Secure Your PHP Code with Zephir: Build a Custom Encryption Extension
Learn how to protect PHP source code by creating a custom Zephir‑based encryption extension, covering repository setup, directory structure, licensing logic, abstract and live modules, compilation steps, php.ini configuration, and testing with example authorization codes.
Overview
PHP source code is often compiled and encrypted to protect intellectual property, prevent leakage, and avoid unauthorized modification. Encryption requires a matching runtime extension; otherwise the code cannot run. This article focuses on using Zephir to write a dynamic extension for code protection.
Zephir compiles PHP code into a binary .so file, hiding implementation details; the compiled extension can be distributed without further encryption.
What is Zephir?
Zephir is an open‑source high‑level language designed to simplify the creation and maintenance of native PHP extensions. It provides strong typing and memory‑safety, combining dynamic and static typing to ease development for PHP developers.
Application Example
The example uses the GitHub repository https://github.com/Tinywan/zephir-lang-php-extension to implement a simple business‑code authentication and encryption extension.
Clone the repository
git clone https://github.com/Tinywan/zephir-lang-php-extension.gitDirectory layout
.
├── zephirencrypt # encryption extension source
│ ├── Auth
│ │ └── License.zep # license verification
│ ├── Common
│ │ └── AbstractModule.zep # abstract business module
│ └── Module
│ └── LiveModule.zep # concrete live‑stream module
├── config.json # build configuration
└── ext # generated .so filesLicense.zep (authorization check)
namespace ZephirEncrypt\Auth;
class License
{
public static function check(string service_uuid, string auth_license, int uid = 0, int rand = 0)
{
var private_key = "tinywan2024";
var expire_time = substr(auth_license, 0, 10);
var current_time = time();
var sequest_hash_value = substr(auth_license, -32);
var res_hash_value = md5(service_uuid . "-" . expire_time . "-" . rand . "-" . uid . "-" . private_key);
if expire_time < current_time {
return -1; // expired
}
if sequest_hash_value != res_hash_value {
return 0; // invalid
}
return 1; // valid
}
}AbstractModule.zep (base class)
namespace ZephirEncrypt\Common;
use ZephirEncrypt\Auth\License;
abstract class AbstractModule
{
protected service_uuid;
protected auth_license;
public auth_status = 0;
public function __construct(string service_uuid, string auth_license)
{
let this->service_uuid = service_uuid;
let this->auth_license = auth_license;
var checkRes = License::check(this->service_uuid, this->auth_license);
if checkRes == -1 { let this->auth_status = -1; }
if checkRes == 0 { let this->auth_status = 0; }
if checkRes == 1 { let this->auth_status = 1; }
}
abstract public function getAuthStatus();
}LiveModule.zep (concrete module)
namespace ZephirEncrypt\Module;
use ZephirEncrypt\Common\AbstractModule;
class LiveModule extends AbstractModule
{
final public function __construct(string service_uuid, string auth_license)
{
parent::__construct(service_uuid, auth_license);
}
public function getAuthStatus()
{
return $this->auth_status;
}
public function start()
{
var res = [];
if this->auth_status != 1 {
let res = ["code": this->auth_status, "msg": "no permission to access"];
return json_encode(res);
}
echo "直播开始成功..............";
echo "这里开始写你的业务代码.....";
echo "这里开始写你的业务代码.....";
echo "这里开始写你的业务代码.....";
}
}Build and install the extension
cd zephir-lang-php-extension/
cd zephirencrypt
zephir buildWhen the build succeeds, the output ends with messages indicating that the zephirencrypt.so extension has been installed and should be added to php.ini:
extension=zephirencrypt.soYou can also load it for a single CLI request with -d extension=zephirencrypt.so , but adding it to php.ini ensures it is loaded for every request.
Test the installation
php -mThe list of PHP modules should contain zephirencrypt, confirming the extension is active.
Usage Example
Create a test file zephir.php:
<?php
declare(strict_types=1);
$serviceUuid = "13c7c8e1-3ac2-41a6-95dc-ff954b431bbf";
$authLicense = "1728869954-0-0-eabfb0fb52c429d4fa037585f7afd512";
$liveModule = new \ZephirEncrypt\Module\LiveModule($serviceUuid, $authLicense);
print_r($liveModule);
$res = $liveModule->start();
var_dump($res);The provided license encodes the timestamp 1528869954 (2018‑06‑13 14:05:54), which is already expired. Running the script yields an object with auth_status = -1, indicating expiration.
Changing the timestamp to a future value, e.g. 1788689954 (2026‑09‑06 18:19:14), results in auth_status = 0 (invalid hash). Supplying a correct future license such as 178909089954-0-0‑eabfb0fb52c429d4fa037585f7afd512 produces auth_status = 1 and the script prints the success messages defined in LiveModule::start().
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Open Source Tech Hub
Sharing cutting-edge internet technologies and practical AI resources.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.