Encrypted PHP code

 

The Problem:

The problem arises when your site is on a shared host. Your PHP source has to be readable by the web server, and on a typical shared host that means it is readable by everyone, so the other users on the machine can read the code you wrote. They can do this in many ways. If PHP is not running in safe mode, their own scripts can simply fopen() and fread() your files. Since a site that talks to MySQL has to keep the database username and password somewhere in its source (or in a config file the source includes), anyone who can read the code can log in to your database and gain full access to it. Hosts should therefore always run PHP in safe mode, which stops a script from opening files owned by a different user, but this does not fix the problem: safe mode only restrains PHP. A two-line Perl script, or cat at the shell, will read any world-readable file on the system.

Another problem with letting other users on the host read your code is copyright. If you spend a lot of time building a complex PHP site that you intend to sell to companies all over the Internet, anyone hosted on the same server can simply copy the source. And if the site has a login interface, any user on that host can take the database credentials from the source and pull usernames and passwords out of the database, or read the code to find holes that let them in.
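The check behind this section, as an added example that is not part of the original page: a small Go program (not PHP, so it behaves the same whether or not safe mode is on) that walks a docroot, lists every file whose mode grants read permission to "other", and then clears those bits. The function names WorldReadable, Lockdown and Demo, the throwaway docroot and the fake credentials in it are all constructed for the example. The fix assumes the web server reads your files as your own uid or through your group, which the code notes; on a host where PHP runs as one shared uid for everyone, the files must stay readable to that uid and this fix does not apply.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// WorldReadable returns the regular files under root whose permission bits
// grant read to "other" (o+r). Any local user on a shared host can read
// these with cat, a Perl one-liner, or anything else; PHP's safe mode
// does not enter into it.
func WorldReadable(root string) ([]string, error) {
	var found []string
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		if info.Mode().Perm()&0o004 != 0 {
			found = append(found, path)
		}
		return nil
	})
	return found, err
}

// Lockdown clears the "other" permission bits on every world-readable file
// under root and returns the files it changed. Assumption: the web server
// reads the site as the file owner (suexec, a per-user php-fpm pool) or
// through the owner's group. Where PHP runs as a shared uid this fix is
// not available, because that uid must keep read access.
func Lockdown(root string) ([]string, error) {
	files, err := WorldReadable(root)
	if err != nil {
		return nil, err
	}
	for _, f := range files {
		info, err := os.Stat(f)
		if err != nil {
			return nil, err
		}
		if err := os.Chmod(f, info.Mode().Perm()&^0o007); err != nil {
			return nil, err
		}
	}
	return files, nil
}

// writeMode writes a constructed sample file and forces its mode with an
// explicit chmod so the process umask cannot change the outcome.
func writeMode(path, body string, mode os.FileMode) error {
	if err := os.WriteFile(path, []byte(body), mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// Demo builds a throwaway docroot: a config file with fake database
// credentials left at the usual 0644, and one already restricted to 0640.
// It returns the scan results before and after Lockdown.
func Demo() (before, after []string, err error) {
	dir, err := os.MkdirTemp("", "docroot")
	if err != nil {
		return nil, nil, err
	}
	defer os.RemoveAll(dir)
	if err = writeMode(filepath.Join(dir, "config.php"),
		"<?php $db_user = 'app'; $db_pass = 'hunter2'; // constructed\n", 0o644); err != nil {
		return nil, nil, err
	}
	if err = writeMode(filepath.Join(dir, "private.php"),
		"<?php // owner and group only\n", 0o640); err != nil {
		return nil, nil, err
	}
	if before, err = WorldReadable(dir); err != nil {
		return nil, nil, err
	}
	if _, err = Lockdown(dir); err != nil {
		return nil, nil, err
	}
	after, err = WorldReadable(dir)
	return before, after, err
}

func main() {
	before, after, err := Demo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("world-readable before:", before)
	fmt.Println("world-readable after: ", after)
}
```

Run it against a real docroot by calling WorldReadable on that path instead of the temp directory; on a shared host the list it prints is exactly the set of files every other customer can already read, config files with database credentials included.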

The Solution:

PHP should have built-in, optional encryption of source files. An encrypted file is stored on disk in scrambled form, and PHP maintains a hidden list of the passwords used to encrypt each file. When a file is read in, PHP checks whether it is encrypted and, if it is, decrypts it in memory and runs it as normal. The password is the key: without it the file cannot be read.

To encrypt a file the user goes to the command line and types “phpencrypt [filename] [-p password]”. The user is then prompted for a password (unless they gave one with the -p option). Hitting enter without typing one means PHP should manage the password for this file; the user never learns it, so only PHP can decrypt that file. A user without command-line access can instead download a special PHP editor client, which uploads files to the server over FTP automatically and can encrypt them on upload (again, if the password is left empty, PHP keeps track of it as described above).

PHP would keep the passwords in a hidden location. Each file is assigned a password, either specified by the user or generated by PHP. The whole scheme stands or falls on that location: it must be readable only by the PHP interpreter and never by the other users on the host, since a password list that is as world-readable as the source files would simply hand them the key. To decrypt a file the user types “phpdecrypt [filename] [-p password]” and is prompted for the password (unless they used the -p option); this turns the file back into readable source. The editor client works the same way: opening a file remotely decrypts it for editing, and saving it writes it back encrypted.
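A prototype of the behaviour described in this section (phpencrypt, phpdecrypt and the loader's check-and-decrypt step), written for this page in Go with the standard library's AES-256-GCM. It is an added example, not PHP code and not anything the PHP project ships. The on-disk layout (a PHPENC1 marker, then salt, nonce and ciphertext), the KeyStore type standing in for PHP's hidden password list, the Encrypt/Load/Decrypt names, the openWith helper and the deriveKey placeholder are all assumptions of the example; the sample source and its credentials are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// magic marks an encrypted source file; saltLen and nonceLen fix the header layout.
const magic, saltLen, nonceLen = "PHPENC1\n", 16, 12

// KeyStore stands in for PHP's hidden per-file password list. It is an in-memory
// map here; the real store must be readable only by the interpreter's own uid.
type KeyStore map[string][]byte

// deriveKey turns a user password into a 256-bit key. Placeholder KDF:
// sha256(salt || password). A real tool needs scrypt or Argon2 (not in stdlib).
func deriveKey(salt []byte, password string) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return h[:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt is "phpencrypt name [-p password]". An empty password means "let PHP
// manage it": a random key the user never sees. Either way the key is recorded in
// the store. Layout: magic | salt | nonce | GCM(ciphertext, tag), magic+salt as AAD.
func Encrypt(store KeyStore, name string, src []byte, password string) ([]byte, error) {
	salt, nonce, key := make([]byte, saltLen), make([]byte, nonceLen), make([]byte, 32)
	for _, b := range [][]byte{salt, nonce, key} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	if password != "" {
		key = deriveKey(salt, password)
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	header := append([]byte(magic), salt...)
	out := append(append([]byte{}, header...), nonce...)
	store[name] = key
	return aead.Seal(out, nonce, src, header), nil
}

// openWith checks the marker, then authenticates and decrypts with key.
func openWith(key, data []byte) ([]byte, error) {
	hdr := len(magic) + saltLen
	if len(data) < hdr+nonceLen || !bytes.HasPrefix(data, []byte(magic)) {
		return nil, errors.New("not an encrypted PHP file")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, data[hdr:hdr+nonceLen], data[hdr+nonceLen:], data[:hdr])
}

// Load is the interpreter's side: plain files pass through, marked files are
// decrypted with the stored key, and a marked file with no key is refused.
func Load(store KeyStore, name string, data []byte) ([]byte, error) {
	if !bytes.HasPrefix(data, []byte(magic)) {
		return data, nil
	}
	key, ok := store[name]
	if !ok {
		return nil, fmt.Errorf("%s: encrypted, but no key on file", name)
	}
	return openWith(key, data)
}

// Decrypt is "phpdecrypt name -p password": the key is rebuilt from the password
// and the header salt, without the store. A PHP-managed random key is unrecoverable.
func Decrypt(data []byte, password string) ([]byte, error) {
	if len(data) < len(magic)+saltLen || !bytes.HasPrefix(data, []byte(magic)) {
		return nil, errors.New("not an encrypted PHP file")
	}
	return openWith(deriveKey(data[len(magic):len(magic)+saltLen], password), data)
}

func main() {
	store, src := KeyStore{}, []byte("<?php $db_pass = 'hunter2'; // constructed sample\n")
	enc, _ := Encrypt(store, "config.php", src, "")
	got, _ := Load(store, "config.php", enc)
	_, err := Decrypt(enc, "guess")
	fmt.Printf("credentials on disk=%v loader ok=%v password attack: %v\n",
		bytes.Contains(enc, []byte("hunter2")), bytes.Equal(got, src), err)
}
```

The checks worth running are the negative ones: a file encrypted under a PHP-managed key cannot be opened by supplying a guessed password, and a marked file with no entry in the store is refused rather than executed. The store in this prototype is an in-memory map; with a real store on disk the scheme is only as strong as that file's permissions, which is the point made in the text above.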