1

I'm currently writing a little commercial PHP Script which would be a VPN (PPTP) manager, in command line.

Actually, it's a socket server which is waiting for commands like "create", "suspend", "unsuspend", "changepassword"... Then it parses the PPTP files and modify them.

The thing is that I will have to give the PHP files which are so simple that they ONLY need php5-cli to be installed (and no apache, nothing else), I need to protect it from being read (actually, it's only 1 file, which is an entire class. The rest can be clear). I want the system to be lightest as possible, that's why there is no need of GUI, web-server, curl, *sql...

I thought about IonCube, but it's very expensive and can't be used on with cli scripts because it needs a loader, which is loaded by apache. This is the problem of every encoder I think.

I thought about HipHop PHP (From Facebook), but it's hard to understand how to use (because I can compile my sources, but the user guide says how to launch our clear source with it :/ ).

So, I'm here to get help about that. I have some PHP-cli scripts, which must run in command line, which don't need a webserver to work, and I only need (as it's a commercial product) to protect my sources from reading and illegal ditribution (it will be easy to bypass the licence system). This file is simply a PHP class.

Thanks.

-- Edit -- Precisly, I want to make it paid by month, 6 months, year. If it's clear, then everybody will be able to comment the licence check, and have it for free. I love the opensource, for proof, I've written 3 classes for this project, a debug/warning/error manager with output handling (stdout/stderr/logfile) and a Socket class, which you just have to include and extends from, and you have a complete server (and you just have to implement needed functions, the server will call the "received commmand"(), and I don't want to obfuscate these 2 classes.

Improve this question
8
  • 3
    Make money on support, not on selling your sources Commented May 15, 2012 at 10:11
  • 2
    @zerkms I agree, but that doesn't make this a useless question. Commented May 15, 2012 at 10:12
  • @Pelle ten Cate: the sad fact is that if your software is really good - it would be deobfuscated anyway, and if it is terrible - then no one would need sources even for free Commented May 15, 2012 at 10:15
  • 3
    Indeed, anything can be reverse engineered if somebody wants to do it enough. Although FWIW PHP is a terrible language to do something like this in anyway - you would do much better to write it in a language that can be multithreaded, PHP non-blocking IO is so hard to write and potentially problematic it's not really worth the bother. If you write it in C (for example) you can make your application better, easier to write and protect your source much more easily as you can simply distribute compiled binaries. Commented May 15, 2012 at 10:22
  • 3
    Better spend the time on making your software better. Lots of commercial PHP applications are sold unencrypted anyway. Commented May 15, 2012 at 10:26

1 Answer 1

Reset to default
1

As to ionCube, there is an online encoder available that does a one-time encode of your script for just a few bucks, depending on the size of your codebase. If you write your own licensing mechanism, you could be able to use that. Besides, your statement about the ionclube loader is incorrect, no apache necessary, it's just a module that can be loaded in php.ini. IonCube is - in my opinion - a good choice.

Do take your time to really ask how much protection you need. A computer will always understand how to interpret your code, so eventually a human being will be able to peek inside, if he really wants to.

If the ionCube loader isn't an option on your clients, there are several 'obfuscators' for PHP out there that will probably stop the "quick peekers" from understanding the code in less than one hour. These obfuscaters won't encrypt your code, but they will make it less readable by changing all your variables, functions and class names into some arbitrary hashes, and remove all your comments and whitespace. They don't need anything on the server to be run, but in the end your PHP code will still be just the same.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

This it the point. Thank you for your information. This is a good choice. As I said on my first post, it's not "my idea" that I want to hide, but the licence mechanism. And even if it's reversable, the point is to loose at least "customers" as possible. So I'll try to use the online encoder, I saw that you can also check "for testing" and it's free. Thanks.
Testing encoding is free, but then your encoded file will only be valid 8 hours, from the top of my head, for a limited amount of hours anyway. Do realise that all clients that run PHP_CLI needs to run the ionCube loader as well!
@Pelle_ten_Cate what do you mean by "Clients that run PHP_CLI needs to run the ionCube loader"? If it's a php module which is enabled/installed, when the customers launches the script, ionCube will follow. Isn't it ?
What I mean is the module needs to be installed/enabled in php.ini. That means: you can't run it on any PHP installation without that module.
Ok thanks. This is what i've expected. So I'll put the "install" process in a README, and my script will also check the installation. Thank you all for your help, once the PHP is OK, I'll make it in C/C++ (and try to avoid giving sources to compile).

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.