Boycott Ioncube

November 19, 2005     

IonCube is a company that sells source-code protection for PHP products. Since PHP is normally run as a plain interpreted language, with the source readable on the server, ioncube's encoder compiles your PHP code into an obfuscated and (supposedly) optimized bytecode format that only its loader can execute. They also have a license generator and several other peripheral tools. Basically everything needed to sell your PHP product with the source hidden and a license enforced.

I’m sure there’s a large market for this kind of thing. If piracy is a significant problem for your company, ioncube can offer some peace of mind to restless CEOs. If a product is a standalone, install-and-forget web application, then maybe they can even get away with it. But for products expected to interoperate with other PHP code on a website, using ioncube is a big business risk.

I recently had the displeasure of integrating an ioncube-protected shopping cart system into an existing client website. Keep in mind that the purpose of this particular shopping cart was to be integrated with another website. As a result, 99% of the PHP code is unencrypted, but the whole engine is locked down via a central protected security class which is nefariously woven throughout the rest of the code base.

Ioncube works by means of a loader extension: a native shared library that has to be present in the PHP process before any encoded file can run. It can be pulled in at runtime with the dl() function, which loads a shared object from extension_dir into the web server process, or, if that’s not available (eg. under safe_mode, which disables dl()), it has to be added to the php.ini file and the server restarted.
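As an added example (this is not code from the original post or from ionCube), here is how an install script can handle the two ways of getting the loader into the process: check whether it is already present, attempt dl() only where the runtime permits it, and otherwise print the php.ini change an administrator needs. It also refuses a loader whose file name says it was built for a different PHP release than the one running, which is the kind of mismatch that produces baffling symptoms. Assumptions, since the post does not state them: the extension registers under the module name 'ionCube Loader', loader files follow the ioncube_loader_<os>_<major.minor>.so naming pattern, the php.ini directive is zend_extension, and the loader path at the bottom is a made-up sample.

```php
<?php
// Added example, not code from the original post or from ionCube.
// Brings the ionCube loader into this PHP process if the runtime allows
// it, and reports what to do when it does not.
//
// Assumed (labelled because the post does not state them):
//   - the loader registers as an extension named 'ionCube Loader';
//   - loader files are named ioncube_loader_<os>_<major.minor>.so, so the
//     PHP version a loader was built for can be read from its file name;
//   - the php.ini directive for the loader is zend_extension.

define('IONCUBE_EXT_NAME', 'ionCube Loader');   // assumed module name

// Interpret a boolean php.ini value robustly: ini_get() hands back the
// raw string, which may be '1', '', '0', 'On', 'Off', etc.
function ini_bool($name)
{
    $v = strtolower(trim((string) ini_get($name)));
    return !in_array($v, array('', '0', 'off', 'no', 'false', 'none'));
}

// "major.minor" of the PHP that is running this script.
function php_major_minor()
{
    $parts = explode('.', PHP_VERSION);
    return $parts[0] . '.' . $parts[1];
}

// "major.minor" a loader file was built for, from its name (assumed
// naming pattern), or '' if the name carries no version.
function ioncube_loader_target_version($loader_file)
{
    if (preg_match('/_(\d+\.\d+)\.(so|dll)$/', basename($loader_file), $m)) {
        return $m[1];
    }
    return '';
}

// Returns one of: 'already_loaded', 'loaded_via_dl', 'version_mismatch',
// 'dl_unavailable', 'dl_failed'.
function ioncube_loader_status($loader_file)
{
    if (extension_loaded(IONCUBE_EXT_NAME)) {
        return 'already_loaded';
    }

    // A loader compiled for another PHP release is the situation that
    // produces bizarre runtime behaviour instead of a clean error; refuse
    // it up front rather than debug the symptoms later.
    $target = ioncube_loader_target_version($loader_file);
    if ($target != '' && $target != php_major_minor()) {
        return 'version_mismatch';
    }

    // dl() maps native code into the web server process. safe_mode turns
    // it off, and hosts may also set enable_dl=Off; in both cases only
    // php.ini can add the extension.
    if (!function_exists('dl') || ini_bool('safe_mode') || !ini_bool('enable_dl')) {
        return 'dl_unavailable';
    }

    // dl() only looks inside extension_dir, so pass the bare file name.
    if (@dl(basename($loader_file)) && extension_loaded(IONCUBE_EXT_NAME)) {
        return 'loaded_via_dl';
    }
    return 'dl_failed';
}

// The php.ini line an administrator needs when dl() is not an option
// (assumed directive; check the loader's own README for the current one).
function ioncube_php_ini_directive($loader_file)
{
    return 'zend_extension = ' . $loader_file;
}

// Sample loader path, constructed for this example.
$loader = ini_get('extension_dir') . '/ioncube_loader_lin_4.3.so';
$status = ioncube_loader_status($loader);
echo "ionCube loader: $status (PHP " . PHP_VERSION . ")\n";
if ($status == 'dl_unavailable' || $status == 'dl_failed') {
    echo "Add to php.ini and restart the web server:\n  "
       . ioncube_php_ini_directive($loader) . "\n";
} elseif ($status == 'version_mismatch') {
    echo "Loader built for PHP " . ioncube_loader_target_version($loader)
       . " but this is PHP " . php_major_minor() . "; get the matching loader.\n";
}
```

Run it from the shopping cart's install script before any encoded file is included. The version check is the part worth keeping even if everything else is replaced by the vendor's own helper: a loader is native code that is trusted with the whole web server process, and the only thing standing between a working site and silent corruption of every request is that its build matches the PHP actually running.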

When I ran the install script several bizarre bugs surfaced. The most obvious being that all variables were suddenly wrapped in arrays! Needless to say, the code did not work in the least; worse yet, the error messages were useless. Fortunately I had installed the loader server-wide, so when my own code stopped working too it was obvious what had happened. Without this lucky circumstance I could have spent hours tracking down the problem.

How could such an egregious bug go unnoticed? The loader is specific to PHP version and server platform, and this bug happened to exist in the PHP 4.3 Mac OS X build of the ioncube loader. Fortunately ioncube had an updated loader that fixed the problem, but you wouldn’t expect to have to patch a commercial product’s third-party components yourself.

Once I got the software working, the troubling task of customization began. Working with PHP I’m accustomed to looking at code to figure out how it works, but in this case all code led back to the mysterious encrypted kernel class. Usually blackbox code comes with some sort of documentation or at least a well-defined API. In this case it was more of a grey box approach with unlabeled wires sticking in and out all over the place; the worst of both worlds. Now, some 40 hours of painful experimentation and tweaking later, I have a customized shopping cart, but was it worth it?

It’s a shame, because the software I bought had a lot going for it:

  • Clean architecture, good codebase.
  • Comprehensive skinning via Flexy templates.
  • Understandable database schema.
  • Easy installer.
  • Helpful tech support.
  • Good end-user documentation.
  • A wide range of add-on modules.

Unfortunately none of this matters in a product built for customization if the code cannot be understood. The choice to include ioncube encryption alone is what makes me unable to recommend this product. The question is, would they lose more from piracy than they are losing from crippling their software?

cliffclof says…
February 1, 2011 at 4:43PM

I agree, IONCUBE BLOWS! Never support anything that uses it. Please boycott IonCube Loader.