this post was submitted on 15 Apr 2025
828 points (98.9% liked)

Technology

68918 readers
4418 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
828
4chan hacked and taken offline. Hacker reopens /qa/ and leaks all admins emails. (old.reddit.com)
submitted 3 days ago* (last edited 3 days ago) by Tea@programming.dev to c/technology@lemmy.world
204 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] KingThrillgore@lemmy.ml 184 points 3 days ago (4 children)

I looked at some of the leaked source code and my god the code smells are so rotten its like they had a dead horse in the back for a while and its developed a stank like an Eric Andre skit.

It increasingly looks like nobody would maintain this bundle of wax besides under-experienced juniors who threw themselves at it, and apparently after moot sold it, it was never touched. It runs on an extremely old version of FreeBSD and PHP.

The fact this happened now as opposed to any time in the past decade is, I have no words.

[–] elrecoal19_1@lemmy.world 56 points 3 days ago (2 children)

I wanna bet attackers probably thought it would be maintained by one or several of the most no-life, chronically-online users of the web... or that they would be waiting for an attack to get revenge in their typical unhinged way... and it turned out no one was maintaining or watching it at all XD

[–] desktop_user@lemmy.blahaj.zone 21 points 2 days ago

security theater is a quite effective deterrent at times.

[–] Clinicallydepressedpoochie@lemmy.world 8 points 2 days ago

Not even 4chaners thought it was worth protecting

[–] Realitaetsverlust@lemmy.zip 47 points 3 days ago (3 children)

I mean, the source code looks a lot cleaner than WordPress, which is an incredibly sad statement.

Kill WordPress now.

[–] futatorius@lemm.ee 1 points 12 hours ago (1 children)

I'm unconvinced that it's even possible to write clean code in a language as fucked-up as PHP.

[–] Realitaetsverlust@lemmy.zip 2 points 11 hours ago

Your opinion was correct like 10 years ago. PHP7 made a lot of fixes to many of the problems it had and PHP8 improved on it even more. And if you slap a framework on top of it, like laravel, PHP looks awesome.

[–] ProtecyaTec@lemmy.world 1 points 1 day ago* (last edited 1 day ago) (1 children)

Really though, it doesn't.

Github -> WordPress

Github -> 4chan

I absolutely hate the way 4chan formats their HTML + PHP intermingling in views. That's not to say WordPress doesn't do this as well, but oh man in a much better, cleaner, and more sparingly way. The 4chan imageboard view Github -> 4chan is absolute chaos. Why this wasn't rewritten is beyond me. That's just the first thing I see as I peruse the source, I can't imagine it gets much better from here.

Here's a fun exercise: What's the deepest nest in this loop? Github -> 4chan Bonus points: What's the deepest nested statement in the whole source?

[–] Realitaetsverlust@lemmy.zip 2 points 1 day ago (2 children)

but oh man in a much better, cleaner, and more sparingly way

I don't think we're looking at the same source code. The first thing I see in wp-activate.php:

function wpmu_activate_stylesheet() {
	?>
	<style type="text/css">
		.wp-activate-container { width: 90%; margin: 0 auto; }
		.wp-activate-container form { margin-top: 2em; }
		#submit, #key { width: 100%; font-size: 24px; box-sizing: border-box; }
		#language { margin-top: 0.5em; }
		.wp-activate-container .error { background: #f66; color: #333; }
		span.h3 { padding: 0 8px; font-size: 1.3em; font-weight: 600; }
	</style>
	<?php
}

This isn't better nor cleaner. This is a disaster. A function that stops PHP execution halfway-through, outputs some text and then restarts PHP execution? Hell, I've been in the PHP ecosystem for over a decade now and I didn't even know this was possible and I wish that knowledge was still hidden from me.

Maybe I was wrong by saying that the 4chan source code is better than wordpress, fair. Maybe I should just say both are abominations, I will not judge which one is better and both should be discarded and forgotten.

[–] bufalo1973@lemm.ee 3 points 1 day ago

This has been possible since the very beginning of PHP.

