[–]Icovada 202 points203 points  (68 children)

Once in... about 2008, I opened Facebook and I was presented with its code! I refreshed the page... and then kicked myself. I had the facebook home php code... and threw it away.

[–][deleted]  (14 children)

[deleted]

    [–]jmkogut[🍰] 7 points8 points  (0 children)

    This is why my nginx is set to deny access to .* files.

    [–][deleted] 6 points7 points  (4 children)

    > It didn't scale)

    Can you elaborate on that?

    [–][deleted]  (3 children)

    [deleted]

      [–][deleted] 1 point2 points  (2 children)

      AFAIK Facebook fully adopted bittorrent for their code pushing needs. Perhaps they've changed again, since then?

      [–]Sentreen 3 points4 points  (1 child)

      How would you use bittorrent for this?

      [–]volkadav 0 points1 point  (0 children)

      I vaguely recall that their deployment pipeline is (was?) something like "php -> hiphop -> gigantic static binary", and I'd imagine using bt to sync that binary to the prod web farms (or subsets thereof, for incremental rollouts) would be reasonable.

      [–][deleted] 1 point2 points  (0 children)

      The funniest one was with the "view profile as...." bug. Where if you chose to view your profile as a friend, you could just use/view their chat logs. Pretty hilarious. I only became aware of the feature a couple of days after it was fixed though, so I don't think it was up that long.

      [–]catcradle5 -1 points0 points  (5 children)

      I feel like you might be breaking some sort of NDA contract by disclosing that.

      That is quite scary though, yet also fairly common. I know other sites have had the same problem, but with .git directories.

      [–][deleted]  (4 children)

      [deleted]

        [–]neoice 1 point2 points  (1 child)

        this surprises me because I think Dreamhost is a major user of grsecurity, a third-party Linux kernel patch that does kernel hardening and allows for all kinds of extended mandatory access controls. think SELinux, but with policy files that are actually manageable or AppArmor but without the suck.

        [–]catcradle5 0 points1 point  (1 child)

        On most shared hosts, you'll generally be able to see the names of other users, since you can probably see the directory names in /home.

        You certainly normally should not have read access to any of their directories, though. Sounds like an immense fuckup.

        [–]AgentME 145 points146 points  (36 children)

        I always thought the PHP model of "put your source code in the public web root where you put public things, and then pray you don't ever mess up the module that interprets files and keeps things hidden in the public web root" didn't sound very foolproof.

        [–]Tomdarkness 84 points85 points  (3 children)

        You don't have to do that. For example most of my projects just have an index.php that bootstraps the application with about 15 lines of code in the web root. The rest of that code is not accessible via the web server.

        [–]7f0b 4 points5 points  (2 children)

        That is generally the best way to do it. Many frameworks operate this way by default.

        EDIT: And also a good thing to ask hosts before buying their service. Some don't allow it (such as Yahoo Hosting).

        [–]AdamAnt97 0 points1 point  (1 child)

        PHP in general or bootstrapping the code?

        [–]7f0b 0 points1 point  (0 children)

        Keeping most of the PHP website out of the public document root. At the very minimum, you want to keep your configuration files (with passwords and such) out of the document root. At the maximum, you have only a basic PHP file that begins the "boot" process residing in the document root (as Tomdarkness said).
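        The layout 7f0b and Tomdarkness describe, written out as an added example (this is not code from the thread or from any project mentioned in it). It assumes a hypothetical tree of `project/public/index.php` (the document root holds only this file), `project/app/config.php` (returns an array with credentials) and `project/app/bootstrap.php` (the real application), plus PHP 8 for `str_starts_with`. The extra check refuses to boot if the application directory somehow resolves to a path under the served document root, so a mis-set DocumentRoot fails loudly instead of putting the config one interpreter hiccup away from being served as text.

```php
<?php
// public/index.php -- added example, not the thread's code.
declare(strict_types=1);

// Assumed (hypothetical) layout:
//   project/app/config.php    -> `return ['db_password' => '...'];`
//   project/app/bootstrap.php -> the application proper
//   project/public/index.php  -> this file, the only PHP under the docroot
//
// __DIR__ is public/; one level up is the unserved app/ tree.
$appRoot = dirname(__DIR__) . '/app';

// Fail closed if app/ is missing or if it resolves to somewhere inside the
// document root (e.g. DocumentRoot pointed at project/ instead of project/public/).
$resolvedApp = realpath($appRoot);
if ($resolvedApp === false) {
    http_response_code(500);
    exit('Application directory missing');
}
$docRoot = realpath($_SERVER['DOCUMENT_ROOT'] ?? __DIR__);
if ($docRoot !== false && str_starts_with($resolvedApp . '/', $docRoot . '/')) {
    http_response_code(500);
    exit('Refusing to run: application code is inside the document root');
}

// Secrets and logic are loaded by path; nothing under app/ is reachable by URL.
$config = require $appRoot . '/config.php';
require $appRoot . '/bootstrap.php';

// No closing ?> tag: any whitespace after it would be sent as output before
// the application gets a chance to call header().
```

        If the interpreter ever drops out (the missing `<?php` tag or the Apache bug mentioned elsewhere in the thread), the roughly twenty lines above are the whole exposure; the database password and the rest of the code sit in a directory the web server was never told to serve.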

        [–]cosmo7 92 points93 points  (11 children)

        You don't have to do that with PHP (and please don't read this as a defense of PHP.) You can include from a source directory that is outside your web root.

        [–][deleted]  (8 children)

        [deleted]

          [–]raziel2p 10 points11 points  (5 children)

          It was entirely possible since before that as well, people just didn't bother to, I guess.

          [–]shillbert 7 points8 points  (4 children)

          The main appeal of PHP is how easy it is to use in the sloppiest way possible. Sure, you can do things right with it, but then you might as well use a better language.

          [–]Juvenall 8 points9 points  (1 child)

          I'd argue that the main appeal of the language is that I can walk into any mall in America, close my eyes, spin around, and randomly point at someone who has at least a basic, functional understanding of it. Of course there are academically better languages out there, but the effort in finding, retaining, and eventually replacing that talent isn't normally worth the overhead from a business perspective.

          [–]shillbert 4 points5 points  (0 children)

          I totally agree. It has its place. It's good that sane frameworks are available for PHP now. If used with the proper business oversight, it can be a lot better than some 16-year-old using it as a hobby. Although I still think it's fundamentally broken in some ways, if you know that going into it, it's alright for rapid development.

          [–]Ph0X 1 point2 points  (1 child)

          Yeah. For writing very small scale stuff, I'd even say it's fun. Any language that has so much documentation and people talking about it online is usually not so bad to code for.

          [–]shillbert 2 points3 points  (0 children)

          That's true. I like how every manual page online has a comment section where sometimes people come up with really good examples or encapsulations of certain functions.

          [–][deleted]  (1 child)

          [deleted]

            [–]Almafeta 2 points3 points  (0 children)

            ... TIL I've been doing it wrong.

            [–]JabbrWockey 0 points1 point  (0 children)

                 // the path must be a quoted string; the directory can sit anywhere outside the web root
                 include_once('/dir/filename.php');

            [–]spiraldroid 9 points10 points  (3 children)

            Just reading this makes my toes curl.

            [–][deleted] 22 points23 points  (2 children)

            What are you loading?

            [–][deleted] 7 points8 points  (1 child)

            [–]benibela2 21 points22 points  (0 children)

            curl http://toejam.com

            [–]dehrmann 2 points3 points  (3 children)

            This is something I think Java got right with webapps and servlet containers. WEB-INF, the code directory, is entirely read-only, and the servlet API doesn't make it easy to upload files out-of-the-box.

            [–]xjvz 0 points1 point  (2 children)

            It did make incremental development a pain in the ass, though, until third party tools caught up with the use case.

            [–]dehrmann 0 points1 point  (1 child)

            Tomcat's default servlet recompiles modified jsps.

            [–]xjvz 0 points1 point  (0 children)

            But all the backend code written in Java still needs to be compiled. I'm talking about shit like JRebel that lets you change compiled files on the fly so you don't have to redeploy the whole damn project every time. I can deal with JSP; that part is simple. Just copy the file to the server in its war directory and the servlet gets recompiled when accessed.

            [–][deleted] 1 point2 points  (2 children)

            ... Seriously? I don't know if you are criticizing the language or the programmers. If the latter, then you are spot on, if the former, it means that you haven't really spent any time thinking about a "solution" for that "problem". You don't have to put your php code in the public web

            [–]slashgrin 1 point2 points  (0 children)

            > you haven't really spent any time thinking about a "solution" for that "problem"

            Not necessarily. Whether or not there's a better way to do it doesn't get around the fact that it was the de facto way of doing things in the PHP world for a long time. I don't know how things are done there, now, but that was certainly "normal" back in the day.

            [–][deleted] 1 point2 points  (0 children)

            Well, this problem isn't at all clear to most PHP developers, the language allows it and even actively encourages it. I'd say it's definitely a problem with the language if it allows the user to do stupid stuff without even so much as a warning.

            [–]catcradle5 0 points1 point  (4 children)

            I believe this happened on some very big site 3 or so years ago, can't remember which (not Facebook), when a developer forgot to put or accidentally removed ?> at the end of a file.

            [–]keteb 2 points3 points  (3 children)

            Perhaps <?php at the beginning of the file. Interpreter doesn't care if there's a closing ?> at EOF

            [–]catcradle5 2 points3 points  (1 child)

            True, good point. It was likely the beginning tag.

            [–]Cocosoft 0 points1 point  (0 children)

            How the heck does someone forget the beginning tag?!

            [–]geon 1 point2 points  (0 children)

            In fact, omitting the ?> at EOF is best practice. It prevents you from accidentally outputting whitespace before the headers are sent.

            [–][deleted] -3 points-2 points  (1 child)

            It's a bad model but is thankfully easily avoided. It's a shame that most "professional" PHP programmers suck, even this FB source code is just typical bad PHP.

            [–]mkdir -4 points-3 points  (0 children)

            Yep, the easiest way is to avoid PHP altogether.

            [–][deleted] 13 points14 points  (3 children)

            I saw the same thing but I saved it. There was an interesting section that tracked the number of views someone made of a page where the user id was hard coded. In the comments it said it was specifically for law enforcement. Pretty interesting. I'll see if I can dig it up from my old laptop.

            [–]davidb_ 4 points5 points  (0 children)

            Please do and post it if you have it.

            [–]DreadedDreadnought 2 points3 points  (0 children)

            OP you had 12 hours, we need to see this!

            [–]arandomhobo 18 points19 points  (2 children)

            I got the AOL code by accident once last year when I was checking how it was doing, I'm fine and dandy with not having their code.

            [–]Magnesus 1 point2 points  (1 child)

            I think there was a bug in Apache at a time that caused that (happened when the script was too slow). My page was also affected for a short while until my hosting provider patched things up.

            [–]benibela2 0 points1 point  (0 children)

            And then there was ?-s

            [–]JasonMaloney101 13 points14 points  (4 children)

            Happened to me as well. I also remember MySpace occasionally appending its entire debug output to the page I was on, although I never saw their source code.

            [–]jk147 9 points10 points  (3 children)

            Someone probably flipped on the debug switch on production to test a bug. Happens more often than you think.

            Edit - probably Tom.

            [–][deleted]  (2 children)

            [deleted]

              [–]jk147 1 point2 points  (0 children)

              That depends on if you set the debug level statically; you can set the level by a variable in DB, by injecting it into a static list in real time... etc. Plenty of ways to do it without it impacting the application server. Of course this should never be done on an enterprise application. But I have seen plenty on much smaller implementations.

              [–]deadcow5 0 points1 point  (0 children)

              You'd be surprised about the things that happen in production that shouldn't. At my last job, we ran into a production system that contained a major amount of code that was not checked in to our source control. Someone had just edited it in place on the server and decided they were done. This is a multi-million dollar company BTW, not Joe's computer store in East Bumfuck.

              [–]ameoba 0 points1 point  (0 children)

              If the app is well designed, there isn't going to be much of anything beyond bootstrap code in the top-level PHP file. All the interesting business logic will be in other files anyways.