I’ve been told by a number of people that I should encode or obfuscate the source code for Tasks Pro™. I’d like to believe that I don’t need to – that people will be honest, etc. – but I’m not sure that’s realistic.
I’ve looked into a number of options. Here are some of them:
- Zend Encoder
- ionCube Encoder
- SourceGuardian
- PHTML Encoder
- PHP Processor
- PHP Obfuscator
- SourceCop
- PHP Code Lock
I read a bunch of forum posts and reviews.
After all this, it seems that the only really secure encoding is a system that requires a loader like Zend or ionCube. Installing and configuring the loader is a burden I really don’t want to place on my users. I’ve worked hard on the installer for Tasks Pro™ so the only steps you need to do to install are:
- Install PHP & MySQL
- Create a database (or you can use an existing database)
- Put your database settings into the database.inc.php file
- Run the installer
Basically, I’m trying to do everything I can to make it possible to install Tasks Pro™ even if you aren’t familiar with PHP and MySQL. Requiring my customer to configure and add a loader (or worse, edit the php.ini file) doesn’t jibe with what I’ve been trying to accomplish. Also, it would make it harder for me to allow people that buy Tasks Pro™ to customize their installation, which is something I’d like to allow.
Has anyone else had experience with this sort of thing? I’m interested in hearing how your decision panned out.
If you are a potential customer, how would this affect your decision to purchase?
Well, I’m a potential customer, and I don’t think that an extra step or two would scare me off from your product. If one can install PHP & MySQL, I’d expect that the install of an encoder shouldn’t be a dealbreaker.
Looking forward to seeing the finished product, Alex.
Thanks Rob, I appreciate the feedback.
Yeah, I can’t see where it’d be a dealbreaker for me, either. As long as you have pretty decent HOWTO’s in there–or pointers to some on the Web if they exist–things should be peachy.
There probably should be some notice about this sometime in the purchase process, though.
as a potential customer who has access to my server and can thus change the php.ini file and add loader files, i would still have to say that requiring anything that severe would be a problem in the long run. not all the applications i write are distributed to controlled host environments. so in the end something like sourceguardian would be the better option…
speaking of the pro version, do you have an estimated release date and price point?
Let’s just say it’s coming along well. 🙂
If I didn’t run my own server, this would be a deal breaker. I do run my own server and already run PHPA, and if you decided to go with a non-Ioncube route I wouldn’t use Tasks Pro.
I’ve installed Tasks and was successful without being an expert with website installation and all. But you’re losing me in this conversation you’re having here, which means that if you go that route, it will need solid documentation. Because you’re talking Russian for me.
Also, in your documentation, you need to separate the simple user documentation from the administrator docs. The actual Tasks documentation is too technical for many users.
I agree, that is why I’ve spent the last week and a half writing up documentation for Tasks Pro. I’m probably half done right now and hating every minute of it. 🙂
Just for completeness: there is another excellent encoder.
Turck MMCache http://turck-mmcache[...]rceforge.net
It’s open source and also includes a PHP accelerator.
That is actually running on this server, but it is definitely out due to level of difficulty of the install.
oh, then the simplest code obfuscator should do the job
Tasks Pro™ License Decisions
I posted a few weeks back regarding encoding options for Tasks Pro™. In the end, I decided to go with a PHP obfuscation solution instead of an encoded solution and to only encode the code which enforces the number of users allowed by the purcha…
Leasing Tasks Pro™?
I had an interesting e-mail conversation today with a fellow interested in a leased license of Tasks Pro (as an additional pricing option). There are several software packages that use this model. It’s an interesting idea; basically, this would allo…
With Zend the user only needs Zend Optimiser installed which many servers already have 😉
Unfortunately, many is not all. 🙂
I am trying to decide on encoder/obfuscator and have many of the same requirements so I would appreciate hearing about your choice. – Jack Barnard, Boulder, CO
Hi. I’m one of the providers of obfuscators above. A good solution requires *no* changes at the server site other than installing the software. Doesn’t require Zend Optimizer. Doesn’t require Turck. Doesn’t require special procedures for the site manager. Our obfuscator has all those properties.
Did you ever find a decent solution for this Alex? I’ve been looking for something along these lines as well.
I’m using a solution that isn’t publicly available right now.
Initially I was using PHP Code Lock, but I had compatibility problems and couldn’t get the “version 2” to work at all.
Alex, I was also in the same dilemma a few days ago. The hard fact that I found was that almost, if not all, encryption methods could be cracked.
I finally ended up on POBS (http://pobs.mywalhalla.net/) for my purpose. I have tried eAccelerator (http://eaccelerator.net/), and was very much impressed with it, but had to drop since I cannot ask my customers to install extensions 😉
I would stay away from the encoders, if you want to secure your code. There are many sites like these: http://www.phprecovery.com/
They can decode virtually all of the encoded systems out there. I will check out POBS, however, which looks like it would be very difficult, if not impossible, to decode in a reasonable amount of time.
I have tested a couple of these Obfuscators and License Managers, and I would like to point out that some of them have Function and Variable renaming. Renaming is only done if you set the option when obfuscating – as by default some are turned Off for your convenience.
How is it your convenience? Well, when an error occurs, you can get the function name and variable name if needed from the output message and *Understand it*.
I turn this *Renaming* ON, so that if a developer Reverse Engineers it, it will make his life hell. I have read of some other obfuscators for JAVA, where the application keeps a list of function names and variable names on the master encoder’s machine to be able to decode error messages with ease – a great idea, and not sure if any PHP Ob’s do this or not.
Please – Correct me if I am wrong.
The Semantic Designs PHP obfuscator renames variables, constants, functions, and class names. A cross-reference is produced so that an obfuscated name can be easily mapped back to the original one.
This will make Chris happy.
— IDB
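The renaming-plus-cross-reference idea from the two comments above, as an added example that is not part of either comment and not the code of any product named on this page: a minimal token-based renamer that records a map, and a decoder that uses the map to turn an obfuscated error message back into original names. The function names `obfuscate` and `decodeMessage`, the `_f`/`$_v` naming scheme, and the sample source and error message are all constructed for illustration.

```php
<?php
// Added illustration; function names and sample input are constructed.
const SKIP_VARS = ['$this', '$GLOBALS', '$_GET', '$_POST', '$_SERVER',
                   '$_COOKIE', '$_SESSION', '$_FILES', '$_ENV', '$_REQUEST'];
function obfuscate(string $source, array &$xref): string
{
    $tokens = token_get_all($source);
    $names = [];                                  // original => obfuscated
    // Pass 1: only functions declared in this source are safe to rename.
    foreach ($tokens as $i => $tok) {
        $ws = $tokens[$i + 1] ?? null;
        $name = $tokens[$i + 2] ?? null;
        if (is_array($tok) && $tok[0] === T_FUNCTION && is_array($ws)
            && $ws[0] === T_WHITESPACE && is_array($name) && $name[0] === T_STRING) {
            $names[$name[1]] = '_f' . count($names);
        }
    }
    // Pass 2: rewrite variables and calls, leaving superglobals and $this alone.
    $out = '';
    foreach ($tokens as $tok) {
        [$id, $text] = is_array($tok) ? $tok : [null, $tok];
        if ($id === T_VARIABLE && !in_array($text, SKIP_VARS, true)) {
            $names[$text] ??= '$_v' . count($names);
            $text = $names[$text];
        } elseif ($id === T_STRING && isset($names[$text])) {
            $text = $names[$text];
        }
        $out .= $text;
    }
    $xref = array_flip($names);                   // obfuscated => original
    return $out;
}

function decodeMessage(string $message, array $xref): string
{
    return strtr($message, $xref);   // strtr tries the longest keys first
}

$sample = <<<'SRC'
<?php
function countOpenTasks($taskList) {
    $open = 0;
    foreach ($taskList as $task) { if (!$task['done']) { $open++; } }
    return $open;
}
SRC;
$xref = [];
$obfuscated = obfuscate($sample, $xref);
echo $obfuscated, "\n";
echo decodeMessage('Undefined variable $_v2 in tasks.php', $xref), "\n";
```

The cross-reference stays on the vendor's machine and is never shipped with the obfuscated files. This sketch does not handle variable variables, `compact()`/`extract()`, string callbacks, or property and method names that happen to match a renamed function.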
I wanted to add an obfuscator to your list…
If you’re still looking you may want to take a look:
http://www.raizlabs.[...]pobfuscator/
Hi Alex,
Now your Tasks Software.. tried a free version .. now bought the full version..
Love it 🙂
I am a provider of PHPshadow, which is not listed above. I’d like to add a caveat to Ira Baxtor’s comment that a good solution requires no change on the server. Well, let me assure you that irreversible code is only possible through an additional compiled extension on the server, or a JIT module. Anything that claims “No changes required on server” is producing code that can be reverse engineered.