Question

I am now working on a PHP project (Internet shop) that will possibly deal with storing customer credit card information locally. So I was thinking, among other things, about encrypting PHP files with IonCube, especially those containing settings (encryption/decryption key, IV) for a symmetric encryption algorithm. So I'm not sure if it will add an extra layer of security or not, since it appears IonCube-encrypted files and similar solutions can be decrypted. Thank you!

Solution

IonCube is not a suitable solution here. If you encode a file which contains something along the lines of:

<?php $SecretValue = "xyzzy"; ?>

It's still trivial to recover the secret value:

<?php require("encoded.secrets.php"); print $SecretValue; ?>

So the IonCube encoding is basically worthless here.

Other tips

ionCube and Zend are fine for code protection, and even if some decompilation service produced usable code from an encoded file, this would typically do little if anything to diminish the benefits from encoding and license enforcement, and may even result in increased revenue in the longer term for the software provider.

Data hiding, however, is entirely different. Keep in mind that PHP and all of the associated library wrappers, plus the libraries themselves, are open source and therefore easily modified. Data sent into and returned from any PHP function can be easily exposed by simple changes to the PHP internals. Want to see the database password to MySQL? Just modify the mysql_connect() wrapper or the underlying MySQL library and log the details. Some encoding systems, for example ionCube, can encrypt non-PHP files and then decrypt at runtime via closed source routines in their runtime component, which may in some cases provide some benefits over the open source PHP routines such as mcrypt.

duskwuff is not entirely incorrect with the example cited, as in some systems, ionCube for example, it is possible to protect files from being included by non-encoded files, or files encoded by a different copy of the Encoder, through a mechanism called "include attack protection". Nonetheless, storing sensitive data in variables, particularly globals, is a poor approach, and it would be better to have such data returned by a function with a misleading name and that perhaps performs differently unless called in a particular way, e.g. a function called mytime() that does return the time unless called with a "magic" value.

If you're going to encode/encrypt your files, Zend Guard is supposed to be one of the best, but as others have said, if they can get to your files that's the least of your worries.

License: CC-BY-SA with attribution
Not affiliated with StackOverflow