I need help getting started with some PHP coding. I am writing an app for Facebook that requires voting. I've got the whole framework up and working and I've created functionality where the user can click under a photo to vote on it. The client wants people to be able to vote for as many photos as they like but I need to figure out how to limit it so they can't vote for the same one over and over again.
My first thought was that I would set the SESSION variables to somehow link to the Facebook user's account so the app could identify the person but I'm trying to create more of a 'custom tab' than an actual app. If the only method to do this is by create an app where the user has to opt-in, then so be it, but I was wondering if there's a way to set a cookie and do this without the user logging into to the app or the app having to be opted in to.
As you can tell, I'm pretty new to PHP and MySQL coding so I'm still learning.
Thanks for pointing me in the right direction!
You probably can find what cookies FB uses and hack it to get the user id but it's a bad thing to do and it probably violates FB terms.
A much better approach to create an engaging experience for your users would be to create a FB app and ask your users to accept if they want to vote.
In order to make them have a better experience, I suggest you the following flow:
When the user clicks the voting button, you check if he has accepted your app and prompt him to do so, in case he hasn't.
When he accepts you app, you grab his data, put it in your db and check if there's already a relationship between the user and the thing to be voted and act accordingly (if the user has already voted for that item, you don't compute the double vote and inform him).
Related
I'm working with a team on a webapp that will use an existing database with client data, but has no user accounts setup. The goal is to have users perform an email lookup in the database to see if their info already exists, that way if we find them, we can tie the existing data to their new user account.
We'd also like to implement OAuth so that users are able to login via facebook or google, but we're a bit unsure on how to link these third-party accounts to our own. We can request the email back and check it against our DB (assuming the user grants us access), but that would be a big assumption of them having the same email in our system as their other accounts.
Getting to the actual point, we're curious as to how others have implemented this workflow. Would it be better to force the user to check for their email first when selecting one of those options? or roll the dice with a lookup? Should we hide the option to login via third-party and only allow them to associate a third-party account after they login (so they would automatically login to our site assuming they're logged in elsewhere)? Or would it be best to let them build a new account, and provide admin tools to link local data to an account after the fact?
Sorry for the open-ended question, I'm sure I'll get some downvotes here (don't hate me), but I've been scouring the internet for a while with very little to show for it, and I feel that the StackOverflow community is one of the best Q&A resources out there (love you guys).
Thank you in advance!
Since you already have client data - it will be a bad move to force all those users to do something - anything really. So, unless you are cardinally changing way too many things - you must smoothly move them over to the new opportunities in your app.
For the old users - offer to login with their existing account, and offer to add social network (maybe some notice at the top of the window about it), with which they can authenticate afterwards.
For the new users - offer to create an account like old users, and also offer to create account by using oauth.
I currently have my iOS app hooked up to facebooks API to log users into my app. I don't give users any other way to login, so they do not have local passwords on my database now. The app currently posts the facebook user_id to my server and if it is in the DB, it completes the login, if not, it redirects the user to register. Obviously, this is a pretty lousy way to do it, as anyone can just submit the user id if they know it (it's public info) and log in to my app as someone else. I do have if statements in my PHP to make sure the user is actually in the table before posting.
My question is how can I make the login process secure so people can't just submit a user id and gain access? I've read the facebook API, but I'm not very familiar with programming and would appreciate the help. I know facebook must have something for this purpose, I either overlooked it because I don't understand it or missed it entirely.
Thanks in advance!
Access the Token and Save it on your Database. Instead of saving UserID.
Tokens are given only when a user grants access to a Application, Similar to what you see on a regular Website that has Facebook Login Access.
More Documentation here: Official Fb iOS SDK
https://developers.facebook.com/docs/reference/ios/current/class/FBAccessTokenData/
Im going to make an app that will be able to sync data between android mobile phone and a webpage database. At the moment im trying to think things through and figure out the hard parts. The first thing that crosses my mind is the login part.
The best idea i have is that before starting my app user has to log in. When he logs in it sends user data to my web page and it returns true/false. If it returns true i make somekind of an session in my app that says i am logged in (to access app features) but also stores my username and password. Now if i press the sync button or do something else that will need communication with my webside i can check the user/password every time. Because on the web site im planning to do different actions (login, sync, something else) i need to check the login every time - otherwise a third party could just access sync action without actually logign in first.
Anyway, that my thoughts at the moment. Im sure ill ask more detailed questions when i get to coding (im a beginner with android/java) but at the moment i wish to know if the idea of the thing is good or can it be done smarter/better?
Thank you.
I'm suggesting you to create API based application so you won't be troubled if you want to create it in many platform (in case you also want to create in iOS).
What I'm usually used is using API_KEY. API_KEY is a random number generated by the PHP side to save the login session of the user. When the user login from the mobile phone (sends the username and the password) the PHP side will generate API_KEY and updatethe existing API_KEY (if the user have logged in before in other device) in the web database so the login session in the other device will be automatically expired but you must add API_KEY validation everytime you try to access the the database (sync your application) or if you want more strict you can do the checking everytime the user change the screen.
If you have some question about this feel free to ask in the comment ! :)
I'm fairly new to facebook development, but have experience with PHP and JavaScript.
I've been reading through the SDK documentation and various articles regarding facebook integration but have found that a couple of fundamental questions are still open in my head!
I am trying to achieve the following:
Create a website that uses facebook only for registration and login
Use PHP to store facebook user id of registered users in a database on my app server, along with some limited app specific info for those users. All 'generic' info (email address, etc.) should be retreived from facebook.
when a user logs in, get a combination of database records for that user, and facebook stuff.
What I've achieved so far:
I have used the registration plugin to display a register button to unregistered users, and a login button for users who are logged out when they land on the page. I hide the login button using javascript and jquery if the user is already logged in.
I also have a page which receives a registered user and interprets the signed_request, adding the user's id to the users table in my database.
Where my confusion arises:
I want to use the Javascript SDK for user authentication (as it's really easy) - this is obviously done asynchronously on the client side.
Having said that, once a user has logged in using the JS SDK, I need to get some data from my database. I am happy to do this via an AJAX request, BUT that would require passing the facebook user id as part of that request. Surely this could be easily spoofed/changed by a savvy user & they could hence login to my application as someone else?
Question:
How do I securely pass information about a user who has logged in using the JS API to my server?
If the answer is "you can't" then why bother authenticating with the JS API? Is that just for apps that are really light touch?
Thanks in advance for any help!
The simple answer is, you use cookies. This Facebook blog post has a clear example of how to implement a client-side login and expose that data to the server.
Take a look at signed requests: https://developers.facebook.com/docs/authentication/signed_request/
It gives you a nice little primer on how signed requests work and how you can/should use them. If I understand your question correctly, this should answer your question as to why/how you can provide an extra layer of security. Send a signed request that only your application with its own app_secret can decode.
I know of the FBML tag to see if "is app user" for an id, but how can I determine that within PHP itself?
It seems that i have misread the question. if you want to know if your user is an app user or not you cannot use the graph api.
When a user comes to your application for the first time facebook sends you some data regarding that user. At that time you can decide what to do with that information. An easy way would be to use a database and store the id of that user so you can later use it when you want to check if other users have used your app or not.