Facebook Cookbook - Jay Goldman [72]
if($nameValueArray['fb_sig'] == $nameValueString){
echo 'true';
}else{
echo 'false';
}
?>
Substitute your app’s secret key on line 15, and you should be in business. Here’s some ActionScript 3 code you can use in Flash to send the request and deal with the response (I put it in frame 1 of the movie, but you might have somewhere else you’d rather stick it):
var nameValue:String = "";
try {
// Step through the parameters and keep any which are part of fb_sig
var keyStr:String;
var valueStr:String;
var paramObj:Object = LoaderInfo(this.root.loaderInfo).parameters;
for (keyStr in paramObj) {
if (keyStr.substr(0,6) == "fb_sig") {
valueStr = String(paramObj[keyStr]);
if (nameValue!="") {
nameValue += "&";
}
nameValue += keyStr + "=" + valueStr;
}
}
nameValue = "http://someserver.com/checkMD5.php?" + nameValue;
// Setup the URLLoader
var loader:URLLoader = new URLLoader();
loader.dataFormat = URLLoaderDataFormat.TEXT;
loader.addEventListener(Event.COMPLETE, onMD5Check);
// You should add more listeners for IO_ERROR, SECURITY_ERROR, and HTTP_STATUS
loader.load(new URLRequest(nameValue));
} catch (e:Error) {
// Handle your errors here
}
function onMD5Check(ev:Event) {
try {
if (ev.target.data == "true") {
// Your key matched! You can continue
} else {
// Your key didn't match. Something fishy going on so deal with it
}
} catch (e:TypeError) {
// Handle your errors here
}
}
The check should still work even if you pass additional flashvars into the Flash that start with fb_sig_, but you should generally avoid that and use your own prefix if you want to have one.
NOTE
A really crafty hacker could still get around this by observing the URL to which you’re sending the security check then using some network trickery to route requests to that address to a different page that just returns true without doing the check. The truth about software security is that there’s always someone with more time and willingness to break your code than you can invest in preventing them, so it’s probably safe to assume you’re reasonably secure (unless your Flash app launches nuclear missiles, in which case you probably don’t need my advice).
Embedding Flash Video
Problem
I’ve encoded some great video as FLV files and now I need to embed this in my FBML.
Solution
Use the fb:flv tag to embed Flash Video (FLV) files. The simplest form is:
The player fits right into the Facebook look and feel, as shown in Figure 6-9.
Figure 6-9. Facebook Flash Video player
Discussion
The fb:flv tag really is just that: a tag that plays FLV files. This is not a generic video player, meaning it won’t handle anything but FLV files, so don’t throw it .mov, .wmv, or .avi files and hope they’ll work. The three optional parameters let you set the width and height (which you should do if you can because some reports indicate that Internet Explorer will collapse your video down to a single gray dot if you don’t), and a title, which will be passed into the video as the Flash variable video_title.
Embedding Microsoft Silverlight
Problem
I love using the latest and greatest technologies, so I’ve gone and built a kick-ass Silverlight movie that I want to embed into my app.
Solution
Use the fb:silverlight tag to embed your Silverlight objects. The simplest form is:
Discussion
As with embedding Flash (see Embedding Adobe Flash), your Silverlight objects will play automatically when embedded on a Canvas page and will load and display the image specified in imgsrc when embedded in a Profile Box, which will require a click to start playing. The fb:silverlight tag shares some of the same optional parameters as fb:swf, and these are listed in Table 6-8.
Table 6-8. Parameters for fb:silverlight
Name
Type
Default value
Description
silverlightsrc
string
N/A
The URL of the Silverlight you want to embed. This is the