Re: PHP Source code protection


 



On Feb 7, 2008 4:56 PM, Greg Donald <gdonald@xxxxxxxxx> wrote:
> On 2/7/08, Richard Heyes <richardh@xxxxxxxxxxx> wrote:
> > > http://www.phprecovery.com/
> >
> > Pointless? I think it is exactly the answer to the original person's
> > question.
>
> Yup, it's the exact correct answer, to a pointless question.
>
> Even Zend knows it's pointless to encode PHP.  When you type "decode
> php" into Google you see ads for the Zend Encoder.  Does that tell you
> anything?

    Actually, Greg, I respectfully disagree.  First, just because
there may be ways to reverse-engineer things doesn't mean it's a bad
idea to attempt to protect your code against such.  I know that people
can smash in the windows of my Durango and steal my equipment, but I
still lock it when I park it and go into the store.  Why?  Because I
don't want to make things easy enough for someone to be tempted to
take something.  I know that if they want something badly enough,
they'll take it.... but I'm just not going to make it that easy.

    And if Zend considered it "pointless", they probably would no
longer attempt to further develop - nor put their name on the line to
sell - the product line.  By definition, pointless means "Lacking
meaning; senseless.  Ineffectual: pointless attempts to rescue the
victims of the raging fire."[1]  I fail to see the correlation here;
Zend is aware that there are ways to decode their method of
obfuscation (any and all are trivial, really), but admitting defeat is
failure in this case.  That, in my opinion, is pointless.

> Encoding PHP, or licensing it, or compiling it to an extension, or any
> other silly obfuscation ideas you come up with, in the end, only keeps
> an honest person honest.  If someone wants to reverse code that you
> have put in their possession, they will find a way.

    It also keeps script kiddies from typing "decode php" into Google
and being able to pull one over.  While industry standards may not be
the lock that cannot be picked, proprietary obfuscation will keep
people who don't know what they're doing out of your code --- and if
they possess the acumen and free time to be able to reverse-engineer
the code themselves, I honestly don't know why they'd pay someone to
develop the application in PHP for them in the first place.

> Deductive reasoning leads to two possible options:
>
> 1) Don't give the code to anyone.
> 2) Give the code to the client and accept the fact that it may get pirated.

    I completely agree with you here.  I'll also add the same thing I
always tell people when they ask me about security: any time there is
a way to connect to a device over the wire or otherwise, the data will
never be secure.

    That stands for ASP (Application Service Providers, in this case -
the only *decent* ASP there is! ;-P) as well.



    [1] - http://www.answers.com/pointless&r=67

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

