how do you obfuscate php?

jt2377
09-11-2005, 08:16 PM
how do you protect your php app?

Froggy
09-11-2005, 08:25 PM
I believe you can use the Zend Encoder, this isn't a free product though. I'm not aware of any free product that does this. You can get the zend encoder for a reduced price (greatly reduced!) with their "small business program".

jt2377
09-12-2005, 01:02 AM
Originally posted by Froggy
> I believe you can use the Zend Encoder, this isn't a free product though. I'm not aware of any free product that does this. You can get the zend encoder for a reduced price (greatly reduced!) with their "small business program".

if i'm not mistaken, you also need to install it on the server...how do you plan to force your customer to install it and what if they are on a shared host and their host provider does not plan to install it.

jt2377
09-12-2005, 01:12 AM
it requires installing Zend Optimizer for Zend Encoder to work so what if your customers refused to install Zend Optimizer? you can't refuse a sale if your customer doesn't want to install Zend Optimizer.
http://www.zend.com/store/products/zend-encoder.php

gogocode
09-12-2005, 02:37 AM
> you can't refuse a sale if your customer doesn't want to install Zend Optimizer.

That's a bit of a stupid comment, he can refuse to sell his product to anybody he wants. Besides, zend is pretty commonly available.

Froggy
09-12-2005, 02:45 AM
> it requires installing Zend Optimizer for Zend Encoder to work so what if your customers refused to install Zend Optimizer?

Then they can't use your product? I fail to see what the issue is...it's just like any technology. What if you want to use a Ruby on rails application? Well you need to find a host that has it. If someone wants to use your product then they need to find a host that has the Zend Optimizer installed. It is fairly common for hosts to have this installed though, it's trivial to install.
> you can't refuse a sale if your customer doesn't want to install Zend Optimizer.

Why not? You also have to refuse a sale if they don't have php installed. How is this any different? Are you using a database, will they need to install mysql too? Again how is this different? If you don't like the way this works try a different platform for development, such as java or .net.

jt2377
09-12-2005, 03:15 AM
Originally posted by gogocode
> That's a bit of a stupid comment, he can refuse to sell his product to anybody he wants. Besides, zend is pretty commonly available.

so you want to lose a sale because your customer doesn't want to install Zend Optimizer? of course you can refuse to sell...the Zend encrypt solution is to have the server install their software but can you force it down the customers? is there a solution to this that doesn't require any extra software installed on the server? i know with asp you can put main code in COM+/DLL. is there any similar way to do this in php? there is also an issue in the past that Zend Optimizer didn't work with php, i think it was version 4.3.10.

jt2377
09-12-2005, 03:18 AM
Originally posted by Froggy
> If you don't like the way this works try a different platform for development, such as java or .net.

so if you develop in php that means your customers must install Zend software? isn't there an issue regarding Zend Optimizer and php 4.3.10? asp can use com+/dll and perhaps you're right. maybe java or .net is a better platform for selling web based software.

Froggy
09-12-2005, 03:51 AM
> maybe java or .net is a better platform for selling web based software.

Java and .net are much better for selling web based software. The technologies were made with this in mind. But the market for java etc is a bunch different market. If you are selling software to people on shared hosting this isn't the technology to use. But with that said I still fail to see why you have an issue with the Zend Optimizer. All they need to do is have php + zend optimizer installed.
I could see your point if say the optimizer wasn't free or was hard to install, but it's both free and easy to install. Furthermore you can give install instructions with your web application (you can write scripts to make it easier even). This is no different than requiring that they have mysql installed.

But why do you want to hide your code in the first place? I would imagine if vbulletin (the makers of this board), don't need to hide their code then you won't need to either. If your software doesn't cost much it makes much more sense for people to buy it than change your code. The only reason I can think of that would require you to hide your code is if your code contained some algorithm that needed to be protected. Or maybe if the software was very expensive and hence it would start to make sense for people to steal and edit the code. Usually both of these are not the case with php applications!

jt2377
09-12-2005, 04:26 AM
you make a good point about vbulletin but if it's commercial software. you don't want people to take your code, turn around and sell it. anyway, it seems java or .net is better choice for web based app.

tickedon
09-12-2005, 05:43 AM
If you want the long answer (~5000 words) then you might want to take a look at this month's issue of php|architect - www.phparch.com. You can buy the PDF of the August issue for $3.50 (US) as it includes a feature article on how to protect your PHP product(s) and brings up many of the points here (and more) regarding the encoders available.

Should have everything you need to make a decision :)

The short answer is that most hosts have Zend Optimiser installed and so for most users it wouldn't be a problem. Most web hosts are also happy to install it for users as it's a well known application. However, the other solution to that is to use something like the ionCube encoder (www.ioncube.com) and/or SourceGuardian (www.sourceguardian.com).
Both of these come with 'run time loaders' which the user simply has to upload along with your encoded script. As long as the host isn't running php in safe mode, they won't need to install anything and everything will work just fine.

