Excluding PHP Entities

When using the Exclude List (in the Project Area Exclude List Tab), there are several code-related issues to consider.

The following sections describe the cases in which entities should be added to the Exclude List and how to optimize your selections.

Contents:

Functions Referenced via a Variable

Functions Passed via Arguments

Functions Implementing External Interfaces

Functions Used as Object Callbacks

Classes

Autoloading Classes

Exclude Application APIs

Obfuscate Function and Class APIs

Functions Referenced via a Variable

Functions that are called through a variable holding their name should be added to the Exclude List.

function do_mysql_query($query) { ... }
function do_sqlite_query($query) { ... }

if ($db == "mysql")
{
    $query_function = "do_mysql_query";
}
else
{
    $query_function = "do_sqlite_query";
}
$result = $query_function("SELECT * FROM TABLE");
 

The functions do_mysql_query and do_sqlite_query should be added to the Exclude List so that their names stay intact.

Functions Passed via Arguments

Functions whose names are passed to other functions as arguments (callbacks) should be added to the Exclude List. In the code example below, the functions myerror and myfunc are callback functions and should be added to the Exclude List.

function myerror() { ... }
set_error_handler('myerror');

- or -

function myfunc($data) { ... }
array_walk($array, 'myfunc');

Functions Implementing External Interfaces

Functions that implement an external interface (in this example: rewind, valid, current, next and key) should be added to the Exclude List; otherwise the class c_iter will no longer implement the Iterator interface.

class c_iter implements Iterator {
function rewind() { ... }
function valid() { ... }
function current() { ... }
function next() { ... }
function key() { ... }
}

Functions Used as Object Callbacks

Functions and classes that are related to object callbacks should be added to the Exclude List.

class VariableStream {
    function stream_open(...) {}
    function stream_read($count) {}
    ...
}
stream_wrapper_register("var", "VariableStream");

In this example, the class name VariableStream and its methods (i.e. stream_open, stream_read) must be added to the Exclude List. (See http://www.php.net/manual/en/function.stream-wrapper-register.php for a complete list of callback names, classes and other such functions).

Classes

When the code refers to class names (or methods) through strings, the class name (or method name) must stay the same. Therefore, the class name must be added to the Exclude List so that it is not obfuscated.

Example:

<?php
class MyClass
{
    public function printName()
    {
        echo "John";
    }

    public function printLastName()
    {
        echo "Doe";
    }
}

$className = "MyClass";
// runtime error: after obfuscation MyClass is no longer the class name
$obj = new $className();
$obj->printName();

// runtime error: after obfuscation MyClass is no longer the class name
$clazz = new ReflectionClass("MyClass");
$obj2 = $clazz->newInstance();
// runtime error: after obfuscation printLastName is no longer the method name
$method = $clazz->getMethod("printLastName");
$method->invoke($obj2);
?>
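
The cases above (functions referenced via a variable, callbacks passed as arguments, object callbacks, classes and methods named in strings) share one trait: the name appears in a string literal. The following added example, which is not part of Zend Guard or of the original page, uses PHP's tokenizer to list such names as Exclude List candidates; exclude_candidates, format_row and the sample source are constructed for illustration.

```php
<?php
// Added example, not Zend Guard code. exclude_candidates() is a hypothetical helper:
// it lists declared functions, methods and classes whose names also occur as string literals.
function exclude_candidates(string $source): array
{
    $tokens  = token_get_all($source);
    $defined = [];   // lower-cased name => name as declared
    $strings = [];   // lower-cased contents of quoted string literals

    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) {
            continue;
        }
        if ($tok[0] === T_FUNCTION || $tok[0] === T_CLASS) {
            // The declared name is the next T_STRING; skip whitespace and a
            // by-reference '&'. Closures and Foo::class have no name here.
            for ($j = $i + 1; isset($tokens[$j]); $j++) {
                $text = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
                if (trim($text) === '' || $text === '&') {
                    continue;
                }
                if (is_array($tokens[$j]) && $tokens[$j][0] === T_STRING) {
                    $defined[strtolower($text)] = $text;
                }
                break;
            }
        } elseif ($tok[0] === T_CONSTANT_ENCAPSED_STRING) {
            $strings[strtolower(substr($tok[1], 1, -1))] = true;
        }
    }
    // PHP function and class names are case-insensitive, hence the lower-casing.
    return array_values(array_intersect_key($defined, $strings));
}

// Constructed sample source, modelled on the snippets above.
$sample = <<<'SRC'
<?php
function do_mysql_query($query) {}
function format_row($row) {}
function myerror() {}
class MyClass { public function printLastName() {} }
$query_function = "do_mysql_query";
set_error_handler('myerror');
$clazz = new ReflectionClass("MyClass");
$method = $clazz->getMethod("printLastName");
SRC;

echo implode("\n", exclude_candidates($sample)), "\n";
```

Names assembled at run time (by concatenation, or read from configuration or a database) never appear as literals, so they still need manual review.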

Autoloading Classes

Autoloading classes will not work since the filename on the disk would not match the obfuscated class name. The classes that are loaded through autoloading must be added to the Exclude List.

Exclude Application APIs

Classes, methods and functions that are part of an application API and are typically called by a third party cannot be obfuscated (as the obfuscated name cannot be predicted) and must be added to the Exclude List.

Obfuscate Function and Class APIs

Use these APIs when a function name or class name is to be obfuscated but the calling code and the called function or class still have to agree on that name.

zend_obfuscate_function_name

string obfuscate_function_name(string function_name)

Returns an obfuscated name for the given function name.

zend_obfuscate_class_name

string obfuscate_class_name(string class_name)

Returns an obfuscated name for the given class name.

Note:   

Developer discretion should be used when implementing the obfuscate_function_name API. Use the API only in code that will be entirely obfuscated. Using this API with un-obfuscated code will generate a compatibility problem between the obfuscated code and un-obfuscated code.