In other words, if your user is not casually browsing, this will not hold up. This means that if people obtain access to your site's code they will not be able to use that for unintended purposes. As a result it protects your code from casual browsing. This format is hard for humans to read and convert back to source code. The following is taken from the Zend Guard page:Įncoding is a process where the PHP source code is converted to an intermediate machine readable format. However, whilst they're not trivial, they're not impossible to beat, either.
I am not familiar with sourceguardian, but Zend is built in the same fashion, albeit a bit more secure and harder to beat than ionCube. Why? Because it dissuades the large majority of script kiddies. It runs as a VM - and is vulnerable to all VM side-channel attacks in addition to flat-out reverse engineering (one presentation here: ).
IonCube relies on a pretty simplistic implementation - XOR from start to finish, which is hardly a 'security measure'. The answer simply reduces to: because there are dumbasses stupid enough to believe that PHP can be 'securely encoded', the same way there are people stupid enough to believe that requiring a serial code for an application automatically makes it secure.