Just as a note, you want to look for php encoders rather than obfuscators. Encoders are much more secure and generally apply things like encryption, whereas obfuscators simply 'jumble up' your PHP and so it can easily be reversed back into source code by the most inexperienced user.

Froggy
09-12-2005, 06:29 AM
> anyway, it seems java or .net is better choice for web based app.

I like java better than php, but you should use whatever your audience is using. If you are making things for people on shared hosting then php (or perl) is the way to go. The market for java applications is much different than the market for php applications.

Also tickedon gave references to encoders that don't require you to install anything. They both seem pretty nice (although the zend stuff seems better...)

tickedon
09-12-2005, 06:35 AM
Originally posted by Froggy
> Also tickedon gave references to encoders that don't require you to install anything. They both seem pretty nice (although the zend stuff seems better...)

ionCube and SourceGuardian are pretty much on par with what Zend offers and in some cases are better - for example, ionCube offers an ASCII encoding option which Zend doesn't. They are also much cheaper as well ;)

All 3 are very good and offer a similar set of features. You just have to decide based on the minor variations each one has :)

jt2377
09-12-2005, 06:35 AM
Originally posted by tickedon
> If you want the long answer (~5000 words) then you might want to take a look at this month's issue of php|architect - www.phparch.com. You can buy the PDF of the August issue for $3.50 (US) as it includes a feature article on how to protect your PHP product(s) and brings up many of the points here (and more) regarding the encoders available.
> Should have everything you need to make a decision :)
>
> The short answer is that most hosts have Zend Optimiser installed and so for most users it wouldn't be a problem. Most web hosts are also happy to install it for users as it's a well known application. However, the other solution to that is to use something like the ionCube encoder (www.ioncube.com) and/or SourceGuardian (www.sourceguardian.com). Both of these come with 'run time loaders' which the user simply has to upload along with your encoded script. As long as the host isn't running php in safe mode, they won't need to install anything and everything will work just fine.
>
> Just as a note, you want to look for php encoders rather than obfuscators. Encoders are much more secure and generally apply things like encryption, whereas obfuscators simply 'jumble up' your PHP and so it can easily be reversed back into source code by the most inexperienced user.

thanks. the encoder sounds like the solution of com+/dll that doesn't require extra software. anywho, i wasn't picking on zend encoder, i just don't think you should force user to go extra step to get your php app running. that's all.

innova
09-12-2005, 11:31 AM
> But why do you want to hide your code in the first place? I would imagine if vbulletin (the makers of this board), don't need to hide their code then you won't need to either. If your software doesn't cost much it makes much more sense for people to buy it than change your code. The only reason I can think of that would require you to hide your code is if your code contained some algorithm that needed to be protected. Or maybe if the software was very expensive and hence it would start to make sense for people to steal and edit the code. Usually both of these are not the case with php applications!

Froggy sometimes you are really a tool. I can't explain why I feel compelled to reply to everything you write, but your advice is poisonous.

It isn't your concern why he wants to protect his code.
Maybe he wants to do it so that his competitors don't lift it into their product and profit from all of his time and hard work.

Your last sentence is most ridiculous. There are plenty of php applications that are robust and enable functionality not available by other products (including your 'superior' solution called java).

Surely there are no java or .Not apps that 'hide' their source code, what's the point?

Froggy
09-12-2005, 03:43 PM
> It isn't your concern why he wants to protect his code.

You can say this to just about everything people ask on this board (i.e. it's not your concern why ______), I was curious why he felt he needed to protect his code. He obviously doesn't have to answer the question. If you have something you are concerned people are going to "lift" then you should (this fails under a protected algorithm usually..), but many web applications aren't of that sort (for example vbulletin). I find that many people are just overly paranoid here, hence my question.

> Your last sentence is most ridiculous. There are plenty of php applications that are robust and enable functionality not available by other products (including your 'superior' solution called java).

I never said there weren't any robust php applications. But the majority of php applications aren't of this nature, I don't know how someone could pretend otherwise. And ok there are php applications that don't exist in java...err..ok...I said more than once that the markets are much different. Furthermore I never said java was superior...I said I liked it more. I also said that it's better for things like the distribution of web applications (better in the sense that it makes it easier...you just need to ship a war file or EJB). I never told them to use java, rather the opposite because he mentioned shared hosting which leads me to believe the application is something that would be much better done in php (or perl).

> Surely there are no java or .Not apps that 'hide' their source code, what's the point?

Java's code is distributed in bytecode by default. It's not all that common for people to go the extra step to obfuscate the code too.

