I just wanted to inform developers who sell scripts that if they want to ensure their code is not stolen, use http://www.sourceguardian.com/ or some other encryption program.
latehorne IM'd me. Looks like he was banned for self promotion. The link points to a site that is not his, and if you do a whois on the domain, you will see that it is registered to some company in the UK. latehorn is from Sweden, not the UK. He tells me he wasn't trying to spam, but sincerely offer sound advice for script makers, so they don't get their code ripped off. To keep the thread on topic (and it's a good one) - I'll add my favorite encoder to the list: http://www.ioncube.com/
I prefer to steer clear of encoders: I just know that at some point a client / customer is going to be running on a server that doesn't have the necessary extensions, then they won't be able to run my code. I use a 'two prong' attack. First, I use a heavily modified obfuscator. Pretty much everything is obfuscated, right down to constant names. Secondly, I use some RSA algorithms in association with licence files. Add this to the obfuscated mix and I'm pretty happy that it will stay safe enough. But that's just me
I've not seen anything like this out of latehorn in the past, and really have no reason to expect he was doing anything on the down low. I suppose I could be wrong, but if this is what got him banned, I am a bit surprised. He's been quite helpful and knowledgeable in the past IMO. Anyway...
Anyone know if you need to encrypt PHP files that sit on your web server? Can they be stolen / modified by malicious users?
Difficult to find out. If you have some good profitable sites, you'll want to make sure your small lone ranger hosting company doesn't steal your valuable PHP code.
Yes, this is the question that has been knocking around in my mind for the last year. What if the host himself steals the scripts?
In reality, I think the chances of this are pretty slim. To cover yourself, make sure that you and your host are in countries that allow for taking people to court for copyright infringement. That seems like a fairly obvious thing to do. You have to remember, though, that your host is in the business of hosting. Unless your script is related to hosting, what use is it to them? Plus, think of the negative PR they'll get if they steal directly from their customers. Now, I'm not saying this is related to you, but I would estimate that a lot of people put too much value in the scripts that they write. I'll tell you why 95% of these scripts aren't ripped off by the host... it's because they're not worth ripping off, no matter what the site owner thinks!
TwistMyArm, Did you "roll your own" obfuscator from scratch or was it something you purchased/found? Would love to know. I have been using Ioncube, considering purchasing Zend for the same reason you indicated... I'm running into more and more compatibility issues. Too bad, cause I like their product.
This is why I use dedicated servers. If your site is important enough you need to protect it and make sure the server is secure for yourself.
This is exactly what we had to do. A lot of hosts have all kinds of ionCube loader versions, and it doesn't work properly when loading it with our ionCube-encoded script. We just ended up buying Zend Guard, and it seems to have solved most of the compatibility issues we are having. Nevertheless, there are still a rare few users who have hosts who don't support ionCube and Zend at all... oh well, can't please everyone.
I found an open source one called PHPCodeBuster at http://www.intricks.com/projects/PhpCodeBuster/ . From there, I tweaked it to allow obfuscating constants, as well as accepting a 'do not change' list (so that I could ensure certain functions, classes, variables and so on weren't changed). I've sent the code back to the original author but unfortunately I had changed the formatting a lot, so we're still trying to work through all of that. The beauty of this obfuscator as opposed to a lot of the older ones is that this uses the actual PHP parser to determine what everything is before going to work... the older ones tried to basically 'recode' the parser so that they could work out what the code was trying to do and they were rather unsuccessful. The code I use passes your files to the PHP parser and it returns it, basically, all marked up, telling you what each portion of the script is used as. This makes it a lot more reliable! As I say, I'm still trying to get it merged back with the original developer but I was planning on uploading it myself at some point. If you or anyone else is interested, let me know: it might just give me the motivation to get it online!
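The parser-driven approach described in the post above, as an added example; this is not PHPCodeBuster's code or the poster's modified version. It handles variables only, and `obfuscate_variables()`, the `$_vN` naming scheme and the sample script are assumptions made for illustration.

```php
<?php
// Added example: variable renaming driven by PHP's own tokenizer (token_get_all).
// obfuscate_variables(), the "$_vN" names and the sample script are assumptions.
function obfuscate_variables(string $source, array $keep = []): array
{
    // Superglobals and $this have fixed meanings, so they are always kept.
    $keep = array_merge($keep, ['$this', '$GLOBALS', '$_GET', '$_POST', '$_COOKIE',
        '$_SERVER', '$_FILES', '$_ENV', '$_REQUEST', '$_SESSION']);
    $map = [];        // original name => replacement
    $warnings = [];   // run-time lookups a parse-time rename cannot follow
    $out = '';
    $line = 1;
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {
            // One-character token. A bare "$" only appears in $$name or ${expr}.
            if ($tok === '$') {
                $warnings[] = "line $line: variable variable";
            }
            $out .= $tok;
            continue;
        }
        [$id, $text, $line] = $tok;
        if ($id === T_VARIABLE && !in_array($text, $keep, true)) {
            // The tokenizer has already classified this as a variable, including
            // inside double-quoted strings, so no regex guessing is needed.
            $map[$text] ??= '$_v' . count($map);
            $text = $map[$text];
        } elseif ($id === T_STRING_VARNAME
            || ($id === T_STRING && in_array(strtolower($text), ['compact', 'extract'], true))) {
            // "${name}" in strings, compact() and extract() refer to names as strings.
            $warnings[] = "line $line: name resolved at run time ($text)";
        }
        $out .= $text;
    }
    return [$out, $map, $warnings];
}

// Constructed sample input. $name is declared as a property but read as
// $this->name (a T_STRING token), so it goes on the do-not-change list.
$sample = <<<'PHP'
<?php
class Greeter {
    public $name = 'world';
    function greet($prefix) { $msg = "$prefix, {$this->name}"; return $msg; }
}
$field = 'name'; $g = new Greeter(); echo $g->greet('Hello'), $$field ?? '';
PHP;
[$code, $map, $warnings] = obfuscate_variables($sample, ['$name']);
echo $code, "\n"; print_r($map); print_r($warnings);
```

The warnings list is the part to review by hand: those are the constructs where a name is looked up at run time, so a parse-time rename can silently change behaviour.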
Absolutely. I always like options, TwistMyArm... so I'd love to have a copy. Also, I've toyed with POBS and I've found that it's inconsistent when it comes to creating an end result that's usable. What I'm saying is that I had a project based off a long PHP class and the whole thing ended up so fried that going back in and debugging it would have been a nightmare.
Yeah... POBS was one of those that tried to do its own parsing, badly. So long as you're not using variable variables or other 'run time' (as opposed to 'parse time') functionality my code works. Well, let's just say that I haven't had any problems with it! One of the things I do want to work on is variable variables... I have an idea, at least, but will have to work on that maybe for the next version. OK: give me a few days and I'll upload it. The script I use to do it all will be fairly well tuned to the project I'm working on at the moment, just because that's how it's set up, but I'm happy to make this a 'proper' project for me if the need is there.