PHP Settings - String Protection

Since PHP scripts must be unpacked to memory in order to be interpreted by the PHP runtime, it may be possible for a skilled hacker to extract portions of compiled PHP files, and gain access to any string available in PHP code, especially private passwords, database login info, etc... stored in plain text. To make this task more complicate and time-consuming, ExeOutput for PHP includes a string protection feature.

The String Protection feature allows you to hide string constants used throughout your application by replacing them in your PHP code by a call to a custom PHP function. Thus, strings do not appear in plain text in your PHP code.

To use this feature, you define the strings you want to protect in the PHP Settings -> String Protection page. Each string gets a unique identifier. After that, replace all strings with a call to the PHP function and the corresponding identifier.

The prototype of the PHP function to be called is:

string exo_get_protstring ( string $stringid );

For instance, we have a password "My Secret Password" whose identifier is "str1". The PHP function name is exo_get_protstring.

String protection

Instead of using this php code that contains the password in plain text:


$pass = 'My Secret Password';

echo ("The password is: $pass");

we use the following code:


$pass = exo_get_protstring('str1');

echo ("The password is: $pass");


Advice: you should use meaningless identifiers for strings.

The Comments button lets you associate an optional comment to the selected string. It is not compiled into your application.