They take your code, run base64_encode() on it, and wrap it in an eval() statement.
<?php eval(gzinflate(base64_decode('encodedstringhere')));
Why it fails: Any junior developer can decode this. A simple echo instead of eval prints the source code. Antivirus and security plugins automatically flag any file containing base64_decode paired with eval as malware.
A superior obfuscator doesn't just hide your code; it buries it in noise. It injects hundreds of lines of non-functional code that never actually run (or run but do nothing) to confuse reverse engineering attempts.
Example of injection:
// Inserted by obfuscator
$fake_loop = 0;
while($fake_loop < 10)
$tmp = md5(microtime());
$fake_loop++;
// Original code resumes
Because these operations are computationally cheap but structurally complex, they significantly raise the bar for human analysis.
If you are selling your PHP code, a better online obfuscator acts as a rudimentary license manager.
Look for features that allow you to:
You might ask: Why use an online tool instead of a CLI binary?
Speed and Accessibility. You don't want to install Node.js, Python, or a PHP extension on your production CI/CD pipeline just to obfuscate one file. An API-driven online tool allows for drag-and-drop obfuscation.
However, security is paramount. When you use an online PHP obfuscator, you are sending your source code to a third-party server. php obfuscator online better
How do you find a trustworthy online service?
Obfuscation makes PHP code harder to read by renaming variables/functions, stripping whitespace, encoding strings, inserting junk code, or encrypting logic.
It does not provide real security (like encryption), only mild protection against casual copying.