FRIHOST FORUMS SEARCH FAQ TOS BLOGS COMPETITIONS
You are invited to Log in or Register a free Frihost Account!


Protect Your PHP





RockaZA
Protecting your PHP code.

When you dont have control over your scripts after you've done programing them (ie you have to hand them over to someone else). It becomes valuable to ensure they can't change it, or use them for purposes which you haven't intended it for.

There are a few PHP encryption software packages available, but they tend to be expensive. An personally, I always try to find a "free" way to do it before I pay. Hey I'm on this site aren't I Cool .

Anyway I came across a nice little website that will encrypt your files for you. All you do is upload it and then it will give u a download link to the encrypted version, as well as a decrypt file (which needs to be placed in the same directory as the encrypted file).

The resulting encrypted file is completely unreadable.

This encryption does however require Zend Optimiser to be present on the hosting system. Zend optimiser is a free download.

Im not yet sure if Frihost has it installed, but if they dont I hope they seriously consider it.

Heres the link:
http://www.freephpencoder.com/
Fire Boar
Why exactly should you care what people use your PHP for? Encrypting code just stifles innovation and prevents people from extending what might potentially be an extremely good base. Besides, PHP is interpreted so it is impossible to really "encrypt" PHP. After all, a machine has to read it to run it, so if a human writes a program to read the code as the PHP application does and output the result in a more legible format, we're done.
rvec
there are ways to make php export the script right before it executes it, so there's no encryption that will work on php files. Also
Quote:
it becomes valuable to ensure they can't change it, or use them for purposes which you haven't intended it for.

Why would you care?
They payed for it, they should be able to do whatever they want with it. If they want your support it's something else, but even then you can just tell them that you only give support for the usage you have intended for it.
RockaZA
yes i know it sort of goes against the open source nature of php, but there are situations when it can be handy.

For instance I've been asked by a web designer to create a generic PHP based CMS that he can offer to his clients. Since he will be making profit off every client that he sells the system to I want to take royalties. If I just handed him the PHP script I would have no control over it and he could just use it as he pleases, make money off it and pay me nothing.

If the code is encrypted, he would need me to implement it for every site he sells.
Fire Boar
RockaZA wrote:
yes i know it sort of goes against the open source nature of php, but there are situations when it can be handy.

For instance I've been asked by a web designer to create a generic PHP based CMS that he can offer to his clients. Since he will be making profit off every client that he sells the system to I want to take royalties. If I just handed him the PHP script I would have no control over it and he could just use it as he pleases, make money off it and pay me nothing.

If the code is encrypted, he would need me to implement it for every site he sells.


Agree on a price beforehand, or a royalty contract. Your reasoning is like saying that you should hand books to publishers in encrypted form so that you have to give out each book personally, otherwise you won't make any royalties. Provided you have a legal contract or an agreed one-off payment, he is obliged to honour it by law.

The book analogy is also applicable here: would the clients prefer an obfuscated mess of PHP code that just happens to be a generic CMS, or an open PHP script that they can analyse themselves, improve upon, extend, and so on? Encrypting PHP for commercial reasons actually only goes to lower the value of the end product.
RockaZA
ok thanks for the advice. I'm still new to this while thing.

I just want to get value for my efforts and not be taken advantage of.
raver
In most cases, yes.. it is very stupid to encrypt your php codes. But there are some situations where it is needed. I have done hundreds of scripts, all which were given open sourced to the clients.

I am currently working on a personal project which i will encrypt at the end. IF you don't have full control over the server on which you are hosting it, then any hack-pot of an employee from the hosting company can take your files. In most cases that is not a problem, but when it is your source and many-many hours went in just on a few algorithms, you don't want anyone snooping around Wink
inphurno
raver wrote:
IF you don't have full control over the server on which you are hosting it, then any hack-pot of an employee from the hosting company can take your files.


well that would be the case with any shared hosting even frihost Smile even if you had a vhost or you rented a whole server the admins at the hosting company would still have access. the only way would be to real sure about your hosting would be to setup your own server and that could be a bit overkill imo but if you're up to the task why not...
rvec
inphurno wrote:
raver wrote:
IF you don't have full control over the server on which you are hosting it, then any hack-pot of an employee from the hosting company can take your files.


well that would be the case with any shared hosting even frihost Smile even if you had a vhost or you rented a whole server the admins at the hosting company would still have access. the only way would be to real sure about your hosting would be to setup your own server and that could be a bit overkill imo but if you're up to the task why not...
If you own the server, why encrypt the files? If the user would be able to download the files he can execute them on his own version and see what's in them, if he can't download them there is no need to encrypt them.
snowboardalliance
Fire Boar wrote:
RockaZA wrote:
yes i know it sort of goes against the open source nature of php, but there are situations when it can be handy.

