Saturday, August 11, 2007

Leaking PHP all over the place... don't they have a pill for that?

Facebook has a code leak, or at least it did for several hours because of a misconfigured server. Facebook, like a lot of other Web 2.0 sites, uses PHP. PHP is not a compiled language: the source sits on the server waiting to be interpreted on each request, instead of being executed as the compiled output of other languages (C++, for example). That means that if you can get the web server to serve the code without interpreting it, or if you can get into the web root by some other means outside the web server (FTP, remote terminal, etc.), you can read all of the source... the "secret sauce" is out!

Luckily, there are some simple rules of thumb and settings that can stop this from happening. A good blog post to read on the subject was written by Nic Cubrilovic over at his blog.
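As an added example (not from this post or from Nic's write-up), here is a small Python self-check you can point at your own site: it fetches a page and flags responses that look like un-interpreted PHP rather than rendered HTML. The function names `looks_like_php_source`, `check_url` and `classify_samples`, and the sample responses, are constructed for illustration.

```python
"""Self-check: does a URL come back as rendered HTML or as raw PHP source?"""
import re
import sys
from urllib.request import Request, urlopen

# An open tag in the body means the interpreter never ran over the file.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=")
# Tokens typical of an include file served as text (no open tag needed).
PHP_TOKENS = re.compile(
    rb"\$[A-Za-z_]\w*\s*=|->|\bfunction\s+\w+\s*\(|\b(?:require|include)(?:_once)?\b"
)
# Types a misconfigured server hands out for .php/.inc files instead of text/html;
# application/x-httpd-php shows up when AddType is set but the PHP module is missing.
SUSPECT_TYPES = {"text/plain", "application/octet-stream", "application/x-httpd-php"}

def looks_like_php_source(content_type: str, body: bytes) -> bool:
    """True if the response looks like PHP that was served instead of executed."""
    if PHP_OPEN_TAG.search(body):
        # A rendered page that shows PHP in a tutorial escapes it as &lt;?php,
        # so a literal <?php is a strong sign of disclosure.
        return True
    mime = content_type.split(";")[0].strip().lower()
    if mime in SUSPECT_TYPES:
        return len(PHP_TOKENS.findall(body)) >= 2
    return False

def check_url(url: str, timeout: float = 10.0) -> bool:
    """Fetch one URL from your own site and classify the response."""
    req = Request(url, headers={"User-Agent": "php-leak-selfcheck"})
    with urlopen(req, timeout=timeout) as resp:
        content_type = resp.headers.get("Content-Type", "")
        body = resp.read(64 * 1024)  # first 64 KiB is enough to spot source
    return looks_like_php_source(content_type, body)

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "rendered": ("text/html; charset=utf-8", b"<html><body><h1>Welcome</h1></body></html>"),
    "leaked_php": ("text/plain", b"<?php\nrequire_once 'lib/db.inc';\n$db = connect();\n?>"),
    "leaked_inc": ("text/plain", b"$secret = 'abc';\nfunction connect() { return new DB(); }\n"),
    "tutorial": ("text/html", b"<pre>&lt;?php echo 'hi'; ?&gt;</pre>"),
}

def classify_samples() -> dict:
    """Run the classifier over the constructed samples; returns name -> leaked?"""
    return {n: looks_like_php_source(ct, body) for n, (ct, body) in SAMPLES.items()}

if __name__ == "__main__":
    for url in sys.argv[1:]:
        print(("LEAK? " if check_url(url) else "ok    ") + url)
```

Run it with the URLs of your own PHP pages and include files as arguments; anything reported as LEAK? deserves a look at the handler mapping and file permissions before someone else finds it.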

Some folks have done a quick critique of the released code. For me personally, it's nice to get confirmation that a big site like Facebook is also using the Smarty template engine. They don't seem to be as object oriented as my code, though... I wonder if this is intentional, for speed perhaps, or just a legacy framework that was never updated?

Don't let PHP leakage happen to you.
