Comments on: PHP Did Not Cause Facebook Code Leakage
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/
The Killersoft Blog by Clay Loveless
Wed, 20 Aug 2008 11:15:41 +0000

By: Startup Signal - Today’s Top Blog Posts on Entrepreneurship - Powered by SocialRank (Mon, 01 Oct 2007 10:04:11 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-41599

[...] PHP Did Not Cause Facebook Code Leakage [...]
By: developercast.com » ProPHP Podcast: Newscast - August 16, 2007 (Fri, 17 Aug 2007 16:22:05 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-36021

[...] the Facebook PHP code leak [...]
By: Null is Love » Blog Archive » Lessons from the Facebook Leak (Tue, 14 Aug 2007 17:03:14 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35366

[...] Nik Cubrilovic offers four tips to help prevent your server from doing the same thing. (Though a lot of people have blasted his assertion that PHP is known to sometimes return source code…) Vidyut Luther [...]
By: Clay (Tue, 14 Aug 2007 15:12:30 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35344

@Chase - whose point is that, other than yours, in this discussion?

Not even Cubrilovic is arguing for a compiled language in either of his posts.

No, the point, quite clearly, is that PHP is more than adequately secure for web applications when deployed by system administrators who dot their ‘i’s and cross their ‘t’s.

Cubrilovic’s assertion that PHP failed in some way in the Facebook scenario is just complete and utter bullshit. That’s the point.
By: Chase Saunders (Tue, 14 Aug 2007 14:55:52 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35338

You’re missing the point. This could not have happened in a compiled language. All interpreted languages, including PHP, JavaScript, Ruby, etc., are less secure from a corporate IT perspective for this reason.
By: Mike Seth (Tue, 14 Aug 2007 10:08:11 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35281

The allegation that PHP is responsible for leaking source code in any fashion is, indeed, false. For a short period of time, there was an issue with the PHP interpreter crashing and being unable to recognize the PHP source code when a certain bug was triggered, which caused the source to be leaked. If I remember correctly, it had something to do with an invalid regular expression. However, this does not happen anymore; the last time I’ve seen it was maybe three years ago if not more, and this cannot be used to blame PHP.

Of course, the histrionic nonsense spewed out by the big folks is rooted in their disdain for PHP in general, for its open, chaotic nature of development which yields a historical lack of naming conventions (just look at the string API or the array API), and for its disregard for the “enterprise” needs, which are basically pretty frontends and some sort of money-backed guarantee that the stuff works.

PHP has come a long way from being just a scripting language for rendering HTML. We now have decent support for Unicode and more to come in PHP6, we have PDO which is intended to replace intermediary hacky database APIs, we have a great OO system that suits the purposes of web development, and a rich base of written user-level code which can be reused by application developers. Commercial quality frameworks are being grown as we speak, the documentation is being improved (and PHP is known to have the single best documentation in the FOSS world - which, ironically, no one ever bothers to read), there’s a thriving community that gives a lot of support to newcomers, and many, many, many businesses from small web studios to giants such as Yahoo rely on PHP for mission critical tasks.

So, the whining can be safely ignored.
By: Famous last words of Marius » RSS feed update - 14 August 2007 (Tue, 14 Aug 2007 08:22:03 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35261

[...] and PHP – PHP Did Not Cause Facebook Code Leakage And the actual code In my view the best Facebook app — That’s just [...]
By: Morgan (Mon, 13 Aug 2007 19:39:38 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35208

Even worse is this post (http://blog.wired.com/monkeybites/2007/08/amatuer-program.html) on Scott Gilbertson’s blog at Wired.com.

Quote: “PHP is notorious for just this sort of thing — serving code as text — but there are ways you prevent it from happening on your own site.”
By: Mike Malone (Mon, 13 Aug 2007 16:53:44 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35187

When I read that article I thought the exact same thing. I’ve had single CPU servers running with a load average over 50 (it wasn’t pretty). Responses lagged like hell, but I’ve never seen mod_php barf up source code.

It’s much, much more likely that it was a configuration error. And, while proper configuration is always a must, I have to agree that keeping source code outside the root directory is kind of a “best practice”. I took a look at the Facebook source, and it looks like most of their “libraries” are not in their wwwroot dir, but the index page held far too much code. It would be wise for them to move their index to another directory and have a simple index.php that includes it… or something.
By: developercast.com » Community News: Facebook PHP Source Leaked (Mon, 13 Aug 2007 13:42:32 +0000)
http://killersoft.com/randomstrings/2007/08/12/php-did-not-cause-facebook-code-leakage/#comment-35149

[...] course, the PHP community is speaking back to the allegations including Clay Loveless in a new blog entry on his site: I agree with Cubrilovic that the inadvertent delivery of source code instead of the [...]