Facebook Cookbook - Jay Goldman [71]

to click to activate it (e.g., in Profile Boxes). The default value is http://static.ak.facebook.com/images/spacer.gif, which will render your Flash unusable in Profile Boxes since it will be invisible, so make sure you specify this if you want to embed it there.

imgstyle (string, default: None): Inline CSS styling for the image specified in imgsrc.

loop (bool, default: false): Setting this to true will cause your Flash to loop endlessly.

quality (string, default: None): Any one of “low”, “medium”, or “high”.

salign (string, default: None): The same as the salign variable you specify in a normal Flash embed, which can be “l” (left), “r” (right), “t” (top), “b” (bottom), or a combination (“tl”, “tr”, “bl”, “br”).

scale (string, default: None): One of “showall”, “noborder”, or “exactfit”.

swfbgcolor (string, default: #ffffff): A hex-encoded background color that will be shown behind the movie.

waitforclick (bool, default: true): Setting this to false will autoplay your Flash whenever Facebook allows that behavior (i.e., anywhere other than Profile Boxes).

width (int, default: None): Width of your Flash, in pixels.

wmode (string, default: transparent): Standard Flash window modes: “transparent”, “opaque”, or “window”.

Here are some important things to note:

Facebook requires users to have the Flash 9.0 plug-in or greater, so take that into account when you’re building your movies.

Your Flash will be inserted into a div with a generated id (such as 15021277386_fbswf_47f06eeeae3c29499214985) and no class set.

Enhancing security in your Flash

It’s a good idea to make sure that your Flash is actually embedded in a Facebook page, because it tells you that the uids passed in are valid and have been authenticated by Facebook. If you don’t verify this, someone could download your Flash that actually does some action on people’s accounts, embed it in another page, pass in someone’s ID, and do bad things. The fb_sig variable that Facebook passes into your Flash will help you do this, but you need to follow a few extra steps in order to be really secure.

The basic intent of fb_sig is to provide your app with an MD5 hash of all of the fb_sig_ variables and your app’s secret key, so that you can create a hash in your Flash movie and then check that it matches the hash passed in. Checking that will definitely prove that you were passed the correct key and that it’s likely your Flash is inside of Facebook, but it’s also possible that some malicious hacker type installed your app, grabbed the URL to your Flash from the page, downloaded myBrilliantFlash.swf onto their machine, and then reverse engineered it to extract your secret key. That would be bad, so the answer is not to put the key into your Flash. But if you don’t do that, how will you check the hash?

It’s actually not that hard. Instead of putting the key into your Flash, create a simple service on your backend that will accept the fb_sig_ variables and the hash, validate them, and return a boolean to indicate whether they passed the sniff test. The simplest way to do this is to add a page (written in PHP, or whatever you’d prefer) to your server, which accepts the fb_sig_ variables and the hash as parameters:

http://www.someserver.com/myapp/checkMD5.php?fb_sig_profile=12345&fb_sig_time=12345&fb_sig_session_key=12345&fb_sig_expires=12345&fb_sig_api_key=12345&fb_sig_added=1&fb_sig=9e107d9d372bb6826bd81d3542a419d6

The page will recreate the fb_sig string and then compare it to what gets passed in, returning true if they match and false if they don’t. Here’s the PHP version:

<?php
// Copy the $_GET params into a local array and sort it by the keys
$nameValueArray = $_GET;
ksort($nameValueArray);

// Iterate through and create a string out of all the fb_sig_ name/value pairs.
// Only keys starting with "fb_sig_" are used, which skips fb_sig itself and any
// unrelated query parameters that would otherwise corrupt the hash input.
$nameValueString = '';
foreach ($nameValueArray as $key => $value) {
    if (substr($key, 0, 7) == 'fb_sig_') {
        $nameValueString .= strtolower(substr($key, 7)) . '=' . $value;
    }
}

// Append the app's secret key (it stays on the server, never inside the .swf)
$nameValueString .= $your_apps_secret_key_goes_here;

// Encode as an MD5 hash
$nameValueString = md5($nameValueString);

// Check to see if they match and hand the boolean back to the Flash movie
$valid = isset($_GET['fb_sig']) && $nameValueString === $_GET['fb_sig'];
echo $valid ? 'true' : 'false';
?>
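The same check in Python, as an added example that is not the book's code: it rebuilds fb_sig the way the text describes (strip the fb_sig_ prefix, sort, concatenate key=value pairs, append the secret, MD5), verifies it server-side, and shows that a re-hosted movie with a swapped profile id fails the check. The query string is the one from the example URL above; the secret and the tampered profile id are constructed sample values.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlsplit

# Constructed sample secret; it lives only on the server, never in the .swf
APP_SECRET = "example-secret-not-a-real-key"

# Query string taken from the example checkMD5.php URL on this page
SAMPLE_URL = (
    "http://www.someserver.com/myapp/checkMD5.php"
    "?fb_sig_profile=12345&fb_sig_time=12345&fb_sig_session_key=12345"
    "&fb_sig_expires=12345&fb_sig_api_key=12345&fb_sig_added=1"
)


def expected_signature(params, secret):
    """Rebuild fb_sig: strip the fb_sig_ prefix, sort by key,
    join key=value pairs with no separator, append the secret, MD5."""
    pairs = sorted(
        (key[len("fb_sig_"):].lower(), value)
        for key, value in params.items()
        if key.startswith("fb_sig_")  # skips fb_sig itself and unrelated params
    )
    payload = "".join(f"{k}={v}" for k, v in pairs) + secret
    return hashlib.md5(payload.encode()).hexdigest()


def verify(params, secret):
    """True only if the supplied fb_sig matches the recomputed hash."""
    supplied = params.get("fb_sig")
    if supplied is None:
        return False
    # Constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(expected_signature(params, secret), supplied)


def parse_query(url):
    return dict(parse_qsl(urlsplit(url).query))


def demo():
    params = parse_query(SAMPLE_URL)
    # Stand in for Facebook: sign the parameters with the shared secret
    params["fb_sig"] = expected_signature(params, APP_SECRET)
    genuine = verify(params, APP_SECRET)
    # The re-hosting scenario above: same fb_sig, but another user's profile id
    forged = verify(dict(params, fb_sig_profile="99999"), APP_SECRET)
    # Extra non-fb_sig_ parameters must not change the outcome
    padded = verify(dict(params, utm_source="newsletter"), APP_SECRET)
    return genuine, forged, padded
```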
