CodeIgniter Forums

Full Version: ionCube and Codeigniter
Hello guys, currently I'm working on a project which requires a lot of security. I stumbled upon a problem with the source code being plain PHP and human readable. After googling for PHP obfuscators I found ionCube, which claims to be the best. Like everyone else I ask the one million dollar question: what about the performance??

On their website they claim that ionCube doesn't affect the speed that much and it might actually speed up the code.


Quote:Q. Do encoded files or the loader affect performance?


A. Not much, and when the loader is installed in the php.ini file, encoded files may run faster than the unencoded scripts. Unlike unencoded scripts and those from source based encoders, ionCube encoded files are compiled and optimised at encoding time, and so don't need to be parsed or compiled at runtime. This reduces the usual overhead in PHP, and offsets the performance overheads of the code protection.

Since I have no experience with PHP encryption I wanna know your opinion. Is it a good practice to use ionCube for high security projects? Is it really a good idea to use it?
I would exhaust all other methods of increasing security before considering encrypting the source code using something like ionCube.

PHP code should never be displayed when deployed to the end user if PHP is installed correctly and the file extension is .php.

Hiding source code in case someone gains access to your server might add a small layer of security for the code used; however as most data is typically stored in a database (which is easy to access once the server is compromised), there is very little reason to encrypt the source code itself unless the code itself is vital to an organisation.

From a security standpoint it may add a layer of protection, but it also adds extra development time (any updates have to be made on the original source code and then encrypted before being pushed live) and a small hit to performance.
Hi,
A simple method is to remove the PHP tags from your PHP file and display it in Google Chrome.
Even if it's USELESS to reduce or obfuscate it, since Chrome Dev tools can reverse obfuscated code.

As advoor said... PHP is not meant to be displayed to the front end user; if it is, you're showcasing your app source code and don't really need to obfuscate it...

Obfuscated PHP code is unusable even for more improvements.
@flevasGR well... if they've managed to get to your PHPs, then your security is lost already...
Even if you obfuscate it
(06-08-2015, 04:52 AM)FlevasGR Wrote: Hello guys, currently I'm working on a project which requires a lot of security. I stumbled upon a problem with the source code being plain PHP and human readable. After googling for PHP obfuscators I found ionCube, which claims to be the best. Like everyone else I ask the one million dollar question: what about the performance??

On their website they claim that ionCube doesn't affect the speed that much and it might actually speed up the code.



Quote:Q. Do encoded files or the loader affect performance?


A. Not much, and when the loader is installed in the php.ini file, encoded files may run faster than the unencoded scripts. Unlike unencoded scripts and those from source based encoders, ionCube encoded files are compiled and optimised at encoding time, and so don't need to be parsed or compiled at runtime. This reduces the usual overhead in PHP, and offsets the performance overheads of the code protection.

Since I have no experience with PHP encryption I wanna know your opinion. Is it a good practice to use ionCube for high security projects? Is it really a good idea to use it?

I wouldn't worry about the performance.

The rest of your questions however don't have a straightforward answer - you either need to do that or you don't; there's no "good idea" or "good practice" in that regard.

(06-08-2015, 05:20 AM)advoor Wrote: I would exhaust all other methods of increasing security before considering encrypting the source code using something like ionCube.

PHP code should never be displayed when deployed to the end user if PHP is installed correctly and the file extension is .php.

Hiding source code in case someone gains access to your server might add a small layer of security for the code used; however as most data is typically stored in a database (which is easy to access once the server is compromised), there is very little reason to encrypt the source code itself unless the code itself is vital to an organisation.

From a security standpoint it may add a layer of protection, but it also adds extra development time (any updates have to be made on the original source code and then encrypted before being pushed live) and a small hit to performance.

There are valid use cases for trying to encrypt PHP source code - you are not always the one deploying the code on your server(s); some companies sell software and they don't want their clients to be able to modify it.

(06-08-2015, 06:29 AM)Blair2004 Wrote: Hi,
A simple method is to remove the PHP tags from your PHP file and display it in Google Chrome.
Even if it's USELESS to reduce or obfuscate it, since Chrome Dev tools can reverse obfuscated code.

As advoor said... PHP is not meant to be displayed to the front end user; if it is, you're showcasing your app source code and don't really need to obfuscate it...

Obfuscated PHP code is unusable even for more improvements.

ionCube does encryption, not obfuscation - it's not plain-text code that's just hard to read.
my bad!!!
Thanks for your answers. I will clarify everything I can.

@advoor
The development time is not a problem. It's automated anyway, so when I want to deploy on the server I just push a new version on the production branch. What I could do is make a Ruby file which takes care of the compiling and pushes the new version.

@Blair2004
ionCube does not obfuscate code. It messes up everything and makes it truly unreadable. Here, take an example:

Code:
E¿¦gŠ³ùy}1Â~]lZ,nÍšm«Í)rÓ+øÅJ§õäJ©ÐðáA[þf1ˆOÜÑRÙŸ‹©s$|2÷9qB¤'Ú¿Ì„?…äõ ÷pΉY\'ìÛš©)"ópò`›kâ!yõ_ÿ„ÛJí0¯C úÝ¢/àÂ玛Ëð7üè õÁýÏ}Zúš³A‰—Zù¸‡W"H$ëñÄžõ·v*…¶ÅP˜¼Y´ý`Å«e°2¥íÆ}‹½`”j&ÜgoEUIù“Ð
zî¹ò…M·:M1¬K‘VÖr7‹4tÕÄýÂí•0)牝}}6ïÁ–T™Ta~¿YÒ—– M)ɨdžÅè»0¿W±ŠEAcIýÉ~8я1¸ô愬Á:‡ .°ãrß¾À¢ÖœíÊýÍÕœ½òsÁ¶    Û]$!×eµ=Ê19kÖÔü
>ÕNÁq–{    {æ+Ùä ÞNgº»g}•çÛò
?Rdí4‹6%¢    ¢–z>_¤0çÈÁ-;Ý5EՍ}ú? »CÈ žUPãì³ 
ž{°‰…;†5邝ø( y‘?`^32Þë-¯E7ïšJJ;–™‰âñlŠÄˆ6™@xÒ@ËîYÊ%ªè¾žà¶ eÏWُ†8«\qdÞ¯%±Š©¨Ö÷?^Êxdly*I¨ârýº«€

@Avenirer 

Well, it's not just the guy who will get access. It's that I don't want anyone from the team I'm working with to see what is going on.
(06-08-2015, 09:37 AM)FlevasGR Wrote: Well, it's not just the guy who will get access. It's that I don't want anyone from the team I'm working with to see what is going on.
Does your team not have access to view the production branch itself? I assume you're talking about git. It will only be encoded on the server, so if they have access to the git branch they will still be able to see the raw code.
That's really amazing, it can be useful for commercial soft.