For instance I've been asked by a web designer to create a generic PHP based CMS that he can offer to his clients. Since he will be making profit off every client that he sells the system to I want to take royalties. If I just handed him the PHP script I would have no control over it and he could just use it as he pleases, make money off it and pay me nothing.

If the code is encrypted, he would need me to implement it for every site he sells.


Agree on a price beforehand, or a royalty contract. Your reasoning is like saying that you should hand books to publishers in encrypted form so that you have to give out each book personally, otherwise you won't make any royalties. Provided you have a legal contract or an agreed one-off payment, he is obliged to honour it by law.

The book analogy is also applicable here: would the clients prefer an obfuscated mess of PHP code that just happens to be a generic CMS, or an open PHP script that they can analyse themselves, improve upon, extend, and so on? Encrypting PHP for commercial reasons actually only goes to lower the value of the end product.


Not going to say encrypting the source is a good thing, but just pointing out that while you may have the legal power to enforce this, actually doing it is another story. I doubt he wants to deal with legal fees and getting a lawyer if things get messy. The only people who really go through that kind of trouble are huge corporations with legal teams.

My point is, agreeing on a price and setting up a contract is no guarantee to get paid
AftershockVibe
snowboardalliance wrote:
Not going to say encrypting the source is a good thing, but just pointing out that while you may have the legal power to enforce this, actually doing it is another story. I doubt he wants to deal with legal fees and getting a lawyer if things get messy. The only people who really go through that kind of trouble are huge corporations with legal teams.

My point is, agreeing on a price and setting up a contract is no guarantee to get paid


This is why most web developer outfits I've seen (at least in the UK) who are doing work with overseas or small companies either demand a down payment before they start a project or are paid on a weekly basis. That however is getting off-topic.

Back on subject, it should be noted that whatever you think, your PHP code is not valuable. Any idiot with a keyboard can throw together a few PHP scripts - examples abound on the internet.

What is valuable is the service you provide. Your clients will value your communication skills, familiarity with the project, cost, ease-of-use and speed. If you are obfuscating your code then all you are doing is detracting from the value you provdide.
RockaZA
I'm beginning to realise thats true. But like I said I'm still new to this freelance thing.
aningbo
Quote:
Protecting your PHP code.

When you dont have control over your scripts after you've done programing them (ie you have to hand them over to someone else). It becomes valuable to ensure they can't change it, or use them for purposes which you haven't intended it for.

There are a few PHP encryption software packages available, but they tend to be expensive. An personally, I always try to find a "free" way to do it before I pay. Hey I'm on this site aren't I Cool .

Anyway I came across a nice little website that will encrypt your files for you. All you do is upload it and then it will give u a download link to the encrypted version, as well as a decrypt file (which needs to be placed in the same directory as the encrypted file).

The resulting encrypted file is completely unreadable.

This encryption does however require Zend Optimiser to be present on the hosting system. Zend optimiser is a free download.

Im not yet sure if Frihost has it installed, but if they dont I hope they seriously consider it.

Heres the link:
http://www.freephpencoder.com/


why would i need it? i won't give me codes to anyone since m not a hardcore coder. nice find though. thanx. might come in handy
polly-gone
I could see a few uses for PHP encryption software. For example, I am currently working on a project, and because I don't want to divulge too many details Wink , I will just say that it has a lot of algorithms, etc that are completely unique (I did my research Cool), and if I need to show the code to anyone else, I might encrypt the algorithms just so that they can't be copied.

But that is absolutely pointless since PHP can be decrypted with a few workarounds.

-Nick Smile Smile Smile
riccopt
when you use ZEND OPTIMIZER you need to upload files in BINARY mode, as they are "parsed" as "images" by ZEND... which as far as I know is no longer being used/supported by PHP
chatrack
Hi,

Is Encrypting php code can affect it's execuiton speed? I think php execution will start
only afte decrypting to original php on server side. so it may cause longer execuition time.

