FAQ

Do you use POBS yourself?
Yes I do. I have about 300 Kb of PHP code. After adjusting the software for POBS, I now know what POBS likes and doesn't like and every update of the software can be POBSed without a hitch.

Why wouldn't I use Zend Encoder instead?
Price
I can tell you about my own considerations. I seriously considered Zend Encoder and downloaded it together with the manuals since I thought they were the only option for deploying your application safely. I found the price quite high but that alone didn't deter me. Also, installation didn't seem easy to me.

Works with other programs
On top of that I already used APC as a cacher. And as far as I know APC and Zend Encoder don't operate in concert. So I would have to install Zend Cache too. (And Zend Optimizer). Obviously, if you already use APC, Zend Encoder or Zend Cache, you can continue doing so with POBS.

Can not be reverse-engineered by a computer
Another consideration is that Zend Encoder doesn't remove information. As far as I understand (correct me if I'm wrong) you can adjust the PHP Engine (not for the everyday coder maybe) and restore the complete sourcecode even if you use an Encoder and/or a Cacher. The kind of encoding Zend Encoder does is reversible. The encoding POBS does is not reversible since the meaning is thrown away. The meaning of the code is only known after spending a lot of time studying it. One would have to give every variable, constant and function a meaningful name, which can only be done after finding out the working of every function.

Deployment at ISP without trouble
If you want to deploy a PHP application at an ISP and you want to protect your sourcecode for whatever reason, normally you can't ask them to install something like Zend Encoder for you. In that case, POBS can do the job and you can sleep tight.


Why would I favor Zend Encoder over POBS?
Since I try to be objective and do not claim that POBS is the greatest invention since sliced bread, I guess there certainly are advantages to an encoder like Zend Encoder or Microcode (see "Links").

If the machine, and not just a directory, that runs your program is controlled by you, you can install an encoder. The advantage of an encoder is that it obfuscates everything. It may be compared to zipping your PHP files with a password on top of it.
POBS obfuscates user-defined variables, functions and constants. Not standard PHP functions, variables or constants. Also, POBS does not obfuscate database passwords or encryption methods that are used inside your PHP program. And it doesn't obfuscate standard text.

Also, Zend or Microcode do not require your code to be adjusted. And you know it will work as intended.

How much work would it be to adjust my code?
Difficult question. The last thing I want is to disappoint you and have you put a lot of work in it without proper results. It all depends on:

The size of your application
Obviously, the larger your application, the more work you have to put in it.

The way you program
I myself made the mistake of naming constants after HTML tags. Also, I didn't start them with a lowercase "c" or something to set them apart from tags or other stuff. Replacement was relatively easy since you can easily scan your code for "define".
Another thing is that you might declare a lot of variable variables in your code with "parse_str" or $$Var. These give POBS troubles and you have to put in more work if you use a lot of it.

The level of security you want
With a scripting language like PHP, variables pose the greatest threat. Variables can be declared at runtime so you never know which ones will be there. If you only replace functionnames and constantnames you have a lower level of obfuscation but you need to make far fewer adjustments. Anyway, I would advise anyone to start off and replace only functionnames and constants and see if your code works. If it does, proceed and replace variablenames also.

What does obfuscate mean?
Good question. I had never heard of it before talking to people about my program to obscure PHP code. I always talked of obscuring and couldn't find similar programs (which do not exist anyway) until someone told me it goes under the name of "obfuscator".

This is what Merriam Webster dictionary has to say about it:

Main Entry: ob·fus·cate
Pronunciation: 'äb-f&-"skAt; äb-'f&s-"kAt, &b-
Function: transitive verb
Inflected Form(s): -cat·ed; -cat·ing
Etymology: Late Latin obfuscatus, past participle of obfuscare, from
Latin ob- in the way + fuscus dark brown -- more at OB-, DUSK
Date: 1577
1 a : DARKEN b : to make obscure
2 : CONFUSE

With what has POBS been tested?
POBS has only been tested with PHP 4.0.4 on Linux and Win32. It will probably work on other PHP versions as well since I can't imagine why it wouldn't work. But this is certainly not a guarantee.

What about $$Var?
Variable variables pose a problem for POBS. But they can easily be overcome.

Consider the following code snippet:

$Var1="Var2";
$$Var1="Amsterdam";
echo $Var2; // "Amsterdam"

$Var2 will have the value "Amsterdam"

POBS makes the following code of it:

$V31bff649="Var2";
$$V31bff649="Amsterdam";
echo $V8c4e34d5; // empty

As you see, POBS has replaced all occurrences of $Var2 but not the string "Var2". Therefore this little program will not work as intended. To get it working you need to add Var2 to the $UdExcVarArray in pobs-ini.inc.
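
An added example (not part of POBS or of the original FAQ), written for PHP 7 or later: a simplified renamer that reproduces the failure above and shows what an exclusion list changes, plus a scan for the $$ and parse_str constructs mentioned earlier (extract is included as a further way to create variables at run time). The hash-based naming, the function names and the $exclude parameter are assumptions, so the generated names will not necessarily match the ones shown above.

```php
<?php
// Added illustration, not POBS source code. Assumption: a replacement name is
// "V" + the first 8 hex characters of md5(original name).

// Rename every $name unless it is reserved by PHP or listed in $exclude
// (hypothetical parameter playing the role of $UdExcVarArray).
function renameVariables(string $src, array $exclude = []): string
{
    $skip = array_merge(['this', 'GLOBALS', '_GET', '_POST', '_COOKIE',
        '_SERVER', '_FILES', '_ENV', '_REQUEST', '_SESSION'], $exclude);
    return preg_replace_callback(
        '/\$([A-Za-z_][A-Za-z0-9_]*)/',
        function (array $m) use ($skip): string {
            return in_array($m[1], $skip, true)
                ? $m[0]
                : '$V' . substr(md5($m[1]), 0, 8);
        },
        $src
    );
}

// List lines that create variables at run time ($$name, parse_str, extract);
// the names created there are candidates for the exclusion list.
function findDynamicVariableUse(string $src): array
{
    $hits = [];
    foreach (explode("\n", $src) as $i => $line) {
        if (preg_match('/\$\$|\b(parse_str|extract)\s*\(/', $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Constructed sample: the snippet from the FAQ above.
$sample = <<<'PHP'
$Var1="Var2";
$$Var1="Amsterdam";
echo $Var2;
PHP;

echo "Without exclusions (echo reads a variable that is never set):\n";
echo renameVariables($sample), "\n\n";
echo "With Var2 excluded (echo reads the variable that \$\$ creates):\n";
echo renameVariables($sample, ['Var2']), "\n\n";
echo "Lines to review before obfuscating:\n";
print_r(findDynamicVariableUse($sample));
```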

Will execution of the scripts be slower?
Probably not. I haven't noticed nor measured. According to one user execution time was 9% faster after obfuscating. Also, the sourcefiles were about 10% smaller in size.

Will it increase the size of the PHP script files?
That depends. But generally not. (Au contraire). If you remove comments and indents and have the lines concatenated, your files will, on average, lose about 10% of their size. If you only have the variables, constants and functions replaced it will probably result in a slight increase in filesize since the average length of variables and functionnames is slightly smaller than 9 (First letter + MD5 of 8 characters).

Can I process selected files of my application?
Yes, you can! From version 0.91 on, POBS automatically checks if the sourcefile is newer than the targetfile. It then only rewrites the new ones.

But remember, although POBS can replace selectively, POBS needs to scan all the files of your application. It must, to be sure it knows all the userdefined functions, variables and constants in your application.

How long does it all take?
Depending on the total size of your sourcefiles and the number of functions, constants and variables used, it might take POBS quite a long time to process them. This also has to do with the incomplete functions that PHP offers and is a major disadvantage to PHP in my opinion. In my case, processing 250 Kb of source in about 40 files takes about 600 seconds on a 300 MHz machine. If you have suggestions as to how it can be made speedier please let me know.

If you made adjustments to the code in certain files, you can instruct POBS to just replace those files to speed up processing.

Standard timeout for PHP is 30 seconds or something. This is probably not enough. In the pobs-ini.inc file you can adjust the timeout. POBS will set it when it is started up. It is necessary though that PHP does not run in "Safe mode". In php.ini you can set "Safe mode" off.

Doesn't APC provide enough security?
Depending on the security you need, it very well might do so. APC provides a mode (mmap) in which only "compiled" PHP files are stored on the server. These are pretty hard to read and might discourage many hackers from trying to decode them. But it's quite possible to reverse the compiling process by way of another program (that you need to write yourself probably). So, if you need to deploy an application and want to feel really safe and secure, I don't think a cacher like APC is the way to go. But of course, APC was never intended for such purposes.
  • APC does not encrypt or throw away information. Machine reversible.
  • Zend Encoder does encrypt but doesn't throw away information. Machine reversible.
  • POBS encrypts by way of throwing away information. Never completely reversible. Only partly reversible by intensely studying the code.

Shouldn't all software be free and open?
For me that's like saying: "Shouldn't everyone on earth be peaceful, loving and working together". I'd rather work with reality than project my ideals on it.
If everyone works for free I will do likewise. But that isn't the case yet. Contrary to Richard Stallman I don't think all software should be free and open. Open and closed software both have their advantages and disadvantages. The one who writes software (or the owner) should decide what he wants to share. In my opinion the same goes for money and property, which is called Capitalism or libertarianism. Dutch readers might want to visit the Dutch libertarian site Meervrijheid.nl (More Freedom).

Can I obfuscate part of my PHP application?
Nope. For obvious reasons.
Many PHP applications consist of many separate files that can be included at will. If you replace a functionname in file A you have to replace all occurrences of that function in every other PHP program.

BUT, POBS allows you to select the files you want to obfuscate to make processing faster. If you POBSed everything already but made adjustments to just a few files you can instruct POBS to replace just these.



Walhalla Publicaties (c) 2001