Facebook PHP Source Code from August 2007

In August 2007 a hacker found a way to expose the PHP source code on facebook.com. He retrieved two files and then emailed them to me, and I wrote about the issue:

http://techcrunch.com/2007/08/11/facebook-source-code-leaked/

It became a big deal:

http://www.techmeme.com/070812/p1#a070812p1

The two files are index.php (the homepage) and search.php (the search page).

I don't know what ended up happening to the guy who stole the code.

I found these files today while searching for another Facebook related file. Worth preserving as part of Internet history.

-- nik

<?php
include_once $_SERVER['PHP_ROOT'].'/html/init.php';
include_once $_SERVER['PHP_ROOT'].'/lib/home.php';
include_once $_SERVER['PHP_ROOT'].'/lib/requests.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/poke.php';
include_once $_SERVER['PHP_ROOT'].'/lib/share.php';
include_once $_SERVER['PHP_ROOT'].'/lib/orientation.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/mobile/register.php';
include_once $_SERVER['PHP_ROOT'].'/lib/forms_lib.php';
include_once $_SERVER['PHP_ROOT'].'/lib/contact_importer/contact_importer.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/util.php';
include_once $_SERVER['PHP_ROOT'].'/lib/hiding_prefs.php';
include_once $_SERVER['PHP_ROOT'].'/lib/abtesting.php';
include_once $_SERVER['PHP_ROOT'].'/lib/friends.php';
include_once $_SERVER['PHP_ROOT'].'/lib/statusupdates.php';
// lib/display/feed.php has to be declared here for scope issues.
// This keeps display/feed.php cleaner and easier to understand.
include_once $_SERVER['PHP_ROOT'].'/lib/display/feed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/monetization_box.php';
// require login
$user = require_login();
print_time('require_login');
param_request(array('react' => $PARAM_EXISTS));
// Check and fix broken emails
// LN - disabling due to excessive can_see dirties and sets when enabled.
//check_and_fix_broken_emails($user);
// migrate AIM screenname from profile to screenname table if needed
migrate_screenname($user);
// homepage announcement variables
$HIDE_ANNOUNCEMENT_BIT = get_site_variable('HIDE_ANNOUNCEMENT_BIT');
$HIDE_INTRO_BITMASK = get_site_variable('HIDE_INTRO_BITMASK');
// redirects
if (is_sponsor_user()) {
redirect('bizhome.php', 'www');
}
include_once $_SERVER['PHP_ROOT'].'/lib/mesg.php';
include_once $_SERVER['PHP_ROOT'].'/lib/invitetool.php';
include_once $_SERVER['PHP_ROOT'].'/lib/grammar.php';
include_once $_SERVER['PHP_ROOT'].'/lib/securityq.php';
include_once $_SERVER['PHP_ROOT'].'/lib/events.php';
include_once $_SERVER['PHP_ROOT'].'/lib/rooster/stories.php';
// todo: password confirmation redirects here (from html/reset.php),
// do we want a confirmation message?
param_get_slashed(array(
'feeduser' => $PARAM_INT, //debug: gets feed for user here
'err' => $PARAM_STRING, // returning from a failed entry on an orientation form
'error' => $PARAM_STRING, // an error can also be here because the profile photo upload code is crazy
'ret' => $PARAM_INT,
'success' => $PARAM_INT, // successful profile picture upload
'jn' => $PARAM_INT, // joined a network for orientation
'np' => $PARAM_INT, // network pending (for work/address network)
'me' => $PARAM_STRING, // mobile error
'mr' => $PARAM_EXISTS, // force mobile reg view
'mobile' => $PARAM_EXISTS, // mobile confirmation code sent
'jif' => $PARAM_EXISTS, // just imported friends
'ied' => $PARAM_STRING, // import email domain
'o' => $PARAM_EXISTS, // first time orientation, passed on confirm
'verified' => $PARAM_EXISTS)); // verified mobile phone
param_post(array(
'leave_orientation' => $PARAM_EXISTS,
'show_orientation' => $PARAM_INT, // show an orientation step
'hide_orientation' => $PARAM_INT)); // skip an orientation step
// homepage actions
if ($req_react && validate_expiring_hash($req_react, $GLOBALS['url_md5key'])) {
$show_reactivated_message = true;
} else {
$show_reactivated_message = false;
}
tpl_set('show_reactivated_message', $show_reactivated_message);
// upcoming events
events_check_future_events($user); // make sure big tunas haven't moved around
$upcoming_events = events_get_imminent_for_user($user);
// this is all stuff that can be fetched together!
$upcoming_events_short = array();
obj_multiget_short(array_keys($upcoming_events), true, $upcoming_events_short);
$new_pokes = 0;
//only get the next N pokes for display
//where N is set in the dbget to avoid caching issues
$poke_stats = get_num_pokes($user);
get_next_pokes($user, true, $new_pokes);
$poke_count = $poke_stats['unseen'];
$targeted_data = array();
home_get_cache_targeted_data($user, true, $targeted_data);
$announcement_data = array();
home_get_cache_announcement_data($user, true, $announcement_data);
$orientation = 0;
orientation_get_status($user, true, $orientation);
$short_profile = array();
profile_get_short($user, true, $short_profile);
// pure priming stuff
privacy_get_network_settings($user, true);
$presence = array();
mobile_get_presence_data($user, true, $presence);
feedback_get_event_weights($user, true);
// Determine if we want to display the feed intro message
$intro_settings = 0;
user_get_hide_intro_bitmask($user, true, $intro_settings);
$user_friend_finder = true;
contact_importer_get_used_friend_finder($user, true, $used_friend_finder);
$all_requests = requests_get_cache_data($user);
// FIXME?: is it sub-optimal to call this both in requests_get_cache_data and here?
$friends_status = statusupdates_get_recent($user, null, 3);
memcache_dispatch(); // populate cache data
// Merman's Admin profile always links to the Merman's home
if (user_has_obj_attached($user)) {
redirect('mhome.php', 'www');
}
if (is_array($upcoming_events)) {
foreach($upcoming_events as $event_id => $data) {
$upcoming_events[$event_id]['name'] = txt_set($upcoming_events_short[$event_id]['name']);
}
}
tpl_set('upcoming_events', $upcoming_events);
// disabled account actions
$disabled_warning = ((IS_DEV_SITE || IS_QA_SITE) && is_disabled_user($user));
tpl_set('disabled_warning', $disabled_warning);
// new pokes (no more messages here, they are in the top nav!)
if (!user_is_guest($user)) {
tpl_set('poke_count', $poke_count);
tpl_set('pokes', $new_pokes);
}
// get announcement computations
tpl_set('targeted_data', $targeted_data);
tpl_set('announcement_data', $announcement_data);
// birthday notifications
tpl_set('birthdays', $birthdays = user_get_birthday_notifications($user, $short_profile));
tpl_set('show_birthdays', $show_birthdays = (count($birthdays) || !$orientation));
// user info
tpl_set('first_name', user_get_first_name(txt_set($short_profile['id'])));
tpl_set('user', $user);
// decide if there are now any requests to show
$show_requests = false;
foreach($all_requests as $request_category) {
if ($request_category) {
$show_requests = true;
break;
}
}
tpl_set('all_requests', $show_requests ? $all_requests : null);
$permissions = privacy_get_reduced_network_permissions($user, $user);
// status
$user_info = array(
'user' => $user,
'firstname' => user_get_first_name($user),
'see_all' => '/statusupdates/?ref=hp',
'profile_pic' => make_profile_image_src_direct($user, 'thumb'),
'square_pic' => make_profile_image_src_direct($user, 'square'));
if (!empty($presence) && $presence['status_time'] > (time() - 60 * 60 * 24 * 7)) {
$status = array('message' => txt_set($presence['status']), 'time' => $presence['status_time'], 'source' => $presence['status_source']);
} else {
$status = array('message' => null, 'time' => null, 'source' => null);
}
tpl_set('user_info', $user_info);
tpl_set('show_status', $show_status = !$orientation);
tpl_set('status', $status);
tpl_set('status_custom', $status_custom = mobile_get_status_custom($user));
tpl_set('friends_status', $friends_status);
// orientation
if ($orientation) {
if ($post_leave_orientation) {
orientation_update_status($user, $orientation, 2);
notification_notify_exit_orientation($user);
dirty_user($user);
redirect('home.php');
} else if (orientation_eligible_exit(array('uid' => $user)) == 2) {
orientation_update_status($user, $orientation, 1);
notification_notify_exit_orientation($user);
dirty_user($user);
redirect('home.php');
}
}
// timezone - outside of stealth, update user's timezone if necessary
$set_time = !user_is_alpha($user, 'stealth');
tpl_set('timezone_autoset', $set_time);
if ($set_time) {
$daylight_savings = get_site_variable('DAYLIGHT_SAVINGS_ON');
tpl_set('timezone', $short_profile['timezone'] - ($daylight_savings ? 4 : 5));
}
// set next step if we can
if (!$orientation) {
user_set_next_step($user, $short_profile);
}
// note: don't make this an else with the above statement, because then no news feed stories will be fetched if they're exiting orientation
if ($orientation) {
extract(orientation_get_const());
require_js('js/dynamic_dialog.js');
require_js('js/suggest.js');
require_js('js/typeahead_ns.js');
require_js('js/suggest.js');
require_js('js/editregion.js');
require_js('js/orientation.js');
require_css('css/typeahead.css');
require_css('css/editor.css');
if ($post_hide_orientation && $post_hide_orientation <= $ORIENTATION_MAX) {
$orientation['orientation_bitmask'] |= ($post_hide_orientation * $ORIENTATION_SKIPPED_MODIFIER);
orientation_update_status($user, $orientation);
} else if ($post_show_orientation && $post_show_orientation <= $ORIENTATION_MAX) {
$orientation['orientation_bitmask'] &= ~ ($post_show_orientation * $ORIENTATION_SKIPPED_MODIFIER);
orientation_update_status($user, $orientation);
}
$stories = orientation_get_stories($user, $orientation);
switch ($get_err) {
case $ORIENTATION_ERR_COLLEGE:
$temp = array(); // the affil_retval_msg needs some parameters won't be used
$stories[$ORIENTATION_NETWORK]['failed_college'] = affil_retval_msg($get_ret, $temp, $temp);
break;
case $ORIENTATION_ERR_CORP:
$temp = array();
// We special case the network not recognized error here, because affil_retval_msg is retarded.
$stories[$ORIENTATION_NETWORK]['failed_corp'] = ($get_ret == 70) ?
'The email you entered did not match any of our supported networks. '.
'Click here to see our supported list. '.
'Go here to suggest your network for the future.' :
affil_retval_msg($get_ret, $temp, $temp);
break;
}
// photo upload error
if ($get_error) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_PROFILE]]['upload_error'] = pic_get_error_text($get_error);
}
// photo upload success
else if ($get_success == 1) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_PROFILE]]['uploaded_pic'] = true;
// join network success
} else if ($get_jn) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['joined'] = array('id' => $get_jn, 'name' => network_get_name($get_jn));
// network join pending
} else if ($get_np) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['join_pending'] = array(
'id' => $get_np,
'email' => get_affil_email_conf($user, $get_np),
'network' => network_get_name($get_np));
// just imported friend confirmation
} else if ($get_jif) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['just_imported_friends'] = true;
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['domain'] = $get_ied;
}
// Mobile web API params
if ($get_mobile) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['sent_code'] = true;
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['view'] = 'confirm';
}
if ($get_verified) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['verified'] = true;
}
if ($get_me) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['error'] = $get_me;
}
if ($get_mr) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['view'] = 'register';
}
if (orientation_eligible_exit($orientation)) {
tpl_set('orientation_show_exit', true);
}
tpl_set('orientation_stories', $stories);
//if in orientation, we hide all feed intros (all 1's in bitmask)
$intro_settings = -1;
}
tpl_set('orientation', $orientation);
// Rooster Stories
if (!$orientation && ((get_site_variable('ROOSTER_ENABLED') == 2) || (get_site_variable('ROOSTER_DEV_ENABLED') == 2))) {
$rooster_story_count = get_site_variable('ROOSTER_STORY_COUNT');
if (!isset($rooster_story_count)) {
// Set default if something is wrong with the sitevar
$rooster_story_count = 2;
}
$rooster_stories = rooster_get_stories($user, $rooster_story_count, $log_omissions = true);
if (!empty($rooster_stories) && !empty($rooster_stories['stories'])) {
// Do page-view level logging here
foreach($rooster_stories['stories'] as $story) {
rooster_log_action($user, $story, ROOSTER_LOG_ACTION_VIEW);
}
tpl_set('rooster_stories', $rooster_stories);
}
}
// set the variables for the home announcement code
$hide_announcement_tpl = ($intro_settings | $HIDE_INTRO_BITMASK) & $HIDE_ANNOUNCEMENT_BIT;
// if on qa/dev site, special rules
$HIDE_INTRO_ON_DEV = get_site_variable('HIDE_INTRO_ON_DEV');
if ((IS_QA_SITE || IS_DEV_SITE) && !$HIDE_INTRO_ON_DEV) {
$hide_announcement_tpl = 0;
}
tpl_set('hide_announcement', $hide_announcement_tpl);
if ($is_candidate = is_candidate_user($user)) {
tpl_set('hide_announcement', false);
}
$home_announcement_tpl = !$hide_announcement_tpl || $is_candidate ? home_get_announcement_info($user) : 0;
tpl_set('home_announcement', $home_announcement_tpl);
tpl_set('hide_announcement_bit', $HIDE_ANNOUNCEMENT_BIT);
$show_friend_finder = !$orientation && contact_importer_enabled($user) && !user_get_hiding_pref($user, 'home_friend_finder');
tpl_set('show_friend_finder', $show_friend_finder);
if ($show_friend_finder && (user_get_friend_count($user) > 20)) {
tpl_set('friend_finder_hide_options', array('text' => 'close', 'onclick' => "return clearFriendFinder()"));
} else {
tpl_set('friend_finder_hide_options', null);
}
$account_info = user_get_account_info($user);
$account_create_time = $account_info['time'];
tpl_set('show_friend_finder_top', !$used_friend_finder);
tpl_set('user', $user);
// MONETIZATION BOX
$minimize_monetization_box = user_get_hiding_pref($user, 'home_monetization');
$show_monetization_box = (!$orientation && get_site_variable('HOMEPAGE_MONETIZATION_BOX'));
tpl_set('show_monetization_box', $show_monetization_box);
tpl_set('minimize_monetization_box', $minimize_monetization_box);
if ($show_monetization_box) {
$monetization_box_data = monetization_box_user_get_data($user);
txt_set('monetization_box_data', $monetization_box_data);
}
// ORIENTATION
if ($orientation) {
$network_ids = id_get_networks($user);
$network_names = multiget_network_name($network_ids);
$in_corp_network = in_array($GLOBALS['TYPE_CORP'], array_map('extract_network_type', $network_ids));
$show_corp_search = $in_corp_network || get_age(user_get_basic_info_attr($user, 'birthday')) >= 21;
$pending_hs = is_hs_pending_user($user);
$hs_id = null;
$hs_name = null;
if ($pending_hs) {
foreach(id_get_pending_networks($user) as $network) {
if (extract_network_type($network['network_key']) == $GLOBALS['TYPE_HS']) {
$hs_id = $network['network_key'];
$hs_name = network_get_name($hs_id);
break;
}
}
}
//$orientation_people = orientation_get_friend_and_inviter_ids($user);
$orientation_people = array(
'friends' => user_get_all_friends($user),
'pending' => array_keys(user_get_friend_requests($user)),
'inviters' => array(), // wc: don't show inviters for now
);
$orientation_info = array_merge($orientation_people, array(
'network_names' => $network_names,
'show_corp_search' => $show_corp_search,
'pending_hs' => array('hs_id' => $hs_id, 'hs_name' => $hs_name),
'user' => $user,
));
tpl_set('orientation_info', $orientation_info);
tpl_set('simple_orientation_first_login', $get_o); // unused right now
}
// Roughly determine page length for ads
// first, try page length using right-hand panel
$ads_page_length_data = 3 + // 3 for profile pic + next step
($show_friend_finder ? 1 : 0) +
($show_status ? ($status_custom ? count($friends_status) : 0) : 0) +
($show_monetization_box ? 1 : 0) +
($show_birthdays ? count($birthdays) : 0) +
count($new_pokes);
// page length using feed stories
if ($orientation) {
$ads_page_length_data = max($ads_page_length_data, count($stories) * 5);
}
tpl_set('ads_page_length_data', $ads_page_length_data);
$feed_stories = null;
if (!$orientation) { // if they're not in orientation they get other cool stuff
// ad_insert: the ad type to try to insert for the user
// (0 if we don't want to try an insert)
$ad_insert = get_site_variable('FEED_ADS_ENABLE_INSERTS');
$feed_off = false;
if (check_super($user) && $get_feeduser) {
$feed_stories = user_get_displayable_stories($get_feeduser, 0, null, $ad_insert);
} else if (can_see($user, $user, 'feed')) {
$feed_stories = user_get_displayable_stories($user, 0, null, $ad_insert);
} else {
$feed_off = true;
}
// Friend's Feed Selector - Requires dev.php constant
if (is_friendfeed_user($user)) {
$friendfeed = array();
$friendfeed['feeduser'] = $get_feeduser;
$friendfeed['feeduser_name'] = user_get_name($get_feeduser);
$friendfeed['friends'] = user_get_all_friends($user);
tpl_set('friendfeed', $friendfeed);
}
$feed_stories = feed_adjust_timezone($user, $feed_stories);
tpl_set('feed_off', $feed_off ? redirect('privacy.php?view=feeds', null, false) : false);
}
tpl_set('feed_stories', $feed_stories);
render_template($_SERVER['PHP_ROOT'].'/html/home.phpt');

