SitePoint Sponsor

User Tag List

Page 2 of 3 FirstFirst 123 LastLast
Results 26 to 50 of 64
  1. #26
    SitePoint Addict
    Join Date
    Jul 2001
    Location
    New Zealand
    Posts
    340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Why bother encoding when both zend and ioncube can be decoded? You are better off creating your own callbacks without encryption. Encoding loses customers

  2. #27
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have heard a couple of people say they can be decoded - I have yet to seen proof.

    And not encoding loses protection.
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  3. #28
    SitePoint Addict shaxs's Avatar
    Join Date
    Sep 2005
    Posts
    267
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by fullahimhard
    Why bother encoding when both zend and ioncube can be decoded? You are better off creating your own callbacks without encryption. Encoding loses customers
    While it is possible, it is extremely hard to do. And if you do call backs, all you have to do is edit out the call backs. Much easier than decoding.

  4. #29
    SitePoint Addict
    Join Date
    Jul 2001
    Location
    New Zealand
    Posts
    340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have seen both zend and ioncube decoded with my own eyes. Though it is not always 100% a good 95% is decoded perfectly. And it is not hard to do at all if you have the right software.

    To me, you are better encoding php scripts with sourceguardian. Though it too can be decoded it does not require any extra server software like zend/ioncube.

  5. #30
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    SourceGuardian requires the loaders, no?

    Just as ionCube can run off of...
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  6. #31
    SitePoint Wizard triexa's Avatar
    Join Date
    Dec 2002
    Location
    Canada
    Posts
    2,476
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    and I am surprised of 95% decoding..

    maybe I am being oblivious, but either the algorithm to decode it works or not. It either gets the source or it doesn't...
    AskItOnline.com - Need answers? Ask it online.
    Create powerful online surveys with ease in minutes!
    Sign up for your FREE account today!
    Follow us on Twitter

  7. #32
    SitePoint Addict
    Join Date
    Jul 2001
    Location
    New Zealand
    Posts
    340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    No sourceguardian does not need loaders. I would say oblivious, there are still a few bugs to be tweaked. I really cant post examples for legal reasons,

  8. #33
    SitePoint Zealot talash's Avatar
    Join Date
    Sep 2000
    Location
    India
    Posts
    141
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Hi Guys,

    If we are delivering a project, we generally do not encode.

    However if it is our product, we prefer to encode it and put it together with our in house licensing solution to make sure that we do not have un-paid users. I am pretty sure that 99% people are genuine, but we need to safegaurd against those 1% who can do more damage than the good done by the rest of the people.

    We use ionCube for encoding. I am niether very happy nor dis-satisfied with ionCube. I am happy because it works nicely and does a neat encoding. I am unhappy because many hosts still do not support run time loading and ionCube loaders. This causes problems when we get across a non-tech client, which we get a lot.

    I think the encoding and licensing technology has a long path to cover.

    Regards
    Abhishek
    My Blog - Business strategy, Usability, India and Ideas
    Submit2Please.com - Manual directory /article submission

    Design2Please.com - Hire a full time designer for $1100 /mo.

  9. #34
    SitePoint Enthusiast
    Join Date
    May 2004
    Location
    Gainesville, Florida
    Posts
    54
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I don't consider .php apps == to C or VB apps. Add ons to do what you want to do, which is essentially have a compiled version of your software, adds another tier to the application and support model.

    Now I don't have any problems with PHP programmers, since I am one of them, to do this since it is our rights as author. However, I would never buy PHP software that was encoded since the apache/IIS php model is can differ from version to version or server admin to server admin.

    The best place to use these techniques, imho, is working for a private company who runs their servers in house and wants to be as secure as possible.

    .NET and J2EE on the otherhand have positioned their libraries and code from the start to be == to their desktop client counterparts.

