Академический Документы
Профессиональный Документы
Культура Документы
Version 7.0
17 May 2014
Table of Contents
1
INTRODUCTION ................................................................................................................. 3
1.1
1.2
1.3
1.4
Page 2 of 21
Introduction
1.1
PHPshadow is software that enables you to protect your PHP code by encrypting it in
such a way that it cannot be read by others, but that it still functions properly on a web
server. This is achieved by using a PHP server extension to decrypt the contents onthe-fly when a page is requested.
It is designed to work fast and to have a minimal impact on the server.
1.2
Background
Traditionally there were very few options available to PHP developers wishing to hide
their source code. One of the common approaches was to obfuscate the code. This is a
process whereby the code is made more difficult to read, using tricks like renaming
variables to nonsense names and using Base-64 encoding. Obfuscated code is a weak
protection mechanism because it is not encrypted and it can be easily reversed.
PHPshadow uses encryption to scramble the source code into an unreadable string of
characters. Now PHP developers need not worry about releasing their application to
customers, or publishing it on a shared hosting environment. PHPshadow aims to
provide a low-cost yet strong protection mechanism.
1.3
Whats Included
All items are available from the Download section of the PHPshadow website
(www.phpshadow.com).
!
Encoder Tool
This is the command-line tool that encrypts your PHP scripts.
User Guide
The document you are reading now.
Page 3 of 21
1.4
Note: The Encoder Tool can be used without a licence (i.e. as a free trial), but a 10-second delay
will be introduced when your code is executed. It is otherwise fully functional.
Both options are available through Purchase section of the PHPshadow website
(www.phpshadow.com).
Page 4 of 21
Quick-Start Guide
2.1
Purpose
The purpose of the quick-start guide is for advanced users to install and begin using
the product as quickly as possible. Quick-start instructions are not detailed for this
very reason; however more detailed instructions are given in subsequent sections.
2.2
Instructions
Step 1:
Copy your encrypted project to the appropriate directory on the web server.
Page 5 of 21
Obtaining PHPshadow
3.1
The latest copy of PHPshadow (comprising the PHP Server Extension and the Encoder
Tool) can be downloaded from the Download section of the PHPshadow website
(www.phpshadow.com).
Page 6 of 21
Installing PHPshadow
4.1
This section provides installation instructions for both types of server environments:
!
You have access to your own server, or you lease a virtual private server (VPS)
4.1.1
Follow these instructions if your web site is hosted on your own server, or on a virtual
private server.
Step 1:
!
Step 2:
!
If you are not sure where to locate the php.ini configuration file, refer to Determining the
Location of the php.ini Configuration File on page 19.
Page 7 of 21
4.1.2
Note: It is assumed your hosting provider allows use of .htaccess. If you are not sure whether
this is the case, you can still attempt the installation below.
!
Create a file called .htaccess (note the leading dot) with the following content, and
upload it to the document root (the root directory of your web site):
SetEnv PHPRC " path"
Note: Replace path with the full path to the document root. If you are not sure of the path,
refer to Determining the Document Root Path on page 19.
For example:
SetEnv PHPRC "/home/john/www"
!
Take a copy the php.ini configuration file and copy it to the document root.
Note: If you are not sure how to take a copy of the php.ini file, refer to Taking a Copy of
the php.ini Configuration File on page 20.
Change the line in the php.ini file that enables the dl() function to:
enable_dl = On
Change the line in the php.ini file that defines the extension directory to:
extension_dir = " path"
Note: Replace path with the full path to the document root. Also, if the line begins with a
semi-colon make sure you remove it. The line should only contain what is shown above.
For example:
extension_dir = "/home/john/www"
!
extension=phpshadow.so
Step 2:
!
Take copies of all the system extensions and copy them into the document root.
Note: If you are not sure how to take copies of the system extensions, refer to Taking
Copies of System Extensions on page 21.
Step 3:
Page 9 of 21
4.2
4.3
If you are using the Encoder Tool to encrypt your files (as opposed to encryption
through our cloud service), you will first need to purchase a licence.
You will be sent a licence file called phpshadow.licence. Place this file in either
/etc/phpshadow or your home directory.
Page 10 of 21
5.1
5.1.1
Page 11 of 21
5.1.2
Example 1
This example is the simplest and most common way to encrypt your PHP project. To
encrypt a project located in /home/myproject and with the licence file located in
/home, the command would be:
phpshadow-encoder -l /home/phpshadow.licence /home/myproject
5.1.3
Example 2
The same example as above but with the licence file located in /etc/phpshadow you can
omit the l flag. The command would be:
phpshadow-encoder /home/myproject
5.1.4
Example 3
The same example as above but using the d flag to leave out the dynamic extension
loader. The command would be:
phpshadow-encoder -d /home/myproject
5.1.5
Example 4
Example 5
You can choose to encrypt only part of your project. To encrypt only the files db.php
and priv.php located in /home/myproject, the command would be:
phpshadow-encoder /home/myproject/db.php /home/myproject/priv.php
Note that when encrypting only part of your project without the o parameter, copies
of the original (unencrypted) files and directories will kept in the same directory as the
encrypted files. You will probably want to move these before publishing your project.