Also I don't know what advice I think I was giving, but I responded telling the poster about the Zend Encoder and then went to disagree that having to install the zend optimizer on the host end is a big deal. Apparently telling someone about the zend encoder is "poisonous advice".

maxymizer
09-12-2005, 04:20 PM
Froggy, how old are you? This person asked a specific question and the entire thread is going to "Java" talk. Also, innova is right - it's not your concern why he wants to protect his code. He might want to do it for fun, it's not relevant to know.

> But the majority of php applications aren't of this nature, I don't know how someone could pretend otherwise.

You never get tired, do you?

> Also I don't know what advice I think I was giving, but I responded telling the poster about the Zend Encoder and then went to disagree that having to install the zend optimizer on the host end is a big deal. Apparently telling someone about the zend encoder is "poisonous advice".

So you are also running a hosting business so you're telling this from your experience? Come on, give us a break; already...

@all - sorry for this kind of post. Froggy, if you feel like responding, please PM so we won't go offtopic here and ruin the thread. Thanks for understanding.

scottc
09-12-2005, 06:05 PM
Originally posted by tickedon
> However, the other solution to that is to use something like the ionCube encoder (www.ioncube.com) and/or SourceGuardian (www.sourceguardian.com). Both of these come with 'run time loaders' which the user simply has to upload along with your encoded script.

Be careful with SourceGuardian, they recently stopped supporting a previous version of their product and it left end users unable to use programs that were encoded. I paid $600 for a SourceGuardian-encoded script which stopped working when we upgraded to PHP 4.4.
Without a guarantee that they will support their product it would be risky to pay for a SourceGuardian-encoded script.

Scott

Froggy
09-12-2005, 07:14 PM
Since you don't feel the need to PM with your personal attack on me...I won't either.

> Froggy, how old are you? This person asked a specific question and the entire thread is going to "Java" talk.

Interesting...me asking the poster why he wants to encode his application is "none of my business", but apparently my age is your business... This thread has in no sense been about java. Do I tend to talk about java, sure...why? It's the primary language I develop in. Did I suggest that they use java? no. I merely mentioned it as an alternative (along with .net) IFFFFF they weren't happy with php. I suppose for a php zealot, mentioning alternatives is bad? Oh and to think other platforms may have advantages in certain areas over php, oh my!!

> So you are also running a hosting business so you're telling this from your experience? Come on, give us a break; already...

Do I have to own a hosting business to know that it's easy to install? Also tickedon said similar things, I'll quote it for you:

> The short answer is that most hosts have Zend Optimiser installed and so for most users it wouldn't be a problem. Most web hosts are also happy to install it for users as it's a well known application.

Why aren't you jumping on his balls too? It's starting to seem like you are harassing me on posts, why don't you stop = )

Froggy
09-12-2005, 07:17 PM
> Be careful with SourceGuardian, they recently stopped supporting a previous version of their product and it left end users unable to use programs that were encoded. I paid $600 for a SourceGuardian-encoded script which stopped working when we upgraded to PHP 4.4. Without a guarantee that they will support their product it would be risky to pay for a SourceGuardian-encoded script.

Were you not able to get an updated version from the vendor of the software?
If not then the vendor seems at fault.

scottc
09-12-2005, 07:31 PM
Originally posted by Froggy
> Were you not able to get an updated version from the vendor of the software? If not then the vendor seems at fault.

It isn't the vendor's responsibility. They bought SourceGuardian to encode their scripts, several years ago most likely. Now SourceGuardian refuses to publish the necessary loaders and is saying that the vendor must buy a new version of their product and re-encode the scripts. It makes no sense for the vendor to have to do that.

As an end user you have to wonder if or when SourceGuardian will decide not to support their current version and how many scripts will suddenly stop working as a result. It's safer to just use another product.

Scott

Froggy
09-12-2005, 07:42 PM
> They bought SourceGuardian to encode their scripts, several years ago most likely.

At some point software vendors have to axe old versions of their product. How long you support an old product is a hard issue to deal with. But I'm still not sure why you don't put any blame on the vendor. They are selling a product for $600 a pop and can't afford to get a new (supported) version of the encoder they use?

tickedon
09-13-2005, 01:39 AM
From looking at the SourceGuardian site, http://www.sourceguardian.com/ixeds/old_sourceguardian_loaders.htm, it seems it's v1 and v2 that they've stopped supporting. V2 is old and V4 has been out for months if not a year.

SourceGuardian offer an upgrade from v1/v2 of their product to v4 for $50 (http://www.sourceguardian.com/upgrade/index.php). For a $600 script that should be small change and if there's anyone to blame it's the script vendor (and not sourceguardian) for not supporting their product properly :)

As Froggy said, at the end of the day there needs to be a stage where you 'break' backwards compatibility so you can add new features in.
Happens all the time in business.

Since the user has had his question answered, I’m closing this thread to prevent any further ‘mud slinging’.