  10. #35
    Ribbit... Eric.Coleman's Avatar
    Join Date
    Jun 2001
    Location
    In your basement
    Posts
    1,268
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by fullahimhard
    I have seen both zend and ioncube decoded with my own eyes. Though it is not always 100% a good 95% is decoded perfectly. And it is not hard to do at all if you have the right software.

    To me, you are better encoding php scripts with sourceguardian. Though it too can be decoded it does not require any extra server software like zend/ioncube.
    I honestly don't believe you. Prove it.
    Eric Coleman
    We're consentratin' on fallin' apart
    We were contenders, now throwin' the fight
    I just wanna believe, I just wanna believe in us

  11. #36
    SitePoint Addict
    Join Date
    Dec 2005
    Posts
    262
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by CapitalWebHost
    Guess you don't use any kind of client based software then? Not a Windows user?

    While encode scripts can be a pain in some cases, if developed correctly where the author leaves exits and configuration options un-encoded, I have no problems. Authors have every right to protect their work.
    Actually I'm a linux user. I do use client based software but it is easy enough to fix any problems that end up on your computer with a system wipe. However there is no way to recover lost revenue if a website or server crashes or is "hacked" because of an inept or corrupt programmer.
    Authors do have a right to protect their work, but I won't risk it.

  12. #37
    Non-Member
    Join Date
    Jan 2003
    Posts
    5,748
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I would say oblivious, there are still a few bugs to be tweaked.
    Exactly what are you talking about when there are still a few bugs to be tweaked? A few bugs to be tweaked in what software, specifically?

    I'm not clear on that point, and at this moment, I may have the wrong impression of what your talking about, or what you are doing, just so I'm clear about what you are referring to, can you clear this up?

  13. #38
    SitePoint Addict Adam A Flynn's Avatar
    Join Date
    Jul 2004
    Location
    Canada
    Posts
    251
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    From a compatability standpoint, what is the best encoder to use? Zend, IonCube, and SourceGuardian all require PHP extensions as loaders, no?

    Also, how risky is it to release an unencoded "developer" version for a higher price for those who REALLY want the sources?

    I'm facing the same issues as others in this thread are as I am about to release a few commercial applications myself. Ideally, I would want my work encoded, but, as I'm just starting to get into the field of application sales, I can't really afford to loose large chunks of business. At the same time, is the risk of loosing larger chunks of business from copies hitting p2p networks is even greater...?

  14. #39
    SitePoint Enthusiast
    Join Date
    Mar 2005
    Location
    UK
    Posts
    82
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by fullahimhard
    I have seen both zend and ioncube decoded with my own eyes. Though it is not always 100% a good 95% is decoded perfectly. And it is not hard to do at all if you have the right software.

    To me, you are better encoding php scripts with sourceguardian. Though it too can be decoded it does not require any extra server software like zend/ioncube.
    SourceGuardian works exactly like ionCube/ionCube works exactly like SourceGuardian. ionCube has its runtime loaders, SourceGuardian has it's ixed runtime loaders. With either encoder, you have to upload a folder (/ioncube/ or /ixed/) along with the encoded product. In the vast majority of cases that's all that needs to be done and the loaders are dynamically loaded when the encoded scripts are run allowing them to run. In the event of safe mode being on or other configuration options, you sometimes have to add the loaders to the php.ini.

    SourceGuardian loader installation guide: http://www.sourceguardian.com/ixeds/...tall_ixed.html
    ionCube installation guide: http://www.ioncube.com/loader_installation.php

    You'll notice both are remarkable similar

    In terms of security, Nick from ionCube has some pretty convincing arguments on why SourceGuardian isn’t as secure as ionCube or Zend due to it’s lack of a “closed source execution engine” - http://www.sitepoint.com/forums/show...54&postcount=4. While ionCube, Zend and SourceGuardian could all be decoded, all 3 software companies have introduced new measures to counter the exploits – SourceGuardian v5.5 with obfuscation, ionCube v6.5 with obfuscation and other security improvements, and Zend have v4 in beta also with obfuscation and other improvements. It is an ongoing battle between the encoding companies, software companies trying to stop piracy, and people trying to break the protection.
    Alasdair Stewart
    PHPAudit - Securely License & Distribute your PHP product now!
    21% ionCube encoder discount!

