# Using PHP encoders to Protect Source Code [phpBolt example]

How to protect PHP source code? Well, this is one of the most asked question among PHP developers. Many PHP developers need to protect their application source code before they distribute it to their customers and make it difficult for others to modify it without their permission. If you are one such developer, then this tutorial will explain how to use PHP encoders to protect your source code. I’ll also show how to use phpBolt encoder with an example.

## PHP source code protection methods

There are couple of techniques to protect PHP source code.

• Making the code difficult to read – which involves in minification & obfuscation
• Encoding the source code.

The first technique involves in minification and obfuscation – which makes the code very difficult to read. The minifying process involves in removing developer comments, white spaces and line breaks. But still the meaningful identifiers (variable names, function names, classes, built-in PHP symbols) used in the code can help the third person to understand the code with little effort and otherwise, it just takes few minutes to de-minify the code. However, the readability can be made really hard when minification is combined with obfuscation. The obfuscation involves in renaming the meaningful identifiers with random cryptic names, thus making the source code difficult to read & understand. There are several tools available online to minify and obfuscate PHP codes.

Obfuscation Example:

Original source code:

<?php
{
echo "henry";
}
?>

An obfuscated code would look like below:

<?php
function xyz123()
{
echo "henry";
}
xyz123();
?>

From the above obfuscated code, you will see function name get_username obfuscated to a meaningless name such as xyz123.

Warning

Sometimes, obfuscation may modify the code to an extent that it may not execute properly. So it’s important to exclude certain functions and variables that might not work after obfuscation. Here’s a exclude list from Zend Guard.

The second method involves in encoding the source code and distributing the encoded package to the customers.  But this method requires a loader or an extension to be loaded at the client site to decode the encoded PHP sources files. There are few commercial PHP encoders available in the market that ranges from $250 to$600.

## List of PHP encoders

NameSupported PlatformPHP versions supportedObfuscationEncodingPrice
ZendWin, Linux, MacPHP v5.0 +YY$600/yr ionCubeWin, Linux, Free BSD, OS XUpto PHP 7.2YY$255-$509 SourceGuardianWin, Linux, Free BSD, OS XPHP 4-7.3NY$199
NuCoderWinPHP 4.x & 5.xYN$299 Both these techniques helps to protect PHP source codes, but it does prevent the distribution of the application. Thus the reason, most of the commercial encoders comes with a locking feature, that allows to lock the application to a specific IP address, domain name, hardware address or to a site URL. Certain encoders allows to set expiry dates to offer a trial version of your application as well. ## Are there any open source PHP encoder? Not many, probably because an opensource version of PHP encoders will be easily available for the people to create decoders isn’t? So there are not many PHP encoders available. ## Free PHP encoder A free encoder called phpBolt saves you from buying commercial encoders. phpBolt helps to protect your PHP source code by encrypting and decrypting code using a key. ## How to use phpBolt encoder Step 1: Download phpBolt extension In order to use phpBolt, you need to download loader extension. Look for bolt.so inside the corresponding platform folder. For example, if you are using 64 bit version of Linux and PHP version 7.3, then you need to use bolt.so located inside the folder – phpBolt-extension/linux\ 64/linux\ 64\ -\ php73/ Step 2: Install bolt.so extension Copy bolt.so from the respective platform folder into the folder where all PHP extensions are stored. In my case, /etc/httpd/modules was the folder that stores all PHP extensions. Open php.ini as below: # vim /etc/php.ini Add bolt.so extension : extension='/absolute-path/bolt.so' Remember to replace absolute-path with the path of the extension. In my case, extension='/etc/httpd/modules/bolt.so' Now you have successfully setup bolt loader extension. Step 3: Test sample encrypted file Download the sample encrypted hello world program and place it inside your web server root directory. Once done, have a quick look at the encrypted PHP program. It would look like the below: <?php /** * define('PHP_BOLT_KEY', 'kyc7fh'); We want give key to client */ define('PHP_BOLT_KEY', 'kyc7fh'); bolt_decrypt( __FILE__ , PHP_BOLT_KEY); return 0; ##!!!##i4psiIu8tLxssa+0u2xztLG4uLtsw7u+uLBzh2w= • The line containing PHP_BOLT_KEY constant contains the key used for encrypting PHP program. • bolt_decrypt( encrypted_code, encryption_key) will decrypt the encrypted PHP code & executes it. • And what you see in the last line is the encrypted PHP code. That’s it! Now try executing hello.php and view the desired output in the web browser. So how did that work? The bolt.so loader extension in the server uses the PHP_BOLT_KEY to decrypt the encrypted PHP code and executes it on the server. ## Step 4: Encrypt PHP code In step 3, we executed a sample encrypted PHP program. But how do you encrypt your custom PHP program? Here we go. In order to encrypt your PHP program, you need to download the encryption script from this link. Look out for a download form at the bottom of the page, where you will need to input your email & name and click “Download” button. You will receive an email with a link to download the package – which will contain loader extension, sample encrypted program and encryption script. a) Look out for encrypt.php – this is the encryption script that helps you to encrypt your source code. b) Open encrypt.php and change necessary lines as shown below: <?php /** * src : source folder * encrypted : Output folder */$src = 'src/';   //Source folder that contains the source code of your PHP application
$php_blot_key = "kyc7fh"; //Key to encrypt & decrypt PHP source code. You will be sharing this key with the client Note: Remember to set your custom key for encryption. The above key is only example use. Wait, a small change has to be made in encrypt.php file, so that the PHP_BOLT_KEY constant sets key value properly in all encrypted files. Because, the downloaded encrypt.php didn’t set the key properly. To do that, look out for line given below (line 46 – line number might change in future version)$preppand = '<?php bolt_decrypt( __FILE__ , PHP_BOLT_KEY); return 0;
##!!!##';

