Vignesh T.V.

Reputation: 1860

Prevent developers from seeing included plain text code.

I made some classes having a lot of methods documented properly using PHP (something like a library).

Now, what the other developers will do is just require the PHP library I made in their code and use the predefined functions in it.

Is it possible to hide the PHP code (of the library I made) from the other PHP developers (requiring the file) and just show them the function name, parameters and its documentation without showing the code inside it? I'm not talking about obfuscation, which can be reversible; I'm talking about preventing users from actually seeing any code.

eg.

/**
 * 
 * CREATE A NEW THREAD
 * @param unknown_type $uid User ID of person who is creating the thread
 * @param unknown_type $participant An array having collection of UID of people who are participating in this conversation 
 * @param unknown_type $msgtype Message Type Flags (1-normal, 2-chat, 3-sent as email, 4-profile post, 5-group post, 6-customer support)
 * @param unknown_type $subject Subject of the thread
 * @param unknown_type $tname Thread Name
 * @param unknown_type $tpic Thread Cover Picture (Defaults to "")
 * @param unknown_type $tflag Thread Flag (1-allowed,2-under review,3-blocked) (Defaults to 1)
 * @return string|Ambigous <string, unknown> Thread ID on success, "" on failure
 */
public function createthread($uid,$participant,$msgtype,$subject,$tname,$tpic="",$tflag="1")
{
    $randobj=new uifriend();
    $tid=$randobj->randomstring(30,DB_MESSAGE,MSG_OUTLINE,msgoutline_tid);
    $socialobj=new socialoperations();
    $listid=$socialobj->createlist("threadlist_".$tid, "2",$msgtype,"1",$uid);
    if($socialobj->addtolist($participant, $listid, $uid)!="SUCCESS")
    {
        return "";
    }
    if($listid=="")
    {
        $lasterror="An error occured in creating thread! Unable to Create Lists!";return "";
    }
    $dbobj=new dboperations();
    $res=$dbobj->dbinsert("INSERT INTO ".MSG_OUTLINE." (".msgoutline_tid.",".msgoutline_subject.",".msgoutline_fid.",".msgoutline_participantid.",".msgoutline_msgtype.",".msgoutline_threadpic.",".msgoutline_threadflag.") VALUES
            ('$tid','$subject','$uid',$listid,'$msgtype','$tpic','$tflag')",DB_MESSAGE);
    if($res=="SUCCESS")
    {
        return $tid;
    }
    else
    {
        $lasterror="Unable to create Thread!";return "";
    }
}

The other developers must only be able to see the documentation I wrote above the function with the function name and parameters, but the code must not be accessible to them in any way.

Why I want this: I have a lot of secure code in my PHP file which I don't want to show to the other developers, but still allow them to call the functions and read the returned values.

Upvotes: 2

Views: 283

Answers (2)

Francisco Presencia

Reputation: 8851

Because I had a meta post so this was reopened and another meta post for formatting this question, I'll do my best to properly answer this question. Note that this is only a way of doing this, with its limitations stated at the end of the post.

The API

The remote server

You could create a web API on a different domain and access it from your main domain. I think the best way of explaining how it works is with a practical example. Imagine that your library includes the function 'joinstrings()', which takes 2 arguments. Then you have it on your separate site:

http://apiweb.com/functions.php

<?php
// Your API. I hope the real one is more complex than this (;
function joinstrings($s1, $s2)
  {
  return $s1 . $s2;
  }
// More functions

The remote server access point

This is the public (but key-required) accessible page.

http://apiweb.com/joinstrings/index.php

<?php
// Check if the key is valid and if $v1 and $v2 aren't empty. Else, 'exit;'
include '../validate.php';
// Your API
include '../functions.php';
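// The called function. PHP has already URL-decoded the values in $_GET;
// calling urldecode() again would corrupt input containing '%' or '+'.
echo joinstrings($_GET['v1'], $_GET['v2']);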

The wrapper

Now you can require all your programmers to learn how to use this API. Or, if you prefer to do it right, you'd make a wrapper that makes their life easier. You'd have a class with all the methods that you want to be accessible. You could do this wrapper with functions, but I think it's easier and better with an object and methods:

http://web.com/library.php

<?php
class DevelopersLibrary
  {
  private $Url = "http://apiweb.com/";
  // Press your hand against the keyboard. A-Z0-9. Copy it in http://apiweb.com/validate.php
  private $Key = "g139h0854g76dqfdbgng";

  // Accessible method
  public function joinstrings($v1, $v2)
    {
    // Encode only the user input. You don't want to encode '?' nor '&'
    // The path matches the access point at http://apiweb.com/joinstrings/index.php
    if ($Return = file_get_contents($this->Url . 'joinstrings/' .
                                    '?key=' . $this->Key .
                                    '&v1=' . urlencode($v1) .
                                    '&v2=' . urlencode($v2)))
      {
      return $Return;
      }
    }
  }

Developer's code

Finally, what your developers would do:

http://web.com/index.php

<?php
include './library.php';
$Lib = new DevelopersLibrary();
echo $Lib->joinstrings("Are you sure this is better", "than giving your developers access to the code?");

None of the code is tested, so you should expect some typos.

Limitations

I can think of solutions for most limitations, but to avoid making this post even longer I won't write them here. Ask in the comments for a solution to a limitation if you need it and I'll do my best. In normal use, none of these limitations are THAT important.

  • Parameters passed. Using this method as described above, you can only pass numbers or strings as function parameters. Check out json_encoding() for passing other types.

  • Wrong returned values when there are bugs in the API or parameters passed. If there's a bug in the API, the developers cannot fix it and the returned value might be wrong. Now that might seem trivial, but what if they are trying to retrieve the join of 2 strings and retrieve another [wrong] string with the error text in it? Note: consider returning valid XML and then parsing it in your wrapper.

  • There's only a unique key which is there for preventing random users from using your API, not to be hidden from developers.

  • Slower speed. I don't think this even needs explanation.

  • Developer's extra work. This is solved with the implementation of the wrapper.

  • Url length. There's a url length limitation for most browsers of 2000 characters, although I didn't find anything in the PHP manual for file_get_contents(). Read this SO question for more info about GET.

  • Sure there are more but these are the main ones I could think of.

I hope this long long answer is useful for you or someone.

Upvotes: 3
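
The key check that `validate.php` is described as doing, together with the "parameters passed" and "wrong returned values" limitations, shown as an added example that is not part of the original answer: the request and reply travel as JSON, and every reply is an envelope the wrapper can tell apart from a result. `api_dispatch()`, `api_call()`, `API_KEY_HASH` and the sample key are hypothetical names and values, and the transport is an in-process call standing in for the HTTP request so the script runs offline.

```php
<?php
// Added example, not the answer's code; names and the sample key are hypothetical.
define('API_KEY_HASH', hash('sha256', 'constructed-sample-key'));

function joinstrings(string $s1, string $s2): string
{
    return $s1 . $s2;
}

// Server side: key check plus dispatch. Returns [HTTP status, JSON body].
function api_dispatch(string $key, string $jsonBody): array
{
    // Constant-time comparison, so response timing does not leak the key.
    if (!hash_equals(API_KEY_HASH, hash('sha256', $key))) {
        return [403, json_encode(['ok' => false, 'error' => 'invalid key'])];
    }
    $allowed = ['joinstrings' => 2]; // exposed function => argument count
    $req = json_decode($jsonBody, true);
    $fn = is_array($req) ? ($req['fn'] ?? null) : null;
    $params = is_array($req) ? ($req['params'] ?? null) : null;
    if (!is_string($fn) || !isset($allowed[$fn])
        || !is_array($params) || count($params) !== $allowed[$fn]) {
        return [400, json_encode(['ok' => false, 'error' => 'bad request'])];
    }
    try {
        return [200, json_encode(['ok' => true, 'result' => $fn(...array_values($params))])];
    } catch (Throwable $e) {
        // Internal failures become an error envelope, never a "result".
        return [500, json_encode(['ok' => false, 'error' => 'internal error'])];
    }
}

// Client side: the wrapper decodes the envelope and throws on any failure.
function api_call(callable $send, string $key, string $fn, array $params)
{
    [$status, $body] = $send($key, json_encode(['fn' => $fn, 'params' => $params]));
    $reply = json_decode($body, true);
    if ($status !== 200 || !is_array($reply) || empty($reply['ok'])) {
        $why = is_array($reply) ? ($reply['error'] ?? 'unknown') : 'malformed reply';
        throw new RuntimeException("API error $status: $why");
    }
    return $reply['result'];
}

echo api_call('api_dispatch', 'constructed-sample-key', 'joinstrings', ['foo', 'bar']), "\n";
try {
    api_call('api_dispatch', 'wrong-key', 'joinstrings', ['foo', 'bar']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```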

fardjad

Reputation: 20404

You can't hide your code from other developers if you want to allow them to call your functions directly. What you can do is to make a Web Service and give its documentation to other developers.

Upvotes: 4
