Skip to content

Security - PHP Protection

During the compilation stage, ExeOutput for PHP compresses and encodes source files into the final executable file. The EXE file cannot be unpacked with an archiver like WinRar or 7-Zip. When you run the compiled website, files such as PHP, HTML pages, images, JavaScript... are never unpacked to the hard disk: therefore, it is not possible to copy them for the average end user.

Since PHP scripts must be unpacked to memory in order to be interpreted by the PHP runtime, it may be possible for a skilled hacker to extract portions of compiled PHP files. To make this task even more complicate and time-consuming, ExeOutput for PHP includes some security measures.


It is strongly recommended not to include private passwords, database login info or security sensitive information in applications compiled with ExeOutput for PHP and released to public. Use encryption, server authentication, HEScript calls... Or at least, use the string protection feature.

Moreover, ExeOutput for PHP provides you with additional security options for sensitive PHP scripts.

These options are global. Since they shouldn't be applied to all PHP scripts, you must mark the PHP scripts that should be protected thanks to the Protection Marks - available in File Properties (Security tab) in the File Manager:

PHP Mark Files

Encode marked PHP files with internal protection system

ExeOutput for PHP encrypts the PHP source file so that it doesn't appear in clear in memory, though the PHP script remains functional.

Encoding is performed while ExeOutput for PHP compresses files. Original files are not replaced: files are encoded to memory and then compressed into the final EXE.


The internal protection system may not work with all PHP files. In that case, ExeOutput for PHP may fail to properly make conversions. If an error occurs, it is logged in the compilation log and ExeOutput for PHP compiles the original php source file.

Do not cache marked PHP files into memory

PHP scripts are unpacked to memory in order to be interpreted by the PHP runtime. Since some PHP scripts may be required several times (includes for example), the runtime module will cache them in memory. This means that they remain in memory until the cache is full or the application is closed. The application is thus more responsive, since the decompression step is skipped.

This option lets you decide which PHP scripts should not be kept in memory after execution. Note that in this case, the application will always have to decompress non-cached php scripts each time they are requested by the php runtime.