What I Am Trying
I am building a Codeigniter application for a client.I need to upload the codeigniter application in the client server. Therefore I need to encrypt or protect my source files.
What I Require
What should I do to protect or encrypt my Codeigniter source file or Project.
Well that would take away the whole point of open source now would it.
You will have to encrypt/obfuscate your source by using ionCube or Zend encoders.
However, I am not sure if the app will work after encoding since you are using a framework.
ionCube says that they work with codeigniter but I don't have any experience for it.
I haven't used Zend before.
Even though you encrypt them I have seen posts where they claim to be able to get the normal clean code. I don't know how much of this is true.
But if you need to protect the source code ionCube or Zend encoders say that they can.
http://www.ioncube.com/ OR http://www.zend.com/en/products/guard/
i also needed this type of feature and all users suggest ioncube and ZendGuard but this software is paid versions. so research on this feature i get a such a perfect tool and it's allow to make only single PHP file encoding as i want i use this.
after implement this encoded code in my project no affect to code and works perfectly and it is Byterun.
There are problems in ionCube. The problem is when CodeIgniter code is obfusacate and encrypted, the calling area of that function/class/variable does not recognize newly created function/class/variable name and generates error.
ionCube knows the pitfalls and offers a way to exclude such files that are being called outside that file, but thats what MVC do. Not an elegant solution by ionCube.
https://blog.ioncube.com/2014/10/16/common-obfuscation-pitfalls/
I did not check ZendGuard, but my guts feelings says, the same problem will appear if we use any code encryption tool. The point is, we made a file, class, method, variable encrypt and obfuscate (encrypt / obfuscate), after the process, it will produce new name for class, method, variable. Now, another model, controller, method is calling the same variable/method, and then it will not recognized and an error will be thrown. I am not 100% sure in case of ZendGuard or other tools but checked the ionCube.
I am working on magento extensions licensing and trying to figure out how to restrict magento extensions to work on one magento installation only.
How would you do it? I believe ioncube doesn't allow to do anything like that. It can only restrict per domain or IP.
PHP is open source and it seems like anybody can crack this protection. I really don't know where to start.
There is no 100% way to achieve what you need. Even the source encoded with commercial encoders like IonCube (which require corresponding software installed btw, so it will restrict your potential auditory at least to managed hostings) don't guarantee to protect your code from modifications and changing the logic.
The best what you can do IMHO is:
1) Implement some logic based on $_SERVER host - i.e. make it per/domain license with allowing some "obviously" non-live domains (like containing dev. etc) - this is good practice
2) Use code obfuscator and encode some "important" piece of your code (for example model or helper class file). Try googling "php code obfuscator".
This is general direction, in fact this is the place where you everyone better figure out it's own unique path, the weirder the better >:o
As in JSP we give "WAR" file to clients and it contains .class files and other configuration files but not the source code, is there any way, in PHP, to deliver the project (website) to client without giving them source code.
Facebook created a project called HipHop php, a php compiler.
See this post:
Can you "compile" PHP code?
Short answer, not really.
I mean you can compile php into a single .phar file however anyone with moderate php knowledge can get the code from that.
There are also solutions http://www.ioncube.com/ though I don't know how easily someone can get the code from it however I would strongly advise against any solution like this as they generally require the user of this "compiled" code to you their proprietary software to run it.
I have a php page which contains keys and salts and I would like to hide such information just in case. Anyone know a good free software that could do this?
I have both zend and ion installed on my server, which I heard some source scramblers use. Any ideas?
Your PHP source cannot be viewed directly via browser. You can obfuscate the php files on the server for extra protection. Obfuscation makes it more difficult for an attacker to understand your code, if he eventually gets in. Remember to keep an un-obfuscated back-up of your files.
Check Out
Obf
http://www.pipsomania.com/best_php_obfuscator.do
Zend Guard
Or just search for http://www.google.com.ng/search?sourceid=chrome&ie=UTF-8&q=php+obfuscator
I'm currently developing a PHP framework. Other developers may create modules for the framework. Source code of these modules should reside in the framework directory.
Since the project is open-source, modules know location of the config file which has database password in it. How to protect passwords from malicious modules? Please check that modules may just require_once the config file and do harmful things!
