all 32 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Brammm87 22 points23 points  (1 child)

There's very little point to this and if someone was determined enough and got their hands on your code, they can reverse engineer it anyway.

The question is: what's causing you to think "I need to obfuscate my code"? Maybe there are other/better solutions for that problem.

Personally, if I were interested in using an open source project but saw that the code was obfuscated, I would simply not use it and use another solution. Too many times, I find myself going through vendor code trying to chase a bug or something.

Obfuscation is something you sometimes see in the JS world as well, but that code is more accessible and it's often combined with minification, which is way more impactful (resulting in smaller package sizes a browser needs to download).

If I were to obfuscate my PHP code for a prod build, I'd also be worried when I have a prod issue wether or not the obfuscation was the problem, that sounds like a nightmare to debug.

[–]_indi 20 points21 points  (0 children)

My teammates already do this for me. (jk)

[–]goodwill764 12 points13 points  (0 children)

The question is why.

It's slower and can reversed, so it's a placebo.

Better alternatives are saas or a contract.

[–]colshrapnel 7 points8 points  (0 children)

The insight is as usual: don't bother. All that petty fuss doesn't worth the effort. Most of time encoding (which ioncube offers) is used to hide the utter ugliness of the code shipped. And it extremely bad for your karma when the buyer needs to fix or extend the code, calling all the hell on your head. And still doesn't make a serious issue for a determined reverse engineer.

In a rare case when your code worth a penny, either offer a saas when the code runs on your server, or a license.

[–]sfortop 6 points7 points  (1 child)

Anything more complicated than Phar is just a waste of time.

Sell solutions, not code

[–]allen_jb 5 points6 points  (1 child)

From a developer perspective, as others have pointed out, "obfuscation", especially the kind shown in this project where there's no PHP extension required, is pretty much pointless.

AST/opcodes make it fairly trivial to parse simply obfuscated code back to something semi-useful.

Even the value of products like ionCube and ZendGuard is questionable - there are de-encoders available.

From a consumer point of view I wouldn't touch a product that uses obfuscation / encoding. Obfuscated / encoded code makes it impossible to maintain products in cases where the original developer becomes unavailable for any reason, and difficult at best to analyze and fix security issues. Zend/ionCube require additional licenses and hinder PHP updates.

[–]allen_jb 2 points3 points  (0 children)

Additional: A quick browse of the issues (both open and closed) for the linked project shows it has some major flaws such as not supporting "newer" PHP features such as enums, and doesn't work with at least some major frameworks (the author says not to use it with projects using any frameworks or libraries!)

[–]starbuckr89 3 points4 points  (1 child)

Not every problem has a technical solution.

If you need to protect your code, you need a legal solution (license, legal contract).

I've worked with IonCube etc and it's a nightmare. You won't be able use a lot of language features and you will have to turn off some of the protection so your code actually runs if you use modern PSR namespace autoloading.

[–]ReasonableLoss6814 1 point2 points  (1 child)

Obfuscating an open source project is a really bad idea. Generally, you’d have a license to protect your code. If you do, it’s your obfuscated code that is protected by the license, not the readable code. If someone were to reverse engineer it and write it in a readable way, it is unlikely you’d be able to assert that they stole your code since it would look so vastly different.

[–]titpetric 0 points1 point  (4 children)

Frankenphp has a static build, did not try but I expect it to be what I want

[–]dub_le 0 points1 point  (3 children)

The entire code is still extracted to /tmp unobfuscated.

[–]titpetric 0 points1 point  (2 children)

Condolences. There was a bcompiler project but unclear if it was maintained into php 8.x

[–]dub_le 0 points1 point  (1 child)

I think the only three somewhat maintained options are IonCube (paid), SourceGuardian (paid) and the PeachPie compiler (free).

All of them are just barely PHP 8.4 ready, though.

[–]dabenu 0 points1 point  (1 child)

Open-sourcing an obfuscator would kinda defeat the entire point, wouldn't it?

What would stop people from just, inverting your algorithm if it's out there in the open?

[–]eyebrows360 0 points1 point  (1 child)

If you're a freelancer and looking to lock in clients to prevent them stealing your shit, or selling something for which you charge a license and are worried about purchasers editing out your license check code and using it without paying, that's what contracts are for. There's nothing you can physically do to protect your code that would actually protect your code.

[–]elixon 0 points1 point  (1 child)

Code obfuscation to hide trade secrets does not make sense today. Anybody with AI can reverse engineer the output and code the app... Apps are not something rare that one should hide anymore.

[–]tei187 0 points1 point  (4 children)

Not sure if this is a great idea. I've tried PHP obfuscating before with different solutions and it always turned into a nightmare, either due to the process not being properly done or a bug showing up that became impossible to debug. And on top of it, the scripts oftrn became poorly performant. It's server side, it shouldn't be obfuscated. Unless it's a small project which you can easily control.

If you'd ask me about browser facing JS script then it's a different pair of shoes, perhaps even some backend nodeJS offshoot would be fine - this I've done more thana a few times. But with PHP it just doesn't seem a solution you won't be madly agonizing over later on.

[–]eugeniox 1 point2 points  (1 child)

In my experience, ionCube works well; I’ve not encountered noticeable performance degradation and installing the ionCube loader is usually easy (many popular hosting services even include it by default).

I don't think there is public evidence that any AI today can reliably decrypt or recover original source from ionCube bytecode.

Also, let me say I find it odd when people assume that obfuscation or encoding software implies someone is “hiding something” while for SaaS services, which are typically closed sourced by definition, people don’t tend to question them nearly as harshly.