hide web-app source on a second server

Question

I made a web based program for a customer, and I want to install the app on a local server of him.

I don't want to give him all the source until he has paid for it, so my idea was to store most of the core code on an external server, and only have a kind of include on his server, so he would not be able to see / copy / change the actual PHP code.

I know I can use include() with a URL as soon as I have changed the corresponding entry in the PHP.ini file, but is there a more secure way of doing this?

Also, what configuration should my server have so that the PHP code on his local server would be able to read the PHP on mine? Wouldn't that pose a huge security risk if I allow other servers to "load" my PHP code?

(Notice that I use a free Web hosting service as the "second server" and I don't have any access to the conf files.)

I hope I've explained my situation well enough.

Answer 1

Including your php remotely is a) yes a huge security risk and b) not accomplishing much, since your customer can also "see" that remote code, copy/paste it, and have it all in his possession.

Option 1: Don't give away the app!

If your customer wants to test the app, deploy it to a server that you control. Let him see/use/test the app, without access to the source code.

Option 2: Encode it

If you absolutely have to give your app to the customer and yet need to protect it, look at encoding solutions. We use http://www.ioncube.com/ to encode/protect PHP code that we deploy to a customer's server.