Learn

1. Gain more knowledge in the Zend Framework – ongoing
2. Learn jQuery Mobile
3. Learn Ruby

Do

1. Upgrade Media-Bugs E-commerce / CMS Platform to v0.5 (currently on v0.1)
2. Design / Build Musiko

Read

1. Read at least 1 book this year (100% increase on last year)
2. Read e-books on web dev

Personal

1. Attend Focus on imaging conference in March at the Birmingham NEC – (UPDATE  – booked for 7th March) Fail
2. Start martial arts style fitness programme once a week
3. Try to go climbing a few times this year
4. Do more photography
5. Compete in Tough Mudder

Games

1. Complete Final Fantasy 13
2. Complete Battlefield 3
3. Buy & complete Final Fantasy 13-2
4. Complete Super Mario World (snes)
5. Complete Zelda – The Phantom Hourglass

Will build on this list & repost as and when it is updated

Step 1 – The setup

Mysql Table
Lets start by creating the users table

CREATE TABLE `users` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`oauth_provider` varchar(10),
`oauth_uid` text,
`username` text,
PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Quite simple: we will be setting up a table for user information with id, username, first and last name, the URL to the user’s picture, and registered date. Also, we’re adding both an oauth_provider and oauth_uid fields, to distinguish between different third party open authentication protocols and their identifiers. For example, let’s say that, next week, you decide that it’s a good idea to also let Twitter users in. Easy; you just set another value to the oauthprovider, and avoid duplicating oauthuid values.

The Facebook App

Let’s begin by creating a new application. Give it a name and agree to the terms and conditions. Next, grab both the API Key and Secret in the basic tab as shown below.

On the canvas tab, set both the Canvas URL and Post-Authorize Redirect URL to your localhost and path that the script will process — something like http://localhost.com/login_facebook.php?. Note the question mark at the end and the domain; both are required by Facebook. Simply set your hosts file to a valid domain name.

On the connect tab, set the Connect URL to the same value and set localhost.com (or the one you are using) as the Base Domain.

Now save, download the client library, and unzip facebook.php in the srcdir to a new directory created in the root.

Step 2. The Callback

The authentication flow has three steps:

1. The local script generates a URL asking the user for permission
2. Facebook returns to the Canvas URL specified with a GET parameter
3. The GET parameter authenticates the session

Let’s make a quick test before registering and login.

# We require the library
require("facebook.php");

# Creating the facebook object
$facebook = new Facebook(array(
'appId' => 'YOUR_APP_ID',
'secret' => 'YOUR_APP_SECRET',
'cookie' => true
));

# Let's see if we have an active session
$session = $facebook->getSession();

if(!empty($session)) {
# Active session, let's try getting the user id (getUser()) and user info (api->('/me'))
try{
$uid = $facebook->getUser();
$user = $facebook->api('/me');
} catch (Exception $e){}

if(!empty($user)){
# User info ok? Let's print it (Here we will be adding the login and registering routines)
print_r($user);
} else {
# For testing purposes, if there was an error, let's kill the script
die("There was an error.");
}
} else {
# There's no active session, let's generate one
$login_url = $facebook->getLoginUrl();
header("Location: ".$login_url);
}

Now, go to http://localhost.com/login_facebook.php, and let’s see what happens. If you are redirected to Facebook and requested for permission, we are on the right track.

However, there might be two issues. The first one: if you’re redirected to Facebook, but it shows an error, there might be a missing value in the configuration. Go back to your application settings and check both the Connect and Canvas tabs and make sure the fields are ok as described above.

There might be another issue, where you see an error, like “Uncaught CurlException: 60: SSL certificate problem, verify that the CA cert is OK.” This happens because of the CURL settings. You’ll have to open facebook.php, find the makeRequest() method, and, inside the function, find this line:

 $opts = self::$CURL_OPTS; 

Immediately following it, add:

$opts[CURLOPT_SSL_VERIFYPEER] = false;

hate hacking libraries, but I haven’t found another way. Well, let’s continue with user registration. I’ve also added a try/catch statement, because, if there’s an old session keys in the GET params in the URL, the script will die with a horrible error.

