Previous | Next | Up | Table of Contents

5.6. Obfuscation

The following shows the Obfuscation tab of the Project Settings dialog:

Some strings remain in the PHP bytecode stream after encoding. For example, local variable names are present after compilation. To prevent these strings from appearing in encoded files, the Encoder features an optional obfuscation processor that is used after the PHP source has been encoded to compiled bytecode.

Obfuscation options

The checked boxes determine which aspects of the compiled PHP bytecode will be obfuscated. Currently class and method names, line numbers, global function names and local variable names can be obfuscated. The Obfuscation key should contain a secret phrase to be used when obfuscating strings. A random obfuscation key can be created by clicking on the Generate random key button. The obfuscation algorithm is a one way process that would require a brute force attack and knowledge of the key to reverse.

Note: If local variable obfuscation is used, variable variable assignment may not work as expected (e.g. $$keyName = $value).

Obfuscation exclusions

While it can be desirable to obfuscate names, it is sometimes necessary to prevent specific class, method and function names from being obfuscated. Such cases include elements in non-obfuscated code that are to be referenced from obfuscated code, elements in obfuscated scripts that are to be called by unencoded scripts, and functions in obfuscated code used as callbacks to builtin functions.

To specify these exceptions, a text file should be created with the required elements. The text file can contain sections identified with [classes], [methods] and [functions], followed by the names of the classes, methods and functions occurring one per line in the relevant section. Namespaces should be used where relevant. The absolute path to this file should be entered in the Exclusion file field.

An example of an exclusion file is below:

[classes]
# Exclude our GlobalModule class for introspection purposes
GlobalModule 
Provider\Module
[methods]
getName
[functions]
fn1 # used with preg_replace so we mustn't obfuscate 
fn2 

Blank lines and text appearing after a # character in an exclusion file are ignored.

Notes:

  1. excluding a function will also disable obfuscation of any local variables within that function.
  2. excluding a class name will exclude just the name of the class from being obfuscated and not any contents of the class such as methods.
  3. for security reasons, excluding a method name will exclude it from being obfuscated in all classes having a method of the same name, which avoids needing a reversible obfuscation technique.
  4. variable variable assignment (e.g. $$keyName = $value) may not work as expected if local variable obfuscation is used. Excluding the function from being obfuscated where such assignments are used will handle this case.