Any good free PHP obfuscators out there?

         

smithaa02

4:29 pm on Apr 12, 2010 (gmt 0)

10+ Year Member



I have to put a proprietary PHP script on an enemy server in which I know it is going to be copied and used against our company.

I was hoping to obfuscate the PHP, any ideas? The freebies I saw didn't scramble the content and string literals in the code (they just scrambled the function and variable names and tightened up the source code), which is not secure enough. Zend would be nice, but I can't be sure this server I will be uploading to will have that module (or any other scrambling module).

Any tricks? In theory PHP can use eval(), so I would think the content could be one large garbled encrypted string (one way) that gets dumped into an eval() statement...?

Any help on this subject would be appreciated.

CyBerAliEn

8:26 pm on Apr 12, 2010 (gmt 0)

10+ Year Member



>> I have to put a proprietary PHP script on an enemy server in which I know it is going to be copied and used against our company.


Maybe I'm the only one... but this just seems outright nonsense.

PHP is a "scripting language", and hence its source code must always be available for "interpretation". You can get around this "source code being available" in other languages simply by compiling the application. You don't get this in PHP. The best hope you have at making the script "grossly unusable" (from a human perspective) would be to use a script like you've mentioned in your post... one that changes function/variable/class/etc names. It obscures the "logic". A better one would also remove all comments from the code, and perhaps (if possible) reduce the script to a single line of code. Someone would still be able to "read" the code, but it would be a headache making sense of it.

Your idea of using encryption+eval is initially appealing, but flawed. Consider if you put your entire source code into a single string that is "encrypted". Then, to run the code... it is merely "decrypted" and sent to "eval". This won't make it any more secure because the code will eventually become "decrypted", negating your entire purpose.

PS: I believe PHP now has options for compiling? Perhaps this is something you can consider if your PHP scripting is a "stand alone" application/script. Compiling takes the source code and turns it into machine code (such as with C++; or something similar/proprietary such as with Java). Once you have "machine code", you can't turn it back into its source code.

Regardless, best of luck.

smithaa02

8:51 pm on Apr 12, 2010 (gmt 0)

10+ Year Member



Ugh I don't want to compile anything...

Did some research and it appears eval(gzinflate(base64_decode("asfsfad"))) is popular, albeit as you mentioned not foolproof, as you just simply reverse the process. I guess I wouldn't need something super foolproof (hey, they have Zend decompilers) but it needs to hide the hardcoded string values and not just the string variable names (which I'm particularly worried about).

It would be nice if there were scripts out there that would either create so much dummy code (especially dummy scavenger hunt functions) that the real code gets camouflaged (the Where's Waldo effect). Crackable, but a pain to do.

That or a script identifies the string literals in your code, and replaces them with a function that regenerates them using some fancy mathematical formula to grab letters out of an array.

Anybody heard of anything like that?
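
Added example (not part of any post in this thread): a Python sketch of why the eval(gzinflate(base64_decode(...))) wrapper discussed above hides nothing, since the layers can be peeled off statically without ever running the PHP. The sample script, its key value and the function names are constructed for illustration.

```python
import base64
import re
import zlib

# Matches eval(gzinflate(base64_decode("..."))) with single or double quotes.
WRAPPER = re.compile(
    r"""eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*(['"])([A-Za-z0-9+/=\s]+)\1\s*\)\s*\)\s*\)\s*;?"""
)

def pack(php_source: str) -> str:
    """Build the wrapper as a packer would (PHP gzdeflate is raw DEFLATE)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = c.compress(php_source.encode()) + c.flush()
    return 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw).decode()

def unpack(php_source: str, max_layers: int = 20, max_bytes: int = 1 << 20):
    """Peel nested wrappers statically; nothing is ever evaluated.
    Returns (recovered_source, layers_removed)."""
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(php_source)
        if m is None:
            break
        blob = base64.b64decode(m.group(2))
        d = zlib.decompressobj(-15)          # -15 = raw DEFLATE, no header
        inner = d.decompress(blob, max_bytes)
        if d.unconsumed_tail:                # output cap hit: refuse to expand further
            raise ValueError("payload exceeds size cap")
        text = inner.decode("utf-8", "replace")
        php_source = php_source[:m.start()] + text + php_source[m.end():]
        layers += 1
    return php_source, layers

# Constructed sample: a script with a hardcoded string literal, packed three times.
SECRET_SCRIPT = '$apiKey = "CONSTRUCTED-EXAMPLE-KEY"; echo check($apiKey);'

def demo():
    packed = SECRET_SCRIPT
    for _ in range(3):
        packed = pack(packed)
    return packed, unpack(packed)

if __name__ == "__main__":
    packed, (recovered, layers) = demo()
    print("packed length:", len(packed))
    print("layers removed:", layers)
    print("recovered:", recovered)
```

The string literal is invisible in the packed form yet comes back verbatim, which is the same point made about decrypt-then-eval earlier in the thread.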

eelixduppy

9:11 pm on Apr 12, 2010 (gmt 0)



>> I have to put a proprietary PHP script on an enemy server in which I know it is going to be copied and used against our company.

I think the problem is not how you are going to prevent them from stealing your script, but rather why you are giving it to them in the first place.

There is really only one foolproof way to achieve something like this without them having access to the code; however, depending on the type of application this might not be possible. If it were an "input/output" type of application, then the solution is simple. Keep the script on your server, then allow them to make requests to it and send the response back in any format they would like (XML, JSON, plain-text, etc). If it's not a simple input/output type deal then I think you might be stuck here, as any attempts to obfuscate the code can just be broken.

If it's really proprietary stuff you either have to keep it on your own servers and let them make requests/use it from your server. Otherwise you're stuck, and can't do much about it.

Copyright may provide some protection, but you'd have to be sure that they copied anything from the source to be used elsewhere, which may prove to be tricky in this situation.