Security - PHP Protection
Since PHP scripts must be unpacked to memory in order to be interpreted by the PHP runtime, it may be possible for a skilled hacker to extract portions of compiled PHP files. To make this task more complicated and time-consuming, ExeOutput for PHP includes some security measures.
It is strongly recommended not to include private passwords, database login information or other security-sensitive information in applications compiled with ExeOutput for PHP and released to the public. Use encryption, server authentication, HEScript calls and so on. Or, at the very least, use the string protection feature.
Moreover, ExeOutput for PHP provides you with additional security options for sensitive PHP scripts.
These options are global. Since they shouldn't be applied to all PHP scripts, you must mark the PHP scripts that should be protected using the Protection Marks, available in File Properties (Security tab) in the File Manager.
Encode marked PHP files with internal protection system
ExeOutput for PHP encrypts the PHP source file so that it doesn't appear in clear text in memory, though the PHP script remains functional.
Encoding is performed while ExeOutput for PHP compresses files. Original files are not replaced: files are encoded to memory and then compressed into the final EXE.
The internal protection system may not work with all PHP files. In that case, ExeOutput for PHP may fail to convert the file properly. If an error occurs, it is logged in the compilation log and ExeOutput for PHP compiles the original PHP source file.
Do not cache marked PHP files into memory
PHP scripts are unpacked to memory in order to be interpreted by the PHP runtime. Since some PHP scripts may be required several times (includes for example), the runtime module will cache them in memory. This means that they remain in memory until the cache is full or the application is closed. The application is thus more responsive, since the decompression step is skipped.
This option lets you decide which PHP scripts should not be kept in memory after execution. Note that in this case, the application has to decompress non-cached PHP scripts each time they are requested by the PHP runtime.