Recently my previous webserver was hacked, and I was faced with the reality that my PHP scripts weren’t secure. This led me to change all my account passwords, including SSH, MySQL, POP3 and many others. Fortunately I have always used a different set of passwords for my other accounts (forums, online communities and banking), so I didn’t have to change those.
How many of you have stored your database password in an includable PHP configuration file? And how many of you use the same password for more than one database? Let me tell you: chances are, if you are running a WordPress blog, you already have a password stored in wp-config.php. Now what if your webserver’s configuration got messed up and started serving PHP files as plain text instead of parsing them?
And believe me, it can happen: I once moved a website to somebody else’s server which wasn’t configured properly, and it showed the contents of the PHP scripts!
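A self-check for exactly the failure mode described above, added here as example code (not something from this post, WordPress or any of the products below): it inspects an HTTP response body for an unexecuted PHP open tag and reports the names, never the values, of the define()d constants that would be readable by anyone requesting the file. The two sample bodies are constructed, and the audit_url helper is a hypothetical convenience for checking a server you administer.

```python
import re
import urllib.request

# Constructed sample of what a misconfigured server returns for
# wp-config.php: the raw script text instead of the output of running it.
LEAKED_BODY = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'blog_rw');
define('DB_PASSWORD', 'placeholder-not-a-real-password');
define('DB_HOST', 'localhost');
define('AUTH_KEY', 'placeholder-key');
$table_prefix = 'wp_';
require_once(ABSPATH . 'wp-settings.php');
"""

# Constructed sample of the same request on a correctly configured server:
# PHP ran and only its HTML output reached the client.
PARSED_BODY = "<!DOCTYPE html><html><body><h1>My blog</h1></body></html>\n"

PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
DEFINE_CALL = re.compile(r"""define\s*\(\s*['"]([A-Za-z0-9_]+)['"]\s*,""")
SECRET_HINT = re.compile(r"PASS|SECRET|KEY|SALT|TOKEN", re.IGNORECASE)

def is_php_source(body: str) -> bool:
    """True when the response still contains a PHP open tag, i.e. the
    server delivered the script text instead of executing it."""
    return PHP_OPEN_TAG.search(body) is not None

def exposed_constants(body: str) -> list:
    """Names of define()d constants visible in the body. Values are
    deliberately not captured, so a report never echoes the secret."""
    return DEFINE_CALL.findall(body)

def audit_body(body: str) -> dict:
    """Summarise one response: leaked or not, and which secret-looking
    constant names would be readable by whoever requested the file."""
    leaked = is_php_source(body)
    names = exposed_constants(body) if leaked else []
    return {
        "leaked": leaked,
        "secret_names": [n for n in names if SECRET_HINT.search(n)],
    }

def audit_url(url: str, timeout: float = 10.0) -> dict:
    """Hypothetical helper: fetch a PHP file from a server you administer
    and audit the body (the offline samples above cover the logic)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return audit_body(resp.read().decode("utf-8", "replace"))
```

Run audit_url against your own wp-config.php URL after a server move; a "leaked": True result means the host is handing out the file rather than executing it.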
Encrypting Your PHP Scripts
Encrypting PHP files does not only protect your passwords; it also protects your intellectual property. Sure, open source is a beautiful thing, but let’s say you’ve developed this awesome PHP application and you distribute it for free. What’s the best way to find its vulnerabilities? Just go through the source code and find out!
There are a bunch of commercial software packages that let you encrypt your PHP files:
- Zend Guard: Previously known as Zend Encoder, Zend Guard protects your commercial PHP 4 and PHP 5 applications from reverse engineering, unauthorized customization, unlicensed use and redistribution. Encrypted files require Zend Optimizer (free) to be installed on the webserver. Yearly license: $995 USD.
- SourceGuardian for PHP (PHP Encoder): Best known as PHP Encoder, SourceGuardian is an advanced package with a long list of features for making the resulting code as hard to read as possible. There are no requirements for running the encrypted PHP scripts on a webserver. Full license: $250 USD.
- ionCube PHP Encoder: ionCube provides PHP file encryption either as software or online on a pay-per-download basis. This entry-level encryption application is more affordable than its two competitors. Pricing: $199 USD.
There are also some open-source encryption tools available for free, but they haven’t been updated in a while (3 to 4 years!), so I don’t recommend them. You can still try them out if you really want to:
- Turck MMCache for PHP: While it requires installing additional software on the server, it is also compatible with Zend Optimizer.
- PHP Obfuscator (POBS): POBS is written in PHP and is meant to be used online from your webserver.
If you know of any other method of protecting or encrypting PHP scripts, let us know!
November 6th, 2007 at 7:17 am
Stephane,
I use Roboform to remember the thousands of different passwords I have. Are you familiar with Roboform and do you know of any vulnerabilities it may have?
I have seen some internet marketers use Zend Guard and ionCube to protect their code. Thanks for the resources. I’ll know where to find them if I ever generate my own scripts.
November 6th, 2007 at 3:52 pm
I’ve never used Roboform; in fact, I’ve got all my passwords in my head.
I don’t trust any software when it comes to storing passwords.
I think I’m gifted on the memory side when it comes to remembering passwords… yet I forget most of what my girlfriend asks me to do lol….