One of the issues PHP developers face is that PHP is an interpreted language, meaning PHP source code is readable by anybody who downloads your applications. This article will tell you how to protect your intellectual property by encoding your PHP source code.
The tool we are going to use to protect our code is ionCube PHP Encoder. Before releasing your PHP software, you use the encoder to convert your plain-text PHP files into special encrypted files.
Note: While ionCube PHP Encoder is a commercial product, there is a time-limited trial available for download.
Because your PHP is encoded into a special byte-code (as opposed to just being obfuscated), a loader must be installed on your web server. A loader is a PHP module that must be installed.
Note: Fortunately, ionCube PHP Encoder is commonly used and therefore many web hosts will already have a loader installed.
On the ionCube website there is a loaders page which contains the latest versions of the loader for all supported platforms (you must install the correct loader for your platform).
Note: You will need the loader for your platform installed in order to be able to run code you encode from this article.
Before we proceed, let’s take a quick look at an encoded file. Listing 1 shows a basic PHP script.
Listing 1 A basic “Hello World” script (helloworld.php)
We can then run this script through the encoder. While there are many different options available, encoding a script with the default options yields the following PHP file.
Listing 2 Encoded version of “Hello World” (helloworld-enc.php)
‘.__FILE__.’ requires the ionCube PHP Loader ‘. basename($__ln).’ to be installed by the site administrator.’);
While you cannot understand what this code does just by looking at it, your PHP installation with the correct loader installed interprets this just as if it was the code in Listing 1.
Encoding Your PHP Files
The ionCube PHP Encoder is a command-line script you run either one or more files, or on an entire set of folders. If you’re encoding an entire PHP application you would typically run it on the original source folder. The encoder will duplicate the entire tree, except the PHP code will be encoded.
The command we used to generate this encoded script is as shown in Listing 3.
Listing 3 Basic usage of the encoder (listing-3.txt)
/usr/local/ioncube/ioncube_encoder5 helloworld.php -o helloworld-enc.php
In this example, the -o specified the output location. In this example we just created the encoded file in the same directory with a different filename. Typically you would want to create the file with the same filename as the original (without replacing the original source code).
To achieve this, set the input and output both to be a directory. The encoder will automatically recurse through all directories in the input directory and encode all PHP files.
To demonstrate this, let’s assume helloworld.php is in a directory called src. Listing 4 shows the command we use to encode this entire path. The example outputs the encoded files to the build directory.
Listing 4 Encoding an entire directory (listing-4.txt)
/usr/local/ioncube/ioncube_encoder5 src -o build
We now have a directory called build which is identical to src except that the PHP files are encoded.
Note: Even non-PHP files (such as images or stylesheets) are also copied as-is into the target directory.