Security - Global Protection

To view your compiled PHP website, end users have to launch the .exe file: it is not possible to unpack a compiled application using a file archiver (like Zip/Unzip tools). Ensure to make a backup of your source files because once an application is compiled, you cannot extract source files from it anymore.

Applications built with ExeOutput for PHP feature several security options that you can configure using this page.

See also additional security options and recommendations for PHP files.

Global Password

If you wish to restrict the access to your application, you can password protect it: end users will be prompted for the password before the application starts. If the password entered is incorrect, then an error message is displayed (given by SInvalidPassword resource string) and the application closes immediately.

You can also customize the behavior of the application when the password is incorrect thanks to the HEScript UserMain.OnInvalidPasswordAtStartup Boolean event. The application invokes this event if the password provided by the user is incorrect. If you set the result of this event to True, the application does not exit.

function OnInvalidPasswordAtStartup: Boolean;
Result := True;

In order to create a set of acceptable passwords that can be unique, when distributing to a set of customers, wild card characters are accepted. Thus, you can set up the following global password: 123-4**-A** (and so any character can be input for the wildcard place holder).

Allowed wild card characters

  • # digit (0..9)

  • _ single character (a..z) and (A..Z)

  • * any character.

ExeOutput for PHP comes with a password generator that lets you create lists of random passwords based on the provided mask.

password generator

Choose the number of passwords to create and click Generate.

Set a global expiration date

If you would like your application to expire after a specific date (it does not run anymore), then just select the expiration date you want. After that date, applications will display anĀ error message (given by SPublicationExpired resource string) and close immediately. Changing the system clock will not modify the expiration state.

When testing your application on your own computer, you can remove the expiration state by clicking "Clear expiration info". This function will only work if the application has expired.

Finally, you can also customize the behavior of the application when the expiration date is reached thanks to the HEScript UserMain.OnExpiredapplication Boolean event. The application invokes this event and if you set its result to True, the application does not exit.

function OnExpiredapplication: Boolean;
Result := True;

Check application size at startup

When an application is downloaded from the Internet, if the download was not successful, this may result in a truncated file. In this case, running non-complete applications may not be safe. To prevent truncated downloads or size-modified application files, you can enable this option. When turned on, it forces the application to check its size. If the size is not the same as it was when the application was built, an error message is displayed.

Note that this option is superseded by digital signatures. If you have the necessary Authenticode files a code signing certificate), then it is even better to sign your application.


The PRINT SCREEN key allows Windows users to capture the whole screen to a bitmap, called a screenshot. This screenshot is then saved to the Clipboard and users can paste the result in any word processing tool or image editor. If you would like to disable this function, just turn on "Disable Print Screen": pressing the key won't take screenshots anymore when the application is running.


  • This function, however, does NOT stop screen capture tools.

  • Some programs (such as these capture tools) may also try to override the Print Screen hotkey. In this case, there may be conflicts.

Only one instance of the application can be run at a time

Enable this option to make sure that only one instance of your application executes. If the user tries to run a second instance, it immediately exits and the previous instance gets enabled and visible.

Moreover, command-line arguments are directly passed to the running instance: this feature is useful for help files as it lets you change the current topic for instance without having to close and start another instance of the application.

Do not hide virtual files in open/save dialog boxes

By default, ExeOutput for PHP will set the hidden attribute for all virtual files in the "Data" subfolder (refer to Accessing Source Files from PHP). Thus, these files will not appear in the open/save dialog boxes invoked when you choose a file to upload for instance.

For some reason, if you want these files to appear, then enable the option "Do not hide virtual files in open/save dialog boxes". However, please note that virtual files could be copied to real folders from the open/save dialog boxes (though you can encrypt your PHP source files).

Note: you can also try the option Use an absolute path for the virtual "Data" subfolder.