问题
I am using this code for facebook like callback:
<script type="text/javascript">
FB.Event.subscribe('edge.create', function(response) {
// php script to call via ajax
});
</script>
The problem is that if i call a php script (for example http://www.test.com/addfacebook?id=xx&user=xxx&code=xxxx) someone can see my javascript and run this page and even spam it or use it without have liked first.
The concept is that i want to give a unique special discount code to every user likes the page. So on callback I want to store in database and id, the user real name from facebook and the discount code I created for him.
How to do it so someone can't override it (as it is javascript)?
Thanks a lot!
回答1:
The easiest way to get at what you are doing is to verify the user is legitimate. I would have your ajax action have parameters that include the FacebookID and the access_token. This will prevent anyone from gaming your system.
Since you are using the FB JS SDK - just make a call to the API like so:
FB.getLoginStatus(function (loginResponse) {
FB.api('/me', function (graph) {
var token = loginResponse.session.access_token;
var fbid = loginResponse.session.uid;
} else {
// no user session available, someone you dont know
}
});
I'd put this in your FB.Event.subscribe and use the token and fbid vars accordingly.
Hope this helps!
回答2:
You can use the PHP SDK to verify the token Joey mentioned, once you have the token on the server use something like this:
$facebook = new Facebook(); // Replace the line with the call that sets the app id and secret
$user = $facebook->api('/me',array('access_token',$_GET['access_token']));
Then check the value in $user
来源:https://stackoverflow.com/questions/6230092/facebook-like-button-callback-help