At 18:51 25/02/2003, Thomas Johnsson wrote:
>1. Zend does not have a way to decode a php file that was encoded
>using Zend Encoder.
> (For those of you paying attention to details, note the word "decode",
> not "decrypt". Zend Encoder does not encrypt. US gov't lawyers, please
> take note :)

Are you not allowed, according to US laws, to encrypt files using something
like the Zend Encoder, if that was a feature?

No, it was more of a joke :) The reason the Zend Encoder does not use encryption is that it would be quite useless, as the file would have to be decrypted when it's loaded. It would then be relatively easy for a malicious hacker to take a look at the decrypted data.
Instead, the contents of encoded files are simply not very meaningful to anything but the Zend Engine and Optimizer, so even if you get a hold of the data, you would still be far away from the source code.


>2. Even the inherent knowledge that Zend has about our own product
>would not enable us to access encoded software. At most, we
>theoretically could develop code that could access some of the string
>elements in a script, but definitely not any actual code.  (As a
>comparison,
>it would be like looking at a .EXE file in Windows, but even more
>convoluted.)
>Needless to say, even this minor capability has never and will never be
>developed or utilized by Zend.

So, an encoded script does not decode to plain text and then execute?

It certainly does not. There are products in the market in which the data does get restored to the original plain text in runtime, but they are inherently insecure. With Zend encoded files, the original plain text is gone for good.


>3. Zend Encoder is the most secure way to deliver php code. That said, no
>protection scheme is absolutely 100% protected.

What is the actual difference between Zend Encoder and say ioncube
(http://www.ioncube.com), security-wise?

I'm not familiar with the internals of the ioncube products, so I can't really answer that. I do know Zend pretty well, and nobody knows the engine as well as the ones who wrote it, so I stand behind Brad's statement :)


Zeev


-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php


