I'm trying to make a simple PHP encoder.

Here's what I got so far:
EDIT: See below

It doesn't really do much, just uses base64 and gzdeflate to 'encode' chunks of code.
I'm wondering, what else could I do to improve the encoding process? I've seen some other encoders (http://www.rightscripts.com/phpencode/index.php), and they seem to generate some extra code to confuse you.

I'm also thinking of using tokens to possibly obfuscate some code, and optimize it at the same time. I don't have much experience using tokens, maybe somebody could give me some tips/warnings?


Updated code:

<?php
$compressed = stripslashes($_POST['code']);

$newline = array("\r\n", "\n", "\r");
$replace = ' ';

$compressed = str_replace($newline, $replace, $compressed);


$code = token_get_all($compressed);
$new_code = "";


foreach($code as $token)
{
if ($token == ";")
{
$new_code .= $token;
}
else
{
$name = token_name(intval($token[0]));
if ($name != "T_COMMENT" &&
$name != "T_ML_COMMENT" &&
$name != "T_OPEN_TAG" &&
$name != "T_CLOSE_TAG")
{
$new_code .= $token[1];
}
else
{
//echo $name . " thrown away.
";
}
}
}

for ($i = 1; $i <= 10; $i++) {
$compressed = gzdeflate($new_code, 9);
$compressed = chunk_split(base64_encode($compressed));
$compressed = "eval(gzinflate(base64_decode('" . $compressed . "')));";
}
?>

<form method="post" action="encode.php">
<textarea style="width: 900px; height: 600px;" name="code"><?=$compressed?></textarea>


<input type="submit" value="Encode!" />
</form>

I added some code to remove comments, php open/close tags (since they don't belong in an eval expression) and new lines.

Encoding is generally considered a rather poor mechanism for protection, as any half decent programmer will quickly understand the decoding process, however it can prevent casual access to scripts.

Ideally, using PHP extensions (.so, or .dll) such as the zend encoder is far superior, however there are known problems here as well. For instance, certain zend encoder techniques have been known to fail on certain snippets of source. Plus you have the complexity of ensuring the target servers have all the correct extension(s).

Obfuscation, whilst I detest, is functional, (I once lost the original and vowed never to obfuscate my code again). However again, any half decent programmer can reverse engineer a fair bit if not all the original source with a bit of time.

Not sure of a good solution here Zeggy, personally I have extended both MySQL and PHP with hand written C functions meaning that my scripts require the extensions running on my boxes to run, but it is really up to you as to what level of protection you require.

Yes, there are of course much better solutions.
To be honest, this isn't a product I am creating, or even a free service. It's more of a programming exercise. :) Personally, I don't have any use for this, but it's interesting for me. Plus I'll learn something new!

I made also a PHP obfuscator in PHP some time ago:
http://membres.lycos.fr/robotcode/obfuscate.php
sources:
http://players.nowhere-else.org/garg/obfuscate.php.txt

To get an explanation of how it works:
http://membres.lycos.fr/robotcode/obfus ... p?HELP=YES (http://membres.lycos.fr/robotcode/obfuscate.php?HELP=YES)