I was asked recently by someone to investigate the security offered by obfuscation scripts such as the one at http://www.rightscripts.com/phpencode (also available as a paid-for download)

Obviously anything which relies on PHP itself to ‘encode’ the script, must have the means of decryption built into the script - if it doesn’t then it wouldn’t run.

Around 5 lines of code later, and you have this … http://www.iross.net/phpdecode … a simple proof of concept which reverses the code generated by http://www.rightscripts.com/phpencode (and one or two other sites that work in a similar way)

So is there any way to really secure your PHP code? Yes, systems such as IonCube or the ByteCode encoder which require a ‘loader’ to be installed on the server are substantially more secure as the code is compiled rather than just obfuscated - these provide a secure option

Of course, all my own freelance web development clients get the source code without any sort of obfuscation - since they have paid for it!