If I would like to distribute PHP application with installer(package system of OS) how should I proceed? I don't want PHP files to be there, just working application, so when I type 'app' into console, it ends up being launching application, without need to install PHP on system(no php installation on host required). I would also like the application to have patch-able byte-code, so it's in parts, loaded when needed and only part needs to be replaced on update.
What I would do now is following:
->Compile PHP with extensions for specific platform.
->Make binary application which launches '/full/php app' when app is launched.
->Pack it in installer in a way, that there would be binary added to path when added, launching specific installation of PHP which is alongside the app with argument of start point->App would be running.
Problem is:
Maybe I don't want my PHP files to be exposed(in application, there will be available source anyway) is there some ready made stuff to do this? Is there some better way than I proposed?
Alternative: Modifying OP Cache to work with "packing" application to deliver byte codes to modified OP Cache which just reads the cache.
My suggestion would be a tiny tool I just finished, for almost exactly the same problem. (Oh yes I tried all the others but they're old and rusty, sometimes they're stuck with 4.x syntax, have no support, have no proper documentation, etc)
So here's RapidEXE:
http://deneskellner.com/sw/rapidexe
In the classical way, it's not a really-real compiler, just a glorified packer, but does exactly what you need: the output exe will be standalone, carrying everything with it and transparently building an ad-hoc runtime environment. Don't worry, it all happens very fast.
It uses PHP 7.2 / Win64 by default but has 5.x too, for XP compatibility.
It's freeware, obviously. (MIT License.)
(Just telling this because I don't want anyone to think I'm advertising or something. I just took a few minutes to read the guidelines about own-product answers and I'm trying to stay within the Code of the Jedi here.)
However...
I would also like the application to have patch-able byte-code, so it's in parts, loaded when needed and only part needs to be replaced on update.
It's easier to recompile the exe. You can extract the payload pieces of course but the source pack is one big zip; there seems to be no real advantage of handling it separately. Recompiling a project is just one command.
Maybe I don't want my PHP files to be exposed(in application, there will be available source anyway)
In this case, the exe contains your source compressed but eventually they get extracted into a temp folder. They're deleted immediately after run but, well, this is no protection whatsoever. Obfuscation seems to be the only viable option.
If something goes wrong, feel free to comment or drop me a line on developer-at-deneskellner-dot-com. (I mean, I just finished it, it's brand new, it may misbehave so consider it something like a beta for now.)
Happy compiling!
PHP doesn't do that natively, but here are a few ideas:
Self-extracting archive
Many archival programs allow you to create a self-extracting archive and some even allow to run a program after extraction. Configure it so that it extracts php.exe and all your code to a temp folder and then runs ir from there; deleting after the script has complete.
Transpilers/compilers
There's the old HPHC which translates PHP code to C++, and its wikipedia age also contains links to other, similar projects. Perhaps you can take advantage of those.
Modified PHP
PHP itself is opensource. You should be able to modify it withot too much difficulty to take the source code from another location, like some resource compiled directly inside the php.exe.
Use Zend Guard tool that compiles and converts the plain-text PHP scripts into a platform-independent binary format known as a 'Zend Intermediate Code' file. These encoded binary files can then be distributed instead of the plain text PHP. Zend Guard loaders are available for Windows and Linux platform that enables PHP to run the scripts encoded by Zend Guard.
Refer to http://www.zend.com/en/products/zend-guard
I would like to add another answer for anyone who might be Googling for answers.
Peach Pie compiler/runtime
There is an alternative method to run (and build apps from) .php source codes, without using the standard php.exe runtime. The solution is based on C#/.NET and is actually able to compile php source files to .NET bytecode.
This allows you to distribute your program without exposing its source code.
You can learn more about the project at:
https://www.peachpie.io/
You've got 3 overlapping questions.
1. Can I create a stand-alone executable from a PHP application?
Answered in this question. TL;DR: yes, but it's tricky, and many of the tools you might use are semi-abandoned.
2. Can I package my executable for distribution on client machines?
Yes, though it depends on how you answer question 1. If you use the .Net compiler, your options are different to the C++ option.
3. Can I protect my source code once I've created the application?
Again, depends on how you answer question 1. Many compilers include an "obfuscator" option which makes it hard to make sense of any information you get from decompiling the app. However, a determined attacker can probably get through that (this is why software piracy is possible).
Here is a scenario:
A custom php framework is built.
A user manual of the functions is written for developers
Developers are invited / paid to write additional classes, modules or extensions to the framework
But you don't want them to have access to the actual source code
For instance writing (or potentially many other ways):
highlight_file(ROOT_PATH_SHARED.SCRIPT_FOLDER.'search.class.php');
Is this possible or will someone working within PHP always be able to pull out the source code?
You need to encrypt/obfuscate your source code.
ioncube and zend guard says that they can do it.
I have not had any experience with them however.
Also, if you are using a framework, ensure that they work after encryption.
PHP is an open-source language. Somebody who knows what they are doing will always be able to read your code, if they have access to the server's file system.
Your developers will need to be able to run the source code, in order to test and debug their own code. However, they could do their testing remotely, treating your core app as an API. That way the developers would not require the kind of source code access that would allow them to view, download, or edit your proprietary source code.
The alternative is to encode or encrypt your source code, and decode it at runtime. The problem is, this would not keep out someone who was determined. If they have access to the file system, they can retrieve your encryption key. For better security, restrict access to the files themselves.
I am working on magento extensions licensing and trying to figure out how to restrict magento extensions to work on one magento installation only.
How would you do it? I believe ioncube doesn't allow to do anything like that. It can only restrict per domain or IP.
PHP is open source and it seems like anybody can crack this protection. I really don't know where to start.
There is no 100% way to achieve what you need. Even the source encoded with commercial encoders like IonCube (which require corresponding software installed btw, so it will restrict your potential auditory at least to managed hostings) don't guarantee to protect your code from modifications and changing the logic.
The best what you can do IMHO is:
1) Implement some logic based on $_SERVER host - i.e. make it per/domain license with allowing some "obviously" non-live domains (like containing dev. etc) - this is good practice
2) Use code obfuscator and encode some "important" piece of your code (for example model or helper class file). Try googling "php code obfuscator".
This is general direction, in fact this is the place where you everyone better figure out it's own unique path, the weirder the better >:o
I have a php page which contains keys and salts and I would like to hide such information just in case. Anyone know a good free software that could do this?
I have both zend and ion installed on my server, which I heard some source scramblers use. Any ideas?
Your PHP source cannot be viewed directly via browser. You can obfuscate the php files on the server for extra protection. Obfuscation makes it more difficult for an attacker to understand your code, if he eventually gets in. Remember to keep an un-obfuscated back-up of your files.
Check Out
Obf
http://www.pipsomania.com/best_php_obfuscator.do
Zend Guard
Or just search for http://www.google.com.ng/search?sourceid=chrome&ie=UTF-8&q=php+obfuscator
I'm writing some scripts that are free, but only to members within my teaching program. What I want to do is check what sites have installed the script.
I was thinking of obfuscating some PHP that posts back to my server when installed so I can see the domain it's used on. Obviously the user could remove this, but if I was to put a few application variables in with the code it might stop them removing because doing so would break the script.
Any comments on this approach?
if you really want to be sure, use something like Zend Guard (aka Zend Encoder) to encode the php file.
If you want some of it to be user-editable, just encode the core functions (along with your security check) in a separate file and then leave the higher level code open for them to tinker with/modify as required.