  15. #40
    SitePoint Enthusiast
    Join Date
    Mar 2005
    Location
    UK
    Posts
    82
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by Adam A Flynn
    From a compatibility standpoint, what is the best encoder to use? Zend, IonCube, and SourceGuardian all require PHP extensions as loaders, no?
    Zend encoded products require the Zend Optimiser installed; ionCube and SourceGuardian in most cases only require a folder containing loaders uploaded (but for certain configurations - e.g. safe mode/dl() restrictions - require them installed in the php.ini). The chances are someone's server will either have the Zend Optimiser installed or support dynamic loader support for ionCube/SourceGuardian - it's rare from my experience a server doesn’t support either. No one encoder is going to offer you total compatibility, but it’s likely ionCube/SourceGuardian have the edge from simply requiring a folder uploaded for most cases.

    It's for reasons like that a lot of popular products usually come available in Zend encoded and ionCube encoded versions - it’s nearly 100% certain one or the other will work. If you have the cash to get both the Zend SafeGuard Suite ($960/yr) and ionCube ($199 perpetual with $99/yr for support + upgrades) then I’d go for that as you’ll cover yourself against any issues, otherwise, get ionCube first and then offer a Zend version when you’ve grown your business and can afford it.

    Also, how risky is it to release an unencoded "developer" version for a higher price for those who REALLY want the sources?

    I'm facing the same issues as others in this thread are as I am about to release a few commercial applications myself. Ideally, I would want my work encoded, but, as I'm just starting to get into the field of application sales, I can't really afford to loose large chunks of business. At the same time, is the risk of loosing larger chunks of business from copies hitting p2p networks is even greater...?
    I posted about this earlier in the thread - http://www.sitepoint.com/forums/show...0&postcount=23. Having a 'developer' version with full source at any point opens the way for a purchase, chargeback, and the source landing on P2P sites; which defeats the entire point of encoding the standard version in the first place. In my opinion you'd be much better off offering a 90-99% unencoded 'developer' version where you still encode enough of the product to implement some licensing functions to prevent piracy/illegal distribution, or, simply only ever encoding the key files needed to license your product(s) and leave the rest of the source open for everyone to customise and change at their leisure.
    Alasdair Stewart
    PHPAudit - Securely License & Distribute your PHP product now!
    21% ionCube encoder discount!

  16. #41
    SitePoint Addict
    Join Date
    Jul 2001
    Location
    New Zealand
    Posts
    340
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ok sorry I must have gotten it wrong about sourceguardian. Regardless, zend/ioncube can be decoded. Care to put $50 on the line and I will prove it to you.

    You send me a encoded php script of say 250 charactors max, If i can decode it to perfect/almost perfect to the original i get the cash if not, you can make me out to be a liar

  17. #42
    SitePoint Addict
    Join Date
    Mar 2005
    Posts
    314
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Is this some kind of joke?

    I'm not prepared to lose $50, but I'm definately interested in the outcome. All I know is the new version of Zend will not be as simple as they completely change function names, variables, classes, etc. The old version has been released for YEARS so of course someone / group has accomplished this.. but for real? I've heard talk, but I've seen no action.

  18. #43
    SitePoint Evangelist
    Join Date
    Apr 2004
    Location
    Boston
    Posts
    482
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I have used PHP Shield and after a pretty simple setup it seems to work pretty well. Although, the people who are using my code aren't tech people so I am really the only one that needs to see the code and I have the original anyway.