Currently I'm storing Database passwords in a directory named config, and protecting it by a .htaccess file:
<Directory config>
order allow,deny
deny from all
<Directory>
But that is not sufficient to prevent scripts steal the password, is it?
I've read the thread How to secure database passwords in PHP? but it did not help me finding the answer.
In PHP, you can't. It's not a sandboxed language; any code you run gets all the permissions of the user it's running under. It can read and write files, execute commands, make network connections, and so on, You must absolutely trust any code you're bringing in to your project to behave well.
If you need security boundaries, you would have to implement them yourself through privilege separation. Have each module run in its own process, as a user with very low privileges. Then you need some sort of inter-process communication. That could be using OS-level pipes, or by having separate .php files run as different users running as web services accessed by the user-facing scripts. Either way, it doesn't fit neatly into the usual way PHP applications work.
Or use another language such as Java, which can offer restricted code with stronger guarantees about what it is allowed to do (see SecurityManager et al).
Unfortunately, PHP is not a very secure language or runtime. However, the best way to secure this sort of information is to provide a configuration setting that has your username/password in it, outside of your document root. In addition, the modules should just use your API to get a database connection, not create one of their own based on this file. The config setting should not be global. You should design something like this in a very OOP style and provide the necessary level of encapsulation to block unwarranted access.
I've got an idea that may work for you, but it all really depends on what abilities your framework scripts have. For my idea to be plausible security wise you need to essentially create a sandbox for your framework files.
One idea:
What you could do (but probably more resource intensive) is read each module like you would a text file.
Then you need to identify everywhere that reads a file within their script. You've got things like fopen for file_get_contents to consider. One thing I'd probably do is tell the users they may only read and write files using file_get_contents and file_put_contents, then use a tool to strip out any other file write/read functions from their script (like fopen).
Then write your own function to replace file_get_contents and file_put_contents, make their script use your function rather than PHP's file_get_contents and file_put_contents. In your file_get_contents function you're essentially going to be checking permissions; are they accessing your config file, yes or no, then return a string saying "access denied" if they are or you use the real file_get_contents to read and return the file if not.
As for your file_put_contents, you just need to make sure they're not writing files to your server (they shouldn't be allowed, imagine what they could do!), alternatively, you could probably use a CHMOD to stop that happening.
Once you've essentially rewritten the module in memory, to be secure, you then use the "exec" function to execute it.
This would take a considerable amount of work - but it's the only pure PHP way I can think of.
I am not sure if it is possible, however you could maybe make a system which checks the files in the module for any php code which tries to include the config file, and then warn the user about it before installing.
However it really shouldn't be your responsibility in the end.
A very good question with no good answer that I know of, however...
Have you seen runkit? It allows for sandboxing in PHP.
The official version apparently isn't well maintained any more, however there is a version on GitHub that is quite popular: zenovich/runkit on GitHub
Although the best solution is perhaps a community repository where every submission is checked for security issues before being given the OK to use.
Good Luck with your project
Well, I see no problem here.
If it's a module, it can do harmful things by definition, with or without database access. It can delete files, read cookies, etc etc.
So, you have to either trust to these modules (may be after reviewing them) or refuse to use modules at all.
Don't include your actual config file in your open source project.
The way I do it is a create just the template config file config.ini.dist
When a user downloads your project they have to rename it to config.ini and enter their own configuration information.
This way every user will have their own database connection info like username and password. Also when you update your project and users download your newest version, their own config files will not be overwritten by the one from your program.
This a a very common way to store configuration in open source projects - you distribute a template config file and tell users that they have to rename it and enter their own configuration details.
I don't think there is a way to prevent a module to capture sensible data from the actual framework configuration and send it to some stranger out there. On the other end, I don't think that should be your responsability to protect the user from that to happen.
After all, it's the user that will decide to install any module, right? In theory it should be him that would have to verify the module intents.
Drupal, for example, does nothing in this direction.
There is a worst problem, anyway: what'd prevent a nasty module to wipe out your entire database, once it is installed?
And, by the way, what could the malicious stranger do with your database password? At the very least you anyway need to secure the connection of the database, so that only trusted hosts can connect to the database server (IP/host based check, for example).