
I am using this code for the Facebook Like callback:

    <script type="text/javascript">
        FB.Event.subscribe('edge.create', function(response) {
            // php script to call via ajax
        });
    </script>

The problem is that if I call a PHP script (for example http://www.test.com/addfacebook?id=xx&user=xxx&code=xxxx), someone can see my JavaScript, run this page and even spam it or use it without having liked first.

The concept is that I want to give a unique special discount code to every user who likes the page. So on callback I want to store in the database an id, the user's real name from Facebook and the discount code I created for him.

How do I do it so someone can't override it (as it is JavaScript)?

Thanks a lot!

genesis
Nick Doulgeridis

2 Answers


The easiest way to get at what you are doing is to verify the user is legitimate. I would have your ajax action take parameters that include the FacebookID and the access_token. This will prevent anyone from gaming your system.

Since you are using the FB JS SDK, just make a call to the API like so:

    FB.getLoginStatus(function (loginResponse) {
        if (loginResponse.session) {
            // the SDK has a session for a logged-in user
            FB.api('/me', function (graph) {
                var token = loginResponse.session.access_token;
                var fbid = loginResponse.session.uid;
                // send token and fbid to your server from here
            });
        } else {
            // no user session available, someone you don't know
        }
    });

I'd put this in your FB.Event.subscribe and use the token and fbid vars accordingly.

Hope this helps!

Joey Schluchter
  • hey, I tried what you told me above but still wonder how to enter a PHP page that has GET parameters inside my JavaScript... a user can see this PHP page and can bypass the Like by entering fake parameters. – Nick Doulgeridis Jun 03 '11 at 19:34
  • Well, in that case you'd have to ensure that the token is still valid. If they take the time to pass a legitimate token, then let them through. – Joey Schluchter Jun 04 '11 at 15:24

You can use the PHP SDK to verify the token Joey mentioned. Once you have the token on the server, use something like this:

    require_once 'facebook.php'; // the Facebook PHP SDK
    $facebook = new Facebook(array('appId' => 'YOUR_APP_ID', 'secret' => 'YOUR_APP_SECRET'));
    $user = $facebook->api('/me', array('access_token' => $_GET['access_token']));

Then check the value in $user.

Simon
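Joey's answer says to pass the token and Facebook id to the server, and Simon's says to verify the token there with the PHP SDK. The endpoint behind the AJAX call could look like the following. This is an added example, not code from the question or either answer: it calls the Graph API with cURL instead of the SDK's `$facebook->api()` call so the whole flow is visible in one file, and the `discount_codes` table, its columns and the `YOUR_DB*` values are assumptions for illustration.

```php
<?php
// addfacebook.php: server side of the Like callback.
// Added example, not code from the question or either answer. Assumed:
// PHP 7+, the cURL and PDO extensions, and a MySQL table created as
//
//   CREATE TABLE discount_codes (
//     fb_id   VARCHAR(32)  NOT NULL PRIMARY KEY,
//     name    VARCHAR(255) NOT NULL,
//     code    CHAR(12)     NOT NULL,
//     created DATETIME     NOT NULL
//   );
//
// Graph API /me answers a valid user access token with a JSON object that
// carries "id" and "name". The YOUR_DB* values are placeholders.

// The browser sends only the access token, and sends it by POST so it does
// not end up in query strings and server logs. The id, the name and the
// discount code, the three things anyone can forge by editing the visible
// JavaScript, are all derived on the server instead of being read from the
// request.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($_POST['access_token'])) {
    http_response_code(400);
    exit('access_token required');
}
$token = $_POST['access_token'];

// 1. Ask Facebook whose token this is. A forged, expired or revoked token
//    comes back as an "error" object without id and name, so it is refused.
$ch = curl_init('https://graph.facebook.com/me?fields=id,name&access_token=' . urlencode($token));
curl_setopt_array($ch, array(
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,   // keep on: TLS is what keeps the token private in transit
    CURLOPT_TIMEOUT        => 10,
));
$body = curl_exec($ch);
curl_close($ch);
$me = ($body === false) ? null : json_decode($body, true);
if (!is_array($me) || empty($me['id']) || empty($me['name'])) {
    http_response_code(403);
    exit('token not accepted');
}

// 2. Mint the discount code here; never accept one from the request.
$code = strtoupper(bin2hex(random_bytes(6)));   // 12 hex characters

// 3. Store it. The PRIMARY KEY on fb_id turns a replayed or scripted call
//    into a no-op: the same account always gets back the one code it was
//    already issued, so repeating the request cannot collect more codes.
$pdo = new PDO('mysql:host=localhost;dbname=YOUR_DB;charset=utf8mb4',
    'YOUR_DB_USER', 'YOUR_DB_PASSWORD',
    array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$pdo->prepare('INSERT IGNORE INTO discount_codes (fb_id, name, code, created) VALUES (?, ?, ?, NOW())')
    ->execute(array($me['id'], $me['name'], $code));
$stmt = $pdo->prepare('SELECT code FROM discount_codes WHERE fb_id = ?');
$stmt->execute(array($me['id']));

header('Content-Type: application/json');
echo json_encode(array('id' => $me['id'], 'code' => $stmt->fetchColumn()));
```

The browser side from Joey's snippet then POSTs `loginResponse.session.access_token` to this script and shows the returned `code`; the `fbid` it has is not needed, because the server trusts only the id Facebook returns for the token. What this check proves is that the caller holds a valid token for that Facebook account, and the primary key caps each account at one code. It does not prove that the Like actually happened; that is a separate question neither answer covers.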