  19. #44
    SitePoint Enthusiast
    Join Date
    Mar 2005
    Location
    UK
    Posts
    82
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    The decoding of Zend version 3.6 and under files is rampent these days and I'm not disputing that - a quick Google for the correct keywords shows up numerous sites offering to decode zend files for $5-200 (depending on the number of files). Some sites also offering the decoding of SourceGuardian files fairly cheaply, along with ionCube encoded files (but it seems these are harder or they haven't automated it yet as they tend to charge a lot more for them).

    Quote Originally Posted by Rmazin
    I have used PHP Shield and after a pretty simple setup it seems to work pretty well. Although, the people who are using my code aren't tech people so I am really the only one that needs to see the code and I have the original anyway.
    In terms of phpShield it's simply a version of SourceGuardian without the licensing components (SourceGuardian went v1, v2, v4, v5 and v5.5... phpShield sits in there at v3 ). If they haven't updated it recently then it's probably quite insecure, although possibly not targetted all that much as its fairly new and doesn't have a huge chunk of the market.
    Alasdair Stewart
    PHPAudit - Securely License & Distribute your PHP product now!
    21% ionCube encoder discount!

  20. #45
    PHP/Rails Developer Czaries's Avatar
    Join Date
    May 2004
    Location
    Central USA
    Posts
    806
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by fullahimhard
    I have seen both zend and ioncube decoded with my own eyes. Though it is not always 100% a good 95% is decoded perfectly. And it is not hard to do at all if you have the right software.

    To me, you are better encoding php scripts with sourceguardian. Though it too can be decoded it does not require any extra server software like zend/ioncube.
    I think what he means by the 95% is that when the script is Zend encoded (I am not sure about ionCube encoding), all comments and whitespace are removed to reduce the file size and because they are not necessary for script execution.

    So if your file is ever decoded, the structure, whitespace, and comments will not be intact, and you technically cannot say you have "100%" of the original.

  21. #46
    SitePoint Zealot
    Join Date
    Jan 2005
    Location
    NY
    Posts
    140
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I had a client who recently bought a SourceGuardian encoded script for a payment processor. I was having problems integrating the script with the current system he had in place, so I took a look at the encoded .php file.

    If you have _ANY_ knowledge about PHP, you can get the source code to the 'encoded' php file in a matter of MINUTES!

    They throw in a bunch of stuff meant to distract people.. but the real string is right there in the file. all you have to do is change some variables, and call the decode function, dump it to a file, and you have the fully unencoded source.

    Why did anyone even mention sourceguardian? I think it's a joke.

  22. #47
    SitePoint Enthusiast duckax's Avatar
    Join Date
    Aug 2005
    Posts
    94
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by confined
    I had a client who recently bought a SourceGuardian encoded script for a payment processor. I was having problems integrating the script with the current system he had in place, so I took a look at the encoded .php file.

    If you have _ANY_ knowledge about PHP, you can get the source code to the 'encoded' php file in a matter of MINUTES!

    They throw in a bunch of stuff meant to distract people.. but the real string is right there in the file. all you have to do is change some variables, and call the decode function, dump it to a file, and you have the fully unencoded source.

    Why did anyone even mention sourceguardian? I think it's a joke.
    Are you sure he is using sourceguardian? IMHO, he is probably using some other crap. Do a google search and most product listed for under $80 can be reversed in less then 30sec.

  23. #48
    SitePoint Addict Olate's Avatar
    Join Date
    Apr 2003
    Location
    UK
    Posts
    252
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    To encode or not to encode is a difficult question. The philosophy behind PHP is open and usable by all, but that doesn't always go alongside commercial goals. When releasing a product, you have to decide how much you want to allow the customer to do with your product. If you encode 100% of your source code, although you will be protecting your work, the customer will not be able to make any changes to adapt the product, which is something that I do often. However if you compare PHP applications to those written in VB or C++, for example, you usually do not get any access to the VB/C++ source so why should it be any different for PHP products?

    With our commercial products, we decided to take the route of providing access to certain parts of the source (the payment gateway modules and templates for example) but also offering a "Developer Version" which provides 99% source code. This means that some of the important parts of our products can be customised by any license holder, but there is also a way for those who want to really customise the source to do so. With our developer license, the only file encoded is the one which handles the licensing of the product (which cannot be removed otherwise the admin panel stops working!).