5.1.7
Example 6
You can encrypt a project leaving a configuration file unencrypted. Assuming your
project is located in /home/myproject and the configuration file is config.php, you
would issue the following command:
phpshadow-encoder -s config.php /home/myproject
5.1.8
Example 7
You can encrypt a project saved with the file extension .php3. Assuming your project
is located in /home/myproject, you can encrypt it using the following command:
phpshadow-encoder -x php3 /home/myproject
Page 12 of 21
5.2
5.2.1
The cloud encryption service is a mechanism to encrypt your PHP source code by
uploading your PHP files to the PHPshadow website. It does away with the need to
use the Encoder Tool.
All you need is a web browser.
This option is quick, easy, and the most cost effective. Whats more, you can try it
FREE of charge.
5.2.2
Instructions
Page 13 of 21
Advanced Functions
6.1
Publish the file to the web server and view it through a web browser (i.e. navigate to its
URL).
It will show the version of PHPshadow and the release date of that version.
Page 14 of 21
7.1
Test first
Before you encrypt your entire project and publish it, run a test with a few standalone
PHP scripts to make sure your server configuration is fine, and that PHPshadow is
compatible with your operating system and with your PHP installation.
7.2
Many PHP configurations allow error messages to show inline on the page. On a
public website you should suppress error messages from displaying on the page and
instead redirect them to a log file, which you should service regularly.
You can do this by adding the following lines to your php.ini file (or amending them if
they already exist):
display_errors = Off
log_errors = On
error_log = "path_to_log_file"
(Replace path_to_log_file with the full path to the log file, e.g. /home/logs/php.txt)
Keep the following points in mind:
!
The log file should not be inside a directory from which web files are served.
7.3
Never publish raw source code to the server. All your development files should
remain either on your workstation, or better still, on a file server on your internal
network.
When you are ready to publish, first encrypt the PHP files using the encoder tool, then
upload them to the web server.
7.4
Avoid using the o parameter with the Encoder Tool because you risk losing your
original source files if you have not saved a copy elsewhere beforehand.
Page 15 of 21
7.5
Use the d parameter with the Encoder Tool if the PHP server extension has been fully
installed on your web server.
Using this parameter will omit the dynamic extension loader from your encoded files,
resulting in slightly better performance.
Page 16 of 21
Web Hosting
8.1
The best option is a virtual private server. You are given full access to the server (i.e.
root access) and therefore installation of software such as PHPshadow is much simpler.
This option is typically more expensive than shared hosting.
8.2
Shared Hosting
Shared hosting costs less than a virtual private server, but because you do not have full
access to the server the method of installing PHPshadow is more complex. Depending
on your hosting provider, it may not be possible to install PHPshadow.
PHPshadow is certified to work with all GlowHost shared hosting plans. Visit
http://www.glowhost.com for more information.
Page 17 of 21
10
Support
10.1
We have published a list of frequently asked questions under the Support section of
the PHPshadow website.
10.2
PHPshadow comes with free email-based support. See the Support section of the
PHPshadow website to contact us.
Page 18 of 21
11
Appendices
11.1
Upload the following PHP script to your web server and browse to its URL:
<?php
header('Content-type: text/plain');
echo ini_get('extension_dir');
?>
11.2
Upload the following PHP script to your web server and browse to its URL:
<?php
header('Content-type: text/plain');
echo php_ini_loaded_file();
?>
11.3
Upload the following PHP script to your web server and browse to its URL:
<?php
header('Content-type: text/plain');
echo $_SERVER['DOCUMENT_ROOT'];
?>
Page 19 of 21
11.4
Upload the following PHP script to your web server and browse to its URL:
<?php
if (isset($_REQUEST['submit'])) {
$header = 'Content-disposition: attachment; ';
$header .= 'filename="php.ini"';
header($header);
header('Content-Type: application/octet-stream');
echo file_get_contents(php_ini_loaded_file());
}
else {
echo '<form method="post">';
echo '<input name="submit" type="submit" ';
echo 'value="Download php.ini">';
echo '</form>';
}
?>
Click the button labelled Download php.ini . Once downloaded, you can upload the
php.ini file to your web servers document root.
Page 20 of 21
11.5
Upload the following PHP script to your web server and browse to its URL:
<?php
if (isset($_REQUEST['filename'])) {
$header = 'Content-disposition: attachment; filename=';
$header .= '"'.urlencode($_REQUEST['filename']).'"';
header($header);
header('Content-Type: application/octet-stream');
$filename = ini_get('extension_dir');
$filename .= '/';
$filename .= $_REQUEST['filename'];
echo file_get_contents($filename);
} else {
if ($handle = opendir(ini_get('extension_dir'))) {
while (false !== ($filename = readdir($handle))) {
if ($filename != "." && $filename != "..") {
echo '<form method="post">';
echo '<input type="hidden" name="filename" ';
echo 'value="'.htmlspecialchars($filename).'">';
echo '<input type="submit" value="Download ';
echo htmlspecialchars($filename).'">';
echo '</form>';
}
}
closedir($handle);
}
}
?>
It will display a download button for each extension file. Once you have downloaded
all of the extension files, you can upload them to your web servers document root.
Page 21 of 21