A dedicated web server running PHP scripts is vulnerable if the scripts are
stored on the server in plain text format. Since scripts are often designed to access critical
areas of your business operations, such as a product order database that often includes sensitive
financial information, it is vital that these scripts are protected so that information such as
logins and passwords cannot be easily retrieved if a server is compromised or when the server
file system is exposed to your hosting provider's support staff during a maintenance session.
PHP scripts can be compiled into a binary format known as bytecode by either commercial or open
source products. Once compiled, the structure and execution flow of the scripts are stored in
binary form and are no longer human readable. Data and text messages may still be visible, but
with a little extra programming or encryption effort, it is safe to say that it is impossible
to decipher or reverse engineer a compiled script in bytecode form.
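
The paragraph above notes that data and text messages may still be visible in a compiled file. As an added example (not from the original article or from any encoder vendor), this Python script lists the printable strings left in an encoded file and flags the ones that look like credentials, so you can check what remains readable before deploying. The sample bytes, the hint patterns and all names are constructed for illustration and do not follow any real bytecode format.

```python
import re

# Runs of at least MIN_LEN printable ASCII bytes, the same idea as strings(1).
MIN_LEN = 6
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# Heuristic patterns for literals that should not survive in a deployed file.
# These are assumptions for the example; tune them to your own code base.
SECRET_HINTS = [
    ("dsn", re.compile(r"\b(?:mysqli?|pgsql)://\S+:\S+@", re.I)),
    ("assignment",
     re.compile(r"(?:passw(?:or)?d|pwd|secret|api_?key)\s*[=:]\s*\S+", re.I)),
]


def printable_strings(blob: bytes) -> list[tuple[int, str]]:
    """Return (offset, text) for every printable run in the blob."""
    return [(m.start(), m.group().decode("ascii"))
            for m in PRINTABLE_RUN.finditer(blob)]


def audit(blob: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, hint_name, text) for runs that look like credentials."""
    findings = []
    for offset, text in printable_strings(blob):
        for name, pattern in SECRET_HINTS:
            if pattern.search(text):
                findings.append((offset, name, text))
                break  # one finding per string is enough
    return findings


# Constructed sample: binary noise with three string literals embedded, the
# way literals can remain visible in compiled output. Not a real file format.
SAMPLE = (
    b"\x00\x01BCODE\x00\x07\x9c\xf2"
    b"\x12mysql://shop:s3cr3t@db.example.internal/orders\x00"
    b"\x83\x10\x0bOrder saved\x00\xfe\x02"
    b"\x0edb_password=hunter2\x00\xff\x00"
)

if __name__ == "__main__":
    for offset, name, text in audit(SAMPLE):
        print(f"offset {offset:>4}  [{name}]  {text}")
```

To audit a real file, pass `open(path, "rb").read()` to `audit()`; any finding means the literal should be moved out of the script or encrypted before the file is shipped.
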
Zend Guard (formerly Zend Encoder) is a Windows-based commercial product that protects your
applications from reverse engineering and unauthorized customization by providing encoding and
obfuscation. It further protects from unlicensed use and redistribution by providing comprehensive
licensing support. If you want to convert all your PHP scripts into bytecodes, consider that
Zend Guard offers the following major features.
Widely known PHP encryption product for over 7 years.
Most stable and robust encoder on the market.
Full support for object oriented programs created with PHP 4 or PHP 5.
Up to 30% execution speed gain in most cases.
For more technical information, visit the publisher's website.
Zend Guard needs Zend Optimizer to be installed as an Apache extension so that the bytecode
files can be interpreted properly. This is a freely downloadable product.
There are several major disadvantages encountered when deploying Zend Guard to protect
your PHP scripts.
Zend Optimizer, at the time of this writing, does not do bytecode caching, so converting scripts
into bytecode may actually slow down the performance of your server.
Once installed, it is not easy to uninstall the product. The process requires renaming the PHP
initialization file /etc/php.ini since Zend Guard moves this file to its own directory at /usr/local/Zend/etc,
or having to comment out the Zend section added to the original php.ini file.
Zend Optimizer is not compatible with other bytecode compilers and may cause system instability.
Zend Guard offers a simple and straightforward user interface to convert one or more PHP script files to
their equivalent bytecodes. You can add a group of files or choose an entire directory as illustrated above.
Major output options include PHP 4 or 5 compatibility, choice of file extensions, choice of output directory,
and the level of obfuscation. The bytecode files are generally smaller in size compared to the original
text file. If your PHP files are smaller than 1 K, the bytecode files may be larger than the original text file.
If you just want to see how PHP performs in binary format with bytecode caching and without shelling out
a lot of money, the open source product bcompiler discussed in the next section can be very attractive.