Am I right ?
Hogwarts
AftershockVibe wrote:
Back on subject, it should be noted that whatever you think, your PHP code is not valuable. Any idiot with a keyboard can throw together a few PHP scripts - examples abound on the internet.

What is valuable is the service you provide. Your clients will value your communication skills, familiarity with the project, cost, ease-of-use and speed. If you are obfuscating your code then all you are doing is detracting from the value you provdide.


I couldn't agree more here. Take, for example, the open-source project Magento. It's open-source, and anybody can develop for it, but Varien (the folks who made Magento) still maintain an absoloutely prominent position in the marketplace for Magento sites as they didn't write a manual for it. This means that whilst other people can use magento, those people pretty much advertise Varien and thus (because Varien are the only people with an idea of what's going on) they get a whole lot more sales on their services -- meaning more money for Varien.
Fire Boar
chatrack wrote:
Hi,

Is Encrypting php code can affect it's execuiton speed? I think php execution will start
only afte decrypting to original php on server side. so it may cause longer execuition time.

Am I right ?


No. PHP cannot be encrypted, as such. It can be obfuscated, in which case it's just as straightforward for a machine to execute as before, only far more difficult for humans to read. Or, it could be compiled into a binary using something like the Zend optimizer. This actually speeds the execution up, because the computer no longer has to parse the symbols, instead receiving the byte code immediately.
Shadowninja7194
I thought it could be heh, guess that's why I'm learning.
Echo51
If you are paranoid about somebody stealing your code, never release it to the web, it will be hacked eventually Wink

also, run your own home server, then you're then boss over who has access to it, problem solved Smile
PureReborn
If you don't want to give out your code. Don't ever let it off your own server.

If you dont want ppl to change your code (or understand it) then write very obtuse code. Use variable names like detla/beta/abcd and other generally horrible coding practice.
sonam
I think if I am sale my code then my code is not in my ownership and new owner can do what he/she want with it. The same is with simple Open Source codes but like Hogwarts wrote if you create something complicated then no one can easy follow your idea and just grab your code. BTW, how I know always is copyright inserted in open sources.

In software industry I see some examples where few companies try to copy product of one (free software). After few minutes I see difference, something going wrong, some buttons not working, support is stupid, etc. It is not easy to stealing and sale code.

Sonam
Mrs Lycos
Alright an example: imagine you code a browser game (so popular today) and you sell it as a "script" for people who want to run their own game in their servers (be it rpg, strategy, sports management). You could add as many warnings as you want that what you are selling is just a license to the use of the script for the game. They don't own the code, the engine, the formulas that you created, the ratios, the database structure, the algorithms, the way you made it all work together. They may have the "ideas" of what to call the units in the game, the name and how many stats points use in what items and what to call them, etc. But the core is yours- your intellectual property. And that is not as simple as you may think it is.
And you are making money out of selling this "game script", but then if the guy you sold it to, either gives it away or resells it, then what happens to your business? It may have taken even a couple of years to code it to a standard where you could make money from it-down the drain.
And here is where encrypting comes handy. You have a product, you want to protect it.
Quote:

Back on subject, it should be noted that whatever you think, your PHP code is not valuable. Any idiot with a keyboard can throw together a few PHP scripts - examples abound on the internet.


I don't agree. Something that works on php doesn't mean that anyone that can put php words together can make it happen. That is why you need programming and math skills to make complex sites. You are not selling php words, you are selling your ability to make those php words work in a way nobody else does.

And the idiots that pull php scripts together, taken from free php scripts sites, are no programmers, and they may have the ability to make scripts that other people did work together, but they will never create something new from the ground up, something they had right to.
Just like any other piece of software, if you have something unique you WILL want to protect it- if you want to sell it.
Nemesis234
Mrs Lycos wrote:
Alright an example: imagine you code a browser game (so popular today) and you sell it as a "script" for people who want to run their own game in their servers (be it rpg, strategy, sports management). You could add as many warnings as you want that what you are selling is just a license to the use of the script for the game. They don't own the code, the engine, the formulas that you created, the ratios, the database structure, the algorithms, the way you made it all work together. They may have the "ideas" of what to call the units in the game, the name and how many stats points use in what items and what to call them, etc. But the core is yours- your intellectual property. And that is not as simple as you may think it is.
And you are making money out of selling this "game script", but then if the guy you sold it to, either gives it away or resells it, then what happens to your business? It may have taken even a couple of years to code it to a standard where you could make money from it-down the drain.
And here is where encrypting comes handy. You have a product, you want to protect it.

