I am now working on a PHP project (Internet Shop) that will possibly deal with storing customer credit card information locally. So I was thinking, among other things, about encrypting PHP files with IonCube, especially those containing settings (encryption/decryption key, IV) for the symmetric encryption algorithm. I'm not sure if it will add an extra layer of security or not, since it appears IonCube-encrypted files and similar solutions can be decrypted. Thank you!
- You can easily google for how to decrypt ioncube'd files in a few minutes. – zerkms Oct 05 '11 at 01:23
- My advice is, do not store this information. It's a liability. There are web services that will handle this for you. – dqhendricks Oct 05 '11 at 01:31
- @dqhendricks Thanks for the advice! Most probably I won't store credit card info, but I'm also storing encrypted personal info, like address, phone. – Evgeny Tryastsin Oct 05 '11 at 01:35
- If you are using PHP 5.3+, you can use mcrypt to encrypt/decrypt personal data before storing it in your database. You would probably want to use HMAC hashing on user passwords however. – dqhendricks Oct 05 '11 at 01:37
- @dqhendricks that's what I was doing. I just was wondering if ioncube encrypting the PHP file with the key and IV for mcrypt would improve general security or not... – Evgeny Tryastsin Oct 05 '11 at 01:43
- ioncube is not recommended. If they can get into your files... you already have a serious problem. – dqhendricks Oct 05 '11 at 01:45
- If they've gotten access to your encrypted PHP files you've already had a PCI breach, which means Visa/MasterCard will shut you down while you're forced to do a forensic analysis of everything under the sun. – ceejayoz Oct 05 '11 at 02:19
3 Answers
IonCube is not a suitable solution here. If you encode a file which contains something along the lines of:
<?php $SecretValue = "xyzzy"; ?>
It's still trivial to recover the secret value:
<?php require("encoded.secrets.php"); print $SecretValue; ?>
So the IonCube encoding is basically worthless here.
- Haven't played with ionCube in ages, but on PHP 5.3 or later, I suspect you could turn private class variables into public ones using the `reflection` extension (specifically, `ReflectionProperty::setAccessible`). – Aug 17 '12 at 05:46
- @wyred I have discovered by experience that a `var_dump` of a `new class_name()` will reveal all private variables in a class. – uınbɐɥs Sep 16 '12 at 18:46
- Would it be safe if we put the variables inside a function? I only need to store the secret key inside 2 functions for encrypting and decrypting. – wyred Sep 26 '12 at 07:49
- I wouldn't count on it. It'll be considerably more complicated, but there's probably still some tricky way to get PHP to end up revealing the values of those variables. – Sep 26 '12 at 16:25
- ioncube can prevent "non-encoded" files from requiring or including encoded files. Another layer is that all encoded files can be encoded with your own defined include key, so that files without an include key, or with a different one, cannot include them. By the way, functions for listing class variables or functions should be disabled on a production server via php.ini. – AppGeer Oct 30 '14 at 09:43
ionCube and Zend are fine for code protection, and even if some decompilation service produced usable code from an encoded file, this would typically do little if anything to diminish the benefits from encoding and license enforcement, and may even result in increased revenue in the longer term for the software provider.
Data hiding, however, is entirely different. Keep in mind that PHP and all of the associated library wrappers, plus the libraries themselves, are open source and therefore easily modified. Data sent into and returned from any PHP function can be easily exposed by simple changes to the PHP internals. Want to see the database password to MySQL? Just modify the mysql_connect() wrapper or the underlying MySQL library and log the details. Some encoding systems, for example ionCube, can encrypt non-PHP files and then decrypt them at runtime via closed-source routines in their runtime component, which may in some cases provide some benefits over the open-source PHP routines such as mcrypt.
duskwuff is not entirely incorrect with the example cited, as in some systems, ionCube for example, it is possible to protect files from being included by non-encoded files, or by files encoded by a different copy of the Encoder, through a mechanism called "include attack protection". Nonetheless, storing sensitive data in variables, particularly globals, is a poor approach, and it would be better to have such data returned by a function with a misleading name that perhaps performs differently unless called in a particular way, e.g. a function called mytime() that does return the time unless called with a "magic" value.
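The thread's consistent point is that a key or IV written into a PHP file is recoverable no matter how the file is encoded. The usual defensive answer is to keep the key out of the source tree altogether and to fix the other weakness in the question, a fixed IV in a settings file. The script below is an added example, not code from the question or from any of the answers; it assumes an environment variable named SHOP_DATA_KEY (or, failing that, a key file at /etc/shop/data.key outside the web root) holding a base64-encoded 32-byte key, and it uses PHP's openssl extension with AES-256-GCM (PHP 7.1 or later) in place of the mcrypt calls mentioned in the comments, since mcrypt was removed from core PHP in 7.2.

```php
<?php
// Added example: keep the data-encryption key out of PHP source entirely.
// The key is read from an environment variable (assumed name: SHOP_DATA_KEY)
// or from a file outside the document root (assumed path: /etc/shop/data.key).
// Because the PHP file never contains the key, encoding the file adds nothing
// and decoding it reveals nothing. Requires PHP 7.1+ for aes-256-gcm.

declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';
const IV_LEN  = 12;   // 96-bit nonce, the recommended size for GCM
const TAG_LEN = 16;   // 128-bit authentication tag

/** Load the 32-byte key from the environment, or from a file outside the web root. */
function loadDataKey(): string
{
    $b64 = getenv('SHOP_DATA_KEY');
    if ($b64 === false || $b64 === '') {
        $path = '/etc/shop/data.key'; // assumed location, readable only by the web server user
        $b64 = @file_get_contents($path);
        if ($b64 === false) {
            throw new RuntimeException('data key not available');
        }
    }
    $key = base64_decode(trim($b64), true);
    if ($key === false || strlen($key) !== 32) {
        throw new RuntimeException('data key must be 32 bytes, base64-encoded');
    }
    return $key;
}

/**
 * Encrypt one field. A fresh random IV per record is mandatory; a fixed IV kept
 * in a settings file (as in the question) lets identical plaintexts be spotted.
 * $context (e.g. "table.column:rowid") is authenticated but not stored, so a
 * ciphertext copied into another row or column no longer decrypts.
 */
function encryptField(string $plaintext, string $key, string $context): string
{
    $iv  = random_bytes(IV_LEN);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored layout: iv || tag || ciphertext, base64 for a text column.
    return base64_encode($iv . $tag . $ct);
}

function decryptField(string $stored, string $key, string $context): string
{
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < IV_LEN + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, IV_LEN);
    $tag = substr($raw, IV_LEN, TAG_LEN);
    $ct  = substr($raw, IV_LEN + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $context);
    if ($pt === false) {
        // Wrong key, tampered data, or wrong context: refuse rather than return garbage.
        throw new RuntimeException('decryption failed (tampered, or wrong key/context)');
    }
    return $pt;
}

// Demo on constructed data with a throwaway key set for this process only.
putenv('SHOP_DATA_KEY=' . base64_encode(random_bytes(32)));
$key = loadDataKey();

$stored = encryptField('+1 555 0100', $key, 'customers.phone:42');
echo "stored:    $stored\n";
echo "decrypted: ", decryptField($stored, $key, 'customers.phone:42'), "\n";

// Moving the value to another row is caught by the authentication tag.
try {
    decryptField($stored, $key, 'customers.phone:43');
} catch (RuntimeException $e) {
    echo "rejected:  ", $e->getMessage(), "\n";
}
```

Two design points worth noting: the key never appears in a file that PHP parses, so the include and reflection tricks discussed in the comments have nothing to find, and authenticated encryption (GCM) detects tampering and cross-record copying, which a bare CBC or ECB call with mcrypt would not. Key rotation then becomes an operational task (re-encrypt with a new key from the environment) rather than a code change.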
If you're going to encode/encrypt your files, Zend Guard is supposed to be one of the best, but as others have said, if they can get to your files that's the least of your worries.