Oct 24

Protecting Your PHP Source Code With ionCube Encoder

Tag: PHPSubramanyam Inkollu @ 10:08 am

Encoding Your PHP Files

The ionCube PHP Encoder is a command-line script you run either one or more files, or on an entire set of folders. If you’re encoding an entire PHP application you would typically run it on the original source folder. The encoder will duplicate the entire tree, except the PHP code will be encoded.

In the previous section I showed you what the encoded PHP code from a basic “Hello World” script looks like. The command I used to generate this encoded script is as shown in Listing 3.

Listing 3 Basic usage of the encoder (listing-3.txt)
/usr/local/ioncube/ioncube_encoder5 helloworld.php -o helloworld-enc.php

In this example, the -o specified the output location. In this example I just created the encoded file in the same directory with a different filename. Typically you would want to create the file with the same filename as the original (without replacing the original source code).

To achieve this, set the input and output both to be a directory. The encoder will automatically recurse through all directories in the input directory and encode all PHP files.

To demonstrate this, let’s assume helloworld.php is in a directory called src. Listing 4 shows the command we use to encode this entire path. The example outputs the encoded files to the build directory.

Listing 4 Encoding an entire directory (listing-4.txt)
/usr/local/ioncube/ioncube_encoder5 src -o build

We now have a directory called build which is identical to src except that the PHP files are encoded.

Note: Even non-PHP files (such as images or stylesheets) are also copied as-is into the target directory.

There are many other command-line options. You can discover some of these by running ioncube_encoder5 with no arguments. Additionally, the “Encoder User Guide API” document (available from here) is extremely useful.

Protecting Non-PHP Code

Depending on how your web application has been designed, there may be some non-PHP files you would to prevent users from being able to read. A good example of such files is XML files or Smarty template files.

The ionCube PHP Encoder includes an encryption option. This feature is used to protect non-PHP files (but it differs from the PHP encoding since the output isn’t a bytecode format format).

To encrypt files, the --encrypt command-line option is used. You can then specify a file pattern that will be encrypted. For example, if you want to encrypt every file with extension tpl you would specify --encrypt "*.tpl". Without doing so, the encoder would simply copy all tpl files exactly as-is into the target directory.

Listing 5 shows the command we can now type on our src directory. The directory contains the helloworld.php script and a template called index.tpl.

Listing 5 Encoding PHP files and encrypting template files (listing-5.txt)
/usr/local/ioncube/ioncube_encoder5 src/ -o build --encrypt "*.tpl"

Let’s now take a look at what effect this had on the source code. Listing 6 shows the original template file.

Listing 6 A template before being encrypted (index.tpl)
{foreach from=$myArr item=row}
    {$row}
{/foreach}

Now when we run the command from Listing 5, not only is the PHP script encoded, the index.tpl file is encrypted. Listing 7 shows what the encrypted file may look like.

Listing 7 An encrypted template file (index.tpl)
!odMbo!
oGkVHCn70iD3x0iNno6StW4000000000pkStDhZrw5wtaVwr8YByvTkxU/tMRAa8JBW2sOPu5OTW
Yk1KK+DyvUiMDXg2Wasd9IU12Kno0p0HeaPHg8258DO=1

Your application must be able to handle these encrypted files. Fortunately, when a loader is present in a PHP installation, a number of additional functions are made available that allow you to deal with encrypted files.

The ioncube_read_file() will decrypt files that have been previously encrypted. This function accepts a filesystem path as its only argument and will return the decrypted data. If the input path was not encrypted it will be returned as-is.

Note: The ioncube_read_file() method will only work from within an encoded PHP file. Additionally, it can only decrypt files that were encrypted with the same encoder that encoded the PHP file. This prevents other people from being able to decrypt your files.

Since we encrypted a Smarty template in the previous example, let’s take a quick look at the changes required to Smarty to read encrypted files. The ionCube website contains notes on patching Smarty so it is compatible. This change ensures ioncube_read_file() is available, meaning you can used the patched version in applications whether or not they’re encoded.

The API also includes a ioncube_write_file() function which allows you to directly write encrypted data from within your application. This allows you to protect data generated by your application.

The API user guide documents a number of other PHP functions that are available to you.

Summary

In this article I showed you how you can protect your PHP code using the ionCube PHP Encoder. While I only showed your the absolute basics, there are many other features available with the encoder that make it ideal for projects of all sizes.

Some of those features include:

  • Adding a licensing mechanism to your code so only license-holders can use your code
  • Handling various events in the loading process (such as if the loader isn’t found)
  • Writing custom properties to an encoded file

Additionally, if you use a tool such as Phing to simplify your PHP application build process, there is a built-in hook to run all of your code through ionCube PHP encoder.

Source: http://www.phpriot.com