19 February 2013

protecting php file with ionCube encoder

One of the issues PHP developers face is that PHP is an interpreted language, meaning PHP source code is readable by anybody who downloads your applications. In this article I will show you how to protect your intellectual property by encoding your PHP source code.

The tool we are going to use to protect our code is ionCube PHP Encoder. Before releasing your PHP software, you use the encoder to convert your plain-text PHP files into special encrypted files.While ionCube PHP Encoder is a commercial product, there is a time-limited trial available for download.

Because your PHP is encoded into a special byte-code (as opposed to just being obfuscated), a loader must be installed on your web server. A loader is a PHP module that must be installed. Fortunately, ionCube PHP Encoder is commonly used and therefore many web hosts will already have a loader installed.

On the ionCube website there is a loaders page which contains the latest versions of the loader for all supported platforms (you must install the correct loader for your platform). You will need the loader for your platform installed in order to be able to run code you encode from this article.

Before we proceed, let's take a quick look at an encoded file. Snippet 1 shows a basic PHP script.
Snippet 1
  
<?php
    echo "Hello, world!\n";
?>
    
 

We can then run this script through the encoder. While there are many different options available, encoding a script with the default options yields the following PHP file.
Snippet 2
  
<?php //000a8
echo('Site error: the file '.__FILE__.' requires the ionCube PHP Loader '.
basename($__ln).' to be installed by the site administrator.');exit(199);
?>
4+oV5BgRgd22U2z7JoK/KmKPIcszhD8pg3hvN+5vc4HFcsGMn/El/4CMYaLFFzaqguLCeb9su8xn
i0+eWxJg/kwNHRkiBvY1aMf1AvwPf14DIwCvegtJC7cbx9cN5jBjwSspVjhVsQnxFx9oBut6R0Kc
V+OLw6XBTNm5sKpbL6DVm2jqk8Wasm9oJgKLZxBtvVBeP5vZrOiod+L7SoplcmTgtyr5wzS3sEzj
r7ixXPUY4H82MyuzZyjYTkSKkz9qlMzWHddrUHJX3y0zPfDqWDUeD1BibJQJ9BXkP7jb4pdKQv/h
sMqhthNQQRSp6nOJHq8oDDYLE+p403GYs2As9qEI2wNAg6j6ln0BRP7shcbNTb5a8O4VjjLhGDwG
1AYOxaM4R5QneCFr+xYdtEYSep8FW1i9IBzF1FuDa7eMoPDqaQdjTLAPsy5O831yGpAHohx3FzUK
aewZTV+tdru=
    
 

While you cannot understand what this code does just by looking at it, your PHP installation with the correct loader installed interprets this just as if it was the code in Snippet 1.

Encoding Your PHP Files

The ionCube PHP Encoder is a command-line script you run either one or more files, or on an entire set of folders. If you're encoding an entire PHP application you would typically run it on the original source folder. The encoder will duplicate the entire tree, except the PHP code will be encoded.

In the previous section I showed you what the encoded PHP code from a basic "Hello World" script looks like. The command I used to generate this encoded script is as shown in Snippet 3
Snippet 3
  
/usr/local/ioncube/ioncube_encoder5 helloworld.php -o helloworld-enc.php
    
 

In this example, the -o specified the output location. In this example I just created the encoded file in the same directory with a different filename. Typically you would want to create the file with the same filename as the original (without replacing the original source code).

To achieve this, set the input and output both to be a directory. The encoder will automatically recurse through all directories in the input directory and encode all PHP files.

To demonstrate this, let's assume helloworld.php is in a directory called src. Snippet 4 shows the command we use to encode this entire path. The example outputs the encoded files to the build directory.
Snippet 4
  
/usr/local/ioncube/ioncube_encoder5 src -o build
    
 

Protecting Non-PHP Code

Depending on how your web application has been designed, there may be some non-PHP files you would to prevent users from being able to read. A good example of such files is XML files or Smarty template files.
The ionCube PHP Encoder includes an encryption option. This feature is used to protect non-PHP files (but it differs from the PHP encoding since the output isn't a bytecode format format).

To encrypt files, the --encrypt command-line option is used. You can then specify a file pattern that will be encrypted. For example, if you want to encrypt every file with extension tpl you would specify --encrypt "*.tpl". Without doing so, the encoder would simply copy all tpl files exactly as-is into the target directory.

Snippet 5 shows the command we can now type on our src directory. The directory contains the helloworld.php script and a template called index.tpl.

Snippet 5
  
/usr/local/ioncube/ioncube_encoder5 src/ -o build --encrypt "*.tpl"
    
 

Your application must be able to handle these encrypted files. Fortunately, when a loader is present in a PHP installation, a number of additional functions are made available that allow you to deal with encrypted files.

The ioncube_read_file() will decrypt files that have been previously encrypted. This function accepts a filesystem path as its only argument and will return the decrypted data. If the input path was not encrypted it will be returned as-is.

Summary

In this article I showed you how you can protect your PHP code using the ionCube PHP Encoder. While I only showed your the absolute basics, there are many other features available with the encoder that make it ideal for projects of all sizes.

Some of those features include:
  1. Adding a licensing mechanism to your code so only license-holders can use your code
  2. Handling various events in the loading process (such as if the loader isn't found)
  3. Writing custom properties to an encoded file

No comments:

Post a Comment