I have finished my code in PHP (using Laravel) and I would like to run it on a client's hosting. I can upload the files and configure the DB, not a biggie!

The problem is, they can see the code (I mean everything: Controllers, Models, etc.).

I know about Phar files, but it seems there's no specific way of creating a Phar file for Laravel. I have checked this URL, which is useful for applications using Composer: https://github.com/clue/phar-composer but I couldn't get it to work.

What I want is to actually upload the file in a way that nobody can see the code within. Something like JAR files in Java, which contain all the code inside. I'd like to know the ways that I can upload my files without being worried about my files being read or used by others.

Sean
  • There is already a question on Stack Overflow: http://stackoverflow.com/questions/18203112/is-it-possible-to-hide-encode-encrypt-php-source-code-and-let-others-have-the-sy What you want is to encrypt or obfuscate your code. – capcj May 15 '17 at 12:24
  • FYI JAR files are just archives and you can see what is inside them. – nerdlyist May 15 '17 at 12:27
  • @CarlosAlexandre dude, that is encrypted and can be decrypted. It is written in the answer! I'm looking for something that solves this if there's any. – Sean May 15 '17 at 12:33
  • @nerdlyist You can see what's inside a phar file too, but they are useless for you – Sean May 15 '17 at 12:34
  • @Sean You can decrypt only with your password; it is not so simple to decrypt by brute force. Some of those services are really hard to decrypt; it's the best you can do. Anyway, if you are SO WORRIED about that, don't put it on client hosting, because there will always be a chance of someone trying to read your code! – capcj May 15 '17 at 12:39
  • That is incorrect. It is bytecode and can be read as is or decompiled. No matter what, people will see your code the way you are doing this. Either get a good contract and lawyer or create an API and self-host the important stuff. – nerdlyist May 15 '17 at 12:39
  • @nerdlyist PHAR? Can be decompiled? Really?! Anyway, thanks for the info ... it really is helpful – Sean May 16 '17 at 04:52

1 Answer

We've looked into that before, but the code obfuscators have limits. Any of it can be reverse engineered, however. I've found the best model is to self-host and create a SaaS model, then give them a client API library like how Amazon's Sendy or a payment gateway makes calls. You can make your own that calls on your self-hosted SaaS via cURL calls. This way, you give them code, but it's vanilla "gatekeeper" code, and all your business logic and other valuable code stays secure on your server, so they can't get to your real code but you have full control over its access. This is very scalable, too.

Aaron Belchamber
  • I was thinking about something like this too. What I was thinking was to create a sub-domain for every client, ask them to buy their domain names and change their NS to my sub-domain. In this case, the domain name remains the same as they bought and the files are hosted on my server. – Sean May 15 '17 at 12:37
  • Well, this cURL library solution is completely portable and serves as an interface to your SaaS. The cURL library can even route POST requests on their own domain to different routes on your server. So from my experience, it's minimally intrusive for your clients this way. It's worked well for me in different systems I've set up; the cURL can even deliver entire pages and forms of content from your site to theirs. I hope this helps! – Aaron Belchamber May 15 '17 at 12:47
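
The "gatekeeper" client described in the answer above, with the matching server-side check, as an added example that is not code from the thread or from any of its participants. The `gk_*` function names, the `X-Client-Id` / `X-Timestamp` / `X-Signature` headers, the HMAC-SHA256 signing scheme, the 300-second freshness window and the `/v1/quote` path are all assumptions made for illustration; it needs PHP 7.3 or later, and the cURL extension only when `gk_call` is actually invoked.

```php
<?php
declare(strict_types=1);
// Added example. ASSUMPTIONS: header names, HMAC-SHA256 scheme, 300 s window, gk_* names.

/** Client side: headers authenticating one call. Pure function, no network. */
function gk_sign(string $clientId, string $secret, string $path, string $body, int $ts): array
{
    $mac = hash_hmac('sha256', "$ts\n$path\n$body", $secret);
    return ["X-Client-Id: $clientId", "X-Timestamp: $ts", "X-Signature: $mac"];
}

/** Client side: forward a payload to the self-hosted service via cURL. */
function gk_call(string $baseUrl, string $clientId, string $secret, string $path, array $payload): array
{
    $body    = json_encode($payload, JSON_THROW_ON_ERROR);
    $headers = gk_sign($clientId, $secret, $path, $body, time());
    $ch = curl_init($baseUrl . $path);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $body,
        CURLOPT_HTTPHEADER     => array_merge(['Content-Type: application/json'], $headers),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,  // keep TLS verification on
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $raw    = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    if ($raw === false || $status !== 200) {
        throw new RuntimeException("Service call failed (HTTP $status): " . curl_error($ch));
    }
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

/** Server side: accept only fresh, correctly signed requests from a known client. */
function gk_verify(array $secrets, string $clientId, int $ts, string $sig, string $path, string $body, int $now): bool
{
    if (!isset($secrets[$clientId]) || abs($now - $ts) > 300) {
        return false;  // unknown or revoked client, or stale timestamp (replay window)
    }
    $expected = hash_hmac('sha256', "$ts\n$path\n$body", $secrets[$clientId]);
    return hash_equals($expected, $sig);  // constant-time comparison
}
// Offline check with constructed values: sign as the client, verify as the server.
$body = json_encode(['invoice' => 42]);
$hdrs = gk_sign('client-a', 'constructed-secret', '/v1/quote', $body, 1700000000);
$sig  = substr($hdrs[2], strlen('X-Signature: '));
var_dump(gk_verify(['client-a' => 'constructed-secret'], 'client-a', 1700000000, $sig, '/v1/quote', $body, 1700000060));
var_dump(gk_verify([], 'client-a', 1700000000, $sig, '/v1/quote', $body, 1700000060)); // revoked client
```

The per-client secret lives on the client's hosting and is readable there, so it authenticates the client rather than protecting anything; removing its entry from the server's secret table is what cuts off access.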