Basic Tutorial

Once you have decided which PHP files need to be encoded and the Obfuscation type you want to apply to the code, create a Zend Guard project and configure the project's settings according to the following questions:

  • Is the code intended for mass deployment?

  • How important is the code (i.e. is it expensive intellectual property)?

If both the answers are "yes", it is better to use all Obfuscation types to secure more code elements.

Encode Only

To encode without obfuscation, do not select any Obfuscation options.

List all code entities that will not be encoded in the Exclude List.


Encoded files which have obfuscated local variables and functions only are compatible with the Zend Loader. The Zend Loader is available free of charge, from:

Scan Feature

The Scan feature (on the Exclude Tab) scans the code in order to locate entities that should be added to the Exclude list. Among other things, it identifies strings and functions with the same name. You can discard any suggestions. However, the following situations require adding entities to the Exclude list manually. 

Situations Requiring Adding Code Entities to the Exclude List

Testing/Debugging Process

Entities that prevent the application from working properly, (after obfuscation).

These entities will generate "Function not defined", "Method not defined" and "Class not defined" message types and will list the code file name and specific line. This can be useful for tracking problems as the obfuscated name may be meaningless. Having the file name and line in code helps identify which function/class/method has been called.

Functions located during debugging

Functions located during the debugging/testing

Function not defined

Functions that generated "Function not defined" and "Class not defined" message types that appeared only after obfuscation.

Concatenating Strings into Function Names

The only instance the Suggest function cannot identify is when Concatenating Strings into Function Names. This includes instances where the code calls an indirect function name and not the function's real name. This occurs when the real function names are not identified in the code as functions, but rather as strings. The Suggest feature searches only for functions in the code.

Indirect Functions

User functions that are used indirectly or are called from un-obfuscated script.

Indirect function calls


This occurs when referencing function calls through a variable holding the function name.

Functions defined in un-obfuscated code

This includes functions that cannot be automatically identified through the setup process. These include indirect functions and concatenated functions.


Errors that occur in the code before obfuscating indicate a problem in the actual code.

Exclude List

The Exclude List contains all entities will not be obfuscated. Use the Scan feature to recommend functions to be added to the Exclude list.

The Scan feature automatically identifies most functions that should not be obfuscated. Run the Scan feature to locate functions that should not be obfuscated.

Secure the Project

Once all the settings have been configured the project can be encoded.



Instructions on how to complete a procedure

To Encode a Project

  1. Make sure all the Project settings are configured to your requirements.
  2. In the main toolbar click (Project | Encode).
    In the Overview Tab click the "Encode Project" link.

The secured files will be placed in the Output Location defined in the Overview Tab.