A comprehensive and powerful PHP code obfuscator that provides multiple layers of obfuscation to protect your source code.
β¨ Fully compatible with PHP 8.0, 8.1, 8.2, 8.3, and 8.4
- Variable Obfuscation: Replace variable names with random names
- Function Obfuscation: Obfuscate user-defined function names
- Class Obfuscation: Obfuscate class names and their members
- Method & Property Obfuscation: Rename class methods and properties
- Constant Obfuscation: Obfuscate defined constants
- String Encoding: Encode string literals using Base64
- Comment Removal: Remove all comments from code
- Whitespace Removal: Minify code by removing unnecessary whitespace
- Base64 Wrapping: Wrap entire code in Base64 + eval() for additional layer
- Configurable Options: Fine-tune obfuscation behavior
- Collision Prevention: Smart name generation to avoid conflicts
- Error Handling: Comprehensive exception handling
- PHP 8.x Support: Full support for enums, readonly properties, named arguments, attributes, union/intersection types, and more
This obfuscator fully supports all PHP 8.x features:
- β Named arguments
- β Attributes (annotations)
- β Constructor property promotion
- β Union types
- β Match expressions
- β Nullsafe operator
- β Arrow functions (short closures)
- β Enums
- β Readonly properties
- β First-class callable syntax
- β Intersection types
- β Never return type
- β Final class constants
- β Readonly classes
- β Disjunctive Normal Form (DNF) types
- β True/false standalone types
- β Constants in traits
- β Typed class constants
- β Dynamic class constant fetch
- β Override attribute
- β Property hooks
- β Asymmetric visibility
- β New array functions
Clone this repository or download the PhpObfuscator.php and include it in your project:
git clone https://github.com/GLOBUS-studio/PhpObfuscator.gitOr download directly:
wget https://raw.githubusercontent.com/GLOBUS-studio/PhpObfuscator/main/PhpObfuscator.php<?php
require_once 'PhpObfuscator.php';
$obfuscator = new PhpObfuscator();
$obfuscated = $obfuscator->obfuscate('path/to/your/file.php', true);
$obfuscator->saveToFile($obfuscated, 'path/to/output.php');<?php
require_once 'PhpObfuscator.php';
// Example with PHP 8.x features
$code = '
<?php
enum Status: string {
case PENDING = "pending";
case APPROVED = "approved";
case REJECTED = "rejected";
}
readonly class User {
public function __construct(
private string $name,
private string $email,
private Status $status = Status::PENDING
) {}
public function getInfo(): string {
return match($this->status) {
Status::PENDING => "User {$this->name} is pending",
Status::APPROVED => "User {$this->name} is approved",
Status::REJECTED => "User {$this->name} is rejected",
};
}
}
$user = new User("John Doe", "john@example.com");
echo $user->getInfo();
';
$obfuscator = new PhpObfuscator();
$obfuscated = $obfuscator->obfuscate($code);<?php
require_once 'PhpObfuscator.php';
$obfuscator = new PhpObfuscator();
$code = '
<?php
$username = "admin";
$password = "secret123";
function authenticate($user, $pass) {
global $username, $password;
return $user === $username && $pass === $password;
}
class User {
private $name;
public function __construct($name) {
$this->name = $name;
}
public function getName() {
return $this->name;
}
}
$result = authenticate("admin", "secret123");
$user = new User("John");
echo $user->getName();
';
$obfuscatedCode = $obfuscator->obfuscate($code);
echo $obfuscatedCode;<?php
$options = [
'obfuscateVariables' => true,
'obfuscateFunctions' => true,
'obfuscateClasses' => true,
'obfuscateMethods' => true,
'obfuscateProperties' => true,
'obfuscateConstants' => true,
'encodeStrings' => true,
'removeComments' => true,
'removeWhitespace' => true,
'wrapWithEval' => true,
];
$obfuscator = new PhpObfuscator($options);
// Obfuscate from string
$obfuscatedCode = $obfuscator->obfuscate($code);
// Or obfuscate from file
$obfuscatedCode = $obfuscator->obfuscate('input.php', true);
// Save to file
$obfuscator->saveToFile($obfuscatedCode, 'output.php');<?php
// Only obfuscate variables and strings, keep everything else readable
$obfuscator = new PhpObfuscator([
'obfuscateVariables' => true,
'obfuscateFunctions' => false,
