facebook oauth manage pages php - php

I have an app that posts to people's Facebook pages and profiles. The below code has been in place for about 2 years. Now, for new users, when my app logs into Facebook and asks for permissions, it does not ask for manage_pages, even though it's explicitly listed below.
Did something on the Facebook side change which requires me to change my code?
Thanks,
Brian
if (isset($_REQUEST["code"]))
    $code = $_REQUEST["code"];
if(empty($code)) {
    $_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
        . $FBAPPID . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state'] . "&scope=publish_actions,manage_pages,publish_pages";
    header("Location: " . $dialog_url);
    exit;
}
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
    // state variable matches
    $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $FBAPPID . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $FBSECRET . "&code=" . $code;
    $response = file_get_contents($token_url);
    ... (more stuff)

Related

How to get a profile picture from facebook

I am trying to get a Facebook profile picture. I am using the following, with my values in place of #########. After running the PHP I get the message "Hello".
I want to get my name with it as well, like "Hello Aditya", along with my profile picture. What should I edit to get that? Also, would it be possible to save the profile picture on the server itself?
<?php
$app_id = ###############;
$app_secret = "#################";
$my_url = "###################";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
    $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state'];
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
    $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $app_secret . "&code=" . $code;
    $response = file_get_contents($token_url);
    $params = null;
    parse_str($response, $params);
    $graph_url = "https://graph.facebook.com/me?access_token="
        . $params['access_token'];
    $user = json_decode(file_get_contents($graph_url));
    echo("Hello " . $user->name);
}
else {
    echo("The state does not match. You may be a victim of CSRF.");
}
?>
You can get it this way:
http://graph.facebook.com/[USER ID]/picture

Facebook asking for permissions and authentication

I am currently making a Facebook app and am having some problems with permissions. I need permission from each user to use their location and their friends' locations. The code I have has worked in the past but recently seems to have stopped working. Assume my app_id and app_namespace are declared. All that happens is I am redirected to the dialog_url in the if(empty($code)) block, but to my knowledge $code should not be empty. Any help would be greatly appreciated. Thanks.
require_once('sdk/src/facebook.php');
require_once('AppInfo.php');
require_once('utils.php');
require_once('connection.php');
$facebook = new Facebook(array(
    'appId' => AppInfo::appID(),
    'secret' => AppInfo::appSecret(),
));
$user_id = $facebook->getUser();
if(user has ran the app before)
{
    mysql_close($connection);
    session_start();
    $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id"
        . $app_id . "&redirect_uri=" . urlencode($my_url2) . "&state="
        . $_SESSION['state'];
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
else
{
    mysql_close($connection);
    session_start();
    $code = $_REQUEST["code"];
    if(empty($code)) {
        $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
        $dialog_url = "http://www.facebook.com/dialog/oauth?client_id"
            . $app_id . "&redirect_uri=" . urlencode($my_url) . "&scope= user_location, friends_location, offline_access" . "&state="
            . $_SESSION['state'];
        echo("<script> top.location.href='" . $dialog_url . "'</script>");
    }
    if($_REQUEST['state'] == $_SESSION['state']) {
        $token_url = "https://graph.facebook.com/oauth/access_token?"
            . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
            . "&client_secret=" . $app_secret . "&code=" . $code;
        $response = @file_get_contents($token_url);
        $params = null;
        parse_str($response, $params);
        $graph_url = "https://graph.facebook.com/me?access_token"
            . $params['access_token'];
        $user = json_decode(file_get_contents($graph_url));
        echo("Hello " . $user->name);
    }
    else
    {
        echo("The state does not match. You may be a victim of CSRF.");
    }
}
Seems too simple, but you have spaces in your oauth url that you've assigned to $dialog_url?

Facebook demo script issue

I want that users can authenticate through their fb account, and I tried their demo script:
$app_id = "*****";
$app_secret = "*****";
$my_url = "http://localhost/fb/fb.php";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
    $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state'];
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
    $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $app_secret . "&code=" . $code;
    $response = @file_get_contents($token_url);
    $params = null;
    parse_str($response, $params);
    $graph_url = "https://graph.facebook.com/me?access_token="
        . $params['access_token'];
    $user = json_decode(file_get_contents($graph_url));
    echo("Hello " . $user->name);
    echo "$user->name";
}
else {
    echo("The state does not match. You may be a victim of CSRF.");
}
The problem is that after a successful login only the "Hello" string is displayed, but my $user->name is not shown.
Even though this is official FB code (I didn't realize that at the start, sorry), I recommend you debug it to see what goes wrong.
Activate error reporting
Remove the @ in front of all calls - it suppresses the output of errors
Look what address $graph_url contains and whether you can access it in your browser
See whether the call to $graph_url works out (output the result)
See whether the json_decode() works out (output the result)
If this is a global or Facebook issue, you may need to talk to Facebook about what is wrong with their demo code.
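The checks listed in the answer above, written out for the token-exchange step as an added example (not part of the original answer and not Facebook's code). parse_token_response() is a hypothetical helper, the response bodies are constructed samples, and it is an assumption that the endpoint may answer with either the URL-encoded body that parse_str() expects or a JSON body.

```php
<?php
// Added example; parse_token_response() is a hypothetical helper name.
error_reporting(E_ALL);   // report everything while debugging

function parse_token_response($body): array
{
    // file_get_contents() returns false when the HTTP call itself fails.
    if ($body === false || $body === '') {
        return ['ok' => false, 'why' => 'no response body: the HTTP call failed'];
    }
    $json = json_decode($body, true);
    if (is_array($json)) {
        if (isset($json['error'])) {
            $msg = is_array($json['error'])
                ? ($json['error']['message'] ?? 'unknown')
                : (string) $json['error'];
            return ['ok' => false, 'why' => 'API error: ' . $msg];
        }
        $params = $json;
    } else {
        parse_str($body, $params);   // the format the quoted script expects
    }
    if (empty($params['access_token']) || !is_string($params['access_token'])) {
        return ['ok' => false, 'why' => 'no access_token in the response'];
    }
    return ['ok' => true, 'access_token' => $params['access_token']];
}

// Constructed sample bodies, not captured traffic.
$samples = [
    'query string' => 'access_token=CONSTRUCTED_TOKEN&expires=5183999',
    'json'         => '{"access_token":"CONSTRUCTED_TOKEN","token_type":"bearer"}',
    'error object' => '{"error":{"message":"constructed error text","type":"OAuthException"}}',
    'failed call'  => false,
];
foreach ($samples as $label => $body) {
    $result = parse_token_response($body);
    echo str_pad($label, 14), $result['ok'] ? 'token received' : $result['why'], "\n";
}
```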

How does this CSRF protection work?

The following is an example taken from Facebook's authentication page. What is the idea behind adding data to the session and then redirecting to a URL using JavaScript? Also, why do an md5 hash of a uniqid?
<?php
$app_id = "YOUR_APP_ID";
$app_secret = "YOUR_APP_SECRET";
$my_url = "YOUR_URL";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
    $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
        . $_SESSION['state'];
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
    $token_url = "https://graph.facebook.com/oauth/access_token?"
        . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
        . "&client_secret=" . $app_secret . "&code=" . $code;
    $response = file_get_contents($token_url);
    $params = null;
    parse_str($response, $params);
    $graph_url = "https://graph.facebook.com/me?access_token="
        . $params['access_token'];
    $user = json_decode(file_get_contents($graph_url));
    echo("Hello " . $user->name);
}
else {
    echo("The state does not match. You may be a victim of CSRF.");
}
?>
I know this will probably get slated as it is a Wikipedia link, but you can find a full explanation of CSRF here: http://en.wikipedia.org/wiki/Cross-site_request_forgery. Once you fully understand what it is, you will understand how having a unique token per user can protect against it. The prevention section lists using a per-user token as a method of prevention.
It ensures that you are being redirected here only in response to an action initiated by the site. Read up on CSRF at https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29.
By generating a hard (impossible) to guess value and storing it in a session as well as sending it with a request, this script can verify if it was called by itself instead of somewhere else. Somewhere else the hard to guess value would be unknown and could thus not be supplied.
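The state check these answers describe, as an added example (not part of the original posts and not Facebook's code): a token from the OS CSPRNG with a strict, single-use comparison, run next to the loose `==` comparison from the quoted demo. The function names and the callback arrays are assumptions made for illustration, and the session is a plain array so the script runs from the command line.

```php
<?php
// Added example; all function names are hypothetical.

function issue_state(array &$session): string
{
    // 128 bits from the OS CSPRNG. md5(uniqid(rand(), TRUE)) is built from
    // the clock and a non-cryptographic generator, then hashed.
    $session['state'] = bin2hex(random_bytes(16));
    return $session['state'];
}

function loose_check(array $session, array $request): bool
{
    // The comparison used in the quoted demo: two missing values compare equal.
    return ($request['state'] ?? null) == ($session['state'] ?? null);
}

function strict_check(array &$session, array $request): bool
{
    $expected = $session['state'] ?? null;
    unset($session['state']);                  // single use: a replayed callback fails
    $given = $request['state'] ?? null;
    if (!is_string($expected) || $expected === '' || !is_string($given)) {
        return false;                          // nothing was issued, or nothing usable came back
    }
    return hash_equals($expected, $given);     // constant-time string comparison
}

// Constructed callbacks.
$session = [];
$state   = issue_state($session);
$genuine = ['code' => 'CONSTRUCTED_CODE', 'state' => $state];
$forged  = ['code' => 'CONSTRUCTED_CODE'];     // arrives at a browser that never started a login
$fresh   = [];                                 // that browser's session: no state stored

$results = [
    'genuine callback, strict'       => strict_check($session, $genuine),
    'same callback replayed, strict' => strict_check($session, $genuine),
    'forged callback, loose'         => loose_check($fresh, $forged),
    'forged callback, strict'        => strict_check($fresh, $forged),
];
foreach ($results as $case => $accepted) {
    echo str_pad($case, 32), $accepted ? 'accepted' : 'rejected', "\n";
}
```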

How to include Facebook login in my website?

I'm trying to add a "log in with Facebook" option to my website. I'm using http://developers.facebook.com/docs/authentication, but still cannot make it work.
I register my website and have app id and app secret.
I have the following code in my login form:
<img src="images/fb-login-button.png" />
facebook.php file:
<?php
$app_id = 1000000000000;
$app_secret = "asdasdasdasd";
$my_url = "http://xxxx.xx/";
$code = $_REQUEST["code"];
if(empty($code)) {
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url);
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
$token_url = "https://graph.facebook.com/oauth/access_token?client_id="
    . $app_id . "&redirect_uri=" . urlencode($my_url) . "&client_secret="
    . $app_secret . "&code=" . $code;
$access_token = file_get_contents($token_url);
$graph_url = "https://graph.facebook.com/me?" . $access_token;
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
?>
It returns message "undefined index code" and I have no idea where and what to change.
Please, help!
The error you're getting is telling you that the "code" parameter you're looking for in the request:
$code = $_REQUEST["code"];
is not being submitted. E.g. you either need to post "code" to the page or pass it via GET using facebook.php?code=something
To avoid running into errors when the parameter "code" is not sent, your code could look like:
if(!isset( $_REQUEST["code"] ) ) {
    $dialog_url = "http://www.facebook.com/dialog/oauth?client_id="
        . $app_id . "&redirect_uri=" . urlencode($my_url);
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
} else {
    $code = $_REQUEST["code"];
}
Hope that helps..
