Keeping PHP From Prying Eyes

PHP is well known as an open source scripting language. Though PHP itself is open, that doesn’t necessarily mean that all PHP developers want their code to be open as well.

Zend, the lead commercial sponsor behind PHP, is set to release a newly renamed tool in April that will help PHP developers protect their code from prying eyes. Currently in beta testing, Zend Safeguard promises to obfuscate source code and to provide license management capabilities that aim to make PHP-based application development and deployment more attractive to ISVs.

Called SafeGuard 4, the release is the descendant of Zend’s Encoder program, which has been available for a few years. Encoder and now SafeGuard work by encoding PHP code so that it’s not readable or interpretable by a PHP server without the use of a decoder.

The decoder used is Zend Optimizer, which is a PHP acceleration application that is widely deployed and enables the PHP server’s interpreter to process the encoded PHP code.

“Even if you were to be able to reverse engineer the encoded material, what you’d get is nonsensical to you,” Mark de Visser, chief marketing officer at Zend, told

Safeguard includes a basic level of obfuscation that changes the names of local variables. The strong level of obfuscation goes even further in its mission of protecting source code by obscuring all functions, classes and class methods in an application.

De Visser noted that the obfuscation provides an enhanced model for source code protection.

Safeguard 4 will also provide a mechanism by which developers can manage the license of their PHP application.

“If you’re a commercial vendor of software you can make it work for a year, or only one machine or whatever variation you choose,” De Visser explained. “It enables users to distribute software in a professional manner and control its usage.”

But protecting PHP code may not be for everyone.

Safeguard is targeting software vendors and isn’t expected to impact end users of Web-based PHP applications. The reason is directly related to how PHP itself works and is rendered in Web browsers.

De Visser explained that if a developer puts up a PHP application on a Web site, or a service delivered via the Web, there is no need to encrypt the code. That’s because by the time the output reaches the browser, the PHP code has already done its work. A PHP-enabled Web server processes the PHP code and provides HTML output for Web browsers. Therefore users don’t see the PHP code.

“There is a significantly growing amount of packaged software using PHP as opposed to software that is used for just putting up Web sites,” De Visser said.

Zend isn’t the only company to provide PHP code encryption. Sourceguardian and ionCube both offer solutions as well.

De Visser said he believes Zend has at least one advantage over its competitors. Code encryption tools need something (in Zend’s case Zend Optimizer) in order to run. “Zend has the advantage of having the broadest distribution of the optimizer,” he added. “You can assume that it’s present on pretty much every PHP server.”

Unlike PHP, which is freely available and open source, Zend Sourceguard is neither free nor open source. As of press time, pricing had not yet been finalized, though it is expected to be around $1,000 per year on a subscription basis. An open source license would likely hinder the product’s effectiveness, according to De Visser.

“I think that if you would expose the encryption mechanisms then you would enable decoding easier. This is not a product that lends itself well to being an open source product.”