'obfuscateClasses' => false,
'encodeStrings' => true,
'wrapWithEval' => false,
]);<?php
$obfuscator = new PhpObfuscator();
$obfuscatedCode = $obfuscator->obfuscate($code);
// Get the mapping of original to obfuscated names
$nameMap = $obfuscator->getNameMap();
print_r($nameMap);| Option | Type | Default | Description |
|---|---|---|---|
obfuscateVariables |
bool | true |
Obfuscate variable names |
obfuscateFunctions |
bool | true |
Obfuscate function names |
obfuscateClasses |
bool | true |
Obfuscate class names |
obfuscateMethods |
bool | true |
Obfuscate method names |
obfuscateProperties |
bool | true |
Obfuscate property names |
obfuscateConstants |
bool | true |
Obfuscate constant names |
encodeStrings |
bool | true |
Encode string literals with Base64 |
removeComments |
bool | true |
Remove all comments |
removeWhitespace |
bool | true |
Remove unnecessary whitespace |
wrapWithEval |
bool | true |
Wrap code with Base64 + eval() |
preserveLineNumbers |
bool | false |
Preserve original line numbers (future feature) |
The obfuscator automatically protects:
- PHP reserved keywords (including all PHP 8.x keywords:
enum,readonly,match,never,from, etc.) - Magic methods (
__construct,__destruct,__serialize,__unserialize, etc.) - Superglobals (
$_GET,$_POST,$_SERVER, etc.) - Built-in classes (
stdClass,Exception,DateTime,PDO,Closure, etc.) - Magic constants (
__CLASS__,__DIR__,__FILE__,__FUNCTION__, etc.)
<?php
enum Color {
case Red;
case Green;
case Blue;
public function label(): string {
return match($this) {
Color::Red => 'Red Color',
Color::Green => 'Green Color',
Color::Blue => 'Blue Color',
};
}
}After obfuscation, the enum structure is preserved while names are obfuscated.
<?php
class Product {
public function __construct(
private string $name,
private float $price,
private readonly int $id
) {}
}The obfuscator correctly handles promoted properties.
- This obfuscator provides protection against casual inspection, not cryptographic security
- Obfuscation is NOT encryption - determined attackers can reverse it with tools
- Always keep backups of your original source code
- Test thoroughly after obfuscation to ensure functionality
- Do not rely solely on obfuscation for protecting sensitive data
- Use proper security measures like:
- Server-side validation and sanitization
- Encryption for sensitive data (passwords, API keys, etc.)
- Secure authentication and authorization mechanisms
- Regular security audits and penetration testing
- Keep PHP and dependencies updated
- Always backup original code before obfuscation
- Test obfuscated code in a staging environment first
- Version control your original code (never commit obfuscated code to VCS)
- Use selective obfuscation for better performance and debugging
- Combine with other security measures (encryption, access control, etc.)
- Document your obfuscation strategy for your team
- Monitor obfuscated code for any runtime errors
- Keep obfuscated files separate from source files
- May not work correctly with:
- Code using variable variables (e.g.,
$$varname) - Dynamic function/method calls (
call_user_func, etc.) - Reflection API intensive code
- Code that reads its own source (
__FILE__,get_defined_functions(), etc.) - Heredoc/Nowdoc strings (limited support)
- Complex namespace aliases
- Code using variable variables (e.g.,
- Performance overhead due to Base64 decoding when
wrapWithEvalis enabled - Slightly increased file size
- Debugging obfuscated code is extremely difficult
<?php
// Obfuscate everything except specific classes
$obfuscator = new PhpObfuscator([
'obfuscateClasses' => true,
'wrapWithEval' => false,
]);
// You can manually exclude classes by pre-processing
$code = str_replace('class MyImportantClass', '/*KEEP*/class MyImportantClass', $code);
$obfuscated = $obfuscator->obfuscate($code);
$obfuscated = str_replace('/*KEEP*/', '', $obfuscated);For better performance, disable features you don't need:
<?php
$obfuscator = new PhpObfuscator([
'encodeStrings' => false, // Faster execution
'removeWhitespace' => false, // Better debugging
'wrapWithEval' => false, // No eval() overhead
]);Code not working after obfuscation?
