Encrypted PHP scripts are a nightmare

Posted by BeepStar in The Whole Dot Com Thing on 08 28th, 2006 | one response

PHP Script Encryption Just as the PHP programming language is gaining significant momentum as a solid platform to launch highly interactive and commerce-enabled applications, a huge threat is mounting against the initial spirit of community that helped PHP emerge so quickly: encryption.

The problem isn’t encrypted passwords with an MD5 hash functions, it’s the multiplication of affordable software-based or script-based solutions to fully encrypt the PHP code in every page, in free or commercial scripts.

At first, it may look like a good idea but after a while, you start to realize it’s a nightmare.

Let’s look at the issues.

On the upside, encrypting the PHP source code in web pages helps the developer protect his intellectual property, which is fine. This added protection for the publisher means the final user of this same “encrypted” script will -never- be able to modify a single bit of code!

Would you buy a PHP script if you knew that none of it can be modified to your liking? Unless you’re absolutely certain that you’ll never change a single pixel of a given script, buying an encrypted script is a losing proposition, for any sane buyer.

Furthermore, an encrypted script is -very dangerous- for any buyer because there’s no way to see what the script does, exactly. Does it secretly send information to third parties? Is there a private “backdoor” entrance? An encrypted script can hide anything and that’s a major security issue.

In the same line of thought, using an encrypted PHP script for any application where third parties can eventually be “abused” (in any way) leaves you open to a wide range of legal actions which could cost you multiples of whatever you thought you saved buying an “affordable” (because it was sold encrypted) PHP script.

Encryption profits to one party and only one: the seller (or publisher).

Buyers always loose so they should -never- buy encrypted PHP scripts.

In fact, it should be a standard request from buyers that no encryption be included in the script before any money is exchanged. If the seller prefers not to tell, you can assume “hidden code” or worse, encrypted code is included in his script.

Countless PHP enthusiasts and business users alike are being ripped off right now by encrypted PHP script sellers. By hiding the code, it’s also easier for the sellers to ship sloppy code that will never be properly updated.

Encrypting every bit of code also means the buyer can’t learn new way to code simple or complex queries using the PHP language, thus seriouly hindering the “community” effect from which, ironically, even the PHP script seller have vastly benefited from.

As a rule of thumb, any PHP script seller that encrypts his work doesn’t deserve your business because he’s putting his personal interests before yours, in every way.

PHP script encryption should be banned but until that happens, PHP script buyers worldwide should restrain from purchasing them and ask immediate reimbursements from the shady script sellers who included potential Trojan horses in the scripts they marketed as “secured”… which is another lie, until proven otherwise by a neutral third party (which -never- happens, anyway).

If encrypters are just too anxious to encrypt something, let them encrypt, for instance, Oracle query codes (being a commercial and somewhat already restrictive language) but not PHP, an open source programming language which is clearly “community oriented”.

Tags: encrypted php, encrypted php scripts, hash functions, md5, php encryption, php scripts