A dedicated web server running PHP scripts is vulnerable if the scripts are stored on the server in plain text. Scripts are often designed to access critical areas of your business operations, such as a product order database that includes sensitive financial information. It is therefore vital to protect these scripts so that information such as logins and passwords cannot be easily retrieved if the server is compromised, or when the server file system is exposed to your hosting provider's support staff during a maintenance session.

PHP scripts can be compiled into a binary format known as bytecode by either commercial or open source products. Once compiled, the structure and execution flow of the scripts are stored in binary form and are no longer human readable. Data and text messages may still be visible, but with a little extra programming or encryption effort, it is safe to say that it is impossible to decipher or reverse engineer a compiled script in bytecode form.
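The point that data and text messages may remain visible in a compiled script can be checked before deployment. The following is an added example (not from the original article or from any vendor): it lists which credential-like literals from a PHP source file are still readable in its compiled output. The variable-name pattern, the sample script and the stand-in blob are constructed assumptions, and the blob is not real Zend bytecode.

```python
import re

# Assumed naming convention for variables that hold credentials.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|user|login|key", re.I)
# Matches  $name = 'literal';  and  $name = "literal";
ASSIGNMENT = re.compile(r"""\$(\w+)\s*=\s*(['"])((?:\\.|(?!\2).)*)\2\s*;""", re.S)


def sensitive_literals(php_source: str) -> dict:
    """Map credential-like variable names to the string literal assigned to them."""
    return {
        name: value
        for name, _quote, value in ASSIGNMENT.findall(php_source)
        if SENSITIVE_NAME.search(name) and value
    }


def printable_runs(blob: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII, as the `strings` utility would."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [run.decode("ascii") for run in re.findall(pattern, blob)]


def leaked_literals(php_source: str, compiled: bytes) -> list:
    """Names of credential variables whose value is still readable in the compiled file."""
    runs = printable_runs(compiled)
    return sorted(
        name
        for name, value in sensitive_literals(php_source).items()
        if any(value in run for run in runs)
    )


# Constructed sample script (not from the article).
SAMPLE_SOURCE = """<?php
$db_user = 'orders_app';
$db_password = 'S3cr3t-Example!';
$page_title = "Order status";
"""

# Constructed stand-in for the compiled file. It is NOT real Zend bytecode: it only
# mimics binary structure with one literal stored as-is and one stored XOR-masked.
SAMPLE_COMPILED = (
    b"\x00\x07ZB\x01\x00\x03\x10" + b"S3cr3t-Example!" + b"\x00\x9c"
    + bytes(b ^ 0x5A for b in b"orders_app") + b"\x00Order status\x00"
)

if __name__ == "__main__":
    print("still readable after compiling:", leaked_literals(SAMPLE_SOURCE, SAMPLE_COMPILED))
```

Any name the check reports is a literal that needs the extra programming or encryption effort mentioned above, or should be moved out of the script altogether.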

Zend Guard (formerly Zend Encoder) is a Windows-based commercial product that protects your applications from reverse engineering and unauthorized customization by providing encoding and obfuscation. It further protects against unlicensed use and redistribution by providing comprehensive licensing support. If you want to convert all your PHP scripts into bytecode, consider that Zend Guard offers the following major features:

  • Widely known PHP encryption product for over 7 years.

  • Most stable and robust encoder on the market.

  • Full support for object oriented programs created with PHP 4 or PHP 5.

  • Up to 30% execution speed gain in most cases.

For more technical information, visit the publisher's website.

Zend Guard needs Zend Optimizer to be installed as an Apache extension so that the bytecode files can be interpreted properly. This is a freely downloadable product.

There are several major disadvantages encountered when deploying Zend Guard to protect your PHP scripts:

  • At the time of writing, Zend Optimizer does not do bytecode caching, so converting scripts into bytecode may actually slow down the performance of your server.

  • Once installed, the product is not easy to uninstall. The process requires either renaming the PHP initialization file /etc/php.ini, since Zend Guard moves this file to its own directory at /usr/local/Zend/etc, or commenting out the Zend section added to the original php.ini file.

  • Zend Optimizer is not compatible with other bytecode compilers and may cause system instability.

Zend Guard offers a simple and straightforward user interface to convert one or more PHP script files to their equivalent bytecode. You can add a group of files or choose an entire directory as illustrated above. Major output options include PHP 4 or 5 compatibility, choice of file extensions, choice of output directory, and the level of obfuscation. The bytecode files are generally smaller in size than the original text files. If your PHP files are smaller than 1 K, the bytecode files may be larger than the original text files.

If you just want to see how PHP performs in binary format with bytecode caching and without shelling out a lot of money, the open source product bcompiler discussed in the next section can be very attractive.