I might be talking to a wall right now, although I figure someone like Val might chip in with an opinion....


What do you guys think about the slow movement of more and more PHP scripts becoming encoded and the source files protected? Do you feel this is a good movement, or is it bad for the development of a script?

Both are good. We can not decide. :)

Open Source
It is available free and you are allowed to edit the source code to customize the applications. Due to open source nature, a lot of developers can contribute to customizing it. However, some bad developers may develop malware plugins or themes that may harm the application installations and visitors' computers. Open source are just good if you use latest versions + install the addons and themes only from the trusted community members.

Encoded
It is equally necesary to encode the high end PHP applications so that they can not be modified or reversed engineered. As vendor company may have utitized a massive developer hours to build the application. So, they need to keep the logic propritery so that other companies can not use, modify or reditribute it.


Good points, but you point out exactly why I do not use encoded software. You cannot modify or extend it. I like to build powerful tools and extensively modify scripts that I buy, encoding prevents this, and keeps every website looking exactly the same.

Good points, but you point out exactly why I do not use encoded software. You cannot modify or extend it. I like to build powerful tools and extensively modify scripts that I buy, encoding prevents this, and keeps every website looking exactly the same.

This is a limitation of the application you are using. Usually a script would be encoded if it is a commercial one and even then, most of the files should be left unchanged (an example would be vBulletin), but the very file which checks the license and possibly the file(s) which includes some of the most important functions and classes. If the script is fully encrypted it is really unusable by a developer/designer, since one will most probably want to tweak it a little bit to fit their exact needs.

On the other hand, as noted by thewebhostingdir, open source code is not really secure. Should you make the smallest mistake, someone is bound to find it sooner or later and eventually exploit it.

If you are developing a script yourself and you are wondering should you encrypt it or not -- I would vote for not. It's cheaper and it does not require any additional software installed on the hosting machine.

This is a limitation of the application you are using. Usually a script would be encoded if it is a commercial one and even then, most of the files should be left unchanged (an example would be vBulletin), but the very file which checks the license and possibly the file(s) which includes some of the most important functions and classes. If the script is fully encrypted it is really unusable by a developer/designer, since one will most probably want to tweak it a little bit to fit their exact needs.
Yes, this is what most scripts have always done, but there are still a few scripts I have used at times that just encode the entire thing.




On the other hand, as noted by thewebhostingdir, open source code is not really secure. Should you make the smallest mistake, someone is bound to find it sooner or later and eventually exploit it.
I agree and disagree on that. Having your code being open does allow others to see where your exploits are, but it also allows them to be patched faster. If your code is protected, and an exploit is found, it takes repackaging the entire thing and making everyone re-download it. The development cycle is much slower than how a company like IPS does their security fixes, by posting the code change.





If you are developing a script yourself and you are wondering should you encrypt it or not -- I would vote for not. It's cheaper and it does not require any additional software installed on the hosting machine.
Yes, I have developed a script that is in the middle of a basic CMS and a WYSIWYG file editor. It allows users to upload photos, edit files, manage user accounts, etc etc. I want to protect it from being "stolen" so to speak, I just have not figured out how I will go about doing that. Unlike companies like Jelsoft, I do not have the resources to police piracy.

Visitors only see the output of your code and not the files themselves. If you don't want them to investigate your code, then simply don't provide it to them. On the other hand, if they can access it this means that you have written it bad and there are security issues in it.

In addition, if you provide encoded application to a customer/visitor s/he will have to use the same encoding engine on his/hers hosting account as yours in order to run the application. In my opinion that's inconvenient.

Last but not least, encoding your code makes it more difficult for someone else rather than you to troubleshoot a potential bug.

In conclusion whether encoding should be used or not depends on the particular script. Unfortunately there is no straight forward answer to this question.