How do I protect central PHP code, while still allowing it to be included from client directories

StackOverflow https://stackoverflow.com/questions/10974681

  •  13-06-2021

Question

We have several different client directories (each its own domain) that include/require the central app from a different location on the server. Basically each domain is an extension of the centralized code, but very lean because all the main code doesn't need to be duplicated.

If we wanted to give clients/resellers access to editing their own PHP codes, how would we prevent them from reading the central code that we wish to protect?

Basically we want to prevent them from creating some code that opens, reads, TARs, or somehow outputs the source code, but we must still allow the include.

open_basedir() does almost this; it prevents the opening of the code, but in doing so it also prevents the include.

Are code encryption solutions (e.g. Zend Guard) our only options, or is there a way like open_basedir() that allows includes? I've also thought about disabling all the read functions and writing my own that checks the source.

Thoughts?


Solution 3

I ended up using Smarty to give limited capabilities to clients (templating), while keeping the PHP secure.
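The following sketch is an added example, not part of the original answer and not the poster's code. It shows one way to lock client templates down with a Smarty security policy, assuming Smarty 3.1 or 4.x installed via Composer; the class name `ClientTemplatePolicy`, the function `renderClientTemplate` and all paths are hypothetical.

```php
<?php
// Added example. Assumes Smarty 3.1/4.x; class name and paths are hypothetical.
require __DIR__ . '/vendor/autoload.php';

class ClientTemplatePolicy extends Smarty_Security
{
    // No extra template directories: only the configured template dir is readable.
    public $secure_dir = array();
    // No directory is trusted for PHP scripts or remote URIs.
    public $trusted_dir = array();
    public $trusted_uri = array();
    // Whitelist of PHP functions callable in template expressions.
    // file_get_contents(), readfile(), exec() etc. are absent, so they fail to compile.
    public $php_functions = array('isset', 'empty', 'count');
    // Whitelist of PHP functions usable as modifiers.
    public $php_modifiers = array('escape', 'nl2br');
    // null (not an empty array) disables all static class access and all streams.
    public $static_classes = null;
    public $streams = null;
    // Hide PHP constants and $_SERVER/$_ENV/... from templates.
    public $allow_constants = false;
    public $allow_super_globals = false;
}

function renderClientTemplate(string $clientId, string $template, array $vars): string
{
    $smarty = new Smarty();
    // Clients may edit files here; these are templates, never PHP.
    $smarty->setTemplateDir('/srv/clients/' . $clientId . '/templates');
    // Compiled templates are PHP files, so keep them outside anything a client can write.
    $smarty->setCompileDir('/var/cache/smarty/' . $clientId);
    $smarty->escape_html = true; // HTML-escape variable output by default
    $smarty->enableSecurity(new ClientTemplatePolicy($smarty));
    $smarty->assign($vars);      // only data the central app chooses to expose
    return $smarty->fetch($template);
}

try {
    // Constructed sample call: client id, template name and data are illustrative.
    echo renderClientTemplate('example-client', 'page.tpl', array('title' => 'Hello'));
} catch (SmartyException $e) {
    // Raised, for instance, when a template uses a function outside the whitelist.
    error_log('Rejected client template: ' . $e->getMessage());
}
```

With this layout the central PHP code is only ever executed by the central app itself; clients supply templates and receive assigned variables, so no client-editable file is interpreted as PHP.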

OTHER TIPS

The answer is no, you cannot give the "read" permission and prevent them from reading... If they can "include" the code, they can also write a simple PHP script that reads your central app files and prints the content to the screen, for example.

I believe you cannot restrict reading if you allow reading globally; however, you could filter the access to your site in the .htaccess file with %{REMOTE_HOST} or similar. Basically, if you are able to identify your clients from their remote locations by IP or URL, then I believe you can restrict reading specific directories based on who is accessing the site. Can you give me an example of your PHP code for the reseller access to your side?

Licensed under: CC-BY-SA with attribution