First off, I am personally against obfuscation and agree with others who are so, such as most respondents to this previous question.

However, I have been told to find one. So, please, let's not rehash why obfuscators are useless. Thanks.

I have to find a PHP obfuscator which

  • is preferably free :-)
  • will obfuscate all strings, but not SQL (!!??) (e.g., in $_SESSION['password'] = 'secret'; it should obfuscate $_SESSION, password and secret, but should not obfuscate strings like odbc_exec($connection, 'drop database if exists users');)
  • can scan a project across multiple directories and know that variable $password declared in file a.php and renamed to $lI1O0l should be so named in file b.php which includes a.php (and all other dependency stuff)
  • will strip all comments and reduce whitespace
  • is tried and proven on medium-large projects (at least a few hundred files in a few dozen directories)
  • (and this one is tricky) - does not access the internet. So, if it is a commercial product it might have licence files which I get from the vendor and send to my customer's IT dept (on CD, for instance) for installation. But the customers' PCs will not have internet access to determine if the obfuscator is validly licensed.

Does such a beast exist? Would it make any difference if I run my code through a PHP compiler and ship an executable to the customers (if so, which compiler)?

I realize this is rather a contentious subject, but I'm just asking for advice to help me try to do my job ...

Thanks in advance

Mawg says reinstate Monica
  • No. You can compile to opcode (I suppose). Maybe just author the site in a language with the obfuscation capabilities requested. – Jared Farrish Oct 13 '11 at 03:45
  • Why do you care if it obfuscates SQL...? – bdonlan Oct 13 '11 at 03:46
  • Why don't you start looking at the answers to your linked question, and start fiddling around with the suggested products? Your requirements are very specific and I guarantee you will never find a product that fits all of them in default configuration. –  Oct 13 '11 at 03:46
  • @bdonlan - I don't think the *OP* cares... – Jared Farrish Oct 13 '11 at 03:47
  • Requirements are too specific. Rewriting variable names selectively is pretty complicated in itself. You won't find such a thing as source code obfuscator. – mario Oct 13 '11 at 03:47
  • @Mario: You won't? Gosh, I thought that's what mine did. – Ira Baxter Oct 13 '11 at 05:08
  • @bdonlan, I care that it *doesn't* obfuscate SQL - since the SQL driver wouldn't be able to understand it. Which, of course, gives something away to hackers ... – Mawg says reinstate Monica Oct 13 '11 at 05:48
  • @bdares, "I guarantee you will never find a product that fits all of them in default configuration" is an answer in itself. – Mawg says reinstate Monica Oct 13 '11 at 05:49
  • @Jared Farrish, sorry, too late to re-author. It is written in PHP and now it "needs to be obfuscated" – Mawg says reinstate Monica Oct 13 '11 at 05:50
  • @mario, "Requirements are too specific" - requirements are ... requirements. I don't get to choose them; they are required of me (which is why I stated that I am anti-obfuscation) – Mawg says reinstate Monica Oct 13 '11 at 05:51
  • @Mawg it sure is, if you're unable or unwilling to configure a solution to fit your needs. –  Oct 13 '11 at 05:51
  • @Mawg, it matters whether you want to obfuscate strings _in the source code only_ for SQL. After all, any strings that are printed to the user also can't be obfuscated, right? – bdonlan Oct 13 '11 at 15:07

2 Answers

You're probably best off just using an encoder like Zend Guard or similar.

Amber
  • Using the obfuscator created by the language developers is the obvious choice. – Jeff Day Oct 13 '11 at 03:56
  • I did consider it, but can you guarantee that it doesn't need internet access to verify that it is validly licenced? A non-negotiable requirement (not of my choice) is that the solution work on PCs with no internet access. – Mawg says reinstate Monica Oct 13 '11 at 05:54
  • @Mawg http://www.zend.com/en/products/guard/faq#faq2 and http://www.zend.com/en/products/guard/faq#faq4 – Amber Oct 13 '11 at 06:01
  • @amber. Thanks. Those URLs don't actually explicitly state that the product will not "phone home" and can work without internet access (so far as I can see), but I have emailed them and if it will work I will ask you to post an answer. – Mawg says reinstate Monica Oct 13 '11 at 06:19

Our PHP Obfuscator will do most of this. It has been used on very large PHP applications.

It won't not-obfuscate SQL strings, but I'm not sure where that requirement came from. What it does to such strings doesn't change their functionality in programs.

You can tell it to not-obfuscate certain names (e.g., odbc), which is generally required if those names come from packages you can't obfuscate, too.

EDIT: And it doesn't need internet access to verify it is licensed.

Ira Baxter
  • @mario the first link in the article is an apparently working example. –  Oct 13 '11 at 05:54
  • @Mario: Always open to constructive advice. Can't help you on the FLOSS part; gotta eat somehow and nobody else pays my bills. Example choices are always hard; we tend to choose smaller rather than larger because most folks don't have the patience to look at 100 files. It does operate on a *parse* tree for the various source files, and yes, it *could* do more rewriting, which we hope to get back to sometime. In the meantime, I welcome you to poke around that site for other PHP tools, and tell me what you think. – Ira Baxter Oct 13 '11 at 06:19
  • Seen some of it before. But the site hasn't changed much. You should really make it more advertis-y. Yes, flashy doesn't suit a technical product like that, but all I can think of is redesign and str_split. -- I was thinking of a source rewrite ala pihipi, but that wouldn't quite be just obfuscation anymore, drain performance noticeably, so not what's generally wanted in such cases. – mario Oct 13 '11 at 06:23
  • @mario: sorry, must be my old fogeydom. "str_split"? I know what this is as a PHP function, but I think you are using it colloquially. – Ira Baxter Oct 13 '11 at 06:29
  • Ok, it's looking acceptable. I have run a trial & it looks ok. I will ask if I may order then confirm the functionality again. Thanks – Mawg says reinstate Monica Oct 13 '11 at 06:38
  • @Ira, I don't mean to offend, but this might keep casual hackers at bay, but this ------------ if (lg() == 0) { echo Os('eLogger log-in',FALSE); echo ' eLogger '.l3; echo ' '.l3; echo ' There are currently no licences available for use '.l3; echo ' '.l3; l2(); echo ' '.l3; echo ''.l3; echo ' '.l3; echo lt(); exit; } – Mawg says reinstate Monica Oct 13 '11 at 06:46
  • @Mawg: Sorry, you didn't complete your thought. Have you read the docs yet? – Ira Baxter Oct 13 '11 at 06:52
  • replace prev comment by - while this might keep casual hackers at bay, it seems to me that in this output, I can clearly see the error string which is shown to the user "There are currently no licences available for use" and step back to last "if" and just reverse it ------------ if (lg() == 0) { echo Os('Log-in',FALSE); echo ' logo '.l3; echo ' '.l3; echo ' There are currently no licences available for use '.l3; echo ' '.l3; l2(); & so on ... – Mawg says reinstate Monica Oct 13 '11 at 06:57
  • same way we used to disassemble DOS programs. Find the error string & look back to the last JMP or, in this case, if. Just change if (lg() == 0) to if (lg() != 0) and the product believes itself to be licenced :-( – Mawg says reinstate Monica Oct 13 '11 at 07:04
  • I thought that I had. I used the +Obfuscate switch. Did I miss anything? Ira, I am not trying to disrespect your product or start a flame war. Maybe I should email you for support? But what's fundamentally wrong with my previous comment (find the error string which the user sees and reverse the "if")? I'm off to read your docs again. Best wishes. – Mawg says reinstate Monica Oct 13 '11 at 08:23
  • let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/4220/discussion-between-mawg-and-ira-baxter) – Mawg says reinstate Monica Oct 13 '11 at 08:23
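
Added example, not part of the original thread and not code from any product mentioned in it: a toy Python renamer showing the project-wide rename map and the list of names to leave alone that the question and second answer describe, and showing that literal text such as the licence message stays readable after renaming. The file contents and the helpers `build_map`, `obfuscate` and `surviving_literals` are constructed for illustration; heredocs, variable variables, property names and function names are not handled.

```python
import re

# Superglobals and $this cannot be renamed without breaking the program.
RESERVED = {"this", "GLOBALS", "_SERVER", "_GET", "_POST", "_FILES",
            "_COOKIE", "_SESSION", "_REQUEST", "_ENV"}
SQ = r"'(?:\\.|[^'\\])*'"            # single-quoted literal (never interpolated)
DQ = r'"(?:\\.|[^"\\])*"'            # double-quoted literal (interpolated)
VAR = r"(?<!\\)\$([A-Za-z_]\w*)"     # $name, unless the $ is escaped
TOKEN = re.compile(f"{SQ}|{DQ}|{VAR}", re.S)
VAR_RE = re.compile(VAR)

def build_map(sources, keep=()):
    """One rename map for the whole project, so every file agrees on it."""
    names = set()
    for src in sources.values():
        for m in TOKEN.finditer(src):
            if m.group(1):
                names.add(m.group(1))
            elif m.group(0).startswith('"'):
                names.update(VAR_RE.findall(m.group(0)))
    names -= RESERVED | set(keep)
    return {n: f"_{i:04x}" for i, n in enumerate(sorted(names))}

def obfuscate(src, mapping):
    """Rename variables; the text of string literals is left as written."""
    def rename(m):
        return "$" + mapping.get(m.group(1), m.group(1))
    def visit(m):
        text = m.group(0)
        if text.startswith("'"):
            return text                      # plain literal: untouched
        if text.startswith('"'):
            return VAR_RE.sub(rename, text)  # interpolated names follow the map
        return rename(m)
    return TOKEN.sub(visit, src)

def surviving_literals(src):
    """Literal text still readable after renaming (messages, keys, SQL)."""
    return [m.group(0)[1:-1] for m in TOKEN.finditer(src) if m.group(1) is None]

# Constructed two-file project reusing the strings quoted in this thread.
PROJECT = {
    "a.php": "<?php $password = 'secret'; $_SESSION['password'] = $password;",
    "b.php": "<?php include 'a.php';\n"
             "if (lg($password) == 0) { echo 'There are currently no licences available for use'; exit; }\n"
             "odbc_exec($connection, 'drop database if exists users');",
}

if __name__ == "__main__":
    mapping = build_map(PROJECT, keep=("connection",))
    for name, src in PROJECT.items():
        out = obfuscate(src, mapping)
        print(name, out, surviving_literals(out), sep="\n  ")
```

Running `surviving_literals` over a build is a quick review of what identifier renaming leaves in plain view, which is the limitation raised in the comments above.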