So far we've reached the conclusion that in most cases code obfuscation is pointless :) But there are a few exceptional cases in which code obfuscation can be really useful. Code obfuscation is only needed when you have to:
1. Hide some special algorithm in your program. This does not include string literals, because they are easily de-obfuscated in any case: no matter how scrambled they are, strings are always easier to decode. The algorithm's logic itself should be the thing you intend to hide, not strings.
2. Get PHP software of yours to a stage where it is difficult to upgrade or reuse after someone else has modified it in his own version of your software :) Obscuring the program instructions usually forces the "thief" to give up on changing your ready-written code and start writing his own, simply because that happens to be the easier thing to do :)
3. ...and of course if you've been using someone else's copyrighted source code in your program, and want to hide this when you deliver it (although the usefulness in this case is controversial)
All this relates to 'obfuscation', not 'encoding', because 'encoded' source code is VERY EASY TO DECODE, and what is worse: when successfully decoded, it actually gives back the true ORIGINAL SOURCE CODE of the program you've written, along with all the details about logic, algorithms, the true names of objects and variables, even your comments. So forget about 'encoders' if you want to do one of the numbered things listed above. In those cases, a good 'PHP obfuscator' can be really useful to you. Now... this is not a myth, it's reality :)
When the code is 'obfuscated' (not 'encoded'), things are rather different. You can never restore the original flow and structure of the code. Properly obfuscated PHP code is genuinely scrambled at its "heart", not simply an encoded string of your original code (which is what encoders produce). With obfuscation you can still recover the string literals, but you can't actually make the code logic readable for humans. If you need to read and understand obfuscated code in order to add or change something in it, or to copy and reuse it (with changes) elsewhere, you will have to put much more effort into making sense of it than into writing the needed code completely on your own. It becomes a reverse-engineering endeavour that is not worth the effort. That is exactly what matches the cases listed above, in which obfuscation can be useful and is not a myth.
Many people think that they can hide password strings or other credentials in .php files by obfuscating or encoding them. This is one of the myths about obfuscators and encoders :) It is totally misleading. You can NEVER hide string literals when you give your .php away to others. Other people can always decipher the string literals. In any case! It does not matter how sophisticated an encoding or obfuscation algorithm you use on that .php: the true value of the strings can ALWAYS be extracted, even if it takes a little effort.
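An added example, not part of the original article, of the two points above: an 'encoded' file gives back the full original source (comments and names included), while renaming loses the names but still leaves every string literal readable. It is written in Python so the wrapper is undone statically without running any PHP; the sample script, its credential, the eval/gzinflate/base64 wrapper shape and the toy renamer are all constructed assumptions, not the behaviour of any tool named in this article.

```python
import base64
import re
import zlib

# Constructed sample: a PHP script with a comment, meaningful names and a credential.
ORIGINAL = '''<?php
// compute the licence checksum (secret algorithm)
$db_password = "s3cr3t-example";
function licence_checksum($serial) {
    return crc32($serial . "salt-example") % 9973;
}
'''

def encode_php(source):
    """Mimic a simple 'encoder': raw deflate + base64 wrapped in eval()."""
    body = source.replace("<?php\n", "", 1)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as PHP gzdeflate
    blob = base64.b64encode(comp.compress(body.encode()) + comp.flush()).decode()
    return "<?php eval(gzinflate(base64_decode('%s')));" % blob

def decode_php(encoded):
    """Undo the wrapper statically; nothing is executed."""
    m = re.search(r"base64_decode\('([A-Za-z0-9+/=]+)'\)", encoded)
    if m is None:
        raise ValueError("no base64 payload found")
    return "<?php\n" + zlib.decompress(base64.b64decode(m.group(1)), -15).decode()

def rename_identifiers(source):
    """Toy irreversible renaming: comments dropped, names replaced by _0, _1, ..."""
    names = {}
    def opaque(match):
        prefix, name = match.group(1), match.group(2)
        names.setdefault(name, "_%d" % len(names))
        return prefix + names[name]
    out = re.sub(r"//[^\n]*\n", "", source)              # comments are gone for good
    out = re.sub(r"(\$)([A-Za-z_]\w*)", opaque, out)      # $variables
    return re.sub(r"(function\s+)([A-Za-z_]\w*)", opaque, out)  # declared functions

def string_literals(source):
    """Double-quoted literals, readable in any variant of the file."""
    return re.findall(r'"([^"]*)"', source)

if __name__ == "__main__":
    print(decode_php(encode_php(ORIGINAL)))   # identical to ORIGINAL
    print(rename_identifiers(ORIGINAL))       # names lost, strings intact
```

The practical consequence for a developer shipping PHP: keep credentials out of the delivered files entirely, since neither variant protects them.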
When you decide to obfuscate PHP code, the first thing you need to choose is which method of obfuscation to use, depending on the level of complexity and the interactions between the different .php files in your project.
1. The first method is CHANGING IRREVERSIBLY the names of the variables and functions in your script(s).
There are obfuscators that effectively change the names of all variables in an entire project, and do it irreversibly! The best such obfuscator that I have come across is called Obfusc. It's commercial, but you can download a demo version from their website: http://www.obfusc.com/ Obfusc has a really comprehensive array of settings and the most intuitive interactive user interface for managing variables and functions. Hmmm... so far so good, but you need to know something about this method of obfuscation. When you irreversibly rename all variables, most of the time this breaks the functionality of the obfuscated code, especially if there are many variable interactions between the different .php scripts. In other words: your obfuscated scripts will most likely not work :) To fix this problem, it is necessary to obfuscate the entire project. Yes, it is possible to obfuscate an entire project, and that's exactly what Obfusc is designed to do, but it is still a difficult, time-consuming, non-automatic operation. You have to know in detail how your project's variables interact between scripts and form inputs, and it can take you anywhere from one day to one month (for large projects that use many external modules) to obfuscate your entire project successfully using this method and, most crucially, to get it working while obfuscated :)
2. The second method of obfuscation is ONLY OBSCURING the names of the variables and functions in your script(s), not changing them irreversibly, while also scrambling the order of the instruction flow. PHP, because of its non-strictness, actually permits this kind of obfuscation. It is the most compatible, fast and easy to perform, and at the same time effective type of PHP protection you can get. If you need to protect a single .php file or an entire project so that it is not worth trying to understand, and you need to do it fast and easily, then this is your method of choice. You can obfuscate one or several .php files at a time, or you can obfuscate the entire project in an instant. Unlike the first method, there is no additional tuning and there are no settings. With this method you can even obfuscate the HTML code that is embedded in .php files. There are very few such obfuscators available, and they are usually online obfuscators. The best I've come across recently is called Best PHP Obfuscator :))) It can be found at http://www.pipsomania.com/best_php_obfuscator.do - it is the fastest and the most 'bug free' obfuscator that I've ever encountered on the internet. In contrast with all other obfuscators, Best PHP Obfuscator actually re-arranges the instructions inside the program flow in random patterns, in such a way that even if you manage to de-obscure the variable names, you still get a bunch of nonsense code that is impractical to read and change. There is one more popular obfuscator on the internet. It's called Code Eclipse. It is also good, and is also an online service. It can be found at http://www.codeeclipse.com/
Well, I hope this article was useful for those who were wondering whether or not to obfuscate their code and, if so, how to do it with the optimal solution for their particular code protection needs.
author: PatlaDJ (patladj aaat gmail)