I won't say if this is the best way now. I haven't touch PHP in the last 2 decades.

[–] ProtecyaTec@lemmy.world 2 points 1 day ago* (last edited 1 day ago) (1 children)

I completely disagree.

Intermingling PHP and HTML is one of PHP strengths. The processing/executing difference you're describing is almost always negligible due to how PHP is optimized (specifically for this kind of thing - outputting HTML to the browser sometimes).

Seriously, compare this to the 4chan image board view we really aren't looking at the same source code. In comparison, the WordPress function is blocked, purposeful, together. It's a single CSS block output all at once. On the otherhand, in the linked 4chan discussion board PHP file, it echos as strings, broken up by multiple conditionals, and is difficult (even from an IDE perspective on highlighting) to tell where a block starts and where it ends (again due to it being echo'd in strings, and broken by conditionals). Trying to modify this blocked CSS is going to be wayyyyyyyyyyyyyyyyyyyy easier than trying to modify a bunch of printed HTML strings broken up by multiple nested conditionals. Plus it's just straight-up easier to read and straight-forward to understand what the function does right away.

To harp on this even more, one of the benefits of blocking HTML in this way is IDE highlighting. In your example, if you were to pop that into a modern IDE like VSCode, it'll highlight tags and allow collapsing like a normal HTML doc. It'll probably even highlight the CSS as expected. On the other-hand, by echoing / printing HTML strings, IDEs aren't going to highlight these things as HTML since they're PHP strings, and in the case of the imageboard, it's going to struggle finding matching open/end tags due to PHP strings and broken conditionals. I'd much prefer the WordPress example over echo / printing multiple lines of HTML strings (this is really a pet-peeve of mine).

I can't think of a single system that doesn't "stop PHP executing" at some point to output HTML in some way. Maybe an app that dynamically pulls it's views in through JS I guess.

For comparison to future readers, this is just a small portion of the imageboard which goes on like this for another 600 lines:

	if( $resno ) {
		$closed = $log[$resno]['closed'] || $log[$resno]['archived'];
		
		if( !$stripm ) {
			$msg .= '<div class="navLinks mobile">
	<span class="mobileib button"><a href="/' . BOARD_DIR . '/" accesskey="a">' . S_RETURN . '</a></span> <span class="mobileib button"><a href="/' . BOARD_DIR . '/catalog">' . S_CATALOG . '</a></span> <span class="mobileib button"><a href="#bottom">' . S_BOTTOM . '</a></span> <span class="mobileib button"><a href="#top_r" id="refresh_top">' . S_REFRESH . '</a></span>
</div>';
		}

			if( !$stripm ) $msg .= '<div id="mpostform"><a href="#" class="mobilePostFormToggle mobile hidden button">' . S_FORM_REPLY . '</a></div>';
	} else {
		if( !$stripm ) $msg .= '
<div class="navLinks mobile">
	<span class="mobileib button"><a href="#bottom">' . S_BOTTOM . '</a></span> <span class="mobileib button"><a href="/' . BOARD_DIR . '/catalog">' . S_CATALOG . '</a></span> <span class="mobileib button"><a href="#top_r" id="refresh_top">' . S_REFRESH . '</a></span>
</div>
<div id="mpostform"><a href="#" class="mobilePostFormToggle mobile hidden button">' . S_FORM_THREAD . '</a></div>';
	}

Formatting and structure is important for a readable framework / project and longevity. 4chan had none of this - Moot took the bag and ran and whoever took it over just left left the PHP standards/organization in 2003.

[–] Realitaetsverlust@lemmy.zip 2 points 7 hours ago (1 children)

Intermingling PHP and HTML is one of PHP strengths

Eeeh, no. It's a bad practice in 2025. That was a good thing a decade ago.

Trying to modify this blocked CSS is going to be wayyyyyyyyyyyyyyyyyyyy easier than trying to modify a bunch of printed HTML strings broken up by multiple nested conditionals. Plus it’s just straight-up easier to read and straight-forward to understand what the function does right away.

True. But I was just looking at the source code of wordpress for 30 seconds. I could probably find worse.

