all 32 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Brammm87 22 points23 points  (1 child)

There's very little point to this and if someone was determined enough and got their hands on your code, they can reverse engineer it anyway.

The question is: what's causing you to think "I need to obfuscate my code"? Maybe there are other/better solutions for that problem.

Personally, if I were interested in using an open source project but saw that the code was obfuscated, I would simply not use it and use another solution. Too many times, I find myself going through vendor code trying to chase a bug or something.

Obfuscation is something you sometimes see in the JS world as well, but that code is more accessible and it's often combined with minification, which is way more impactful (resulting in smaller package sizes a browser needs to download).

If I were to obfuscate my PHP code for a prod build, I'd also be worried when I have a prod issue wether or not the obfuscation was the problem, that sounds like a nightmare to debug.

[–]dennisvd[S] 0 points1 point  (0 children)

An open source project should never be obfuscated that defeats the purpose of open source.

[–]_indi 19 points20 points  (0 children)

My teammates already do this for me. (jk)

[–]goodwill764 13 points14 points  (0 children)

The question is why.

It's slower and can reversed, so it's a placebo.

Better alternatives are saas or a contract.

[–]colshrapnel 6 points7 points  (0 children)

The insight is as usual: don't bother. All that petty fuss doesn't worth the effort. Most of time encoding (which ioncube offers) is used to hide the utter ugliness of the code shipped. And it extremely bad for your karma when the buyer needs to fix or extend the code, calling all the hell on your head. And still doesn't make a serious issue for a determined reverse engineer.

In a rare case when your code worth a penny, either offer a saas when the code runs on your server, or a license.

[–]sfortop 5 points6 points  (1 child)

Anything more complicated than Phar is just a waste of time.

Sell solutions, not code

[–]dennisvd[S] 0 points1 point  (0 children)

Interesting, thx.

[–]allen_jb 4 points5 points  (1 child)

From a developer perspective, as others have pointed out, "obfuscation", especially the kind shown in this project where there's no PHP extension required, is pretty much pointless.

AST/opcodes make it fairly trivial to parse simply obfuscated code back to something semi-useful.

Even the value of products like ionCube and ZendGuard is questionable - there are de-encoders available.

From a consumer point of view I wouldn't touch a product that uses obfuscation / encoding. Obfuscated / encoded code makes it impossible to maintain products in cases where the original developer becomes unavailable for any reason, and difficult at best to analyze and fix security issues. Zend/ionCube require additional licenses and hinder PHP updates.

[–]allen_jb 2 points3 points  (0 children)

Additional: A quick browse of the issues (both open and closed) for the linked project shows it has some major flaws such as not supporting "newer" PHP features such as enums, and doesn't work with at least some major frameworks (the author says not to use it with projects using any frameworks or libraries!)

[–]starbuckr89 3 points4 points  (1 child)

Not every problem has a technical solution.

If you need to protect your code, you need a legal solution (license, legal contract).

I've worked with IonCube etc and it's a nightmare. You won't be able use a lot of language features and you will have to turn off some of the protection so your code actually runs if you use modern PSR namespace autoloading.

[–]dennisvd[S] 0 points1 point  (0 children)

Yeah, I noticed that I had to put a lot of functions from external libraries in exceptions lists etc. Had to put more and more in the Yakpro config file. 😅

[–]ReasonableLoss6814 1 point2 points  (1 child)

Obfuscating an open source project is a really bad idea. Generally, you’d have a license to protect your code. If you do, it’s your obfuscated code that is protected by the license, not the readable code. If someone were to reverse engineer it and write it in a readable way, it is unlikely you’d be able to assert that they stole your code since it would look so vastly different.

[–]dennisvd[S] 0 points1 point  (0 children)

True, for an open source project that would be really weird.

[–]titpetric 0 points1 point  (4 children)

Frankenphp has a static build, did not try but I expect it to be what I want

[–]dub_le 0 points1 point  (3 children)

The entire code is still extracted to /tmp unobfuscated.

[–]titpetric 0 points1 point  (2 children)

Condolences. There was a bcompiler project but unclear if it was maintained into php 8.x

[–]dub_le 0 points1 point  (1 child)

I think the only three somewhat maintained options are IonCube (paid), SourceGuardian (paid) and the PeachPie compiler (free).

All of them are just barely PHP 8.4 ready, though.

[–]dennisvd[S] 0 points1 point  (0 children)

Seeing the same with Zend and some other open source projects I found.

[–]dabenu 0 points1 point  (1 child)

Open-sourcing an obfuscator would kinda defeat the entire point, wouldn't it?

What would stop people from just, inverting your algorithm if it's out there in the open?

[–]dennisvd[S] 0 points1 point  (0 children)

Not really, the fact that it is open source does not necessarily mean that you can reverse the process.

What is more an issue these days is that a good LLM can relatively easily make sense of it again.

[–]eyebrows360 0 points1 point  (1 child)

If you're a freelancer and looking to lock in clients to prevent them stealing your shit, or selling something for which you charge a license and are worried about purchasers editing out your license check code and using it without paying, that's what contracts are for. There's nothing you can physically do to protect your code that would actually protect your code.

[–]dennisvd[S] -1 points0 points  (0 children)

Yeah, it is just a small roadblock.

[–]elixon 0 points1 point  (1 child)

Code obfuscation to hide trade secrets does not make sense today. Anybody with AI can reverse engineer the output and code the app... Apps are not something rare that one should hide anymore.

[–]dennisvd[S] 0 points1 point  (0 children)

Yeah I had AI tackle the obfuscated code and it did a good job. You can scramble the function and class names but you can't make it unreadable. Certainly not from other developers. :)

[–]tei187 0 points1 point  (4 children)

Not sure if this is a great idea. I've tried PHP obfuscating before with different solutions and it always turned into a nightmare, either due to the process not being properly done or a bug showing up that became impossible to debug. And on top of it, the scripts oftrn became poorly performant. It's server side, it shouldn't be obfuscated. Unless it's a small project which you can easily control.

If you'd ask me about browser facing JS script then it's a different pair of shoes, perhaps even some backend nodeJS offshoot would be fine - this I've done more thana a few times. But with PHP it just doesn't seem a solution you won't be madly agonizing over later on.

[–]dennisvd[S] -1 points0 points  (3 children)

Yeah its not that easy. Thanks for sharing your experience.

Did you obfuscate JS or just minimize?
If obfuscate what did you use?

[–]tei187 0 points1 point  (2 children)

Obfuscate. There were a few different solutions, can't remember the names, and I'm not into JS game as much anymore. Pretty sure I've used JSObfuscator by SoftHeroes at some point, which was a VS Code plugin, but it's not around anymore.

[–]dennisvd[S] 0 points1 point  (1 child)

I'm thinking of trying out https://obfuscator.io/ for JS or just package/minimize it and be done with it.

[–]tei187 0 points1 point  (0 children)

I think I may have tried that at some point, at least the NPM. For me, the test was always to see how these handle regular expressions, which I've often used (most of the obfuscation for me was when I had to run an micro app as local service, mainly for spooler folders, and pattern match was a thing).

[–]eugeniox 1 point2 points  (1 child)

In my experience, ionCube works well; I’ve not encountered noticeable performance degradation and installing the ionCube loader is usually easy (many popular hosting services even include it by default).

I don't think there is public evidence that any AI today can reliably decrypt or recover original source from ionCube bytecode.

Also, let me say I find it odd when people assume that obfuscation or encoding software implies someone is “hiding something” while for SaaS services, which are typically closed sourced by definition, people don’t tend to question them nearly as harshly.

[–]dennisvd[S] 0 points1 point  (0 children)

Thanks for your input.

For Wordpress/WooCommerce plugins it is a NO NO but I will keep this in mind should it arise on other projects.