Encrypt PHP Code

[hemi519]

Hi All,

I am having a php project. Before uploading it to live production server i want to encrypt all the php files. So if any one hacks my website they can not do anything id files are in encrypted version. Are there any opensource tools for this?

[traq]

I'm sure there are, but it would be pointless.

If you "encrypt" (base64encode() is the most common way of doing this) your code, your code has to be able to "decrypt" itself in order to run - meaning the necessary function would be present, and obvious, in the script.

If someone "hacks" your site and gains access to your scripts, then they can do whatever they want anyway - usually, attackers don't tinker with existing scripts, they run their own.

Focus on closing security holes and making regular backups.

[hemi519]

Thanks for the info, but i thought of going with ioncube encrypter

[djr33]

I completely agree with traq. I think you're missing the point of security. Unless you have some sort of trade secrets in your code, there's no point in protecting the code itself. And even if you do, then you really can't effectively encrypt it.

There are two kinds of encryption:
1. Reversible (decryptable), and if you want the code to work, you'd need this. So if it can work, then a hacker can figure out how it works and decrypt it himself. Read the info on "encrypting" javascript (or HTML) to find out more, since once they have access to your server it's basically the same situation.
2. One-way "encryption" that is NOT reversible, and will not be usable. This would be secure, but pointless. Note that it can be used for passwords since you can use the same algorithm to encrypt new input and see if it matches-- this is called a "hashing" system for passwords. See info about md5 for example.

There are a few frameworks that will try to encrypt PHP for you, such as Zend. But I just really don't see the point. What are you trying to protect? If they are on your server, they really don't want your code-- they want to mess with your files or upload their own files (and they can do that whether or not your code is encrypted).

[traq]

In addition, if you're thinking of "encoding" scripts that you are selling/distributing/whatever (so people can use your code but not copy it), you should realize that any solution will be equally ineffective. And there's the additional consequence of making your code look very suspicious (I won't bother with anything that has encoded chunks of code, or makes external calls, or similar. It's just shady).

[hemi519]

ok thanks for the info, then it is better for trying to fix the security holes

[traq]

I didn't mean to suggest that there were any security problems with your code (after all, I've never even seen it), but I would certainly focus my effort on keeping attackers out, rather than trying to slow them down after they've already broken in.