… and normally (for the last few years) I have been encrypting the source code with both ioncube and zend guard.
However… I am wondering if both options are really needed?
For example, I have never seen a web server where Zend Optimizer was installed and Ioncube did not work.
On most web hosting servers, Ioncube loaders are installed as part of the standard software… but Zend Optimizer is not installed.
What do you think?
Has the time come when I don’t need to distribute my applications in both Ioncube and Zend encoded versions?
Thanks for any advice or thoughts/opinions.
(BTW - if you reply just to tell me that Zend-encoded software is hackable… please provide proof of your statement, instead of just a useless post that says you know someone who has a cousin who had their zend-encoded app hacked.)
This is not a thread to debate whether or not I should do everything within my power to protect my intellectual property (including encryption). (Yes, i realize there is always a way for hackers to get the source code. Blah blah blah…)
If you have nothing useful to add to the actual subject of the thread, then please do not bother posting.
This is not a debate about if I should encrypt my PHP code. I have already chosen to do so. I am now asking if anyone has advice on whether I should continue making the Zend version available, in addition to the Ioncube version.
I do not want to ask my clients, because they are not technical people or PHP programmers. The vast majority of my customers would respond with an answer such as, “Huh?”. I’m not going to bother my clients with geek-related questions, when that is the whole purpose of these forums.
AnthonySterling, my clients are using a mix of both encoding types. I see about 70% Ioncube and 30% Zend being used.
Since nobody has yet addressed the actual question of my original post… I will rephrase it.
Does anyone know if there are any instances where Ioncube Loaders (ioncube-encoded software) will not work, when the Zend Optimizer (zend-encoded software) will work?
Words of advice - If the code is entirely custom, AND you are willing to stay within PHP 5.2 AND you can live without create_user_function and eval, consider using HipHop. In short it converts PHP code to C++ and then compiles that code. The end result will run faster than normal PHP, let alone PHP with the overhead of a code encryption routine. And it will be true compiled code (it will be subject to decompiling, but both ioncube and zendguard can be reverse engineered).
Personally I’d only bother with encryption if the code will be deployed to machines I don’t have custody over. It sounds like this is a case where you do have custody over the machines, so I don’t see how encryption helps any. Also, if you are building on anything open source then, depending on the license you could be breaking the license by encrypting the code, as many licenses (particularly GPL) REQUIRE you to turn over the source code to the end user whether they can use it or not.
I do not have any control over my customer’s servers… which is why I am encrypting my PHP code. I realize encryption is not a guarantee against IP theft, but it will stop 99% of people looking at my PHP code.
Using HipHop is not an option, as I certainly do not want to support a strange compiled C++ code on a thousand unknown servers…
So again… I will ask my rephrased question:
Does anyone know if there are any instances where Ioncube Loaders (ioncube-encoded software) will not work, when the Zend Optimizer (zend-encoded software) will work?
You’ve made some good points Michael, but suggesting HipHop is a little “out there” isn’t it? The OP would then require users have HipHop, built, configured and installed on their server.
Right… but is Zend necessary if the customer’s server will support Ioncube?
My point is that my customer’s don’t “understand” the difference between Zend and Ioncube. They just want to download something and run it.
So I’m thinking to remove the Zend-encoded option, because it seems pointless since (this is what I am trying to confirm here) any server that supports Zend-encoded software also will support Ioncube-encoded software.
Not quite. The ioncube loaders will still need to be installed (if they aren’t already). Depending on the server this may need to be done by the hosting provider; they may not want to support ioncube.
If you can provide both you probably should. It doesn’t take long to encrypt, so what’s to loose.
Uhm, this is sounding less like a project where you are providing a service to clients with no server understanding and where you are providing a PHP product to other coders, like with phpBB or vBulletin. If that is the case, you’re shooting your project in the head and handing your business over to competitors. I don’t know of any PHP house that provides end user solutions that will willingly turn to closed source product. No matter how good your product is (for all I know it might turn lead into gold) this will be a severe strike against it in marketability.
It’s not impossible to overcome, but it is a severe problem.
Also GOPalmer pointed out, for encoders to work the client must install the decoder library. This is an extra hassle. Say your product is a CMS. Is it really so much better than Joomla and Drupal that the extra hassle of the encoder (not to mention lack of access to the code) is going to be worth it?
And trust me, I know from experience that getting Ioncube up and running on a machine can be a headache in its own right. Zend I haven’t dealt with.
Word of advice - the money isn’t in the software. The money is in the services. Joomla and Drupal are funded in time and money by teams that get their money from services provided to people who, frankly, don’t know or want to know the least about the internet. These same professionals will be your potential customers, and if you encrypt you give them strong incentive to solve the problem themselves or use a competitor’s code they can modify at will. In all likelihood your product would not be the only thing on their site, and closed source, even with the best and most well documented API’s, are still much harder to work with and debug than open source.
Uhm, this is sounding less like a project where you are providing a service to clients with no server understanding
The encoding is off my PHP software that I sell to customers who have no server understanding. In fact, my product is specifically designed FOR customers who have no server or website understanding. That’s the whole point of why they buy my product.
(It’s basically a simple website editing software for non-techie website owners.)
where you are providing a PHP product to other coders, like with phpBB or vBulletin.
This is not what I am doing. My end-user customers are totally non-technical.
I appreciate your advice, but several years ago I did sell my software without encrypting it.
It was promptly stolen and promptly resold by many “competitors”. (ie: Imagine a dozen people stealing your “open” software and then copying your entire sales website and selling your software for 1/2 the price.)
Well I’ll answer your question. We cannot answer your question. That is a business decision only you can answer. Whether or not a server has Zend or IonCube installed is up to the users hosting. If your customers lack as much understanding as you believe they are…well I don’t know but somehow I’ll doubt they will know if their server has Zend or IonCube.
Either way, it will depend on the hosting company to handle whether Zend or IonCube is installed.
Ask your clients, not a forum.