To harp on this even more, one of the benefits of blocking HTML in this way is IDE highlighting.

Which isn't a problem if you use a template engine - as you should in modern applications.

I can’t think of a single system that doesn’t “stop PHP executing” at some point to output HTML in some way.

Not a single modern system does that. It's terrible practice and won't even pass automated code reviews with sane settings.

[–] ProtecyaTec@lemmy.world 1 points 6 hours ago* (last edited 6 hours ago)

Not a single modern system does that. It’s terrible practice and won’t even pass automated code reviews with sane settings.

What you're talking about is semantics. At a base level, whether you use a templating engine, include / require, or just straight up mix HTML / PHP - PHP "stops execution" to output to the browser. The few exceptions to this that I can think of is if it's instead handing off that responsibility to JS or some other frontend processor.

Templating engines are cool. They make it easier to separate your views from logic. It makes interloping more straight-forward and possibly more maintainable (though, not always - Engines don't save from bad practices), but I do not agree that it's defacto. I think the strength of PHP is it's ease to just jump into it and get something working, right "out of the box". The ease of mixing PHP and HTML is a boon from an entry level aspect. Low entry level leads to wider adoption, leads to more discussions, more volunteers for FOSS, more bug reports, more more more.

I could create a vanilla PHP application that organizes views just as well without a templating engine which could be understood by someone with baseline PHP knowledge - that's good thing. It's inherit to PHP and I won't need to worry about keeping any templating library updated or ported to a new engine. In my made-up vanilla app, I wouldn't do what 4chan did in their views, but I may do what WordPress does in your example because, used sparingly, in an organized application, it's not that big of a deal. For the most part though, I do like to keep my HTML views and my PHP logic separate in an MVC kind of way either through templating or just straight up includes.

[–] Scrollone@feddit.it 14 points 2 days ago (4 children)

Also, the owner of Wordpress is allegedly a piece of s...

[–] jodanlime@midwest.social 39 points 2 days ago (2 children)

I wish people would stop censuring themselves on lemmy like they do for the other social medias. You can say shit, and a lot worse now that you aren't asking a corpo for permission to speak.

[–] KingThrillgore@lemmy.ml 1 points 1 day ago

I think he did it because the actual WordPress guy (Matt Mullenweg) is really litigious.

[–] towerful@programming.dev 2 points 1 day ago

Censoring*

Censure is like a harsh criticism

[–] diemartin@sh.itjust.works 11 points 2 days ago (1 children)

...panish Inquisition

[–] Fenrir@lemmings.world 7 points 2 days ago (1 children)

Didn't expect that

[–] diemartin@sh.itjust.works 7 points 1 day ago

Nobody does 😔

[–] harmsy@lemmy.world 12 points 2 days ago (1 children)

Shaaaaaving cream! Be nice and clean! Shave every day and you'll always look keen!

[–] mPony@lemmy.world 1 points 2 days ago

Aaah, someone of culture, I see.

[–] anomnom@sh.itjust.works 8 points 2 days ago (2 children)

Stilton Cheese?

Satin undies?

Shit?

[–] lennivelkant@discuss.tchncs.de 6 points 2 days ago

Satin undies?

Close. Soiled undies.

[–] hayes_@sh.itjust.works 6 points 2 days ago

Ssssssandwiches

[–] gamer@lemm.ee 21 points 3 days ago (2 children)

I looked at some of the leaked source code

Where? I'd be interested in looking through it too

[–] Realitaetsverlust@lemmy.zip 17 points 3 days ago (1 children)
[–] massi1008@lemmy.world 3 points 2 days ago (2 children)

Link unfortunately dead by now...

[–] Realitaetsverlust@lemmy.zip 1 points 2 days ago

I can upload a new one. Ping me tomorrow when I'm awake again.

[–] desktop_user@lemmy.blahaj.zone 1 points 2 days ago

check some of the other chans and you will find a catbox.moe link to it.

[–] jqubed@lemmy.world 1 points 2 days ago

Didn’t they get hacked pretty regularly in the past?