PHP Encoder.
  • Support for both PHP versions 4 and 5 all in one executable
  • Much faster running of PHP files
  • Very attractive pricing

NuSphere recently announced the release of Nu-Coder 2.0 with License Manager, obfuscation and multiple enhancements to PHP Encoding API. PhpED 5.5 release soon followed providing the User Interface to Nu-Coder in addition to the available Command Line Interface and we decided it was time to take a look again at the latest in NuSphere's PHP Encoding technology. It is safe to say, we weren't disappointed by what we saw. In addition to robust encoding protection of php files already available, the newly added License Manager now helps php developers to create demo/trial as well as commercial versions of their applications.

Different Approaches to Encoding of PHP files

Before we dive into the encoding of our php application we thought it would be a good idea to look at the possible ways of protecting php files. The products that we see on the market can be placed in two major categories:

  • Encoders that encrypt original PHP source code - somewhat similar to Javascript comressors available on-line and on desktops.
  • Encoders that convert the source code of PHP Scripts into compiled PHP bytecodes that are later loaded directly to PHP interpreter.

The encoders from the first category simply "mess" with PHP source to make it unreadable. If you use this type of php encoder you will most likely need some special additional file, which would pre-process the encrypted file before giving it to PHP loader. The advantage of this approach is in the simplicity because most likely you won't need any additional loaders or php extensions installed on the server. However, the drawbacks of using such encoder are quite severe:

  • First and foremost, the protection provided by these encoders is questionable because the source code is while encrypted is still available. Decryption of such files is not terribly hard, as a matter of fact there are websites offering their decryption "services" for just $5(USD5) a pop. If there is a malicious user who wants to get your source - there is a pretty good chance that he/she will break this protection
  • Second problem is the performance of the files encrypted with the php encoders from this category. Execution times tend to be slower because of the additional overhead produced by decrypting of the file prior to the processing.

Php encoders from the second category are arguably the only real thing because they kill two birds with one stone: by converting PHP Source into compiled byte codes these encoders both provide the highest level of protection as well as the performance boost instead of the slowdown. The level of protection is very high because the source code is no longer present on the server at all. The performance is much better because compiled byte codes are loaded directly to PHP interpreter and the step of the compilation is skipped at the execution time. The drawback of these encoders is in the need to install the loader, which is typically a php extension on the server. This category is an exclusive club - we know of only 3 PHP encoders doing byte codes compilation: Zend Guard, ionCube and Nu-Coder. Only two of them - Zend Guard and Nu-Coder - are produced by the companies which also make commercial grade PHP Editors/IDE.

Continue to Part 2 of Encoding PHP Files to Protect your PHP Application