Step 3. Registration and Authentication

We’ll next be working with MySQL. Please note that I will not implement a data sanitizer, since I want to keep the code as short and on task as possible. Please keep this in mind: always sanitize your data.

First, let’s connect to the database.

 mysql_connect('localhost', 'YOUR_USERNAME', 'YOUR_PASSWORD');
mysql_select_db('YOUR_DATABASE'); 

Now, let’s work on the $session conditional, in case we have a session.

# We have an active session; let's check if we've already registered the user
$query = mysql_query("SELECT * FROM users WHERE oauth_provider = 'facebook' AND oauth_uid = ". $user['id']);
$result = mysql_fetch_array($query);

# If not, let's add it to the database
if(empty($result)){
$query = mysql_query("INSERT INTO users (oauth_provider, oauth_uid, username) VALUES ('facebook', {$user['id']}, '{$user['name']}')");
$query = msyql_query("SELECT * FROM users WHERE id = " . mysql_insert_id());
$result = mysql_fetch_array($query);
}

Note that I’m querying the database, looking for facebook as a oauth_provider; it’s generally a good idea, if you want to accept other OAuth providers (as twitter, Google Accounts, Open ID, etc.) and a oauth_uid, since it’s the identifier the provider gives to its user accounts.

The oauth_provider field could potentially lead to bad performance if we leave it as a text field type. As such, the best option is setting it to an ENUM type.

We have now a $result var with the values queried from the database. Let’s next add some sessions. Add this line at the beginning of your script.

 session_start(); 

After the empty($result) conditional, append the following:

if(!empty($user)){
# ...

if(empty($result)){
# ...
}

# let's set session values
$_SESSION['id'] = $result['id'];
$_SESSION['oauth_uid'] = $result['oauth_uid'];
$_SESSION['oauth_provider'] = $result['oauth_provider'];
$_SESSION['username'] = $result['username'];
}

As it makes little sense to authenticate a user who is already logged in, just below the session_start() line, add:

if(!empty($_SESSION)){
header("Location: home.php");
}

And in the scripts which require authentication, just add:

session_start();
if(!empty($_SESSION)){
header("Location: login_facebook.php");
}

And if you want to display the username, access it as an array.

echo 'Welcome ' . $_SESSION['username'];
# or..
echo 'Welcome ' . !empty($_SESSION) ? $_SESSION['username'] : 'guest';

Step 4. Additional Methods

Facebook has a ton of connect features, but here are four that I’ve found to be the most useful.

Legacy Methods

I might be missing something, but the FQL seems more flexible and easy than the Graph API. Fortunately, Facebook still lets developers use it, altough with the new library, it has changed a bit.

If you want the user id, first name, last name, squared thumbnail for the user picture, the biggest user picture available, and his or her gender, you can use the users.getInfo method.

$uid = $facebook->getUser();
$api_call = array(
'method' => 'users.getinfo',
'uids' => $uid,
'fields' => 'uid, first_name, last_name, pic_square, pic_big, sex'
);
$users_getinfo = $facebook->api($api_call);

It is possible to achieve the same result, using FQL.

$uid = $facebook->getUser();
$fql_query = array(
'method' => 'fql.query',
'query' => 'SELECT uid, first_name, last_name, pic_square, pic_big, sex FROM user WHERE uid = ' . $uid
);
$fql_info = $facebook->api($fql_query);

Here’s the list of tables

which can be accessed with FQL, as well as the fields available for the table users.

Extended Permissions

Facebook provides applications with some interaction with the user’s data – just as long as it’s authorized. With the old API, the authorization for additional permissions was exclusively available for the Javascript SDK (altough I’m not quite sure). With the new API, we can easily redirect the user to an authorization dialog in Facebook, and return to our site after the access is either granted or denied.

