I have a php page which contains keys and salts and I would like to hide such information just in case. Anyone know a good free software that could do this?
I have both zend and ion installed on my server, which I heard some source scramblers use. Any ideas?
Your PHP source cannot be viewed directly via browser. You can obfuscate the php files on the server for extra protection. Obfuscation makes it more difficult for an attacker to understand your code, if he eventually gets in. Remember to keep an un-obfuscated back-up of your files.
Check Out
Obf
http://www.pipsomania.com/best_php_obfuscator.do
Zend Guard
Or just search for http://www.google.com.ng/search?sourceid=chrome&ie=UTF-8&q=php+obfuscator
Related
Here is a scenario:
A custom php framework is built.
A user manual of the functions is written for developers
Developers are invited / paid to write additional classes, modules or extensions to the framework
But you don't want them to have access to the actual source code
For instance writing (or potentially many other ways):
highlight_file(ROOT_PATH_SHARED.SCRIPT_FOLDER.'search.class.php');
Is this possible or will someone working within PHP always be able to pull out the source code?
You need to encrypt/obfuscate your source code.
ionCube and Zend Guard say that they can do it.
I have not had any experience with them however.
Also, if you are using a framework, ensure that they work after encryption.
PHP is an open-source language. Somebody who knows what they are doing will always be able to read your code, if they have access to the server's file system.
Your developers will need to be able to run the source code, in order to test and debug their own code. However, they could do their testing remotely, treating your core app as an API. That way the developers would not require the kind of source code access that would allow them to view, download, or edit your proprietary source code.
The alternative is to encode or encrypt your source code, and decode it at runtime. The problem is, this would not keep out someone who was determined. If they have access to the file system, they can retrieve your encryption key. For better security, restrict access to the files themselves.
What I Am Trying
I am building a CodeIgniter application for a client. I need to upload the CodeIgniter application to the client's server. Therefore I need to encrypt or protect my source files.
What I Require
What should I do to protect or encrypt my CodeIgniter source files or project?
Well that would take away the whole point of open source now would it.
You will have to encrypt/obfuscate your source by using ionCube or Zend encoders.
However, I am not sure if the app will work after encoding since you are using a framework.
ionCube says that they work with CodeIgniter, but I don't have any experience with it.
I haven't used Zend before.
Even though you encrypt them I have seen posts where they claim to be able to get the normal clean code. I don't know how much of this is true.
But if you need to protect the source code ionCube or Zend encoders say that they can.
http://www.ioncube.com/ OR http://www.zend.com/en/products/guard/
I also needed this type of feature, and all users suggest ionCube and Zend Guard, but these are paid software. So, researching this feature, I found a perfect tool that allows encoding just a single PHP file, as I wanted, and I use it.
After implementing the encoded code in my project, there was no effect on the code and it works perfectly; the tool is Byterun.
There are problems in ionCube. The problem is that when CodeIgniter code is obfuscated and encrypted, the calling area of that function/class/variable does not recognize the newly created function/class/variable name and generates an error.
ionCube knows the pitfalls and offers a way to exclude such files that are being called outside that file, but that's what MVC does. Not an elegant solution by ionCube.
https://blog.ioncube.com/2014/10/16/common-obfuscation-pitfalls/
I did not check ZendGuard, but my gut feeling says the same problem will appear if we use any code encryption tool. The point is, we encrypt and obfuscate a file, class, method, or variable; after the process, it will produce a new name for the class, method, or variable. Now another model, controller, or method is calling the same variable/method, and then it will not be recognized and an error will be thrown. I am not 100% sure in the case of ZendGuard or other tools, but I checked ionCube.
I have a Bluehost account and I have the option of using ionCube, SourceGuardian, or neither. What is the benefit of encoding the PHP if the end user can't see the source anyway? Are there other benefits other than encoding?
Is ioncube preferred to source guardian?
thanks,
me
PHP code obfuscation is generally used when you need to license a PHP application to someone else. You don't want the person getting the code to install on their server to be able to easily copy the code.
I'm writing some scripts that are free, but only to members within my teaching program. What I want to do is check what sites have installed the script.
I was thinking of obfuscating some PHP that posts back to my server when installed so I can see the domain it's used on. Obviously the user could remove this, but if I was to put a few application variables in with the code it might stop them removing because doing so would break the script.
Any comments on this approach?
If you really want to be sure, use something like Zend Guard (aka Zend Encoder) to encode the PHP file.
If you want some of it to be user-editable, just encode the core functions (along with your security check) in a separate file and then leave the higher level code open for them to tinker with/modify as required.
Is it possible to somehow view another websites php files/codes?
Or to rephrase the question, Can my php codes be viewed by anybody except for those who have access to the file?
If so, how can I best prevent this?
PS: Server OS is Ubuntu 9.10 and PHP version is 5+ (Apache2)
A bug or security vulnerability in the server (either Apache or the PHP engine), or your own PHP code, might allow an attacker to obtain access to your code.
For instance, if you have a PHP script to allow people to download files, and an attacker can trick this script into downloading some of your PHP files, then your code can be leaked.
Since it's impossible to eliminate all bugs from the software you're using, if someone really wants to steal your code, and they have enough resources, there's a reasonable chance they'll be able to.
However, as long as you keep your server up-to-date, someone with casual interest is not able to see the PHP source unless there are some obvious security vulnerabilities in your code.
Read the Security section of the PHP manual as a starting point to keeping your code safe.
By using exploits or on badly configured servers it could be possible to download your PHP source. You could however either obfuscate and/or encrypt your code (using Zend Guard, Ioncube or a similar app) if you want to make sure your source will not be readable (to be accurate, obfuscation by itself could be reversed given enough time/resources, but I haven't found an IonCube or Zend Guard decryptor yet...).
No one can read the file except for those who have access to the file. You must make the code readable (but not writable) by the web server. If the PHP code handler is running properly, you can't read it by requesting it by name from the web server.
If someone compromises your server you are at risk. Ensure that the web server can only write to locations it absolutely needs to. There are a few locations under /var which should be properly configured by your distribution. They should not be accessible over the web. /var/www should not be writable, but may contain subdirectories written to by the web server for dynamic content. Code handlers should be disabled for these.
Ensure you don't do anything in your PHP code which can lead to code injection. The other risk is directory traversal using paths containing .. or beginning with /. Apache should already be patched to prevent this when it is handling paths. However, when it runs code, including PHP, it does not control the paths. Avoid anything that allows the web client to pass a file path.
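The download-script leak and the directory traversal risk described in the answers above, shown as an added example that is not part of any original answer: a download handler that refuses any client-supplied name resolving outside its directory or pointing at script source. `DOWNLOAD_DIR`, the `file` query parameter and `resolve_download()` are hypothetical names chosen for illustration.

```php
<?php
declare(strict_types=1);

// Assumed layout: this directory holds only files meant to be public.
const DOWNLOAD_DIR = '/var/www/downloads';

// Pattern the answers warn about: the client supplies a path, so a name
// containing ".." can reach PHP source (keys and salts included).
//   readfile(DOWNLOAD_DIR . '/' . $_GET['file']);

/** Map a client-supplied name to a real file inside $baseDir, or null. */
function resolve_download(string $baseDir, string $requested): ?string
{
    // Reject empty names, NUL bytes and anything with a directory part.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    if (basename($requested) !== $requested) {
        return null;
    }
    // Never serve script source, even if a script lands in the directory.
    $ext = strtolower(pathinfo($requested, PATHINFO_EXTENSION));
    if (in_array($ext, ['php', 'phtml', 'phar', 'inc'], true)) {
        return null;
    }
    // Canonicalise (resolves ".." and symlinks), then check containment.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolve_download(DOWNLOAD_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);   // same response for every rejection reason
    exit;
}
$safeName = str_replace(['"', "\r", "\n"], '', basename($path));
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . $safeName . '"');
readfile($path);
```

The containment check runs on the canonical path returned by `realpath()`, so a symlink placed inside the download directory that points elsewhere is rejected as well.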