POBS - PHP Obfuscator
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



POBS is a PHP Obfuscator. This means it "compiles" your PHP files by making them unreadable to a human.

How unreadable the output is? You can see for yourself in the example.

Note! This is not meant to be bullet proof. The output code will not be re-usable for most people, but dedicated user will always be able to guess what you are doing in most single functions. In other words – re-using output code is hard, but not impossible.


Nobody was hurt during creation of this tool, but if you are accustomed to high quality, modern code, then you'd better not look under the hood ;-). AFAIK the tool started in 2001 - the time when PHP 4 was only starting to gain attention. If you don't remember those times - there were no real classes in PHP back then. Also nobody used unit tests (PHPUnit 2004, Xdebug 2002). So you get the picture. Active development by the original author ended in 2003.

Having said all that, the tool works. The configuration is easy. I've added some comments, fixed some stuff that was not working for me and that's it. I'm using this tool for one, but relatively large project (100+ PHP files, about 10000 lines of code - not counting comments).

There are commercial tools out there that might be better suited for your needs. Just be warned that you should test the tools before you buy them! Some commercial tools, especially binary ones (sold as PHP extensions), may be unstable and you will only double your problems.


Installing POBS is as easy as I could think of. Just unzip the downloaded file and put it a directory that is located under your web server. POBS is a collection of files in just 1 directory.

Before executing POBS you are advised to read the manual that is provided in the doc folder. Also check the settings in pobs-ini.inc and adjust them to suit your needs. When you run POBS for the first time you should at least adjust the $SourceDir and the $TargetDir variables.

If you have a large amount of PHP source to be POBSed, check your php.ini and see whether it runs in "Safe mode" (also, POBS warns for it). If it does, POBS can not adjust the timeout setting as indicated in pobs-ini.inc and the processing might be terminated before POBS has finished the replacement of all your PHP code files. You might need to restart your web server after adjusting the php.ini file.

After having checked everything and having adjusted the settings in pobs-ini.inc you point your browser to pobs.php and press <Enter>.

Naming conventions

In some occasions POBS might change too much. Mostly this will happen if you mix JavaScript with PHP and happen to have e.g. PHP post variable named the same as JavaScript variable. This will result in a non-working code.

You can of course ignore this and only add exceptions when it is necessary.

But to avoid this problem prematurely you should use prefixes in new projects for your PHP variables, functions and such. You can for example use below conventions.


  • standard variables: "pv_" ("$pv_someValue", instead of "$someValue")
  • GET/POST: "rv_" ("rv_kid", instead of "kid")

Functions and classes

  • functions and methods: "pf_" (pf_someFunction, instead of someFunction)
  • classes: "pc_" (pc_SomeClass, instead of SomeClass)

Changes log


  • Additional configuration variables:
$MinimumReplaceableVarLen = 4;	// all below this will not be replaced
$ReplaceVarsInTabsAndCookies = false;
$ReplaceVarsInNameField = false;
  • REMOVE COMMENTS (currently one line only)
  • Remove empty and semi-empty lines after removing comments


Additional configuration variable: $CopyrightTextFromIni.


  • removed case insensitive replace for most regexpes (PHP and JS are both mostly case sensitive)
  • auto saving log file (html output)
  • nux: do not show numbers in log (better for diffs)


txt log file


  • Additional configuration:
// if true then just run dummy parsing (will not change any files nor create directories)
$DoNotCopyOrCreateAnything = false;
  • Remove elapsed time for individual files.
  • Fixed ReplaceJS form option.


  • allow running with GET (with default options)
  • passing some extra options when running with GET
  • mild security: allow source and target paths to be relative only to current directory
  • allow changing copyright year in default text taken form copyright ini file.

Example URL:


New configuration:

$RunWithGetSecret = 'lakslkals';	// "secret" string to be passed with GET request

// things not set explicitly otherwise
$RunWithGetDefaults = array (
	'ReplaceClasses' => '1',
	'ReplaceFunctions' => '1',
	'ReplaceVariables' => '1',
	'RemoveComments' => '1',
	'KeptCommentCount' => '0',
	'RemoveIndents' => '1',
	'ReplaceNewer' => 'on',
	'RecursiveScan' => 'on',
	'CopyAllFiles' => 'on',
	'CopyrightPHP' => '1',
	'CopyrightJS' => '1',
	'OK' => 'Start processing',

// allow source and target paths to be relative only to current dir (or dir given below)
$AllowOnlySubDirs = true;
$SourceTargetDirsBase = "./io/";	// use "./" for base in pobs dir

// copyright replacement config (works only if NewCopyrightYear is passed with GET or POST)
$CopyrightYearPattern= "#(Copyright [0-9]+\-)([0-9]+)#";
$CopyrightYearReplacement= "\${1}%NewYear%";	// @note must containt "%NewYear%" for the replacement to work


  • protected, abstract... and other PHP 5 classes and methods obfuscation.
  • default timezone