In the following example, we will be redirecting a user to authorize posts status updates, photos, videos and notes, the user’s real email address, birthday and access to photos and videos.

$uid = $facebook->getUser();

# req_perms is a comma separated list of the permissions needed
$url = $facebook->getLoginUrl(array(
'req_perms' => 'email,user_birthday,status_update,publish_stream,user_photos,user_videos'
));
header("Location: {$url} ");

Here’s a full list of permissions. Note that you can specify both the url to direct to if the user accepts and the url to be redirected to if the user denies. The key for these array elements are next and cancel_url, respectively. Here’s a quick example:

$url = $facebook->getLoginUrl(array(
'req_perms' => 'email',
'next' => 'http://localhost.com/thanks.php',
'cancel_url' => 'http://localhost.com/sorry.php'
));

If not specified, the default is the requesting script’s location.

Checking for Extended Permissions

Since the user can easily revoke permissions, the application should always check if a given permission is granted before using it, specially if it’s about publishing something.

$uid = $facebook->getUser();

# users.hasAppPermission
$api_call = array(
'method' => 'users.hasAppPermission',
'uid' => $uid,
'ext_perm' => 'publish_stream'
);
$users_hasapppermission = $facebook->api($api_call);
print_r($users_hasapppermission);

The ext_perm will only support the old list of available permissions.

Publishing to the Wall

Let’s post something to the wall after verifying the user has the publish_stream permission.

# let's check if the user has granted access to posting in the wall
$api_call = array(
'method' => 'users.hasAppPermission',
'uid' => $uid,
'ext_perm' => 'publish_stream'
);
$can_post = $facebook->api($api_call);
if($can_post){
# post it!
$facebook->api('/'.$uid.'/feed', 'post', array('message' => 'Saying hello from my Facebook app!'));
echo 'Posted!';
} else {
die('Permissions required!');
}

Essentially, we are making an API call to /{user_id}/feed, using the POST method (second argument) and an array as a third argument for the data to be sent. In this case, this third argument supports message, link, picture, caption, name and description. Here’s the code:

$facebook->api('/'.$uid.'/feed', 'post', array(
'message' => 'The message',
'name' => 'The name',
'description' => 'The description',
'caption' => 'The caption',
'picture' => 'The Image',
'link' => 'http://thewebdude.co.uk/'
));

Here’s how it is posted.

Conclusion

While Facebook’s authentication capabilities are indeed useful, since so many people are on Facebook these days, using it as the only method of authentication in a site is not recommended. What about those who don’t have Facebook accounts? Are they not allowed to access your application? Thanks for reading!

SQL Injection is one of the most common methods used to gain access to a web application and take control. For example, it is done by hackers entering sql into dynamic parameters to gain access to the database and displaying all of the information from the database or to force a login to a system where the user credentials don’t exist.

To protect against this it is important that we check the data that is passed into the system from forms and url strings.

Using PHP Data Objects (PDO)

PDO is a PHP extension that work like class letting you access database more fast and secure.

$PSH=$db->prepare('SELECT * FROM table WHERE id = :id');
$PSH->execute(array(':id' => $_GET['id']));
$rows = $PSH ->fetchAll();

where $db is a success PDO connection

mysql_real_escape_string()

mysql_real_escape_string() is a function that escape the unsafe character before sending the MySQL query.

$id = mysql_real_escape_string($_GET['id']);
$query = mysql_query("SELECT * FROM table where id = "' .$id. '");

preg_replace()

preg_replace() is a function that find and replace character in string. Here we will use it to find anything but numbers and remove it.

This method is good if you are selecting from MySQL using WHERE id = INT;

$id = preg_replace("/[^0-9]/","", $_GET['id']);
$query = mysql_query("SELECT * FROM table where id = "' .$id. '");

Conclusion

Make sure that all data that is entered by a user is striped of anything that can be malicious. If you don’t you could end up loosing your application.

Always keep a backup of everything to!

Will update another day though.