How to compile a PHP file?

Question:

Is there any way to transform PHP file into bytecode or something similar, and then run it natively? I need some files on a system to be precompiled for performance reasons in some cases, and "safe" against prying eyes in others.

Searching, I found the PHAR files, but I didn't find out if they are purely a decompilable package like a .jar , or if they are bytecode .

Answer:

TL;DR

A simplistic technique you can use to protect yourself "from prying eyes" and have a basic (low) type of "security" is to obfuscate code.

It is possible to get higher security with bytecode obfuscators, however the available tools (that I know of) are paid and require the installation of extensions in PHP, which would not be possible in shared hosting, for example.

Motivation

Particularly, several years ago I used a simple obfuscation technique when I developed a CMS ( Content Management System ) of my own that was installed on the websites of several clients, that is, hosting that were in their possession. This was back when the PHAR extension was still experimental.

My goal with the obfuscation was to prevent any "nephew" (pseudo-webdesigner) who knew how to use an FTP client from starting to dig into the system, trying to copy it to another site, etc. In fact, it has already occurred to a curious client, given the knowledge, to eavesdrop on the source to try to circumvent certain validations. So, it was a kind of "security for dummies ".

Simplistic Implementation

I knew the "security" gained via obfuscation was only against snoopers without programming skills, so I used a very simple technique.

First I installed Phing , a kind of Ant for PHP, so that I could automate the obfuscation process.

Then I created a task where, for each file:

  1. php_strip_whitespace the php_strip_whitespace method to clean up the source code.
  2. It encoded the content in base 64 and put it in a String.
  3. The result was placed in a new file in a parallel folder structure, which used an eval to get the code running.

The code was very similar to this one, which I found in SOEN :

<?php
$infile=$_SERVER['argv'][4];
$outfile=$_SERVER['argv'][5];
if (!$infile || !$outfile) {
    die("Usage: php {$_SERVER['argv'][0]} <input file> <output file>\n");
}
echo "Processing $infile to $outfile\n";
$data="ob_end_clean();?>";
$data.=php_strip_whitespace($infile);
// compress data
$data=gzcompress($data,9);
// encode in base64
$data=base64_encode($data);
// generate output text
$out='<?ob_start();$a=\''.$data.'\';eval(gzuncompress(base64_decode($a)));$v=ob_get_contents();ob_end_clean();?>';
// write output text
file_put_contents($outfile,$out);

The biggest difference is that originally I didn't capture the output to a variable or use compression.

Note that this is an extremely simplistic approach. For example, this technique does not take performance into account. In the personal example I mentioned there was no noticeable impact, but if there is a volume of accesses and/or a reasonable amount of files this should be a concern. Also, it's easy for a developer to decompile the original code.

"Market" solutions

Rather than reinventing the wheel, there are some tools you can use to obfuscate. In fact, some even store and obfuscate the bytecode , which runs counter to the performance part of the question.

Note that I have no experience with these tools, as they didn't even exist when I needed them. However, I suggest that you do some tests and check for yourself, trying to reverse the obfuscation, if you are able to do it and with what difficulty. Also, calculate the timing difference of a request when using "normal" code and "compiled" or obfuscated code.

POBS

An open-source obfuscator that, in addition to obfuscating code in general, alters function and variable names in ways that are difficult to read even if reverse-engineered.

PHP Protect

A free tool that processes all scripts in a folder. It probably uses a simple obfuscation technique.

Thicket Obfuscator for PHP

Paid tool. Says to use a different technique to improve the performance of the obfuscated script.

IonCube PHP Encoder

Paid tool that makes it possible to store the bytecode , encrypt it, obfuscate it, add an expiry time, restrict its use to a MAC Address, etc. It already has a Phing task called IoncubeEncoderTask to process files automatically.

This is one of the most complete tools in the category. However, to execute the encoded files, it is necessary to install an extension in PHP. So this solution is unfeasible for shared hosts .

Zend Guard

Paid tool from Zend (the company that develops PHP) that allows you to obfuscate the code and protect the script execution in different ways (similar to the one described above on IconCube).

Considerations

No protection guarantees 100% security. Even the best paid solutions presented above are not 100% secure. The website zendecode.com , for example, claims to instantly decompile Zend Guard and IconCube code.

Anyway, in my opinion, the best protection is not in the code, but in offering services with quality and excellence. After all, for our luck or misfortune, there aren't many good software vendors out there and copying their code (unless it contains some sensitive information) won't give potential competitors much competitive advantage.

Scroll to Top