Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:74432
Return-Path: <johannes@schlueters.de>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 89586 invoked from network); 22 May 2014 15:17:33 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 22 May 2014 15:17:33 -0000
Authentication-Results: pb1.pair.com smtp.mail=johannes@schlueters.de; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=johannes@schlueters.de; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain schlueters.de from 217.114.215.10 cause and error)
X-PHP-List-Original-Sender: johannes@schlueters.de
X-Host-Fingerprint: 217.114.215.10 mail.experimentalworks.net  
Received: from [217.114.215.10] ([217.114.215.10:57375] helo=mail.experimentalworks.net)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id B0/D2-63132-C051E735 for <internals@lists.php.net>; Thu, 22 May 2014 11:17:33 -0400
Received: from [192.168.2.31] (ppp-93-104-9-29.dynamic.mnet-online.de [93.104.9.29])
	(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	(Authenticated sender: johannes@schlueters.de)
	by mail.experimentalworks.net (Postfix) with ESMTPSA id B47ED4666D;
	Thu, 22 May 2014 17:18:29 +0200 (CEST)
To: Bas van Beek <bas@tobin.nl>
Cc: internals@lists.php.net
In-Reply-To: <537E0F97.40301@tobin.nl>
References:
	 <CAOg_pRQxKsJPgFaZ6_y7Rf1i4Bfkbx+FhCxuBtE9PWu58uOfOQ@mail.gmail.com>
	 <537DA268.1000801@tobin.nl>
	 <416063C7-D802-4AD1-938C-035F0EBC373D@googlemail.com>
	 <1400768948.2870.9057.camel@guybrush>  <537E0F97.40301@tobin.nl>
Content-Type: text/plain; charset="UTF-8"
Date: Thu, 22 May 2014 17:17:18 +0200
Message-ID: <1400771839.2870.9200.camel@guybrush>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] encode php scripts with opcache compatibility
From: johannes@schlueters.de (Johannes =?ISO-8859-1?Q?Schl=FCter?=)

On Thu, 2014-05-22 at 16:54 +0200, Bas van Beek wrote:
> > Mind that a user could simply do something like this in an
> > auto_append_file to get all scripts:
> >
> >     <?php
> >     foreach (get_included_files() as $filename) {
> >         $sourcecode[$filename] = file_get_contents($filename);
> >     }
> >     ?>
> >
> > So this ains little over using a phar file.
> Maybe I'm missing something but I don't see that happen if PHP is 
> embedded in the C++ application through its own SAPI handler which will 
> not pick up any ini directives from external php.ini files.

If you are not giving scripting access to the user so they can't execute
(well, they might attach a debugger and call zend_eval_string() etc.)
PHP code than this is ok. My response was mostly to Kevin, whom I
understood in a way as we was up to making this a general purpose
"source code hiding extension" for "normal" deployments.

johannes