I have come across some php encoders and read a statement on a website saying php encoding is good so a client's/company's data and website/server system will be more secure.
So should all php programmers always encode their php? And also leave the same decoder with the client so that they can edit the php or let another developer make changes?
I cannot find much mention online on forums regarding php encoding, so I presume it is not done often?
Someone enlighten me.
should i encode php?
I'm far from the foregone authority on this subject, but based on my understanding, why would we encode php code between a client and a server when the php code is never sent to the client to begin with? Just the results of processing the code are sent. Either way, this is an interesting subject; I'm curious to see what more experienced developers have to say on the subject.
I think by client, he meant a customer of his business. I.e. I create a major application and encode it using Zend Guard. I would then make them purchase a copy of Zend Guard so someone later could come in and see the code rather than having to recreate it from scratch.
No, you don't need to encode all of your projects all of the time. There is no inherent security risk with leaving php code decoded. Matter of fact, I believe all open source scripts you find are just plain text. If they were all encoded, everyone would require a decoder (of the same type the script was) and then the code wouldn't be as "open".
What encoding can do (note emphasis on can, and not "will") is to help obfuscate your code, speed up your code (since PHP doesn't have to compile it at runtime) and secure your code (licensing, intellectual property, etc.). So it in no way really affects security; however, it does affect the security of your intellectual property from someone just using it on their own.
So if you want to spend the $600 to get an encoder or whatever, I'd suggest you either use the Zend Encoder or IonCube. Those are probably the two most well-known and widely available ones today. I'm actually contemplating purchasing Zend Guard so I can encode a project I just completed for someone. Just a way to make them keep coming back to me.
bpat1434;10884567 wrote:...speed up your code (since PHP doesn't have to compile it at runtime)...
That will depend upon the encoder used. Many of them actually slow down your script by requiring multiple calls to eval() and base64_decode() in order to decode the script.
I think that bpat was considering only actual encoders, e.g. the ones he mentioned that turn the script into bytecode and whatnot.
Code obfuscators, on the other hand, that do nothing but a series of eval/base64 calls, are (in my opinion) nothing more than a laughable attempt at securing code used only by those who don't really know what they're after.
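As an added example (not part of any post in this thread, and not any vendor's code): a static Python check of why the eval()/base64_decode() wrappers discussed above protect nothing. The wrapper layout, the `wrap` and `peel` helper names and the sample input are assumptions constructed for illustration; no PHP is executed.

```python
import base64
import re

# One wrapper layer: eval(base64_decode('...')); with optional PHP tags around it.
LAYER = re.compile(
    r"""^\s*(?:<\?php\s*)?eval\s*\(\s*base64_decode\s*\(\s*(['"])"""
    r"""([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*;?\s*(?:\?>)?\s*$""",
    re.IGNORECASE,
)

# Constructed sample input: the function quoted later in this thread.
SAMPLE = (
    "function thisIsMyFunction($data1=null, $name=null, $email=null)\n"
    "{\n"
    "    if(is_null($data1) && is_null($name) && is_null($email))\n"
    "    {\n"
    "        return false;\n"
    "    }\n"
    "}\n"
)

def wrap(php_source, layers):
    """Build a layered wrapper the way a simple obfuscator might (assumed layout)."""
    out = php_source
    for _ in range(layers):
        blob = base64.b64encode(out.encode("utf-8")).decode("ascii")
        out = "eval(base64_decode('" + blob + "'));"
    return "<?php " + out

def peel(obfuscated, max_layers=50):
    """Strip wrapper layers by decoding only; returns (source, layers_removed)."""
    text, removed = obfuscated, 0
    while removed < max_layers:
        match = LAYER.match(text)
        if match is None:
            break  # innermost payload reached, or not this wrapper style
        try:
            text = base64.b64decode(match.group(2)).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            break  # not valid base64 text: stop and return what we have
        removed += 1
    return text, removed

if __name__ == "__main__":
    wrapped = wrap(SAMPLE, 3)
    source, count = peel(wrapped)
    print("layers removed:", count)
    print(source)
```

Each extra layer grows the file by about a third and adds a decode and an eval() at run time, while the original source comes back byte for byte.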
Yes, I was considering only actual encoders (Zend, IonCube, NuSphere's NuCoder). Most of the time they'll help speed up the app; however, it really does still depend upon the efficiency of the original code.
Hi,
which of those 3 (IonCube,NuCoder,Zend) encoders offers the strongest security? Anyone have any idea?
What about other encoders e.g. PHPLocker or PHPShield?
PHPLocker, in my opinion, is not trustworthy, as there is hardly any information about the product on the site http://www.php-locker.com/index.htm
PHPShield - may be interesting as well as the 3 mentioned at the beginning
PHPLocker seems to be just an obfuscation program. What that seems to do is to take your code, and turn it from:
function thisIsMyFunction($data1=null, $name=null, $email=null)
{
    if(is_null($data1) && is_null($name) && is_null($email))
    {
        return false;
    }
}
to
function a($v=null, $v2=null, $v3=null){ if(is_null($v) && is_null($v2) && is_null($v3)) { return false; } }
It doesn't technically encode anything, which is how it probably can get around actually requiring any modules/decoders on the system.
After actually testing the software, it doesn't seem like it works. It hung for me when trying to encode 1 file. However, ZendGuard can do an entire project in a few seconds.
If you're going to use PHPShield, you may as well go for the better SourceGuardian (same code as PHPShield).
To be honest, most servers have either Zend or IonCube loaded by default. So you'd be better off with one of those. NuSphere I think only created NuCoder so they could have one entire package for coding and licensing and such (much like Zend).
So stick with IonCube or Zend. Remember, if you actually encode your project/scripts, you need to actually have the decoder on the server. Some admins may not want to put 3rd-party extensions (like NuCoder or SourceGuardian) on their servers, but would be more apt to put Zend or IonCube on there. But those are just my feelings.
Thx
Next question
Does anyone know the considerable difference between Zend Guard and Ioncube?
I can state here the price. Zend is something about 3 times more expensive than Ioncube. The licence for Zend, as I recall well, is one year, while in Ioncube there is no time limit for it.
Is the strength of encoding in Zend bigger? Is the efficiency of encoding with Zend bigger?
Any ideas?
I'm not sure. I would google and do my own due diligence in finding out everything I can. I have read a couple forum threads on this (thanks to Google) and found this benchmark which shows some differences; however, it's not the current version of Zend Guard they're using.
You'd have to make the choice on your own. Both are good, both have their downfalls. You just need to evaluate what it is you want from the encoder, and choose whichever is right for you.