Though I am still a learner, I have developed a small PHP application and am planning to sell it. Meanwhile, I would like to protect my script using an API or something, strictly without obfuscating or encoding, or using Zend Framework.

Is there any easy way? Using base64decode, I should get to know the site if someone installs on any site, with their site name getting stored in my database.

If anyone can help me with the script / direction, I would be grateful.

I was going to offer as a solution, but no encoding/obs, so difficult.

There are tools like Zend Guard and ionCube Encoder that can encrypt/obfuscate the code in such a way that it takes some doing to reverse engineer them. But it's not foolproof, and can be overcome. PHP is a scripting language, after all, so the script needs to be read at some point by the PHP parser.

Other than that, you can't really enforce a licensing schema on PHP code. (Not that you really can with binary programs either, for that matter. Pirates are stubborn that way.) Not if you are intending to distribute the code, at least.

In some situations you may be able to provide functionality (or at least partial functionality) from an external source that you can control, so that in order to effectively use your code, the user will have to at some point connect to your servers. That would let you track who is using it. Of course, this may not be possible at all for your code. Depends on what it's meant to do.

How about selling your product as a service? You host the whole caboodle and get them to pay for using it. Depending on the demand, you'll probably need to steer away from shared hosting and you need to ensure that security is top notch. Security would have to be majorly impressive for a distributed package anyway.

Advantages of distributed systems - feedback with regard to security issues - you don't usually get this with hosted service. Distributed systems - can be difficult to send patches out to plug holes - and to get customers to update - and doesn't engender confidence if you have to do it very often. This is a silent process when you host everything yourself. Just a few rambling thoughts.

I totally agree with Diafol and Atli's recommendations. Ioncube is the most cost effective at less than a dollar per page, while the rest are just expensive to purchase, because they don't offer per file or page obfuscation. There is a source guardian for 199 dollars and another one, whose name I don't remember, runs for 99 dollars. For the expensive ones, you can keep the software and can do as much obfuscation as you want.

Now, the real truth about obfuscating your source. Pretty much all of them now can be decrypted offshore. I know a company that can easily decrypt a large application in less than a week for less than $50.00 a pop. Compare that to your licensing fee.. make sure to price your product less than the cost to obfuscate your application.

Besides, any highly knowledgeable programmer will be able to recreate any PHP program, or maybe better. PHP is a fast changing language, thus making code written today obsolete by tomorrow. Why waste all the money and time in obfuscating the source, only to decrypt it at a later date for an upgrade? Many PHP functions are being thrown into the deprecated bin every time a new distro is released.

Advanced solution (REQUIRES LOTS AND LOTS of coding and logic analysis).. I did this for a company some 1 1/2 years ago.

  1. Create an environment-aware installer. Make sure that the installer will gather all important data about the server, salted id, and domain name, every time the installer is initialized. Let the script create a temporary secret file e.g. install.file.txt. The installer should be able to create a new salt within the crucial files of your application, by appending to a pre-existing PHP file. The salt should be stored in the database and must be checked at least once a month or so, for the purpose of license inventory.

  2. Allow your installer to create a cURL script and communicate with your server. Upon installation, the installer should be able to send data to your server e.g. domain name, IP address, date and time, unique installation ID randomly generated by the installer, location of the install.file.txt, and the salt. Your server must download and process the received data and send a response if the domain name matches the domain names in your database; if not, send a false boolean response.

  3. The installer on the remote site will have to wait for the response coming from your server. If the domain name validates to false, then the script will store the false value; ONLY YOU and your installer should know the location, e.g. installation failed date. The installer will then delete the most crucial files of your application.

  4. If they attempt to re-install, the installer will look for the secret file to revalidate. Obviously, it will always validate to false.. if this happens, the installer will not continue.

  5. If the installer validates to true, then application installation should continue, and then store the installation data in the database and delete all temporary files created by the installer.

  6. Make sure your application is able to accommodate changes such as server relocation, domain change, and many other things that are important to the webmasters, without affecting the convenience of the users of your application.

The easy way? Host your own application and focus more on the development to make your application better, instead of using a great amount of time on encryption and protecting your script.

commented: great suggestions! +9
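
Steps 2 and 3 of the scheme above depend on the installer trusting the server's true/false answer. As an added example (not part of the thread and not any poster's code), this PHP example signs that answer with Ed25519 so that an answer edited or replayed on the way back is rejected; the function names, payload fields and `shop.example` domain are hypothetical, and it assumes PHP 7.4+ with the sodium extension.

```php
<?php
// Added example; function names and payload fields are hypothetical.
// Vendor server: decide whether the domain is licensed and sign the answer.
function license_respond(array $req, array $licensed, string $secretKey): string
{
    $payload = json_encode([
        'install_id' => $req['install_id'],
        'domain'     => $req['domain'],
        'nonce'      => $req['nonce'],   // echoed back so old answers cannot be replayed
        'valid'      => in_array(strtolower($req['domain']), $licensed, true),
        'issued_at'  => time(),
    ]);
    $sig = sodium_crypto_sign_detached($payload, $secretKey);
    return json_encode(['payload' => $payload, 'sig' => base64_encode($sig)]);
}

// Installer: accept "valid" only from a correctly signed, fresh answer to THIS request.
function license_verify(string $resp, array $sent, string $publicKey, int $maxAge = 300): bool
{
    $outer = json_decode($resp, true);
    if (!is_array($outer) || !isset($outer['payload'], $outer['sig'])) return false;
    if (!is_string($outer['payload']) || !is_string($outer['sig'])) return false;
    $sig = base64_decode($outer['sig'], true);
    if ($sig === false || strlen($sig) !== SODIUM_CRYPTO_SIGN_BYTES) return false;
    if (!sodium_crypto_sign_verify_detached($sig, $outer['payload'], $publicKey)) return false;
    $p = json_decode($outer['payload'], true);
    if (!is_array($p)) return false;
    return hash_equals($sent['nonce'], (string)($p['nonce'] ?? ''))
        && hash_equals($sent['install_id'], (string)($p['install_id'] ?? ''))
        && ($p['domain'] ?? null) === $sent['domain']
        && abs(time() - (int)($p['issued_at'] ?? 0)) <= $maxAge
        && ($p['valid'] ?? false) === true;
}

// Constructed demo: the key pair is generated here; in practice only the public key ships.
$kp = sodium_crypto_sign_keypair();
[$sk, $pk] = [sodium_crypto_sign_secretkey($kp), sodium_crypto_sign_publickey($kp)];
$newReq = fn(string $domain) => ['install_id' => bin2hex(random_bytes(16)),
                                 'domain' => $domain, 'nonce' => bin2hex(random_bytes(16))];
$good = $newReq('shop.example');
$bad  = $newReq('unlicensed.example');
$goodResp = license_respond($good, ['shop.example'], $sk);
$badResp  = license_respond($bad, ['shop.example'], $sk);

var_dump(license_verify($goodResp, $good, $pk));                               // licensed domain
var_dump(license_verify($badResp, $bad, $pk));                                 // unlicensed domain
var_dump(license_verify(str_replace('false', 'true', $badResp), $bad, $pk));   // answer edited in transit
var_dump(license_verify($goodResp, $newReq('shop.example'), $pk));             // old answer replayed
```

Only the public key is distributed with the installer, so a customer cannot mint a valid answer; as the replies above point out, someone with the source can still remove the check itself.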