
Facebook PHP Source Code from August 2007 - patrickdevivo
https://gist.github.com/nikcub/3833406
======
thrusong
It wasn't actually stolen as it says in the README. It was a misconfigured
Apache server which leaked raw, unprocessed PHP code. I received the code to
home.php and profile.php but I didn't save it at the time (I was very very new
to learning PHP and didn't realize the significance of what I was looking at).

Still really cool to see.

~~~
ChristianBundy
I want to be clear: I don't care, and I doubt Facebook cares.

But legally, I think this code was stolen. Facebook owns the copyright to the
source code, so copying and distributing is theft in the same way that copying
and distributing database contents is theft.

But again:

~~~
jaywalk
Your definition of theft is wrong. Legally, this was not stolen.

~~~
shawnz
Are you a lawyer?

~~~
disconnected
You don't have to be a lawyer to understand that subtraction and
multiplication are two completely different operations.

~~~
LeifCarrotson
If you're a mathematician and not a lawyer you might think those are different
operations. But lawyers, judges, and juries have a unique capacity to argue
that you're guilty of subtraction even if you only multiplied.

To a lawyer, bits have color:
[https://ansuz.sooke.bc.ca/entry/23](https://ansuz.sooke.bc.ca/entry/23).

~~~
naniwaduni
You can totally find a mathematician to convince you that those are the same
operation! Probably easier than the lawyer, even.

------
alexandercrohde
One way to look at this is to say "Hah, how shameful."

The other way to look at this is to say "Hah, clearly business success isn't a
function of code quality."

~~~
krapp
> "Hah, clearly business success isn't a function of code quality"

They aren't nearly as strongly correlated as many developers might like to
believe.

~~~
danbolt
I work as a programmer in the games industry and I’ve noticed that frequently
as well. Commercially successful games aren’t always a strong indicator of
code quality and often it tends to be that the bad code “luckily didn’t
matter” in cases of success.

------
aruggirello
> is line 89 of search.php valid?? "$user 0 && ..." ? aren't we missing a
> comparison operator?

Good job. And perhaps that's the culprit. Everybody assumed it was a plain
syntax error, but I don't think it's possible. Rather, it seems to me that:

    if ($user <something else ... ) {
        was written here
        but we'll never know because
        the browser mistook it for an HTML tag,
        and the user probably copied page contents
        instead of saving it.
    };

    if (user_was_working_at_facebook_in_2007())
        possibly_confirm('?');

    /* lots of missing code may follow... until */

    if (who knows what > 0 && ...

~~~
earenndil
Maybe. I think that's less likely than syntax error, for two reasons.

#1, if you look in index.php, there's a < on line 228 and a > on line 258,
correctly rendered. Granted, the < is part of a <=, which weakens that
argument.

#2, if you look at the surrounding code, $user > 0 makes logical sense given
what the code is doing (and assuming 0 represents an invalid/nonexistent
userid, which I believe it does given that facebook userids increase
monotonically).

~~~
aruggirello
Except that a syntax error isn't likely at all - this was production code.

BTW just running "php -l" would have nailed this error - PHP refuses to run a
script that cannot pass the tokenization step, resulting in a blank page (and
the error being logged), so such a macroscopic error would probably be short-
lived even in their test environment.

------
shimylining
Amazing that they initially wrote this code and now to join FB you need to
answer questions based on backtracking and dynamic programming. :) I wonder if
they could do the questions themselves back then.

~~~
angf
Dynamic programming questions are explicitly not used in current Facebook
interviews.

From time to time, Facebook and other companies study the effectiveness of
their hiring process by comparing employee performance and interview
performance. I believe dynamic programming questions were removed because
there was not a strong link between success in this question and future
performance.

~~~
fkfaduc
This sounds very counter-intuitive! Did you hear this from someone working at
Facebook or did you read it online? If it's the latter it'd be great if you
could share a link!

~~~
objektif
What is counterintuitive about this? That best dynamic programmers are the
absolute best programmers? I mean come on man..

~~~
SegFaultx64
Seems like pretty clearly GP isn't familiar with the definition of dynamic
programming in this context:
[https://en.wikipedia.org/wiki/Dynamic_programming](https://en.wikipedia.org/wiki/Dynamic_programming)

~~~
naniwaduni
Key takeaway:

> It also has a very interesting property as an adjective, and that is it's
> impossible to use the word dynamic in a pejorative sense. Try thinking of
> some combination that will possibly give it a pejorative meaning. It's
> impossible.

How times have changed!

------
iudqnolq
Can someone explain to a newbie why this code is so bad? Reading through it, it
seemed to generally make sense and not be too complicated.

~~~
munk-a
The lack of `chroot`[1] makes me sad off the bat - for some reason that
function seems like a secret, everyone actually wants to use it (or wanted to
before autoloading became as easy as it is) but nobody did.

Additionally I'd love to see that file split up into smaller chunks simply to
lower the scope of thought.

It looks like nearly all of those function calls are modifying variables
passed by reference instead of resolving the value out via `return`. This isn't
bad and is indistinguishable at a technical level in terms of functionality,
but it's a kind of horrible approach from an expressability standpoint.

They're doing things with datetime that are unsafe and wrong (like assuming
24*60*60 is the number of seconds in a day), but people getting datetime logic
wrong is as old as... well, time.

Oh, and you've got some pretty bizarre looking function signatures - I'm sure
there is a reason for this but I'd want to ask some questions about this
one...

    $permissions = privacy_get_reduced_network_permissions($user, $user);

It's possible to go through this and nitpick a bunch of stuff, it looks like
it's mostly just an older style though. The big problems aren't here though...
I'm not seeing any reads into $_POST (and `param_get_slashed` looks like a
nice function for sanitizing input) - additionally, I'm not seeing a single
line of SQL nor am I seeing any memcached calls, so the data access layer may
already be well isolated architecturally.

1. [https://www.php.net/manual/en/function.chroot.php](https://www.php.net/manual/en/function.chroot.php)
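
As an added illustration of the datetime point in the comment above (this is
not code from the leaked files or from Facebook), the PHP snippet below
compares the fixed 24*60*60 arithmetic with calendar arithmetic across the
2007 US DST transition; the zone and the date are constructed for the
demonstration.

```php
<?php
// Added example: why "24*60*60 seconds" is not the same thing as "one day".
declare(strict_types=1);

function nextDayByTimestamp(DateTimeImmutable $d): DateTimeImmutable
{
    // The pattern the comment criticises: a day treated as a fixed 86400 seconds.
    return $d->setTimestamp($d->getTimestamp() + 24 * 60 * 60);
}

function nextDayByCalendar(DateTimeImmutable $d): DateTimeImmutable
{
    // Calendar arithmetic in the user's zone: keeps the wall-clock time.
    return $d->modify('+1 day');
}

function wallClockDrift(DateTimeImmutable $d): int
{
    // Seconds by which the fixed-86400 answer is off from the calendar answer.
    return nextDayByTimestamp($d)->getTimestamp() - nextDayByCalendar($d)->getTimestamp();
}

// Constructed input: noon on the day before US clocks skipped 02:00 -> 03:00
// (DST started on 2007-03-11 in this zone).
$tz    = new DateTimeZone('America/New_York');
$start = new DateTimeImmutable('2007-03-10 12:00:00', $tz);

printf("start:   %s\n", $start->format('Y-m-d H:i T'));
printf("+86400s: %s\n", nextDayByTimestamp($start)->format('Y-m-d H:i T'));
printf("+1 day:  %s\n", nextDayByCalendar($start)->format('Y-m-d H:i T'));
printf("drift:   %d seconds\n", wallClockDrift($start));
```

On this input both results land on the following calendar day, but the
fixed-seconds version arrives at a different wall-clock hour, which is exactly
the kind of bug that shows up in "yesterday's activity" queries and expiry
checks twice a year.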

~~~
duskwuff
`chroot()` has no place in a web application. The system call requires the
process to be running as root.

~~~
voltagex_
Can you call that and then drop permissions?

~~~
duskwuff
In theory, yes. But that's still bad, because it means that a nontrivial
amount of your application code (as well as whatever is launching it, like the
PHP-FPM server or the web server) is running as root.

------
jszymborski
Some interesting comments:

> // Holy shit, is this the cleanest fucking frontend file you've ever seen?!

[https://gist.github.com/nikcub/3833406#file-search-php-L72](https://gist.github.com/nikcub/3833406#file-search-php-L72)

------
wonderment
I always liked Nik's comments and was wondering why he had stopped posting
here.

[https://news.ycombinator.com/threads?id=nikcub](https://news.ycombinator.com/threads?id=nikcub)

[https://www.zdnet.com/article/security-consultant-granted-bail-after-hacking-goget-systems/](https://www.zdnet.com/article/security-consultant-granted-bail-after-hacking-goget-systems/)

[https://www.zdnet.com/article/goget-hacker-sentenced-to-400-hours-of-community-service/](https://www.zdnet.com/article/goget-hacker-sentenced-to-400-hours-of-community-service/)

~~~
Supermancho
I always find this kind of stuff interesting. Albert Gonzalez broke into a
bunch of my work's servers (for years) at my first job, after a customer of
ours pissed him off. I had some AIM conversations and lurked/logged in one of
his advertised IRC hangouts. Most of the transcripts went to the Secret
Service, which was very interested in his credit card fraud activities (as
advertised on IRC).

[https://usa.kaspersky.com/resource-center/threats/top-ten-greatest-hackers](https://usa.kaspersky.com/resource-center/threats/top-ten-greatest-hackers)

------
rahuldottech
2013 HN discussion:
[https://news.ycombinator.com/item?id=6538270](https://news.ycombinator.com/item?id=6538270)

------
tmpz22
From index.php, an if statement for one particular user:

    // Merman's Admin profile always links to the Merman's home
    if (user_has_obj_attached($user)) {
          redirect('mhome.php', 'www');
    }

~~~
epriest
"Merman" was an internal project codename, not an individual user. I think it
was a very early version of the feature that eventually became "Pages".

------
jabyess
From the article linked in the gist:

> This leak is not good news for Facebook, as it raises the question of how
> secure a Facebook user's private data really is.

I don't even think I need to comment on how poorly this has aged.

~~~
trustfundbaby
Could you elaborate? I thought it was an amazing foreboding of exactly how
poor Facebook turned out to be at handling user privacy.

~~~
jabyess
That's basically what I meant, sorry. It's an insight into what could have
been a problem back then, and clearly became a serious problem.

------
joeblau
> Worth preserving as part of Internet history.

Can't Facebook just issue a takedown request and have these files removed?

~~~
riffraff
What for? It's not like it would be particularly dangerous to see code which
is 13 years old.

~~~
ocdtrekkie
It’s worth noting that Windows occasionally is inflicted by discovered
vulnerabilities that are over twenty years old.

Not sure how applicable that would be to Facebook’s codebase over this much
time. But worth noting.

~~~
giarc
Just look at Swift and all the Cocoa classes. Many are prefixed with NS, which
comes from the NeXTSTEP days.

------
hyggemonster
Reminds me that they had the poke feature.

~~~
ifaxmycodetok8s
They still have the poke feature.

------
tdevito
I know it's just two of the files, but taking into account the rest of the
pages for the FB app in 2007, it does not seem like a lot of code. One or two
people could have written and maintained a project that size. What were all
the new hires doing from 2005-2007?

~~~
ahupp
The company wasn't very large at that time. Probably less than 100 engineers
in 2007. One person could understand the bulk of the codebase in a
reasonable amount of time.

There was way more code than you're seeing here though, note all the includes
at the top.

------
zxcvbn4038
What always strikes me is how sloppy and poorly written commercial code is
when it is leaked, especially compared to open source projects. It looks like
someone's CS200 project a lot of the time.

------
Lavomk
Looking at this makes me not miss PHP, but somehow it's like going back in time.

------
sideproject
Is this Mark Z's code? Wonder why he didn't use a framework and went with pure
PHP.

~~~
lubujackson
I would assume the answer was speed.

I was also writing some spaghetti PHP code around 2007 and remember making
choices that had the benefit of reducing server stress while making my life
harder. No framework was a big one.

Remember, Friendster died due to crashing and Facebook, for all its spaghetti
code at the time, was remarkably solid and rarely crashed. It is easy to
forget how hard the sysadmin side was for a growing startup before we could
spin up infinite cloud servers and VC wasn't just an open spigot for anything
with growth.

Remember the fail whale on Twitter?

------
sandes
I think NipAlert by Big Head had better code.