- Disable
wrapWithEvaloption and check for syntax errors - Try selective obfuscation (disable specific options one by one)
- Check for dynamic code patterns (variable variables,
eval(), etc.) - Verify that you're not using Reflection API
- Check error logs for specific issues
Fatal errors after obfuscation?
- Ensure you're not using reserved PHP keywords as identifiers
- Check for variable variables or dynamic function calls
- Look for namespace conflicts
- Verify class autoloading still works
Strings not encoded correctly?
- URLs and file paths are automatically excluded from encoding
- Check for escaped quotes in strings
- Try disabling
encodeStringsfor debugging
Performance issues?
- Disable
wrapWithEval(biggest performance impact) - Consider selective obfuscation
- Cache obfuscated files (don't obfuscate on every request)
Check out the example.php file for comprehensive examples:
php example.phpThis will demonstrate:
- Basic obfuscation
- PHP 8.x features support
- Selective obfuscation
- Name mapping
- File obfuscation
- Maximum obfuscation
- Testing obfuscated code
- PHP 8.0 or higher (recommended: PHP 8.2+)
- Tokenizer extension (usually enabled by default)
- No other external dependencies
- Works with all PHP 8.x versions (8.0, 8.1, 8.2, 8.3, 8.4)
- Attributes: Attribute class names are preserved to maintain functionality
- Enums: Enum names and case names may need to be preserved for external APIs
- Named Arguments: Will not work correctly after parameter obfuscation
- Reflection: Code using
ReflectionClass,ReflectionMethod, etc. will break - Fibers: Not tested with PHP 8.1+ Fibers
- Property Hooks (PHP 8.4): Limited support, may need manual adjustment
Contributions are welcome! Please:
- Fork the repository
- Create a feature branch (
git checkout -b feature/amazing-feature) - Commit your changes (
git commit -m 'Add amazing feature') - Push to the branch (
git push origin feature/amazing-feature) - Open a Pull Request
Please ensure your code:
- Follows PSR-12 coding standards
- Includes PHPDoc comments
- Has test cases for new features
- Doesn't break existing functionality
This project is licensed under the MIT License. See the LICENSE file for more details.
- Issues: GitHub Issues
- Discussions: GitHub Discussions
- π Fixed duplicate entries in
$magicNames - π Fixed
yield fromin reserved words (split intoyieldandfrom) - π Fixed
readonlymodifier incorrectly applied to methods - β¨ Improved string encoding with escape handling
- β¨ Better comment removal using PHP tokenizer
- β¨ Enhanced constant obfuscation to avoid over-replacement
- β¨ Added built-in PHP classes to protected names
- β¨ Improved regex patterns for better accuracy
- β¨ Added comprehensive
example.phpwith 7 use cases - π Updated documentation with troubleshooting and best practices
- π Better handling of URLs and file paths in strings
- Full compatibility with PHP 8.0-8.4
- Support for enums, readonly properties, match expressions
- Complete list of PHP 8.x reserved words
- Improved handling of typed properties and promoted constructors
- Better support for union and intersection types
- Protection of magic methods including
__serializeand__unserialize
- Added comprehensive obfuscation for functions, classes, methods, properties, and constants
- Improved string encoding
- Added configuration options
- Enhanced error handling
- Better collision prevention
- Support for superglobals and magic methods
- Initial release
- Basic variable and string obfuscation