LinuxQuestions.org
Old 01-31-2008, 09:40 PM   #1
secretlydead
Member
 
Registered: Sep 2003
Location: Qingdao, China
Distribution: mandriva, slack, red flag
Posts: 249

Rep: Reputation: 31
encrypt php


if you want to sell servers and thin-client sets whose central application is a php program on the server,

how do you ensure that the php program is not copied?


I hear that Source Guardian is good, perhaps on a website sponsored by Source Guardian (you never can tell).

Does anyone know any other inexpensive (Source Guardian is only $250 - very cheap if you calculate $/hour programming) or free program that works really well?

Does anyone have any feedback about Source Guardian?
 
Old 01-31-2008, 11:17 PM   #2
reidjason
LQ Newbie
 
Registered: Mar 2005
Distribution: Arch64
Posts: 13

Rep: Reputation: 0
many alternatives

I have never used Source Guardian, but here are some decent ones I have used:

Zend encoder (Made by the makers of PHP)
ionCube loader ($199)
PHP Obfuscator (free, but not maintained)
Turck MMCache (free)
 
Old 01-31-2008, 11:54 PM   #3
secretlydead
Member
 
Registered: Sep 2003
Location: Qingdao, China
Distribution: mandriva, slack, red flag
Posts: 249

Original Poster
Rep: Reputation: 31
so, zend encoder is probably the best one to buy if you're into a philosophy of supporting php, right? but i can't figure out how much it costs.

all these programs create scripts that are still susceptible to reverse engineering, right? i mean, couldn't someone write another program that undoes this, theoretically? (i don't think my program is that valuable, but, you know, in theory...)
 
Old 02-01-2008, 12:20 AM   #4
reidjason
LQ Newbie
 
Registered: Mar 2005
Distribution: Arch64
Posts: 13

Rep: Reputation: 0
It would be damn hard

I do know that the files are fully encrypted (meaning you can't edit or view them). Obviously if they are going to run the files they have to be decrypted by the zend encoder. Now if I think about it then the files would have to be decrypted on the clients (who purchased your software) at some point in time, but then there would be an easy way to steal the files. It might be possible (since it uses zend optimizer) that the file is physically compiled. In which case they wouldn't be able to get anything but assembly code on it. I am not sure what truly happens behind the scenes, all I know is your average user isn't going to get close to your files. It's pretty much all you can ask for in the end.

Zend Encoder is now called Zend Guard, but it's very pricy (around $600).

It is by far the best solution as it is made by the Developers, but because of its price I would go for turck-mm cache. See

http://turck-mmcache.sourceforge.net/
 
Old 02-01-2008, 12:48 AM   #5
Alien_Hominid
Senior Member
 
Registered: Oct 2005
Location: Lithuania
Distribution: Hybrid
Posts: 2,247

Rep: Reputation: 53
Php is like an exe. You write in c, your code is compiled to machine code and then packed with some packer (usually upx) or encrypted in this case. At runtime it is unpacked/decrypted and the bytecode is fed to the php virtual machine. You could intercept it, so no security here except you get bytecode/machine code instead of php/c. There might exist some php bytecode decompilers.
And there is no 100% security. Never.
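
An added example, not part of any post in this thread and not the format of any product named in it: a toy encoder and loader showing why a script that must run on the customer's server is obfuscated rather than confidential there. The key, the sample source and the function names are constructed for illustration; it assumes PHP 7.1+ with the openssl extension.

```php
<?php
// Added illustration; not the file format or code of any product named in the thread.

// Constructed sample "product" source the vendor wants to keep private.
const SAMPLE_SOURCE = 'return "licensed to: " . strtoupper($customer);';

// Constructed 32-byte key. It has to ship with the loader, otherwise the
// customer's server could never run the encoded file.
const LOADER_KEY = 'constructed-demo-key-not-secret!';

// Vendor side: turn source into an opaque blob (IV + AES-256-CBC ciphertext).
function encode_script(string $source): string
{
    $iv = random_bytes(16);
    $ct = openssl_encrypt($source, 'aes-256-cbc', LOADER_KEY, OPENSSL_RAW_DATA, $iv);
    return base64_encode($iv . $ct);
}

// Customer side, step 1: the loader must recover the plaintext.
function loader_decode(string $blob): string
{
    $raw = base64_decode($blob, true);
    if ($raw === false || strlen($raw) <= 16) {
        throw new RuntimeException('malformed blob');
    }
    $plain = openssl_decrypt(substr($raw, 16), 'aes-256-cbc', LOADER_KEY,
                             OPENSSL_RAW_DATA, substr($raw, 0, 16));
    if ($plain === false) {
        throw new RuntimeException('blob does not decrypt with the loader key');
    }
    return $plain;
}

// Customer side, step 2: hand the plaintext to the PHP engine.
function loader_run(string $blob, string $customer): string
{
    $code = loader_decode($blob);   // plaintext now lives in this process
    return eval($code);             // $customer is visible to the evaluated code
}

$blob = encode_script(SAMPLE_SOURCE);

// The shipped file on disk does not contain the source text...
var_dump(strpos(base64_decode($blob), 'strtoupper') === false);
// ...but it runs, which means the machine running it holds everything needed.
echo loader_run($blob, 'acme'), PHP_EOL;
// Same key, same blob, same function: the source comes back byte for byte.
var_dump(loader_decode($blob) === SAMPLE_SOURCE);
```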
 
Old 02-01-2008, 01:13 AM   #6
secretlydead
Member
 
Registered: Sep 2003
Location: Qingdao, China
Distribution: mandriva, slack, red flag
Posts: 249

Original Poster
Rep: Reputation: 31
yeah,

i just checked out turck mmcache more thoroughly.

it looks like it is stored in compiled form with no way to get the php source code back.

in fact, turck was originally made as a way to speed up php code, so that the compiled version would sit in cache and run 2-10x faster than the php source code.

so, it looks like turck stores that compiled code in an encrypted fashion. i don't know how this ensures any more security than simply storing it in compiled code.

but, you can do nifty things like put in time bombs, i guess pretty easily, because no one can see your php code. (i started a new thread with more on this - because i have questions about it - http://www.linuxquestions.org/questi...ctions-617852/ )

to continue this thread, does anyone know that my assumptions above are wrong or why you would need to encrypt a compiled version of code?
 
Old 02-01-2008, 01:49 AM   #7
reidjason
LQ Newbie
 
Registered: Mar 2005
Distribution: Arch64
Posts: 13

Rep: Reputation: 0
I don't know what it would be encrypting; it doesn't make any sense (and is impossible) to encrypt compiled code, so it probably doesn't actually encrypt it.
 
Old 02-01-2008, 01:53 AM   #8
secretlydead
Member
 
Registered: Sep 2003
Location: Qingdao, China
Distribution: mandriva, slack, red flag
Posts: 249

Original Poster
Rep: Reputation: 31
"Encoded files can be run on any site which runs PHP with Turck MMCache 2.3.10 or above. The sources of encoded scripts can't be restored because they are stored in a compiled form and the encoded version doesn't contain the source. Of course, some internals of the scripts can be restored with different reverse engineering tools (disassemblers, debuggers, etc), but it is not trivial."

Sorry. encoded, not encrypted.
 
Old 02-01-2008, 01:55 AM   #9
reidjason
LQ Newbie
 
Registered: Mar 2005
Distribution: Arch64
Posts: 13

Rep: Reputation: 0
Ahh, that makes sense.
 
Old 02-14-2008, 07:30 PM   #10
secretlydead
Member
 
Registered: Sep 2003
Location: Qingdao, China
Distribution: mandriva, slack, red flag
Posts: 249

Original Poster
Rep: Reputation: 31
Two things:

Turck has forked:
http://eaccelerator.net


Zend doesn't seem to encode compiled code. It just bargles up php code and then un-bargles it and executes it. My colleague showed me a program yesterday that converts encrypted Zend back into php code.
???
 
Old 02-14-2008, 08:13 PM   #11
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,633
Blog Entries: 4

Rep: Reputation: 3931
To my way of thinking, absence of source-code in a PHP application would be a "deal breaker." I would not purchase or license the product.

Remember that if you have registered your copyright to your product, and you sell it to me and especially if you have required me to execute a (reasonable...) pre-sales license agreement with you, you're covered, and "my ass is grass" if I try to cheat you.

Having legally established that fact, therefore, you need to start treating me as your customer, and to make sure that I have what is most important to me, in my business. "I'm the customer. You work for me now." The time for distrust is over, especially if it (as it certainly does do, in this case...) gets in the way of the business relationship that we have mutually agreed to.
 
Old 02-14-2008, 09:10 PM   #12
reidjason
LQ Newbie
 
Registered: Mar 2005
Distribution: Arch64
Posts: 13

Rep: Reputation: 0
There are many problems with your reasoning. For one, many sites are hosted... What stops the customer's hosting provider (or an employee from it) from stealing the code? What stops the customer from stealing/modifying the code so that you can't tell it was them... easy enough if they have the source.

If they have the source they can then look for ways to hack and break your code to find security vulnerabilities (possible without it, easier with it).

What happens if someone hacks into the person's server and then steals the code?

There are so many ways that your code could be stolen or modified. When distributed on the internet if done properly could cause a loss to your business.
 
  

