(06-08-2015, 04:52 AM)FlevasGR Wrote: Hello guys, currently i'm working on a project which requires alot of seciruty. I stumbled upon a problem with the source code being plain php and human readable. After googling for PHP obfuscators i found ionCube which claims to be the best. Like veryone else i aske the one million dollars question: what about the performance??
On their website they claim that ionCube doesn't effect the speed that much and it might actually speed up the code
Quote:Q. Do encoded files or the loader affect performance?
A. Not much, and when the loader is installed in the php.ini file, encoded files may run faster than the unencoded scripts. Unlike unencoded scripts and those from source based encoders, ionCube encoded files are compiled and optimised at encoding time, and so don't need to be parsed or compiled at runtime. This reduces the usual overhead in PHP, and offsets the performance overheads of the code protection.
Since i have no experience with php encryption i wanna know your opinion. Is it a good practice to use ionCube for high security projects? Does it really good idea to use it?
I wouldn't worry about the performance.
The rest of your questions however don't have a straightforward answer - you either need to do that or you don't; there's no "good idea" or "good practice" in that regard.
(06-08-2015, 05:20 AM)advoor Wrote: I would exhaust all other methods of increasing security before considering encrypting the source code using something like ionCube.
PHP code should never be displayed when deployed to the end user if PHP is installed correctly and the file extension is .php.
Hiding source code in case someone gains access to your server might add a small layer of security for the code used; however as most data is typically stored in a database (which is easy to access once the server is compromised), there is very little reason to encrypt the source code itself unless the code itself is vital to an organisation.
From a security standpoint it may add a layer of protection, but it also adds extra development time ( any updates have to be made on the original source code and then encrypted before being pushed live ) and a small hit to performance.
There are valid use cases for trying to encrypt PHP source code - you are not always the one deploying the code on your server(s); some companies sell software and they don't want their clients to be able to modify it.
(06-08-2015, 06:29 AM)Blair2004 Wrote: Hi,
simple method is to remove php tags from your php file and display it on Google Chrome.
Eveny if it's USELESS to reduce or obfuscate it, since Chrome Dev tools can reverse obfuscated code.
As advoor said... php is not mean to be displayed to front end user, if it so, you're showcasing your app source-code and don't really need to obfuscate it...
Obsucate Php Code is unusable even for more improvements.
ionCube does encryption, not obfuscation - it's not plain-text code that's just hard to read.