if you legitimately sold your code and paid the proper tax on the income and for the copyright, then the person re-selling would be breaking the law and would be liable for any loss of income sustained by the original coder.

php cannot be encoded, its just plain impossible. its like saying encode some html, its impossible. you could make it hard to read, but if someone was willing to break the law, i recon they would be willing to "de-code" your code.
sonam
Quote:
Just like any other piece of software, if you have something unique you WILL want to protect it- if you want to sell it.


Right, you are talking about professional game, software, script... But like Nemesis234 (he is faster then me Wink ) wrote in that case your work is copyrighted and law is on your side.
Sonam
Mrs Lycos
sonam wrote:

Right, you are talking about professional game, software, script... But like Nemesis234 (he is faster then me Wink ) wrote in that case your work is copyrighted and law is on your side.
Sonam


Do you mean if you are in the States, or Europe, you are "protected by the law" and only if the person breaking the law is in the States or Europe... But there is a rest of the world...

For example if you are a programmer in Romania, and someone from China steals your code... Who are you going to complain to??? The UN? Which law? And if you sell your scripts at $1000 (just to write a very -very- high number here), how much do you think you will have to pay a lawyer to carry this out? in the remote case you ever find the real person and get something back.
sonam
Mrs Lycos wrote:

Do you mean if you are in the States, or Europe, you are "protected by the law" and only if the person breaking the law is in the States or Europe... But there is a rest of the world...

For example if you are a programmer in Romania, and someone from China steals your code... Who are you going to complain to??? The UN? Which law? And if you sell your scripts at $1000 (just to write a very -very- high number here), how much do you think you will have to pay a lawyer to carry this out? in the remote case you ever find the real person and get something back.


If you have professional work and if you want to encrypt it then it is OK to do it. Here is two levels and we are talking simultaneous on both. Some professional company will invest in encryption, some freelance will risk without encryption, this is true. Some very low standard encryption is useless and can produce more troubles then unencrypted source.

Sonam
mahirh
simple , i use a self destruct machanism in scripts i sell (which i dont) (top secret , even nasa did not think of it) which automatically destoys itself when it is not in domains i allow , and even if it very low tech drm , no one will find the code from over 10,000 lines of code except me hahaha , if you use encryption , i have a top secret way to crack almost all encryption in php implemented (do not pm me) based on
Code:
file_get_contents
polly-gone
Coooome on dude... are you serious "even nasa did not think of it"?

And cracking PHP encryption is pretty easy anyway.

-Nick Rolling Eyes Rolling Eyes Rolling Eyes
bobsled
is the encryption can protect the site from hacking?
welshsteve
The only code you should try and hide are things that can compromise the security of the website, such as database login details, any user data stored etc. As for scripts that do fancy things etc, with PHP being opensource why shouldn't it be shared around?
silverdown
The topic is old and the site mentioned in creation post no longer is valid.
mahirh
polly-gone wrote:
Coooome on dude... are you serious "even nasa did not think of it"?

And cracking PHP encryption is pretty easy anyway.

-Nick Rolling Eyes Rolling Eyes Rolling Eyes

NASA doesn't even use Php (at least on the main site) , so they don't need Php protection
Related topics
PHP safety?
[tutor] How to protect images without htaccess using PHP
HTTP AUTH with PHP and mySQL
PHP Tutorials
[PhP] News Posting Tutorial (code, actually ^^')
How to Protect ur windows System
PHP script has MSQL access denied
Simple login system
Web Protect Help
Error I can't seem to fix.
How to...easilly protect your directories within your site..
PHP, FORM HELP
How to build PHP mail form with Spam protection
Protect Your Computer with Deep Freeze
Relatively Secure Session Management System for PHP
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

FRIHOST HOME | FAQ | TOS | ABOUT US | CONTACT US | SITE MAP
© 2005-2011 Frihost, forums powered by phpBB.