Hello Steve,

Saturday, February 01, 2003, 6:54:09 PM, you wrote:

SM> I have also developed a small application, written in php4 on linux/apache,
SM> that I hope to license as well. However, my first concern is how easy is it
SM> for someone to "see" my server-side code if given use of it? How would a
SM> knowledgeable hacker go about exposing my code, and how do I prevent it?

Anyone who has access to the web server can see your PHP code. You see, in
order for PHP scripts to execute, Apache must have permission to read
them. And using a simple fopen() I can open *any* file on the server.
safe-mode helps a bit, restricting the use of some functions and
trying to lock you in your home directory, but it also makes PHP
scripting really hard. About a year ago I messed with some local
forums, getting admin privileges and deleting my IP address from the
base, for the mere cost of getting the simplest PHP-enabled account on the
same host as the forum.

You can really *hide* your code by using Zend Encoder. It will also
optimize your scripts so they will run MUCH faster. But it is not
free, though. Scripts optimized by Encoder will run only if you have
Zend Optimizer installed on the server. It's free.

You can also try to obfuscate your scripts by using non-meaningful var
names, like $v1, $v2, $v3 instead of $username, $password, $page, and by
using complex constructs. An advanced programmer will still
understand the logic, but to an advanced programmer it will probably be a
lot easier to write his own script than to try to understand yours :-)
(BTW, I've never seen PHP obfuscator scripts, maybe I should write one)



-- 
Best regards,
 German                            mailto:[EMAIL PROTECTED]
 ICQ:48533867
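The variable-renaming obfuscation described in the message, as an added example that is not code from the original post or from any of the tools it mentions: it uses PHP's tokenizer extension (token_get_all, PHP 5.3+ for the nowdoc sample) to rename every user variable consistently to $v1, $v2, ... while leaving superglobals and $this alone; the sample login snippet is constructed for the example.

```php
<?php
// Added example (not from the original message): a minimal variable-name
// obfuscator built on PHP's tokenizer extension (token_get_all).
// It renames every user variable consistently to $v1, $v2, ... across the
// whole file, which is the renaming the message describes.
// Limitations inherent to this approach: it must NOT rename superglobals or
// $this, and it breaks code that refers to variables by name at run time:
// variable variables ($$name), compact(), extract(), get_defined_vars(),
// or "${name}" string interpolation.
// Obfuscation only slows a reader down; anyone who can read the file on
// the server can still read it.

function obfuscate_variables($source, $keep = array())
{
    $reserved = array('$this', '$GLOBALS', '$_SERVER', '$_GET', '$_POST',
        '$_FILES', '$_COOKIE', '$_SESSION', '$_REQUEST', '$_ENV');
    $keep = array_merge($reserved, $keep);
    $map = array();   // original name => obfuscated name
    $out = '';
    foreach (token_get_all($source) as $token) {
        if (is_array($token) && $token[0] === T_VARIABLE
            && !in_array($token[1], $keep, true)) {
            if (!isset($map[$token[1]])) {
                $map[$token[1]] = '$v' . (count($map) + 1);
            }
            $out .= $map[$token[1]];
        } else {
            // Every other token (keywords, strings, whitespace, punctuation)
            // is copied through unchanged, so the script still parses.
            $out .= is_array($token) ? $token[1] : $token;
        }
    }
    return $out;
}

// Constructed sample input: a login check like the one in the message.
$sample = <<<'PHP'
<?php
$username = $_POST['username'];
$password = $_POST['password'];
if (check_login($username, $password)) {
    $page = "welcome.php";
}
echo "Hello, $username";
PHP;

echo obfuscate_variables($sample);
```

Variables are numbered in order of first appearance, and a $name inside a double-quoted string is a T_VARIABLE token too, so it is renamed consistently with the rest of the script.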



____ • The WDVL Discussion List from WDVL.COM • ____