    Another option that we use is to provide source code documentation (using phpDoc) and two APIs. This means that application functions can be used without seeing the source code and seems to have been a good selling point for our software.

    On the same note, providing source code is a good selling point. Quite a few of our customers like the fact that we provide (or at least provide the option) to get the source code should they need it. We're also very flexible when it comes to customers who didn't purchase the developer version asking for access to specific files - something which I would find useful if I needed to customise an encoded application.

    When we released our first product, and up until very recently, we have only used the ionCube encoder. We only just started offering the Zend Encoded version because a customer requested it. And although some people are using the Zend encoded version now it is available, we haven't noticed any increase in sales as a result. In fact, I really dislike the Zend encoder, as charmedlover pointed out my blog post!

    Quote Originally Posted by charmedlover
    Read this as well:

    http://www.mytton.net/recursive-encoding-nope

    It has a downside to the Zend encoder.
    Ignoring the fact that the ionCube Encoder is cheaper, it is just so much better than the Zend Encoder. The encoder itself is very good - the interface is clean and easy to use (a major factor I consider with any application) and there are plenty of options for customising the encoding procedure. One problem that existed in the past was the need to upload encoded files in binary. This is still necessary with Zend but ionCube offers ASCII encoded files which means they are less likely to become corrupted by FTP or compression (e.g. in Winzip). The run time loading that was mentioned several times in this thread is also a major consideration. But not least, the support from ionCube themselves is excellent - they are very good at quick replies and do not appeat to be a "faceless corporation" like I feel Zend is. Notice how they are participating in this discussion yet you see nobody (as far as I can tell) from Zend.

    So in conclusion, encoding has worked for us. It protects our source, but we give a reasonable amount of freedom to our customers.

  24. #49
    SitePoint Member
    Join Date
    May 2005
    Posts
    15
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well. I purchase alot of php scripts, and if i find that one is encoded before i buy it (and there asking the world for it!) i will not purchase it. I love to be able to learn from the code and edit the code so it suits my needs even better. If your going to offer an encoded version, make sure for double the price of the encoded version you offer an unencoded version, that sometimes helps.

  25. #50
    SitePoint Enthusiast
    Join Date
    Apr 2004
    Location
    London
    Posts
    77
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    More interesting posts in this thread from everyone. To clarify:

    SG, Zend and ionCube all require components on the server. This is the only way to get security, so if you care about that, it's really worth any inconvenience when and if it occurs. Not that this is likely anyway, but even a lost sale because someone couldn't install a decoder engine is preferable to a lost sale because someone downloaded your product off edonkey. For the sellers of more expensive systems, the end users are likely to have dedicated servers, and then installation of decoding engines is a non issue.

    SG and ionCube can have the loader engine installed either in php.ini, or from user space if the server supports it. Many do, some don't. Zend only works with a php.ini install that some will have already and some won't.

    Whereas in the past, any compiled code solution was a good bet for security, the emergence of decompiler services from Chinese and Indoniesians looking to profit and attack the PHP developer community has increased the threat to encoded scripts. This has also created a division between "strong" compiled code systems and "weak" compiled code systems. A strong solution uses a closed source executor, and this is essential.

    ionCube and Zend have closed source executors, and as far as we know, are the only ones at the moment. Other solutions rely on passing compiled code to the standard executor, and as PHP is opensource, this is easily intercepted for feeding into a decompiler.

    We released a new solution a few weeks ago that as well as new features such as encryption for any files, e.g. XML or templates, adds extra security to opcodes, capitalises further on the execution engine in the Loader, and includes new features that may defeat reconstruction of working code even if valid opcodes were discovered. No system claiming code recovery can recreate source from the latest generation ionCube enoded files. Zend are working on a similar solution.


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •