Skip to content

Instantly share code, notes, and snippets.

@nikcub
Created October 4, 2012 13:06
Show Gist options
  • Save nikcub/3833406 to your computer and use it in GitHub Desktop.
Save nikcub/3833406 to your computer and use it in GitHub Desktop.
Facebook PHP Source Code from August 2007

In August 2007 a hacker found a way to expose the PHP source code on facebook.com. He retrieved two files and then emailed them to me, and I wrote about the issue:

http://techcrunch.com/2007/08/11/facebook-source-code-leaked/

It became a big deal:

http://www.techmeme.com/070812/p1#a070812p1

The two files are index.php (the homepage) and search.php (the search page)

I don't know what ended up happening to the guy who stole the code.

I found these files today while searching for another Facebook related file. Worth preserving as part of Internet history.

-- nik

<? php
include_once $_SERVER['PHP_ROOT'].'/html/init.php';
include_once $_SERVER['PHP_ROOT'].'/lib/home.php';
include_once $_SERVER['PHP_ROOT'].'/lib/requests.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/poke.php';
include_once $_SERVER['PHP_ROOT'].'/lib/share.php';
include_once $_SERVER['PHP_ROOT'].'/lib/orientation.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/newsfeed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/mobile/register.php';
include_once $_SERVER['PHP_ROOT'].'/lib/forms_lib.php';
include_once $_SERVER['PHP_ROOT'].'/lib/contact_importer/contact_importer.php';
include_once $_SERVER['PHP_ROOT'].'/lib/feed/util.php';
include_once $_SERVER['PHP_ROOT'].'/lib/hiding_prefs.php';
include_once $_SERVER['PHP_ROOT'].'/lib/abtesting.php';
include_once $_SERVER['PHP_ROOT'].'/lib/friends.php';
include_once $_SERVER['PHP_ROOT'].'/lib/statusupdates.php';
// lib/display/feed.php has to be declared here for scope issues.
// This keeps display/feed.php cleaner and easier to understand.
include_once $_SERVER['PHP_ROOT'].'/lib/display/feed.php';
include_once $_SERVER['PHP_ROOT'].'/lib/monetization_box.php';
// require login
$user = require_login();
print_time('require_login');
param_request(array('react' = > $PARAM_EXISTS));
// Check and fix broken emails
// LN - disabling due to excessive can_see dirties and sets when enabled.
//check_and_fix_broken_emails($user);
// migrate AIM screenname from profile to screenname table if needed
migrate_screenname($user);
// homepage announcement variables
$HIDE_ANNOUNCEMENT_BIT = get_site_variable('HIDE_ANNOUNCEMENT_BIT');
$HIDE_INTRO_BITMASK = get_site_variable('HIDE_INTRO_BITMASK');
// redirects
if (is_sponsor_user()) {
redirect('bizhome.php', 'www');
}
include_once $_SERVER['PHP_ROOT'].'/lib/mesg.php';
include_once $_SERVER['PHP_ROOT'].'/lib/invitetool.php';
include_once $_SERVER['PHP_ROOT'].'/lib/grammar.php';
include_once $_SERVER['PHP_ROOT'].'/lib/securityq.php';
include_once $_SERVER['PHP_ROOT'].'/lib/events.php';
include_once $_SERVER['PHP_ROOT'].'/lib/rooster/stories.php';
// todo: password confirmation redirects here (from html/reset.php),
// do we want a confirmation message?
param_get_slashed(array(
'feeduser' = > $PARAM_INT, //debug: gets feed for user here
'err' = > $PARAM_STRING, // returning from a failed entry on an orientation form
'error' = > $PARAM_STRING, // an error can also be here because the profile photo upload code is crazy
'ret' = > $PARAM_INT, 'success' = > $PARAM_INT, // successful profile picture upload
'jn' = > $PARAM_INT, // joined a network for orientation
'np' = > $PARAM_INT, // network pending (for work/address network)
'me' = > $PARAM_STRING, // mobile error
'mr' = > $PARAM_EXISTS, // force mobile reg view
'mobile' = > $PARAM_EXISTS, // mobile confirmation code sent
'jif' = > $PARAM_EXISTS, // just imported friends
'ied' = > $PARAM_STRING, // import email domain
'o' = > $PARAM_EXISTS, // first time orientation, passed on confirm
'verified' = > $PARAM_EXISTS)); // verified mobile phone
param_post(array(
'leave_orientation' = > $PARAM_EXISTS,
'show_orientation' = > $PARAM_INT, // show an orientation step
'hide_orientation' = > $PARAM_INT)); // skip an orientation step
// homepage actions
if ($req_react && validate_expiring_hash($req_react, $GLOBALS['url_md5key'])) {
$show_reactivated_message = true;
} else {
$show_reactivated_message = false;
}
tpl_set('show_reactivated_message', $show_reactivated_message);
// upcoming events
events_check_future_events($user); // make sure big tunas haven't moved around
$upcoming_events = events_get_imminent_for_user($user);
// this is all stuff that can be fetched together!
$upcoming_events_short = array();
obj_multiget_short(array_keys($upcoming_events), true, $upcoming_events_short);
$new_pokes = 0;
//only get the next N pokes for display
//where N is set in the dbget to avoid caching issues
$poke_stats = get_num_pokes($user);
get_next_pokes($user, true, $new_pokes);
$poke_count = $poke_stats['unseen'];
$targeted_data = array();
home_get_cache_targeted_data($user, true, $targeted_data);
$announcement_data = array();
home_get_cache_announcement_data($user, true, $announcement_data);
$orientation = 0;
orientation_get_status($user, true, $orientation);
$short_profile = array();
profile_get_short($user, true, $short_profile);
// pure priming stuff
privacy_get_network_settings($user, true);
$presence = array();
mobile_get_presence_data($user, true, $presence);
feedback_get_event_weights($user, true);
// Determine if we want to display the feed intro message
$intro_settings = 0;
user_get_hide_intro_bitmask($user, true, $intro_settings);
$user_friend_finder = true;
contact_importer_get_used_friend_finder($user, true, $used_friend_finder);
$all_requests = requests_get_cache_data($user);
// FIXME?: is it sub-optimal to call this both in requests_get_cache_data and here?
$friends_status = statusupdates_get_recent($user, null, 3);
memcache_dispatch(); // populate cache data
// Merman's Admin profile always links to the Merman's home
if (user_has_obj_attached($user)) {
redirect('mhome.php', 'www');
}
if (is_array($upcoming_events)) {
foreach($upcoming_events as $event_id = > $data) {
$upcoming_events[$event_id]['name'] = txt_set($upcoming_events_short[$event_id]['name']);
}
}
tpl_set('upcoming_events', $upcoming_events);
// disabled account actions
$disabled_warning = ((IS_DEV_SITE || IS_QA_SITE) && is_disabled_user($user));
tpl_set('disabled_warning', $disabled_warning);
// new pokes (no more messages here, they are in the top nav!)
if (!user_is_guest($user)) {
tpl_set('poke_count', $poke_count);
tpl_set('pokes', $new_pokes);
}
// get announcement computations
tpl_set('targeted_data', $targeted_data);
tpl_set('announcement_data', $announcement_data);
// birthday notifications
tpl_set('birthdays', $birthdays = user_get_birthday_notifications($user, $short_profile));
tpl_set('show_birthdays', $show_birthdays = (count($birthdays) || !$orientation));
// user info
tpl_set('first_name', user_get_first_name(txt_set($short_profile['id'])));
tpl_set('user', $user);
// decide if there are now any requests to show
$show_requests = false;
foreach($all_requests as $request_category) {
if ($request_category) {
$show_requests = true;
break;
}
}
tpl_set('all_requests', $show_requests ? $all_requests : null);
$permissions = privacy_get_reduced_network_permissions($user, $user);
// status
$user_info = array('user' = > $user, 'firstname' = > user_get_first_name($user), 'see_all' = > '/statusupdates/?ref=hp', 'profile_pic' = > make_profile_image_src_direct($user, 'thumb'), 'square_pic' = > make_profile_image_src_direct($user, 'square'));
if (!empty($presence) && $presence['status_time'] > (time() - 60 * 60 * 24 * 7)) {
$status = array('message' = > txt_set($presence['status']), 'time' = > $presence['status_time'], 'source' = > $presence['status_source']);
} else {
$status = array('message' = > null, 'time' = > null, 'source' = > null);
}
tpl_set('user_info', $user_info);
tpl_set('show_status', $show_status = !$orientation);
tpl_set('status', $status);
tpl_set('status_custom', $status_custom = mobile_get_status_custom($user));
tpl_set('friends_status', $friends_status);
// orientation
if ($orientation) {
if ($post_leave_orientation) {
orientation_update_status($user, $orientation, 2);
notification_notify_exit_orientation($user);
dirty_user($user);
redirect('home.php');
} else if (orientation_eligible_exit(array('uid' = > $user)) == 2) {
orientation_update_status($user, $orientation, 1);
notification_notify_exit_orientation($user);
dirty_user($user);
redirect('home.php');
}
}
// timezone - outside of stealth, update user's timezone if necessary
$set_time = !user_is_alpha($user, 'stealth');
tpl_set('timezone_autoset', $set_time);
if ($set_time) {
$daylight_savings = get_site_variable('DAYLIGHT_SAVINGS_ON');
tpl_set('timezone', $short_profile['timezone'] - ($daylight_savings ? 4 : 5));
}
// set next step if we can
if (!$orientation) {
user_set_next_step($user, $short_profile);
}
// note: don't make this an else with the above statement, because then no news feed stories will be fetched if they're exiting orientation
if ($orientation) {
extract(orientation_get_const());
require_js('js/dynamic_dialog.js');
require_js('js/suggest.js');
require_js('js/typeahead_ns.js');
require_js('js/suggest.js');
require_js('js/editregion.js');
require_js('js/orientation.js');
require_css('css/typeahead.css');
require_css('css/editor.css');
if ($post_hide_orientation && $post_hide_orientation <= $ORIENTATION_MAX) {
$orientation['orientation_bitmask'] |= ($post_hide_orientation * $ORIENTATION_SKIPPED_MODIFIER);
orientation_update_status($user, $orientation);
} else if ($post_show_orientation && $post_show_orientation <= $ORIENTATION_MAX) {
$orientation['orientation_bitmask'] &= ~ ($post_show_orientation * $ORIENTATION_SKIPPED_MODIFIER);
orientation_update_status($user, $orientation);
}
$stories = orientation_get_stories($user, $orientation);
switch ($get_err) {
case $ORIENTATION_ERR_COLLEGE:
$temp = array(); // the affil_retval_msg needs some parameters won't be used
$stories[$ORIENTATION_NETWORK]['failed_college'] = affil_retval_msg($get_ret, $temp, $temp);
break;
case $ORIENTATION_ERR_CORP:
$temp = array();
// We special case the network not recognized error here, because affil_retval_msg is retarded.
$stories[$ORIENTATION_NETWORK]['failed_corp'] = ($get_ret == 70) ? 'The email you entered did not match any of our supported networks. '.'Click here to see our supported list. '.'Go here to suggest your network for the future.' : affil_retval_msg($get_ret, $temp, $temp);
break;
}
// photo upload error
if ($get_error) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_PROFILE]]['upload_error'] = pic_get_error_text($get_error);
}
// photo upload success
else if ($get_success == 1) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_PROFILE]]['uploaded_pic'] = true;
// join network success
} else if ($get_jn) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['joined'] = array('id' = > $get_jn, 'name' = > network_get_name($get_jn));
// network join pending
} else if ($get_np) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['join_pending'] = array('id' = > $get_np, 'email' = > get_affil_email_conf($user, $get_np), 'network' = > network_get_name($get_np));
// just imported friend confirmation
} else if ($get_jif) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['just_imported_friends'] = true;
$stories[$ORIENTATION_ORDER[$ORIENTATION_NETWORK]]['domain'] = $get_ied;
}
// Mobile web API params
if ($get_mobile) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['sent_code'] = true;
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['view'] = 'confirm';
}
if ($get_verified) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['verified'] = true;
}
if ($get_me) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['error'] = $get_me;
}
if ($get_mr) {
$stories[$ORIENTATION_ORDER[$ORIENTATION_MOBILE]]['view'] = 'register';
}
if (orientation_eligible_exit($orientation)) {
tpl_set('orientation_show_exit', true);
}
tpl_set('orientation_stories', $stories);
//if in orientation, we hide all feed intros (all 1's in bitmask)
$intro_settings = -1;
}
tpl_set('orientation', $orientation);
// Rooster Stories
if (!$orientation && ((get_site_variable('ROOSTER_ENABLED') == 2) || (get_site_variable('ROOSTER_DEV_ENABLED') == 2))) {
$rooster_story_count = get_site_variable('ROOSTER_STORY_COUNT');
if (!isset($rooster_story_count)) {
// Set default if something is wrong with the sitevar
$rooster_story_count = 2;
}
$rooster_stories = rooster_get_stories($user, $rooster_story_count, $log_omissions = true);
if (!empty($rooster_stories) && !empty($rooster_stories['stories'])) {
// Do page-view level logging here
foreach($rooster_stories['stories'] as $story) {
rooster_log_action($user, $story, ROOSTER_LOG_ACTION_VIEW);
}
tpl_set('rooster_stories', $rooster_stories);
}
}
// set the variables for the home announcement code
$hide_announcement_tpl = ($intro_settings | $HIDE_INTRO_BITMASK) & $HIDE_ANNOUNCEMENT_BIT;
// if on qa/dev site, special rules
$HIDE_INTRO_ON_DEV = get_site_variable('HIDE_INTRO_ON_DEV');
if ((IS_QA_SITE || IS_DEV_SITE) && !$HIDE_INTRO_ON_DEV) {
$hide_announcement_tpl = 0;
}
tpl_set('hide_announcement', $hide_announcement_tpl);
if ($is_candidate = is_candidate_user($user)) {
tpl_set('hide_announcement', false);
}
$home_announcement_tpl = !$hide_announcement_tpl || $is_candidate ? home_get_announcement_info($user) : 0;
tpl_set('home_announcement', $home_announcement_tpl);
tpl_set('hide_announcement_bit', $HIDE_ANNOUNCEMENT_BIT);
$show_friend_finder = !$orientation && contact_importer_enabled($user) && !user_get_hiding_pref($user, 'home_friend_finder');
tpl_set('show_friend_finder', $show_friend_finder);
if ($show_friend_finder && (user_get_friend_count($user) > 20)) {
tpl_set('friend_finder_hide_options', array('text' = > 'close', 'onclick' = > "return clearFriendFinder()"));
} else {
tpl_set('friend_finder_hide_options', null);
}
$account_info = user_get_account_info($user);
$account_create_time = $account_info['time'];
tpl_set('show_friend_finder_top', !$used_friend_finder);
tpl_set('user', $user);
// MONETIZATION BOX
$minimize_monetization_box = user_get_hiding_pref($user, 'home_monetization');
$show_monetization_box = (!$orientation && get_site_variable('HOMEPAGE_MONETIZATION_BOX'));
tpl_set('show_monetization_box', $show_monetization_box);
tpl_set('minimize_monetization_box', $minimize_monetization_box);
if ($show_monetization_box) {
$monetization_box_data = monetization_box_user_get_data($user);
txt_set('monetization_box_data', $monetization_box_data);
}
// ORIENTATION
if ($orientation) {
$network_ids = id_get_networks($user);
$network_names = multiget_network_name($network_ids);
$in_corp_network = in_array($GLOBALS['TYPE_CORP'], array_map('extract_network_type', $network_ids));
$show_corp_search = $in_corp_network || get_age(user_get_basic_info_attr($user, 'birthday')) >= 21;
$pending_hs = is_hs_pending_user($user);
$hs_id = null;
$hs_name = null;
if ($pending_hs) {
foreach(id_get_pending_networks($user) as $network) {
if (extract_network_type($network['network_key']) == $GLOBALS['TYPE_HS']) {
$hs_id = $network['network_key'];
$hs_name = network_get_name($hs_id);
break;
}
}
}
//$orientation_people = orientation_get_friend_and_inviter_ids($user);
$orientation_people = array('friends' = > user_get_all_friends($user), 'pending' = > array_keys(user_get_friend_requests($user)), 'inviters' = > array(), // wc: don't show inviters for now
);
$orientation_info = array_merge($orientation_people, array('network_names' = > $network_names, 'show_corp_search' = > $show_corp_search, 'pending_hs' = > array('hs_id' = > $hs_id, 'hs_name' = > $hs_name), 'user' = > $user, ));
tpl_set('orientation_info', $orientation_info);
tpl_set('simple_orientation_first_login', $get_o); // unused right now
}
// Roughly determine page length for ads
// first, try page length using right-hand panel
$ads_page_length_data = 3 + // 3 for profile pic + next step
($show_friend_finder ? 1 : 0) + ($show_status ? ($status_custom ? count($friends_status) : 0) : 0) + ($show_monetization_box ? 1 : 0) + ($show_birthdays ? count($birthdays) : 0) + count($new_pokes);
// page length using feed stories
if ($orientation) {
$ads_page_length_data = max($ads_page_length_data, count($stories) * 5);
}
tpl_set('ads_page_length_data', $ads_page_length_data);
$feed_stories = null;
if (!$orientation) { // if they're not in orientation they get other cool stuff
// ad_insert: the ad type to try to insert for the user
// (0 if we don't want to try an insert)
$ad_insert = get_site_variable('FEED_ADS_ENABLE_INSERTS');
$feed_off = false;
if (check_super($user) && $get_feeduser) {
$feed_stories = user_get_displayable_stories($get_feeduser, 0, null, $ad_insert);
} else if (can_see($user, $user, 'feed')) {
$feed_stories = user_get_displayable_stories($user, 0, null, $ad_insert);
} else {
$feed_off = true;
}
// Friend's Feed Selector - Requires dev.php constant
if (is_friendfeed_user($user)) {
$friendfeed = array();
$friendfeed['feeduser'] = $get_feeduser;
$friendfeed['feeduser_name'] = user_get_name($get_feeduser);
$friendfeed['friends'] = user_get_all_friends($user);
tpl_set('friendfeed', $friendfeed);
}
$feed_stories = feed_adjust_timezone($user, $feed_stories);
tpl_set('feed_off', $feed_off ? redirect('privacy.php?view=feeds', null, false) : false);
}
tpl_set('feed_stories', $feed_stories);
render_template($_SERVER['PHP_ROOT'].'/html/home.phpt');
<?php
/*
* @author Mark Slee
*
* @package ubersearch
*/
ini_set('memory_limit', '100M'); // to be safe we are increasing the memory limit for search
include_once $_SERVER['PHP_ROOT'].'/html/init.php'; // final lib include
include_once $_SERVER['PHP_ROOT'].'/lib/s.php';
include_once $_SERVER['PHP_ROOT'].'/lib/browse.php';
include_once $_SERVER['PHP_ROOT'].'/lib/events.php';
include_once $_SERVER['PHP_ROOT'].'/lib/websearch_classifier/websearch_classifier.php';
flag_allow_guest();
$user = search_require_login();
if ($_POST) {
$arr = us_flatten_checkboxes($_POST, array('ii'));
$qs = '?';
foreach($arr as $key = > $val) {
$qs. = $key.'='.urlencode($val).'&';
}
$qs = substr($qs, 0, (strlen($qs) - 1));
redirect($_SERVER['PHP_SELF'].$qs);
}
// If they performed a classmates search, these values are
// needed to pre-populate dropdowns
param_get_slashed(array('hy' = > $PARAM_STRING, 'hs' = > $PARAM_INT, 'adv' = > $PARAM_EXISTS, 'events' = > $PARAM_EXISTS, 'groups' = > $PARAM_EXISTS, 'classmate' = > $PARAM_EXISTS, 'coworker' = > $PARAM_EXISTS));
$pos = strpos($get_hy, ':');
if ($pos !== false) {
$hsid = intval(substr($get_hy, 0, $pos));
$hsyear = intval(substr($get_hy, $pos + 1));
} else {
$hsid = intval($get_hs);
$hsyear = null;
}
tpl_set('hs_id', $hsid);
tpl_set('hs_name', get_high_school($hsid));
tpl_set('hs_year', $hsyear);
tpl_set('is_advanced_search', $get_adv);
tpl_set('user', $user);
tpl_set('count_total', 0); // pre-set count_total for the sake of ads page length
// Events search calendar data
param_get(array('k' = > $PARAM_HEX, 'n' = > $PARAM_SINT));
if (($get_k == search_module::get_key(SEARCH_MOD_EVENT, SEARCH_TYPE_AS))) {
$EVENTS_CAL_DAYS_AHEAD = 60;
$events_begin = strftime("%Y%m01"); // first of the month
$events_end = strftime("%Y%m%d", strtotime(strftime("%m/01/%Y")) + (86400 * $EVENTS_CAL_DAYS_AHEAD));
$events_params = array('dy1' = > $events_begin, 'dy2' = > $events_end);
param_get(array('c1' = > $PARAM_INT, 'c2' = > $PARAM_INT), 'evt_');
if (isset($evt_c1)) {
$events_params['c1'] = $evt_c1;
}
if (isset($evt_c2)) {
$events_params['c2'] = $evt_c2;
}
$results = events_get_calendar($user, $get_n, $events_params);
tpl_set('events_date', $results['events_date']);
}
// Holy shit, is this the cleanest fucking frontend file you've ever seen?!
ubersearch($_GET, $embedded = false, $template = true);
// Render it
render_template($_SERVER['PHP_ROOT'].'/html/s.phpt');
/**
* login function for s.php
*
* @author Philip Fung
*/
function search_require_login() {
//check if user is logged in
$user = require_login(true);
if($user 0 && !is_unregistered($user)) { return $user; }
// this is an unregistered user
param_get(
array('k' = > $GLOBALS['PARAM_HEX'], // search key (used by rest of ubersearch code)
));
global $get_k;
$search_key = $get_k;
//Let user see event or group search if criteria are obeyed
if ($search_key && (search_module::get_key_type($search_key) == SEARCH_MOD_EVENT || search_module::get_key_type($search_key) == SEARCH_MOD_GROUP) //event or group search
) {
return $user;
} else {
go_home();
}
}
@atharva100
Copy link

just being a part of internet history here :)
And yeah man, the code isnt too bad altho i agree with some commentors, making the code work seems more imp when youre just building up a startup , mainatainable code can be organised later when success is starting to meet and the team scales up.

@fukionline
Copy link

woah damn

@fukionline
Copy link

ok its not that bad, they needa cut down on all those includes though

@AJ1062910
Copy link

at least it is well indented

@Chris98
Copy link

Chris98 commented Apr 16, 2023

There isn't really enough here to be able to be able to form a proper opinion, but it's definitely a mess and it definitely has security issues.

@atharva100
Copy link

If it works, it works. Investors don't give a damn about code quality.

@Viguuthecoder
Copy link

Code is very complicated for me :(

@DieNand
Copy link

DieNand commented May 24, 2023

If it works, it works. Investors don't give a damn about code quality.

They do, Facebook especially has spent tons and tons and tons of time optimizing and rewriting underperforming code.

@Preshy
Copy link

Preshy commented Jul 6, 2023

If it works, don't touch it ;)

@fukionline
Copy link

@anikwai
Copy link

anikwai commented Jul 7, 2023

Wow

@Gusase
Copy link

Gusase commented Jul 29, 2023

hmpr snake case semua @LanLan1412

@wwwlain
Copy link

wwwlain commented Aug 21, 2023

very cool

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment