https://stackoverflow.com/questions/16678277
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianThe answer simply reduces to: because there are dumbasses stupid enough to believe that PHP can be "securely encoded", the same way there are people stupid enough to believe that requiring a serial code for an application automatically makes it secure.
ionCube relies on a pretty simplistic implementation - XOR from start to finish, which is hardly a "security measure". It runs as a VM - and is vulnerable to all VM side-channel attacks in addition to flat-out reverse engineering (one presentation here: https://media.blackhat.com/ad-12/Saher/bh-ad-12-stealing-from-thieves-Saher-slides.pdf ). Will ionCube say so? No. Why? Because it dissuades the large majority of script kiddies.
I am not familiar with sourceguardian, but Zend is built in the same fashion, albeit a bit more secure and harder to beat than ionCube. However, whilst they're not trivial, they're not impossible to beat, either.
The following is taken from the Zend Guard page:
Encoding is a process where the PHP source code is converted to an intermediate machine readable format. This format is hard for humans to read and convert back to source code. As a result it protects your code from casual browsing. This means that if people obtain access to your site's code they will not be able to use that for unintended purposes.
In other words, if your user is not casually browsing, this will not hold up. I don't know about you, but I do not know a single non-dev who casually browses source code without the purpose of understanding it, and often, breaking it.
The same thing is true of every single DRM method around. However, they're still on the market. Why? Because, whilst they are not perfect, they're good enough to dissuade the large majority of people.
The law and final word of this is: if you build it, expect it to be broken and plan for it.
