Facebook PHP Source Code from August 2007

In August 2007 a hacker found a way to expose the PHP source code on He retrieved two files and then emailed them to me, and I wrote about the issue:

It became a big deal:

The two files are index.php (the homepage) and search.php (the search page)

I don't know what ended up happening to the guy who stole the code.

I found these files today while searching for another Facebook related file. Worth preserving as part of Internet history.

-- nik

<? php
include_once $_SERVER['PHP_ROOT'].'/html/init.php';
include_once $_SERVER['PHP_ROOT'].'/lib/home.php';
include_once $_SERVER['PHP_ROOT'].'/lib/requests.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/poke.php';
include_once $_SERVER['PHP_ROOT'].'/lib/share.php';
include_once $_SERVER['PHP_ROOT'].'/lib/orientation.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/mobile/register.php';
include_once $_SERVER['PHP_ROOT'].'/lib/forms_lib.php';
include_once $_SERVER['PHP_ROOT'].'/lib/contact_importer/contact_importer.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/util.php';
include_once $_SERVER['PHP_ROOT'].'/lib/hiding_prefs.php';
include_once $_SERVER['PHP_ROOT'].'/lib/abtesting.php';
include_once $_SERVER['PHP_ROOT'].'/lib/friends.php';
include_once $_SERVER['PHP_ROOT'].'/lib/statusupdates.php';
// lib/display/feed.php has to be declared here for scope issues.
// This keeps display/feed.php cleaner and easier to understand.
include_once $_SERVER['PHP_ROOT'].'/lib/display/feed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/monetization_box.php';
// require login
$user = require_login();
param_request(array('react' = > $PARAM_EXISTS));
// Check and fix broken emails
// LN - disabling due to excessive can_see dirties and sets when enabled.
// migrate AIM screenname from profile to screenname table if needed
// homepage announcement variables
// redirects
if (is_sponsor_user()) {
redirect('bizhome.php', 'www');
include_once $_SERVER['PHP_ROOT'].'/lib/mesg.php';
include_once $_SERVER['PHP_ROOT'].'/lib/invitetool.php';
include_once $_SERVER['PHP_ROOT'].'/lib/grammar.php';
include_once $_SERVER['PHP_ROOT'].'/lib/securityq.php';
include_once $_SERVER['PHP_ROOT'].'/lib/events.php';
include_once $_SERVER['PHP_ROOT'].'/lib/rooster/stories.php';
// todo: password confirmation redirects here (from html/reset.php),
// do we want a confirmation message?
'feeduser' = > $PARAM_INT, //debug: gets feed for user here
'err' = > $PARAM_STRING, // returning from a failed entry on an orientation form
'error' = > $PARAM_STRING, // an error can also be here because the profile photo upload code is crazy
'ret' = > $PARAM_INT, 'success' = > $PARAM_INT, // successful profile picture upload
'jn' = > $PARAM_INT, // joined a network for orientation
'np' = > $PARAM_INT, // network pending (for work/address network)
'me' = > $PARAM_STRING, // mobile error
'mr' = > $PARAM_EXISTS, // force mobile reg view
'mobile' = > $PARAM_EXISTS, // mobile confirmation code sent
'jif' = > $PARAM_EXISTS, // just imported friends
'ied' = > $PARAM_STRING, // import email domain
'o' = > $PARAM_EXISTS, // first time orientation, passed on confirm
'verified' = > $PARAM_EXISTS)); // verified mobile phone
'leave_orientation' = > $PARAM_EXISTS,
'show_orientation' = > $PARAM_INT, // show an orientation step
'hide_orientation' = > $PARAM_INT)); // skip an orientation step
// homepage actions
if ($req_react && validate_expiring_hash($req_react, $GLOBALS['url_md5key'])) {
$show_reactivated_message = true;
} else {
$show_reactivated_message = false;
tpl_set('show_reactivated_message', $show_reactivated_message);
// upcoming events
events_check_future_events($user); // make sure big tunas haven't moved around
$upcoming_events = events_get_imminent_for_user($user);
// this is all stuff that can be fetched together!
$upcoming_events_short = array();
obj_multiget_short(array_keys($upcoming_events), true, $upcoming_events_short);
$new_pokes = 0;
//only get the next N pokes for display
//where N is set in the dbget to avoid caching issues
$poke_stats = get_num_pokes($user);
get_next_pokes($user, true, $new_pokes);
$poke_count = $poke_stats['unseen'];
$targeted_data = array();
home_get_cache_targeted_data($user, true, $targeted_data);
$announcement_data = array();
home_get_cache_announcement_data($user, true, $announcement_data);
$orientation = 0;
orientation_get_status($user, true, $orientation);
$short_profile = array();
profile_get_short($user, true, $short_profile);
// pure priming stuff
privacy_get_network_settings($user, true);
$presence = array();
mobile_get_presence_data($user, true, $presence);
feedback_get_event_weights($user, true);
// Determine if we want to display the feed intro message
$intro_settings = 0;
user_get_hide_intro_bitmask($user, true, $intro_settings);
$user_friend_finder = true;
contact_importer_get_used_friend_finder($user, true, $used_friend_finder);
$all_requests = requests_get_cache_data($user);
// FIXME?: is it sub-optimal to call this both in requests_get_cache_data and here?
$friends_status = statusupdates_get_recent($user, null, 3);
memcache_dispatch(); // populate cache data
// Merman's Admin profile always links to the Merman's home
if (user_has_obj_attached($user)) {
redirect('mhome.php', 'www');
if (is_array($upcoming_events)) {
foreach($upcoming_events as $event_id = > $data) {
$upcoming_events[$event_id]['name'] = txt_set($upcoming_events_short[$event_id]['name']);
tpl_set('upcoming_events', $upcoming_events);
// disabled account actions
$disabled_warning = ((IS_DEV_SITE || IS_QA_SITE) && is_disabled_user($user));
tpl_set('disabled_warning', $disabled_warning);
// new pokes (no more messages here, they are in the top nav!)
if (!user_is_guest($user)) {
tpl_set('poke_count', $poke_count);
tpl_set('pokes', $new_pokes);
// get announcement computations
tpl_set('targeted_data', $targeted_data);
tpl_set('announcement_data', $announcement_data);
// birthday notifications
tpl_set('birthdays', $birthdays = user_get_birthday_notifications($user, $short_profile));
tpl_set('show_birthdays', $show_birthdays = (count($birthdays) || !$orientation));
// user info
tpl_set('first_name', user_get_first_name(txt_set($short_profile['id'])));
tpl_set('user', $user);
// decide if there are now any requests to show
$show_requests = false;
foreach($all_requests as $request_category) {
if ($request_category) {
$show_requests = true;
tpl_set('all_requests', $show_requests ? $all_requests : null);
$permissions = privacy_get_reduced_network_permissions($user, $user);
// status
$user_info = array('user' = > $user, 'firstname' = > user_get_first_name($user), 'see_all' = > '/statusupdates/?ref=hp', 'profile_pic' = > make_profile_image_src_direct($user, 'thumb'), 'square_pic' = > make_profile_image_src_direct($user, 'square'));
if (!empty($presence) && $presence['status_time'] > (time() - 60 * 60 * 24 * 7)) {
$status = array('message' = > txt_set($presence['status']), 'time' = > $presence['status_time'], 'source' = > $presence['status_source']);
} else {
$status = array('message' = > null, 'time' = > null, 'source' = > null);
tpl_set('user_info', $user_info);
tpl_set('show_status', $show_status = !$orientation);
tpl_set('status', $status);
tpl_set('status_custom', $status_custom = mobile_get_status_custom($user));
tpl_set('friends_status', $friends_status);
// orientation
if ($orientation) {
if ($post_leave_orientation) {
orientation_update_status($user, $orientation, 2);
} else if (orientation_eligible_exit(array('uid' = > $user)) == 2) {
orientation_update_status($user, $orientation, 1);
// timezone - outside of stealth, update user's timezone if necessary
$set_time = !user_is_alpha($user, 'stealth');
tpl_set('timezone_autoset', $set_time);
if ($set_time) {
$daylight_savings = get_site_variable('DAYLIGHT_SAVINGS_ON');
tpl_set('timezone', $short_profile['timezone'] - ($daylight_savings ? 4 : 5));
// set next step if we can
if (!$orientation) {
user_set_next_step($user, $short_profile);
// note: don't make this an else with the above statement, because then no news feed stories will be fetched if they're exiting orientation
if ($orientation) {
if ($post_hide_orientation && $post_hide_orientation <= $ORIENTATION_MAX) {
$orientation['orientation_bitmask'] |= ($post_hide_orientation * $ORIENTATION_SKIPPED_MODIFIER);
orientation_update_status($user, $orientation);
} else if ($post_show_orientation && $post_show_orientation <= $ORIENTATION_MAX) {
$orientation['orientation_bitmask'] &= ~ ($post_show_orientation * $ORIENTATION_SKIPPED_MODIFIER);
orientation_update_status($user, $orientation);
$stories = orientation_get_stories($user, $orientation);
switch ($get_err) {
$temp = array(); // the affil_retval_msg needs some parameters won't be used
$stories[$ORIENTATION_NETWORK]['failed_college'] = affil_retval_msg($get_ret, $temp, $temp);
$temp = array();
// We special case the network not recognized error here, because affil_retval_msg is retarded.
$stories[$ORIENTATION_NETWORK]['failed_corp'] = ($get_ret == 70) ? 'The email you entered did not match any of our supported networks. '.'Click here to see our supported list. '.'Go here to suggest your network for the future.' : affil_retval_msg($get_ret, $temp, $temp);
// photo upload error
if ($get_error) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_PROFILE]]['upload_error'] = pic_get_error_text($get_error);
// photo upload success
else if ($get_success == 1) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_PROFILE]]['uploaded_pic'] = true;
// join network success
} else if ($get_jn) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['joined'] = array('id' = > $get_jn, 'name' = > network_get_name($get_jn));
// network join pending
} else if ($get_np) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['join_pending'] = array('id' = > $get_np, 'email' = > get_affil_email_conf($user, $get_np), 'network' = > network_get_name($get_np));
// just imported friend confirmation
} else if ($get_jif) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['just_imported_friends'] = true;
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['domain'] = $get_ied;
// Mobile web API params
if ($get_mobile) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['sent_code'] = true;
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['view'] = 'confirm';
if ($get_verified) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['verified'] = true;
if ($get_me) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['error'] = $get_me;
if ($get_mr) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['view'] = 'register';
if (orientation_eligible_exit($orientation)) {
tpl_set('orientation_show_exit', true);
tpl_set('orientation_stories', $stories);
//if in orientation, we hide all feed intros (all 1's in bitmask)
$intro_settings = -1;
tpl_set('orientation', $orientation);
// Rooster Stories
if (!$orientation && ((get_site_variable('ROOSTER_ENABLED') == 2) || (get_site_variable('ROOSTER_DEV_ENABLED') == 2))) {
$rooster_story_count = get_site_variable('ROOSTER_STORY_COUNT');
if (!isset($rooster_story_count)) {
// Set default if something is wrong with the sitevar
$rooster_story_count = 2;
$rooster_stories = rooster_get_stories($user, $rooster_story_count, $log_omissions = true);
if (!empty($rooster_stories) && !empty($rooster_stories['stories'])) {
// Do page-view level logging here
foreach($rooster_stories['stories'] as $story) {
rooster_log_action($user, $story, ROOSTER_LOG_ACTION_VIEW);
tpl_set('rooster_stories', $rooster_stories);
// set the variables for the home announcement code
$hide_announcement_tpl = ($intro_settings | $HIDE_INTRO_BITMASK) & $HIDE_ANNOUNCEMENT_BIT;
// if on qa/dev site, special rules
$HIDE_INTRO_ON_DEV = get_site_variable('HIDE_INTRO_ON_DEV');
$hide_announcement_tpl = 0;
tpl_set('hide_announcement', $hide_announcement_tpl);
if ($is_candidate = is_candidate_user($user)) {
tpl_set('hide_announcement', false);
$home_announcement_tpl = !$hide_announcement_tpl || $is_candidate ? home_get_announcement_info($user) : 0;
tpl_set('home_announcement', $home_announcement_tpl);
tpl_set('hide_announcement_bit', $HIDE_ANNOUNCEMENT_BIT);
$show_friend_finder = !$orientation && contact_importer_enabled($user) && !user_get_hiding_pref($user, 'home_friend_finder');
tpl_set('show_friend_finder', $show_friend_finder);
if ($show_friend_finder && (user_get_friend_count($user) > 20)) {
tpl_set('friend_finder_hide_options', array('text' = > 'close', 'onclick' = > "return clearFriendFinder()"));
} else {
tpl_set('friend_finder_hide_options', null);
$account_info = user_get_account_info($user);
$account_create_time = $account_info['time'];
tpl_set('show_friend_finder_top', !$used_friend_finder);
tpl_set('user', $user);
$minimize_monetization_box = user_get_hiding_pref($user, 'home_monetization');
$show_monetization_box = (!$orientation && get_site_variable('HOMEPAGE_MONETIZATION_BOX'));
tpl_set('show_monetization_box', $show_monetization_box);
tpl_set('minimize_monetization_box', $minimize_monetization_box);
if ($show_monetization_box) {
$monetization_box_data = monetization_box_user_get_data($user);
txt_set('monetization_box_data', $monetization_box_data);
if ($orientation) {
$network_ids = id_get_networks($user);
$network_names = multiget_network_name($network_ids);
$in_corp_network = in_array($GLOBALS['TYPE_CORP'], array_map('extract_network_type', $network_ids));
$show_corp_search = $in_corp_network || get_age(user_get_basic_info_attr($user, 'birthday')) >= 21;
$pending_hs = is_hs_pending_user($user);
$hs_id = null;
$hs_name = null;
if ($pending_hs) {
foreach(id_get_pending_networks($user) as $network) {
if (extract_network_type($network['network_key']) == $GLOBALS['TYPE_HS']) {
$hs_id = $network['network_key'];
$hs_name = network_get_name($hs_id);
//$orientation_people = orientation_get_friend_and_inviter_ids($user);
$orientation_people = array('friends' = > user_get_all_friends($user), 'pending' = > array_keys(user_get_friend_requests($user)), 'inviters' = > array(), // wc: don't show inviters for now
$orientation_info = array_merge($orientation_people, array('network_names' = > $network_names, 'show_corp_search' = > $show_corp_search, 'pending_hs' = > array('hs_id' = > $hs_id, 'hs_name' = > $hs_name), 'user' = > $user, ));
tpl_set('orientation_info', $orientation_info);
tpl_set('simple_orientation_first_login', $get_o); // unused right now
// Roughly determine page length for ads
// first, try page length using right-hand panel
$ads_page_length_data = 3 + // 3 for profile pic + next step
($show_friend_finder ? 1 : 0) + ($show_status ? ($status_custom ? count($friends_status) : 0) : 0) + ($show_monetization_box ? 1 : 0) + ($show_birthdays ? count($birthdays) : 0) + count($new_pokes);
// page length using feed stories
if ($orientation) {
$ads_page_length_data = max($ads_page_length_data, count($stories) * 5);
tpl_set('ads_page_length_data', $ads_page_length_data);
$feed_stories = null;
if (!$orientation) { // if they're not in orientation they get other cool stuff
// ad_insert: the ad type to try to insert for the user
// (0 if we don't want to try an insert)
$ad_insert = get_site_variable('FEED_ADS_ENABLE_INSERTS');
$feed_off = false;
if (check_super($user) && $get_feeduser) {
$feed_stories = user_get_displayable_stories($get_feeduser, 0, null, $ad_insert);
} else if (can_see($user, $user, 'feed')) {
$feed_stories = user_get_displayable_stories($user, 0, null, $ad_insert);
} else {
$feed_off = true;
// Friend's Feed Selector - Requires dev.php constant
if (is_friendfeed_user($user)) {
$friendfeed = array();
$friendfeed['feeduser'] = $get_feeduser;
$friendfeed['feeduser_name'] = user_get_name($get_feeduser);
$friendfeed['friends'] = user_get_all_friends($user);
tpl_set('friendfeed', $friendfeed);
$feed_stories = feed_adjust_timezone($user, $feed_stories);
tpl_set('feed_off', $feed_off ? redirect('privacy.php?view=feeds', null, false) : false);
tpl_set('feed_stories', $feed_stories);
* @author Mark Slee
* @package ubersearch
ini_set('memory_limit', '100M'); // to be safe we are increasing the memory limit for search
include_once $_SERVER['PHP_ROOT'].'/html/init.php'; // final lib include
include_once $_SERVER['PHP_ROOT'].'/lib/s.php';
include_once $_SERVER['PHP_ROOT'].'/lib/browse.php';
include_once $_SERVER['PHP_ROOT'].'/lib/events.php';
include_once $_SERVER['PHP_ROOT'].'/lib/websearch_classifier/websearch_classifier.php';
$user = search_require_login();
if ($_POST) {
$arr = us_flatten_checkboxes($_POST, array('ii'));
$qs = '?';
foreach($arr as $key = > $val) {
$qs. = $key.'='.urlencode($val).'&';
$qs = substr($qs, 0, (strlen($qs) - 1));
// If they performed a classmates search, these values are
// needed to pre-populate dropdowns
param_get_slashed(array('hy' = > $PARAM_STRING, 'hs' = > $PARAM_INT, 'adv' = > $PARAM_EXISTS, 'events' = > $PARAM_EXISTS, 'groups' = > $PARAM_EXISTS, 'classmate' = > $PARAM_EXISTS, 'coworker' = > $PARAM_EXISTS));
$pos = strpos($get_hy, ':');
if ($pos !== false) {
$hsid = intval(substr($get_hy, 0, $pos));
$hsyear = intval(substr($get_hy, $pos + 1));
} else {
$hsid = intval($get_hs);
$hsyear = null;
tpl_set('hs_id', $hsid);
tpl_set('hs_name', get_high_school($hsid));
tpl_set('hs_year', $hsyear);
tpl_set('is_advanced_search', $get_adv);
tpl_set('user', $user);
tpl_set('count_total', 0); // pre-set count_total for the sake of ads page length
// Events search calendar data
param_get(array('k' = > $PARAM_HEX, 'n' = > $PARAM_SINT));
if (($get_k == search_module::get_key(SEARCH_MOD_EVENT, SEARCH_TYPE_AS))) {
$events_begin = strftime("%Y%m01"); // first of the month
$events_end = strftime("%Y%m%d", strtotime(strftime("%m/01/%Y")) + (86400 * $EVENTS_CAL_DAYS_AHEAD));
$events_params = array('dy1' = > $events_begin, 'dy2' = > $events_end);
param_get(array('c1' = > $PARAM_INT, 'c2' = > $PARAM_INT), 'evt_');
if (isset($evt_c1)) {
$events_params['c1'] = $evt_c1;
if (isset($evt_c2)) {
$events_params['c2'] = $evt_c2;
$results = events_get_calendar($user, $get_n, $events_params);
tpl_set('events_date', $results['events_date']);
// Holy shit, is this the cleanest fucking frontend file you've ever seen?!
ubersearch($_GET, $embedded = false, $template = true);
// Render it
* login function for s.php
* @author Philip Fung
function search_require_login() {
//check if user is logged in
$user = require_login(true);
if($user 0 && !is_unregistered($user)) { return $user; }
// this is an unregistered user
array('k' = > $GLOBALS['PARAM_HEX'], // search key (used by rest of ubersearch code)
global $get_k;
$search_key = $get_k;
//Let user see event or group search if criteria are obeyed
if ($search_key && (search_module::get_key_type($search_key) == SEARCH_MOD_EVENT || search_module::get_key_type($search_key) == SEARCH_MOD_GROUP) //event or group search
) {
return $user;
} else {


tj commented Oct 12, 2013

ah I remember this :) I happened to refresh the page juuust as it was exposed



Mparaiso commented Oct 12, 2013

see, what you can achieve with a bunch of spaghetti code? the hell with these JEE design patterns !!!
PHP for fun and profit.



sergiotapia commented Oct 12, 2013

Absolutely disgusting! Imagine having to maintain this beast!



antonmaju commented Oct 12, 2013

My eyes hurt ...



Hengjie commented Oct 12, 2013

I feel sorry for Facebook engineers



michaelmcmillan commented Oct 12, 2013

You just gotta love PHP.



vierbergenlars commented Oct 12, 2013

Does that even compile? What's going on there search.php:89



scravy commented Oct 12, 2013

I think that's far from spaghetti code.



andy-morris commented Oct 12, 2013

@vierbergenlars I think there must have been something before the 0, before some messed up reformatting attempt or something; all the =>s have turned into = > as well for some reason.



davycheung commented Oct 12, 2013

Honestly it's not that bad. At least they were using templates.



kdauzickas commented Oct 12, 2013

To all the 'spaghetti' screamers: you have no context and a bunch of lines that have evolved into what you see to serve billions of requests. Just because you do not understand what and why is something happening you do not get to declare that the code is spaghetti.



rhtyd commented Oct 12, 2013

Wasn't that fake?



umarana commented Oct 12, 2013




MattLoyeD commented Oct 12, 2013

Well it's just 7 years ago PHP, Object was less implemented, now it couldn't be that way.
It's a bit of MVC, that's not so horrible, just a primitive controller (search.php).



mbjordan commented Oct 12, 2013

I think its important to note the many syntactical errors throughout the file...



mafellows commented Oct 12, 2013

// Holy shit, is this the cleanest fucking frontend file you've ever seen?!



jeremysmitherman commented Oct 12, 2013

So many edgy comments here.



tubbo commented Oct 12, 2013

Meh. Nothin special.



awdng commented Oct 12, 2013

given the fact its 6-7 years old, its not that bad...thats one giant controller though



chrisabrams commented Oct 12, 2013

I should have saved the profile page when this happened..



integricho commented Oct 12, 2013

I've never seen nice looking php code.



riston commented Oct 12, 2013

All love php spaghetti code :)



piksel commented Oct 12, 2013

@alexreidy, yes, and syntax errors is an important part of return statements.



Syerram commented Oct 12, 2013

@kdauzickas the concern is maintainability not performance. Its apples and oranges. I could cache the shit outta hit, which I presume they did, and get good performance without hitting any DB. But it doesn't mean the code should be written in one giant controller.



joakimberg commented Oct 12, 2013

Hmm from what I remember, this didn't happen because Facebook was hacked, but because of sysadmins who failed to install PHP correctly and so the files were exposed as-is.



mmmpop commented Oct 12, 2013

I'd be interested to see how many of the armchair engineers in this thread could get a job writing code at Facebook.



panique commented Oct 12, 2013

Has Facebook confirmed this in any way ? Facebook was always one of the most intense and cutting-edge applications in the world, they had big influence on extremely modern PHP things (like pre-compiling etc.); they even use software and hardware that is totally experimental, so it's hard to believe that they DO NOT write extremely modern, clean and maintainable code.

By the way, if you want to bash, then bash WORDPRESS. It is open-source but still has horrible code, even after years. Wordpress's code does not fit ANY modern coding standards.



jpalawaga commented Oct 12, 2013

@panique no, but this is also allegedly from 2007.



akira28 commented Oct 12, 2013

It's not odd for some php code from 2007 to be procedural and "spaghetti". Keep in mind that symfony (born in 2007) and zend framework (born in 2006) became mainstream just recently. Anyway I've seen much much worse code in companies larger than facebook in 2007



modsrm commented Oct 12, 2013

Always interesting to have a peek at what something worth billions looks like...
Not sure why there is a lot of harsh comments here...Someone's even feeling sorry about facebook's engineers...Sorry about what, the millions who wrote this code now has in his bank account?



monokrome commented Oct 12, 2013

@modsrm You must be confused. Let me help: Some people actually care about code as opposed to only the money that producing it provides.

I hope that is understandable.



bsandrow commented Oct 12, 2013

@modsrm Are you under the impression that every Facebook engineer that ever has/had to deal with this code is a millionaire? This seems like a false premise.



ghost commented Oct 12, 2013

How many of you here have facebook account ? ROFL



chriswbarrett commented Oct 12, 2013

If this is written in 2007 it probably wasn't written with the current size of facebook in mind. No doubt this is long outdated and it isn't that horrible either



Link- commented Oct 12, 2013

It's actually cleaner than I expected!



georg78sf commented Oct 12, 2013

this is not bad code




nikcub commented Oct 12, 2013

@panique yes they confirmed it to me at the time that a server was misconfigured and the two files were real.

for a good few years you could access the entire facebook source just by iterating .svn directories, since they were exposed (svn checkout vs svn export)

and I actually don't think the code is that bad, considering when it is from and that almost everybody at Facebook in those days learned PHP on the job (they didn't hire PHP developers, they hired compsci and other smart people - Dustin Moskovitz was an econ grad who learned PHP on the job).
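
Both causes mentioned in this thread, PHP files served as-is by a misconfigured server and `.svn` directories left in the web root by deploying a checkout instead of an export, can be checked for before a release goes live. The following is an added example, not part of the gist or of Facebook's code; the function names, the media-type list and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Directory names that version-control clients leave inside a working copy.
VCS_DIRS = {".svn", ".git", ".hg", "CVS"}

# Media types a web server may report when it hands out a .php file
# without running it (heuristic list, not exhaustive).
PASSTHROUGH_TYPES = {"application/x-httpd-php", "application/x-php", "text/x-php"}

# "<?php", "<? php" or "<?=" in a response body means the source was not executed.
PHP_OPEN_TAG = re.compile(rb"<\?(?:\s*php\b|=)", re.IGNORECASE)
SCAN_BYTES = 64 * 1024  # only inspect the start of large bodies


def find_vcs_metadata(docroot):
    """Return sorted docroot-relative paths of VCS metadata directories."""
    hits = []
    for current, dirs, _files in os.walk(docroot):
        for name in list(dirs):
            if name in VCS_DIRS:
                rel = os.path.relpath(os.path.join(current, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
                dirs.remove(name)  # do not descend into the metadata itself
    return sorted(hits)


def php_source_leak_reason(content_type, body):
    """Return why a response looks like unexecuted PHP, or None if it does not."""
    mime = content_type.split(";", 1)[0].strip().lower()
    if mime in PASSTHROUGH_TYPES:
        return "served with PHP source media type " + mime
    if PHP_OPEN_TAG.search(body[:SCAN_BYTES]):
        return "raw PHP open tag in response body"
    return None


def build_sample_tree(root, working_copy):
    """Constructed sample: a tiny docroot, laid out as a checkout or an export."""
    for sub in ("", "html", "lib"):
        directory = os.path.join(root, sub)
        os.makedirs(directory, exist_ok=True)
        if working_copy:
            # Subversion before 1.7 kept a .svn directory in every folder.
            os.makedirs(os.path.join(directory, ".svn"))
    with open(os.path.join(root, "html", "index.php"), "w") as fh:
        fh.write("<?php echo 'home'; ?>\n")


def audit_sample(working_copy):
    """Build the constructed tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root, working_copy)
        return find_vcs_metadata(root)


if __name__ == "__main__":
    print("checkout:", audit_sample(True))
    print("export:  ", audit_sample(False))
    # Constructed responses from a staging smoke test.
    samples = [
        ("text/html; charset=utf-8", b"<html><body>Welcome</body></html>"),
        ("text/html", b"<? php\ninclude_once $_SERVER['PHP_ROOT'].'/html/init.php';\n"),
        ("application/x-httpd-php", b""),
    ]
    for ctype, body in samples:
        print(ctype, "->", php_source_leak_reason(ctype, body))
```

Run the directory audit against the build artifact and the response check against a staging host as release gates; any non-empty result should block the deploy.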



joshribakoff commented Oct 13, 2013

Horrible code. PHP not having objects is an excuse? Nope. They still could have used functions, instead of declaring variables in the global scope. This gives PHP a bad name. There is in fact good PHP code out there



zhyq0826 commented Oct 13, 2013




xingrz commented Oct 13, 2013




wjason commented Oct 13, 2013




wakerman commented Oct 13, 2013




autodidacticon commented Oct 13, 2013

I certainly wouldn't want to write unit tests for this.

This code should inspire anyone who is alone with an idea; _code it and just make it work_. Maintainability can be addressed after you've scaled up your team.



mmmpop commented Oct 13, 2013


I would imagine most engineers in 2007 had stock in the company and are indeed millionaires thanks to the IPO.

Anyways, PHP as we all know and love didn't really come to any form of maturation until 2009 when version 5.3 was released and thanks largely to namespaces, type hinting/casting and mediocre support for some functional programming techniques, we're now able to replicate workflows similar to that of Java or .NET without too much hassle (re: Symfony2). Before that though, a typical front controller for any high-volume site running PHP probably looked very similar to this one so keep that in mind before dragging out your college CS books to comb the code for "underengineering". You're smart and innovative too, congrats! Isn't your golden ticket to economic affluence enough for your ego yet or must you belittle people that are likely more successful than you could hope to be?

Moving away from procedural logic and primitive objects over to a full framework is/was obviously the right direction for web applications but I think it tends to be abused a good bit and applied to situations that could get away with far less complexity.



mmmpop commented Oct 13, 2013


Me neither! With the tools available to PHP developers in 2007, writing unit tests would be quite tedious. For reasons that I'm uncertain of (not claiming they aren't public knowledge), Facebook went with PHP at a time when there certainly seemed to be better choices. In fact, I wouldn't be surprised if their adoption of the language helped shape it to become what it is today on more than just a philosophic level... money, bugfixes, heavy testing.



darasion commented Oct 13, 2013




bredfern commented Oct 13, 2013

Now you know why MVC frameworks took off in popularity, this is similar to working with the media wiki codebase, that's a typical "bootstrap" pattern used in PHP. Now that we have nodejs running rings around php/apache/mysql this code seems very quaint lol.



ah26 commented Oct 13, 2013

You guys are clueless if you think this code isn't clean. Don't hate on php. It works. When developing, you go with what you know, build, ship. Love how github users are telling FB how to write code. Too funny.



idning commented Oct 13, 2013

No object orientation, huh



lukaseder commented Oct 13, 2013

Well, this seems quite alright compared to what stubbornella claims to have fixed in Facebook's early CSS code. Talk about 500 shades / distinct hexcodes of Facebook blue!



eriksank commented Oct 13, 2013

This code definitely looks easy enough to debug with a few echo and die() statements here and there. Furthermore, their approach also looks consistent all across. (Inherited) code is not bad just because it is not buzzword-heavy, but because it would be difficult to debug and test ...



gamehelp16 commented Oct 13, 2013

if (is_sponsor_user()) {
redirect('bizhome.php', 'www');




hemanth commented Oct 13, 2013

Roughly determine page length for ads L384



deloz commented Oct 13, 2013

not too bad.



jkobus commented Oct 13, 2013

this is the worst-written and the most-worth code i've ever seen.



gotomypc commented Oct 14, 2013

mvc generally, tpl_set to set variables, render_template at last.



4tj commented Oct 14, 2013




Morawski commented Oct 14, 2013

Cpt. Obvious commenting style for life

// redirects
if (is_sponsor_user()) {
redirect('bizhome.php', 'www');

So it redirects, you don't say

// orientation
if ($orientation) {

Ah it concerns orientation, yup I think I follow



ArkeologeN commented Oct 14, 2013




lightningspirit commented Oct 14, 2013

Unfortunately, this is very common in proprietary software...



nathilen commented Oct 14, 2013

Guessing the comments are supposed to make the code easier to follow



cbergau commented Oct 15, 2013

Which programmer did not start like that? Hey, at least, the variable names and method names are understandable ;D you could almost write unit tests for that code too!



adityamenon commented Oct 20, 2013

Considering this stuff was written by 1 guy and maybe a couple interns, giddy with excitement and under the heady rush of fast success - it's not that bad. Once they could afford people with a passion for Clean Code, I'm sure a lot of it changed. I'm pretty damn sure today they've probably got one of the best PHP frameworks they only use internally - something as clean as Laravel but having lots more power thanks to their evolved DSL.



philfreo commented Oct 31, 2013

I posted some additional source code I got from in 2005:



starsea commented Nov 15, 2013




lazyphp commented Nov 17, 2013




qaisjp commented Jan 16, 2014



mazeltov7 commented Feb 26, 2014




Zeokat commented Mar 1, 2014

Zeokat says, a piece of internet history here ;)



Jahak commented Mar 13, 2014

Probably already copied code



MohamedFawzy commented Nov 20, 2014

Wow init memory with 100 MB instead optimize code for memory leaks however back to 2007 this good seriously very well engineered



yanismohadaram commented Nov 24, 2014




isseu commented Mar 19, 2015

not that bad..



aligajani commented May 15, 2015

Ahh, somethings don't ever change:



Joey95 commented Jun 28, 2015

Just wanna state something obvious, SWEDISH ARE THE BEST CODERS IN THE WORLD. Its just that they are not Evil like the Chinese!



Committing commented Sep 24, 2015

if ($_POST) {
// Already looking bad...



Mahmoudz commented Nov 23, 2015

See that's why I didn't accept Facebook's job offer :D



noc2spam commented Dec 4, 2015

Gosh :O WHat did I just see!! :O



john-crossley commented Feb 25, 2016

I think it reads like a poem 😍



LasseRafn commented Dec 4, 2016

For 2007, this is quite decent TBH. Yeah its nasty today, but PHP in 2007 had barely anything to help make this beast prettier.



rahuladream commented Mar 30, 2017

You are stupid man
Your code is just a piece of garbage.
Thank You ->



getl0st commented May 14, 2017

gotta love those comments <<3



Vyygir commented May 19, 2017

@rahuladream Unsure if troll, or genuinely doesn't understand if this is a segment of Facebook's source code from 2007..



BlueScriptures commented Jun 23, 2017

echo "hey how did you get the codes";
exit ()



santiago-elustondo commented Dec 12, 2017

is line 89 of search.php valid?? "$user 0 && ..." ? aren't we missing an comparison operator?



Globik commented Dec 24, 2017

So what if they stuffed everything into one giant controller? At least everything is, damn it, right in front of your eyes - no need, like nowadays with react.js, to open a pile of files in the editor and hop like a crab louse from directory to directory, nested up to ten subdirectories deep, for the sake of one single function. I, damn it, like writing one long sheet of code myself. It's much more convenient that way.



ryonagana commented Apr 13, 2018

@santiago-elustondo PHP doesnt care about operators



drashtishah30 commented May 4, 2018

can anyone plz share a code of LIKE, COMMENT and SHARE....

please... i need it on urgent base for my new website



igor-gawrys commented May 27, 2018

This code is bad.
