AFAIK to prevent a competitor from having access to code.
Well it's inevitable that a company might look (especially if they outsource) to another company to take over code and maintenance. That you can't prevent. What you can do is deliver a great service with a great framework/code-base (which is usually difficult to adopt, especially if the rival is a ****ing idiot, which they usually are if they win the contract in an under-bid to get the business)
Other than that I don't really care and you can't really stop them from choosing someone else. If they paid you for the code, then the code is theirs to do with whatever they want.
If it's a licensing issue, ie, they didn't pay him to develop the code, but he licenses it to them on a monthly/yearly basis, then a combination of obfuscation and zend encryption might be enough to protect himself from anyone who might have access to the client servers etc.
Otherwise, being a web app, I'd make it so that the application is hosted on my server with a "white label" ability whereby many clients can use the same web app that looks like their company owns it and then you're in total control of where the code goes to and who has access to it.
However, again, you can't really stop anyone from choosing a different service provider, regardless. So best your friend concentrates on delivering a great service (note, not product, service) and make himself invaluable that way, and just come to terms with it that, if they paid him for the source, it's unencrypted source and it belongs to them and if they want to choose someone else, they can.
It's like trying to force your girlfriend to stay with you when they're busy flirting/wanting with someone else and fallen out of love with you. Encrypting her won't stop her from going elsewhere
Happens to the best of us at times.