<?php
/*
* @author Mark Slee
*
* @package ubersearch
*/
ini_set('memory_limit', '100M'); // to be safe we are increasing the memory limit for search
include_once $_SERVER['PHP_ROOT'].'/html/init.php'; // final lib include
include_once $_SERVER['PHP_ROOT'].'/lib/s.php';
include_once $_SERVER['PHP_ROOT'].'/lib/browse.php';
include_once $_SERVER['PHP_ROOT'].'/lib/events.php';
include_once $_SERVER['PHP_ROOT'].'/lib/websearch_classifier/websearch_classifier.php';
flag_allow_guest();
$user = search_require_login();
if ($_POST) {
$arr = us_flatten_checkboxes($_POST, array('ii'));
$qs = '?';
foreach($arr as $key => $val) {
$qs .= $key.'='.urlencode($val).'&';
}
$qs = substr($qs, 0, (strlen($qs) - 1));
redirect($_SERVER['PHP_SELF'].$qs);
}
// If they performed a classmates search, these values are
// needed to pre-populate dropdowns
param_get_slashed(array(
'hy' => $PARAM_STRING,
'hs' => $PARAM_INT,
'adv' => $PARAM_EXISTS,
'events' => $PARAM_EXISTS,
'groups' => $PARAM_EXISTS,
'classmate' => $PARAM_EXISTS,
'coworker' => $PARAM_EXISTS));
$pos = strpos($get_hy, ':');
if ($pos !== false) {
$hsid = intval(substr($get_hy, 0, $pos));
$hsyear = intval(substr($get_hy, $pos + 1));
} else {
$hsid = intval($get_hs);
$hsyear = null;
}
tpl_set('hs_id', $hsid);
tpl_set('hs_name', get_high_school($hsid));
tpl_set('hs_year', $hsyear);
tpl_set('is_advanced_search', $get_adv);
tpl_set('user', $user);
tpl_set('count_total', 0); // pre-set count_total for the sake of ads page length
// Events search calendar data
param_get(array('k' => $PARAM_HEX, 'n' => $PARAM_SINT));
if (($get_k == search_module::get_key(SEARCH_MOD_EVENT, SEARCH_TYPE_AS))) {
$EVENTS_CAL_DAYS_AHEAD = 60;
$events_begin = strftime("%Y%m01"); // first of the month
$events_end = strftime("%Y%m%d", strtotime(strftime("%m/01/%Y")) + (86400 * $EVENTS_CAL_DAYS_AHEAD));
$events_params = array('dy1' => $events_begin, 'dy2' => $events_end);
param_get(array('c1' => $PARAM_INT, 'c2' => $PARAM_INT), 'evt_');
if (isset($evt_c1)) {
$events_params['c1'] = $evt_c1;
}
if (isset($evt_c2)) {
$events_params['c2'] = $evt_c2;
}
$results = events_get_calendar($user, $get_n, $events_params);
tpl_set('events_date', $results['events_date']);
}
// Holy shit, is this the cleanest fucking frontend file you've ever seen?!
ubersearch($_GET, $embedded = false, $template = true);
// Render it
render_template($_SERVER['PHP_ROOT'].'/html/s.phpt');
/**
* login function for s.php
*
* @author Philip Fung
*/
function search_require_login() {
//check if user is logged in
$user = require_login(true);
if ($user > 0 && !is_unregistered($user)) { return $user; }
// this is an unregistered user
param_get(array(
'k' => $GLOBALS['PARAM_HEX'], // search key (used by rest of ubersearch code)
));
global $get_k;
$search_key = $get_k;
//Let user see event or group search if criteria are obeyed
if ($search_key && (search_module::get_key_type($search_key) == SEARCH_MOD_EVENT ||
search_module::get_key_type($search_key) == SEARCH_MOD_GROUP)) { // event or group search
return $user;
} else {
go_home();
}
}

Portekoi commented Apr 28, 2022

"Done is better than perfect", @jerrylau91, you are so right! Many like to criticize but this code changed the world.


0STEFAN0 commented May 1, 2022

well, I'm too bad to see why the code is bad


Oussag commented Jun 1, 2022

id=100070926030443


atharva100 commented Jul 3, 2022

just being a part of internet history here :)
And yeah man, the code isn't too bad, although I agree with some commenters: making the code work seems more important when you're just building up a startup; maintainable code can be organised later when success is starting to meet and the team scales up.


ShockAwer commented Aug 8, 2022

woah damn


ShockAwer commented Aug 8, 2022

ok, it's not that bad, they need to cut down on all those includes though


AJ1062910 commented Aug 8, 2022

at least it is well indented
