in reply to Re: Re: What data is code?
in thread What data is code?
It shouldn't matter that the user has control over the code encryption technique; you only need to control the magic. When your filter is called it can encrypt a special string (magic cookie) by any means it wishes. Now, it can test the incoming code to see if that encrypted string is at the beginning: if(index($_,$cookie) == 0). If it is then the file is encrypted, so strip it off and then decrypt the rest using the user's specified parameters. If it isn't there, encrypt the code via the user's parameters, prepend your encrypted magic cookie, overwrite the source file and exit. You have control over the cookie, you can create it, test for it, add it or strip it as required.
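The cookie check described in the post above, sketched as an added example that is not part of the original post or of any existing filter module. All names (`make_cookie`, `user_crypt`, `filter_step`) are hypothetical, the repeating-key XOR is a toy stand-in for whatever cipher the user specifies, and the hex encoding of the stored body is an assumption made to keep the file printable.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $MAGIC = 'FILTER-MAGIC-v1';    # constructed magic string, owned by the filter

# The filter encodes its cookie by its own fixed means, independent of the user's key.
sub make_cookie {
    return unpack('H*', $MAGIC ^ ("\x5a" x length($MAGIC))) . "\n";
}

# Toy stand-in for the user's cipher: repeating-key XOR (encrypt == decrypt).
sub user_crypt {
    my ($data, $key) = @_;
    die "empty key\n" unless length $key;
    my $pad = substr($key x (int(length($data) / length($key)) + 1), 0, length $data);
    return $data ^ $pad;
}

# One pass of the filter: returns (action, text).
#   'run'   - cookie found at offset 0: strip it, decrypt the rest, hand code to perl
#   'store' - no cookie: encrypt, prepend cookie; a real filter would now
#             overwrite the source file with this text and exit
sub filter_step {
    my ($source, $key) = @_;
    my $cookie = make_cookie();
    if (index($source, $cookie) == 0) {
        my $body = substr($source, length $cookie);
        return ('run', user_crypt(pack('H*', $body), $key));
    }
    return ('store', $cookie . unpack('H*', user_crypt($source, $key)));
}

# Constructed sample source and key.
my $plain = qq{print "hello from filtered code\\n";\n};
my $key   = 'user-chosen-key';

my ($action1, $stored) = filter_step($plain,  $key);   # first run: plaintext file
my ($action2, $code)   = filter_step($stored, $key);   # second run: cookie present

print "first pass:  $action1\n";
print "second pass: $action2\n";
print "round trip:  ", ($code eq $plain ? "ok" : "MISMATCH"), "\n";
```

The cookie only marks whether the file has already been processed; it does not authenticate the body, so a modified or truncated body still reaches the decrypt step and needs its own integrity check.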