The Clever Geek

While editing the source for a webpage that was using some open(ish)-source sode, I began searching for a particular bit of code that I couldn't find.  After scouring the source I discovered the function combo eval(gzinflate(base64_decode('random_gibberish'))); The first thing I did after finding it was change "eval" to "echo" to see if it would spit the code out... No such luck. It was done recursively so it just echo'd the same functions with a shorter line of encoded text. After doing that about 10 times I decided to see if anyone had a program to decode it. Everyone and their brother on the internet had methods it so I didn't have to reinvent the wheel.

Luckily all that was contained in the code was some simple html claiming credit to the people who made the code and some goofy design stuff, which is what I was after.

How do I encode my files like that?

The short answer is you don't because anyone with 5 minutes and access to Google can circumvent it. If you REALLY want to try it though, a few calls to eval(base64_encode()); will do the trick.

So we know it is NOT effective in obfuscating code, why use it?

The simple fact is that people just want credit where it's deserved but that's what licensing and copyrights are for. Microsoft knows that "Do not make illegal copies of this disc" isn't going to physically stop people from burning their CD's, but it's illegal no matter how much protection you put into it.

Why shouldn't I run this code?

Until you run it, you can't read through the code and find out what it does. Hopefully the people that encoded the php to be run on your webserver don't have ulterior motives (e.g. using your site as part of DDoS's, or turning it into a warez server).

If I want to protect my code what should I do?

Use something that obfuscates your files by converting them to bytecode like Zend Guard or ionCube PHP Encoder.