Home/ Questions/Q 6805407
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-26T19:34:57+00:00

I am using the code from the facebook app developer site. I tried it

  • 0

I am using the code from the facebook app developer site. I tried it and I am getting the following error :

"The state does not match. You may be a victim of CSRF"

The code used is as follows :

  <?php 

   $app_id = "YOUR_APP_ID";
   $app_secret = "YOUR_APP_SECRET";
   $my_url = "YOUR_URL";

   session_start();
   $code = $_REQUEST["code"];

   if(empty($code)) {
     $_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
     $dialog_url = "http://www.facebook.com/dialog/oauth?client_id=" 
       . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
       . $_SESSION['state'];

     echo("<script> top.location.href='" . $dialog_url . "'</script>");
   }

   if($_REQUEST['state'] == $_SESSION['state']) {
     $token_url = "https://graph.facebook.com/oauth/access_token?"
       . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
       . "&client_secret=" . $app_secret . "&code=" . $code;

     $response = file_get_contents($token_url);
     $params = null;
     parse_str($response, $params);

     $graph_url = "https://graph.facebook.com/me?access_token=" 
       . $params['access_token'];

     $user = json_decode(file_get_contents($graph_url));
     echo("Hello " . $user->name);
   }
   else {
     echo("The state does not match. You may be a victim of CSRF.");
   }

 ?>

From the code its obv that for some reason, $_REQUEST[‘state’] != $_SESSION[‘state’]. Can somebody please explain why this is happening. I am also a PHP amateur.

Thank u 🙂

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Use SDK, much easier.

    This code gets the user data and serializes it, and throws to the database, i know its not perfect but have a look. I’m going to edit this when i get some free time, then i recommend encoding the users data as JSON, not as base64 serialized, because it will be easier to do query searches in the future.

        <?php
        require 'facebook.php'; // USE FACEBOOK PHP SDK

        // Create our Application instance (replace this with your appId and secret).
        $facebook = new Facebook(array(
          'appId'  => 'APPID',
          'secret' => 'APPSECRET',
        ));
        // ----------------------------------------------------------------------------------------
        // ----------------------------------------------------------------------------------------

        // Get User ID
        $user = $facebook->getUser();

        /* We may or may not have this data based on whether the user is logged in.
           If we have a $user id here, it means we know the user is logged into
           Facebook, but we don't know if the access token is valid. An access
           token is invalid if the user logged out of Facebook. */

        if ($user) {
          try {
            // Proceed knowing you have a logged in user who's authenticated.
            // these are the graph calls
            $dt = $facebook->api('/me');
            $lk = $facebook->api('/me/likes');
          } catch (FacebookApiException $e) {
            error_log($e);
            $user = null;
          }
        }

        // ----------------------------------------------------------------------------------------
        // ----------------------------------------------------------------------------------------
        // Handler for Login Status
        // With the LoginURL, user the 'scope' to ask for permissions
        if ($user) {
          $logoutUrl = $facebook->getLogoutUrl();
        } else {
          $loginUrl = $facebook->getLoginUrl(array("scope" => "email,user_birthday,user_likes,user_work_history,user_location,user_education_history"));
        }
        // ----------------------------------------------------------------------------------------
        ?>
        <?php if (!$user): header ('Location:'.$loginUrl.''); //CHECKS IF USER IS LOGGED IN
        else: 

 // Do Something here. This next bit of code shows what comes out of those calls.
      echo "<pre>"; 
      print_r($dt);
      echo"</pre>";

      echo"<br/><br/>";

      echo "<pre>"; 
      print_r($lk);
      echo"</pre>";

      endif
        ?>
    • 0