Home/ Questions/Q 6329309
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T17:38:09+00:00

(Since FBML and FBJS are deprecated by Facebook, I cannot use those approaches to

  • 0

(Since FBML and FBJS are deprecated by Facebook, I cannot use those approaches to pass data to my server).

I have an IFRAME facebook application, mainly built to be used by pages.

When the page admin visits my application tab in their page, they see a settings page where they will be add information about their page. I have a submit button as well. Once the page admin submits information about his page, it will be sent to my server and it will be stored along with the page ID. Once this setup is done, when other users visits this application tab in the page, they will see the information posted by the page admin.

I am using Facebook’s PHP SDK in the server side to decode the signed request and get the page ID.

The following is the code in my application’s index.php to send data to my server (along with the user input, page ID will also be passed, not shown here)

function sendData() {
    $.post('ajax.php', {
        data : $("#userdata").val()
    }, function(data) {
        alert(data);
    });
}
</script>

The following is the simple ajax.php script. This is just a test script as of now.

<?php
echo "<pre>" . print_r($_POST) . "</pre>";
?>

The problem is only the user data is being sent to the server. There is a security problem in this approach. I want to send ‘signed_request’ (that facebook sends initially to my index.php, using which I validate the request) along with the user data, so I can validate the request from the server side and update the information for the right page. Else, anyone can post a request like this and update the information for any page.

firebug image

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    All you need to do is use the Facebook PHP SDK in your server side ajax script as well, then you can check that the request was sent by someone with a valid Facebook session who has authorized your app.

    If you are concerned that multiple people using your application will try and send fake requests to alter each others page settings, then you just need to store some information about which Facebook Ids are associated with the Facebook pages they administer.

    For example, while sending the request to the server, send the page ID along with a encrypted key derived from the page ID (keep this encrypted key in a hidden field while displaying itself). In the server, decrypt this key to match with the page ID. By this way, you can be sure that the page admins are modifying the information for ‘their’ pages only.

    • 0