
Protecting your PHP Source Code with ionCube Encoder

The ionCube Standalone PHP Encoder is the leading script protection solution for PHP 4, PHP 5 and PHP 5.3 based software.

ionCube protection uses 100% compiled PHP. By utilizing a closed-source execution engine, the ionCube encoding tools deliver the best performance and PHP source code protection of any encryption solution currently available. With features to meet the demands of both small and enterprise-scale applications, the ionCube Encoder’s unrivaled PHP protection, performance, and all-round flexibility and feature set make it the ideal and only serious no-compromise solution for protecting PHP.

Because the PHP is encoded into a special bytecode, a loader, which is a PHP module, must be installed on your web server. Before we proceed, let’s take a quick look at an encoded file. Listing 1 shows a basic PHP script.



<?php
echo "Hello, world!\n";


We can then run this script through the encoder. While there are many different options available, encoding a script with the default options yields the following PHP file.


<?php //000a8
echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.
basename($__ln).' to be installed by the site administrator.');exit(199);









While you cannot understand what this code does just by looking at it, your PHP installation with the correct loader installed interprets this just as if it was the code in Listing 1.

Encoding your PHP files

The ionCube PHP Encoder is a command-line program that you run on one or more files, or on an entire set of folders. If you’re encoding an entire PHP application you would typically run it on the original source folder. The encoder will duplicate the entire tree, except that the PHP code will be encoded.

Now let us use the command shown in Listing 3 to generate this encoded script.


/usr/local/ioncube/ioncube_encoder5 helloworld.php -o helloworld-enc.php

In this example, -o specifies the output location; we simply created the encoded file in the same directory under a different filename. Typically you would want to create the file with the same filename as the original (without replacing the original source code). To achieve this, set the input and output both to be a directory. The encoder will automatically recurse through all directories in the input directory and encode all PHP files. To demonstrate this, let’s assume helloworld.php is in a directory called src. Listing 4 shows the command we use to encode this entire path. The example outputs the encoded files to the build directory.


/usr/local/ioncube/ioncube_encoder5 src -o build

We now have a directory called build which is identical to src except that the PHP files are encoded. There are many other command-line options. You can discover some of these by running ioncube_encoder5 with no arguments. Additionally, the “Encoder User Guide API” document is extremely useful.



Protecting Non-PHP Code

Depending on how your web application has been designed, there may be some non-PHP files you would like to prevent users from being able to read. Good examples of such files are XML files or Smarty template files. The ionCube PHP Encoder includes an encryption option. This feature is used to protect non-PHP files (but it differs from the PHP encoding since the output isn’t a bytecode format).

To encrypt files, the --encrypt command-line option is used. You can then specify a file pattern that will be encrypted. For example, if you want to encrypt every file with the extension tpl you would specify --encrypt "*.tpl". Without doing so, the encoder would simply copy all tpl files exactly as-is into the target directory.

Listing 5 shows the command we can now type on our src directory. The directory contains the helloworld.php script and a template called index.tpl.


/usr/local/ioncube/ioncube_encoder5 src/ -o build --encrypt "*.tpl"
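
A post-build check for the command above, as an added example that is not part of the original article or of ionCube's tooling: it reports files in the output directory that are byte-identical to their source, which is what happens to a tpl file when the --encrypt pattern is left out. The function names find_unprotected, check_build and demo are hypothetical, and the sample tree in demo is constructed.

```shell
#!/bin/sh
# Added example: list files under BUILD that the encoder left unprotected,
# i.e. byte-identical to the same path under SRC, or missing altogether.
# usage: find_unprotected SRC BUILD [PATTERN...]   (default: '*.php' '*.tpl')
# Assumes file names contain no newlines.
find_unprotected() {
    src=${1%/}; build=${2%/}; shift 2
    [ "$#" -gt 0 ] || set -- '*.php' '*.tpl'
    for pat in "$@"; do
        find "$src" -type f -name "$pat" -print
    done | sort -u | while IFS= read -r f; do
        rel=${f#"$src"/}
        if [ ! -f "$build/$rel" ]; then
            printf 'MISSING %s\n' "$rel"
        elif cmp -s "$f" "$build/$rel"; then
            printf 'PLAINTEXT %s\n' "$rel"
        fi
    done
}

# Release gate: print the findings to stderr and fail when there are any.
check_build() {
    findings=$(find_unprotected "$@")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings" >&2
        return 1
    fi
}

# Constructed sample: a build where --encrypt "*.tpl" was forgotten, so
# index.tpl was copied as-is. The "encoded" PHP is only a placeholder.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/src" "$tmp/build"
    printf '<?php\necho "Hello, world!\\n";\n' > "$tmp/src/helloworld.php"
    printf 'placeholder for encoder output\n' > "$tmp/build/helloworld.php"
    printf '{foreach from=$myArr item=row}\n' > "$tmp/src/index.tpl"
    cp "$tmp/src/index.tpl" "$tmp/build/index.tpl"
    find_unprotected "$tmp/src" "$tmp/build"
    rm -rf "$tmp"
}

demo   # prints: PLAINTEXT index.tpl
```

A clean result only shows that no matching file was copied verbatim; it does not prove that a file which differs from its source was encoded correctly.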

Listing 6 shows the original template file:

{foreach from=$myArr item=row}



Now when we run the command from Listing 5, not only is the PHP script encoded, the index.tpl file is encrypted. Listing 7 shows what the encrypted file may look like.





Your application must be able to handle these encrypted files. Fortunately, when a loader is present in a PHP installation, a number of additional functions are made available that allow you to deal with encrypted files.

The ioncube_read_file() function decrypts files that have been previously encrypted. This function accepts a file system path as its only argument and returns the decrypted data. If the file at the input path was not encrypted, its contents are returned as-is.

Note: The ioncube_read_file() function will only work from within an encoded PHP file. Additionally, it can only decrypt files that were encrypted with the same encoder that encoded the PHP file. This prevents other people from being able to decrypt your files.

Since we encrypted a Smarty template in the previous example, let’s take a quick look at the changes required to Smarty to read encrypted files. The ionCube website contains notes on patching Smarty so it is compatible. This change makes sure ioncube_read_file() is available before calling it, meaning you can use the patched version in applications whether or not they’re encoded. The API also includes an ioncube_write_file() function, which allows you to write encrypted data directly from within your application. This allows you to protect data generated by your application.