Welcome to a guide on how to encrypt and hide PHP source code. Need to hide the source code for security reasons? Or maybe a client is not willing to pay in full? Sadly, there are no “smart solutions” to hide PHP code.
It is impossible to totally hide the PHP source code since it is an interpreted language, but there are a few possible alternatives:
- Use a code obfuscator to make the source code difficult to read.
- Use a code protector or encoder. Something like an alternative PHP engine, but with the ability to protect the source code.
- Lastly, compile the PHP code using a converter or virtual machine.
Either way, hiding the source code is not going to be straightforward. I will not recommend doing so, as you may end up wasting time and money instead. But if you really want to do it, this guide will walk you through the possible options – Read on!
METHOD 1) FREE PHP OBFUSCATORS
The first alternative is to use one of the many free PHP obfuscators. They simply turn the original code into a mess of a seemingly jumbled script that cannot be easily read by humans.
ONLINE OBFUSCATOR
Do a search online for “free PHP obfuscator”, and you will get a number of different services to choose from. One of them is Mobile Fish, which we can copy and paste our PHP code into. For example, when we input the following script:
<?php
$varA = "Hello World";
$varB = "Foo Bar";
$varC = $varA . " " . $varB;
echo $varC;
That will give us a very surprising:
<?php
eval(str_rot13(gzinflate(str_rot13(base64_decode('...')))));
Yep, don’t think that is human-readable anymore.
OFFLINE OBFUSCATOR
Most online obfuscators have limitations on the number of characters. So if you have massive scripts, it is better to download and use an offline obfuscator instead. There are a couple of good ones out there, and one that I will recommend is YAK Pro – You can either download it from GitHub or clone it. It also requires the PHP-Parser library.
gh repo clone pk-fr/yakpro-po
gh repo clone nikic/PHP-Parser
Once you have downloaded both libraries, you can run YAK Pro in the command line to encode your scripts:
D:\http\yakpro-po-master>php yakpro-po.php test.php
Info: Using [D:\http\yakpro-po-master\yakpro-po.cnf] Config File...
Info: yakpro-po version = 2.0.3
Info: Process Mode = file
Info: source_file = [D:\http\yakpro-po-master\test.php]
Info: target_file = [stdout]
Obfuscating D:\http\yakpro-po-master\test.php
<?php
/* __________________________________________________
| Obfuscated by YAK Pro - Php Obfuscator 2.0.3 |
| on 2022-11-17 02:37:07 |
| GitHub: https://github.com/pk-fr/yakpro-po |
|__________________________________________________|
*/
goto LLSso; mh5vK: $EjslL = $ZvlM7 . "\x20" . $c23ok; goto xEHTG; LLSso: $ZvlM7 = "\x48\x65\154\x6c\x6f\x20\127\x6f\162\154\144"; goto uktyA; uktyA: $c23ok = "\106\x6f\x6f\x20\x42\141\162"; goto mh5vK; xEHTG: echo $EjslL;
Info: [variable ] scrambled : 3
Info: [function ] scrambled : 0
Info: [method ] scrambled : 0
Info: [property ] scrambled : 0
Info: [class ] scrambled : 0
Info: [class_constant] scrambled : 0
Info: [constant ] scrambled : 0
Info: [label ] scrambled : 4
P.S. I have set Yak Pro to directly output the code in the command line here. But it does accept quite a lot of configuration parameters, and you can specify where to save the obfuscated code to. Please check out their official webpage for more documentation.
NOTES & LIMITATIONS
- Obfuscators work by encoding the original script in a reversible way, not by hashing it. A hash is one-way and could not be decoded and run again.
- It is still possible to reverse engineer and get back the original script.
- Obfuscated scripts are not good performance-wise. The engine has to decode the encoded string first, then run eval().
- The level of protection and performance depends on the encoding-decoding algorithm.
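An added example (not from the original article or from any obfuscator project) of why the second point holds for the eval(str_rot13(gzinflate(str_rot13(base64_decode(...))))) wrapper shown earlier: every layer is a keyless, reversible PHP built-in, so the source can be recovered without ever executing it. The function names pack_script and unpack_script and the sample script are assumptions made for illustration.

```php
<?php
// Added illustration: the wrapper chain is encoding, not encryption.
// pack_script() mirrors the chain shown above; unpack_script() reverses it
// and returns the source as a string instead of passing it to eval().

function pack_script(string $body): string
{
    // Inverse order of the decode chain: rot13 -> deflate -> rot13 -> base64.
    $payload = base64_encode(str_rot13(gzdeflate(str_rot13($body))));
    return "<?php\neval(str_rot13(gzinflate(str_rot13(base64_decode('"
        . $payload . "')))));";
}

function unpack_script(string $obfuscated, int $maxLayers = 10): string
{
    // Matches exactly the wrapper shape used in this article.
    $pattern = "~eval\\(str_rot13\\(gzinflate\\(str_rot13\\(base64_decode\\("
        . "'([A-Za-z0-9+/=]+)'\\)\\)\\)\\)\\);~";
    $current = $obfuscated;

    // Some tools wrap the output several times, so peel layer by layer,
    // with an upper bound so malformed input cannot loop forever.
    for ($i = 0; $i < $maxLayers && preg_match($pattern, $current, $m); $i++) {
        $raw = base64_decode($m[1], true);
        if ($raw === false) {
            throw new RuntimeException('Payload is not valid base64.');
        }
        $inflated = @gzinflate(str_rot13($raw));
        if ($inflated === false) {
            throw new RuntimeException('Payload is not a raw deflate stream.');
        }
        $current = str_rot13($inflated);
    }
    return $current;
}

// Constructed sample input, packed twice to show nested layers.
$original = '$varA = "Hello World"; echo $varA;';
$packed   = pack_script(pack_script($original));

if (unpack_script($packed) !== $original) {
    throw new RuntimeException('Round trip failed.');
}
echo unpack_script($packed), PHP_EOL;
```

Because no secret is involved at any step, this kind of wrapper only deters casual reading; it should not be relied on to keep credentials, license checks or proprietary logic confidential.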
METHOD 2) PAID PHP PROTECTORS & ENCODERS
Don’t trust the free PHP obfuscators? Or need something more professional? Then there are a few paid PHP code protectors and encoders available. Be warned though, they can cost quite a lot.
THE PHP PROTECTORS & ENCODERS
THE BEST ENCODER?
Personally, I have not gone deep into the paid options – They are expensive! But Zend Guard looks good, and even comes with a licensing system… Not a sponsored post, but check out their quick start tutorial if you are interested:
NOTES & LIMITATIONS
The performance of “code protectors” varies; it really depends on how the engine works. Some can be simple obfuscators as above, while a few others act as an “alternative PHP engine” or “PHP BlackBox extension” – Hence the price.
METHOD 3) PHP COMPILER
This final option may cause some code ninjas to cringe, as it involves compiling PHP code and breaking the “traditional” way of how things work.
INTERPRETER VS COMPILER
A quick recap for those who have forgotten the difference between interpreters and compilers:
- Interpreted languages: The source code is read and executed “on the fly”. For example, PHP and JavaScript are interpreted languages. To run a PHP script on a computer, PHP must be installed first.
- Compiled languages: The source code needs to be compiled into a self-contained executable first. For example, we can create executable files with Java. The executable files can run independently on computers without having to install Java.
NOTES & LIMITATIONS
PHP is an interpreted language “by default” and there is no official way for us to compile PHP scripts. Some of the “PHP compilers” available out there work by converting PHP to another language, then compiling it.
In this case, the compiled scripts will officially turn into a standalone executable – No longer readable by PHP engines or web servers as originally intended. So please do take extra note of this aspect, “compiled PHP” scripts are mostly meant for self-contained command-line applications only.
THE PHP “COMPILERS/CONVERTERS”
Do a search on the Internet, and there are plenty of options.
EXTRAS
That’s all for the options, and here is a small section on some extras that may be useful to you.
WHICH IS THE BEST?
It depends on the situation and what you want.
- Free obfuscators don’t perform that well, but they protect the code well enough and cost nothing.
- Paid encoders may not perform that well either, but they do offer a certain level of protection.
- Compilers are not 100% compatible and do not produce website-friendly scripts. But they perform very well, and trying to reverse-engineer a compiled script is virtually impossible.
TO ENCODE OR NOT TO ENCODE
It all boils down to your original intention. If you have a million-dollar system, and security is a concern – Then yes, spending some time and money to protect your intellectual property is well worth all the effort.
But if you are facing a problem with non-paying customers, it may still be a good idea to obfuscate some of the main library files with a free tool – Don’t waste too much time or money, and let the non-paying customer suffer the performance loss. Keep the full source code and better performance as a bargaining chip. Just move on with your next project and customer.
THE END
Thank you for reading, and we have come to the end of this guide. I hope that it has helped you with your project, and if you want to share anything with this guide, please feel free to comment below. Good luck and happy coding!
Informative, thanks.