and replace it with the one below:

$preppand = "<?php bolt_decrypt( __FILE__ ,'". PHP_BOLT_KEY . "'); return 0; ##!!!##"; The above replacement makes sure that the PHP_BOLT_KEY is properly set in all encrypted PHP files. c) Execute encrypt.php. Make sure this file is copied or present inside the application folder that you would like to encrypt. If not, then you need to set absolute path of your application folder in$src variable (whichever you choose).

$php encrypt.php The above command will read the$src variable and encrypts all PHP files located inside the given folder. Once done, an encrypted folder will be created containing all the encrypted PHP files.

# php encrypt.php
Successfully Encrypted... Please check in <b>/var/www/html/encrypted/</a></b> folder.
Note:

You may execute encrypt.php via browser as well.

d) Now, look out for the encrypted files inside encrypted folder. You may open the files to confirm the encryption.

<?php bolt_decrypt( __FILE__ ,'kyc7fh'); return 0;
##!!!##i4psiIu8tLxWe3Z2Vmx2bJK+u7rAbMC7bMC0sWyju76wnL6xv79srby8uLWvrcC1u7p6bKC0tb9ssrW4sWywu7G/unPAbLC7bK26xcC0tbqzeGyuwcBsuLutsL9WbHZsw7x5rri7s3m0sa2wsb56vLS8bMO0ta+0bLC7sb9srbqwbMCxuLi/bKO7vrCcvrG/v2zAu2y4u62wbMC0sWzAtLG5sXpWbHZWbHZsjLytr7ets7Fso7u+sJy+sb+/Vmx2e1ZWe3Z2Vmx2bKCxuLi/bKO7vrCcvrG/v2zAu2y4u62wbMC0sWyju76wnL6xv79swLSxubFsrbqwbLvBwLzBwGy1wHpWbHZWbHZsjMKtvmyuu7u4Vmx2e1awsbK1urF0c6Ocq6GfkauglJGZkZ9zeGzAvsGxdYdWVnt2dmyYu62wv2zAtLFso7u+sJy+sb+/bJG6wrW+u7q5sbrAbK26sGygsbm8uK3AsWx2e1a+sb3Btb6xdGywtb66rbmxdGyrq5KVmJGrq2x1bHpsc3vDvHmuuLuzebSxrbCxvnq8tLxzbHWHVg==

e) That’s it! Package all the files inside encrypted folder and distribute it to your clients.

Install bolt.so at the client server:

The client server should have bolt.so loader extension added to php.ini to execute the files encrypted using phpBolt encoder.

## Is phpBolt encoder is better than commercial encoders?

I haven’t used any of the commercial PHP encoders, so I don’t know, to be frank. Also, some of the users complained that few encoders have broke their application. So if you ever want to use PHP encoders, make sure you have listed down what files you need to encode & what you should not and test it properly before shipping it to the client site. It’s advised to read the documentation properly before using encoding tools.

Though phpBolt creates a separate folder to store encrypted files, it’s better you backup your application code before executing encrypt.php script.

Disclaimer

This tutorial is for an information purpose only. Techglimpse.com or the author does not own any responsibility in case of issues/errors that may occur while using encoding tools. Play it at your own risk.

Updated on November 28, 2019