Script encoding is a way to encrypt a project's source code so that it cannot be read by humans. With languages like C or Java, the application is compiled to a binary or bytecode, but with scripting languages like PHP no compilation takes place, so encoding is needed to hide the source.
PHP Script Encoding
PHP is often used for Open Source projects — software in which access to the source code is a central feature of the application. By its nature, PHP lends itself to this type of environment because, with PHP, you run the source code itself. Unlike languages like C or Java, PHP is not compiled into binary executables, but is rather interpreted directly from the source. Because PHP source is, by nature, accessible (whatever the license attached to it), access to it is more difficult to control than with compiled languages once the software is distributed.
PHP encoders make it possible to encode or encrypt PHP source so as to obscure or obfuscate the code. The encrypted source code can only be run on a machine that has a proprietary script loader installed on it. The creator of the PHP application can include typical digital rights management features in distributed software, such as a requirement that a piece of software be registered, or an active connection to a central server that provides permission (license) to run the program.
PHP loaders can be tricky to set up and their effects on the application can sometimes be unpredictable. If you need to use one, make sure you get hosting from a hosting company that specifically supports the loader you need.
Commonly Used PHP Encoders
- ionCube Loader
A hashing function is not an encryption in the usual sense — it is a one-way encryption, or hash, function. This means that the output of a crypt function cannot be used to reconstruct the input.
Hashing functions are used for two purposes:
- password storage and verification
- file verification
For password verification, the output of a hashing function is stored in a database instead of the password itself. When a user enters a password to log in, the entered password is hashed with the same function, and this is compared with the stored output.
File verification works the same way — if two files produce the same hashed output, they are, in fact, identical files.
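The password and file checks described above, as an added PHP example (not code from the original page). It uses PHP's built-in password_hash(), password_verify(), hash_file() and hash_equals(); the $users array, the user name, the passwords and the file contents are constructed stand-ins.

```php
<?php
// Added example: names, passwords and file contents are constructed.
$users = []; // stand-in for a database table: username => stored hash

function register(array &$users, string $name, string $password): void
{
    // password_hash() picks a random salt and stores it, with the algorithm
    // and cost, inside the returned string. The password itself is not kept.
    $users[$name] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    // password_verify() re-hashes the input using the salt and parameters
    // read from $stored, then compares the two in constant time.
    if ($stored === null || !password_verify($password, $stored)) {
        return false;
    }
    // Re-hash on successful login if the default algorithm or cost has moved on.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function fileMatches(string $path, string $expectedSha256): bool
{
    $actual = hash_file('sha256', $path); // false if the file is unreadable
    return $actual !== false && hash_equals($expectedSha256, $actual);
}

register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong guess'));

// Same password, two different stored strings: the salt differs each time,
// so comparing two password_hash() outputs directly would never match.
var_dump(password_hash('pw', PASSWORD_DEFAULT) === password_hash('pw', PASSWORD_DEFAULT));

$path = tempnam(sys_get_temp_dir(), 'rel');
file_put_contents($path, "release contents\n");
$published = hash('sha256', "release contents\n"); // digest the publisher would list
var_dump(fileMatches($path, $published));
file_put_contents($path, "tampered contents\n");
var_dump(fileMatches($path, $published));
unlink($path);
```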
Drawbacks of using script encoding
Using an encoder or obfuscator can make it more challenging to debug software. However, this can be avoided by using some organizational foresight.
By setting up a private "dev" server, code can be run without encoding. The code is then encoded and deployed onto a private "test" server, which is used to make sure that the encoded software still runs correctly. Finally, the code can be deployed to a live site, where the site is visible to the public but the code is obscured.