What to use to protect php code security? screw plus can!

https://github.com/del-xiong/screw-plus

http://git.oschina.net/splot/php-screw-plus

screw plus is an open source PHP extension, which is used to encrypt PHP files. There are many PHP encryption services on the Internet, but most of them are only obfuscated level encryption. If someone gets the encrypted file and asks if you have enough patience, you can crack it. The difference is that screw plus uses extensions to encrypt and decrypt, and it is a high-strength AES256 encryption popular in the global financial industry. Unless it is cracked server, otherwise the encrypted file will be just a bunch of garbled code if the hacker gets it.

The same encryption level includes ioncube and the official zend guard, but both of them are charged. The cost of at least several thousand yuan a year is not It's worth trying for ordinary developers, and with screw plus, you don't need to spend a penny more.

The following uses the LNMP one-click installation environment as an example to demonstrate the configuration of screw plus

First clone a copy of the code to the server

git clone https://git .oschina.net/splot/php-screw-plus.git

Enter the project directory, and then execute the phpize file of php. phpize is an officially provided executable file for Dynamically generated extension development environment, generally found in the bin directory of PHP. lnmp's phpize is in /usr/local/php/bin/phpize

/usr/local/php/bin/phpize

Configuring for :

PHP Api Version: 20100412

Zend Module Api No: 20100525

Zend Extension Api No: 220100525

After successful execution, you can see the current php api version, extended api version, etc. The next step is to start configuration. The configuration command is ./configure --with-php-config=[php-config], [php-config] is usually also in the bin directory of php, just write the absolute path.

./configure --with-php-config=/usr/local/php/bin/php-config

If no error is reported, explain the configuration If successful, you can start the next step of compilation.

Before compiling, we can modify the encrypted key. Open php_screw_plus.h and you can see that the beginning is #define CAKEY "..." and change the value inside to a complex enough one. key, preferably more than 16 digits, for example: 9mqss6q7WsBpTMOZ

vi php_screw_plus.h

After the modification is completed, start compiling directly and execute the make command. If the last Build complete is displayed. It means that the compilation is successful and the extension is in modules. If an error is reported, please fix it according to the prompts, then make clean and recompile.

make

...

Build complete.

What we compiled above is the decryption program, and the encryption The program also needs to be compiled manually. Just enter the tools directory and execute the make command. If no errors are reported, the extension is completely compiled.

cd tools/

make

Then you need to add the extension path to php.ini. You can copy modules/php_screw_plus.so You can also directly add the absolute path to the ini when you go to the PHP extension directory. I generally prefer the absolute path so that after modifying and compiling the extension, there is no need to copy it again.

vi php/etc/php.ini

Add absolute path for example

extension=/home/php_screw_plus-1.0/modules/php_screw_plus.so

Then restart the php service. At this time, you can put a php file to output the phpinfo information. If you see the following prompt, the extension has taken effect.

The last step is the encryption process.

In the extended tools directory, execute ./screw [path]. [path] can be a single file or a folder, and then encryption can be achieved.

#After the encryption is completed, check the source code. You can find that except for the first few English characters, the rest are garbled.

But when I open the website, php runs normally, as if there is no encryption. After testing, the decryption speed is about 100M per second, and the performance loss to PHP itself is very small, generally less than 20 milliseconds.

Screw plus also has a function that prevents the execution of unauthorized php files, so that even if the hacker uploads the code, he will still be vulnerable.

Similarly modify in php_screw_plus.h, change the value after STRICT_MODE to 1, then make clean && makerecompile and restart php, and then open the previously encrypted website, the execution is normal, but if we upload a clear text php file at will, the result is blank.

The reason is that the unencrypted php file header does not contain the identification key, and the extension will return empty content. Even if a hacker obtains the key and adds it, it will be useless. The content will be decrypted into garbled code and still cannot be executed. With the protection of screw plus, even if the entire website is downloaded or malicious code is uploaded, it will not cause damage to the website.

Recommended learning: "PHP Video Tutorial"

The above is the detailed content of What to use to protect php code security? screw plus can!. For more information, please follow other related articles on the PHP Chinese website!