Hi I am integrating paypal with my website. I want that user enter their all information on my site (creditcard information and personal information).
I have down loded paypalfunctions.php from paypal developer website.
My code is :-
if(isset($_POST['submitCard']))
{
$firstName =trim($_POST['firstName']);
$lastName =trim($_POST['lastName']);
$street =trim($_POST['street']);
$city =trim($_POST['city']);
$state =trim($_POST['state']);
$zip =trim($_POST['zip']);
$countryCode =$_POST['country'];
$currencyCode ='USD';
$paymentType ='Sale';
$paymentAmount =$_POST['productPrice'];
$creditCardType =$_POST['cardType'];
$creditCardNumber=$_POST['cardNo'];
$expDate ='122015';
$cvv2 =$_POST['cvv'];
$returnResult=DirectPayment( $paymentType, $paymentAmount, $creditCardType, $creditCardNumber,
$expDate, $cvv2, $firstName, $lastName, $street, $city, $state, $zip,
$countryCode, $currencyCode );
echo '<pre>';
print_r($returnResult);
DirectPayment method is in paypalFunctions.php and this is
function DirectPayment( $paymentType, $paymentAmount, $creditCardType, $creditCardNumber,
$expDate, $cvv2, $firstName, $lastName, $street, $city, $state, $zip,
$countryCode, $currencyCode )
{
//Construct the parameter string that describes DoDirectPayment
$nvpstr = "&AMT=" . $paymentAmount;
$nvpstr = $nvpstr . "&CURRENCYCODE=" . $currencyCode;
$nvpstr = $nvpstr . "&PAYMENTACTION=" . $paymentType;
$nvpstr = $nvpstr . "&CREDITCARDTYPE=" . $creditCardType;
$nvpstr = $nvpstr . "&ACCT=" . $creditCardNumber;
$nvpstr = $nvpstr . "&EXPDATE=" . $expDate;
$nvpstr = $nvpstr . "&CVV2=" . $cvv2;
$nvpstr = $nvpstr . "&FIRSTNAME=" . $firstName;
$nvpstr = $nvpstr . "&LASTNAME=" . $lastName;
$nvpstr = $nvpstr . "&STREET=" . $street;
$nvpstr = $nvpstr . "&CITY=" . $city;
$nvpstr = $nvpstr . "&STATE=" . $state;
$nvpstr = $nvpstr . "&COUNTRYCODE=" . $countryCode;
$nvpstr = $nvpstr . "&IPADDRESS=" . $_SERVER['REMOTE_ADDR'];
$resArray=hash_call("DoDirectPayment", $nvpstr);
return $resArray;
}
/**
'-------------------------------------------------------------------------------------------------------------------------------------------
* hash_call: Function to perform the API call to PayPal using API signature
* #methodName is name of API method.
* #nvpStr is nvp string.
* returns an associtive array containing the response from the server.
'-------------------------------------------------------------------------------------------------------------------------------------------
*/
function hash_call($methodName,$nvpStr)
{
//declaring of global variables
global $API_Endpoint, $version, $API_UserName, $API_Password, $API_Signature;
global $USE_PROXY, $PROXY_HOST, $PROXY_PORT;
global $gv_ApiErrorURL;
global $sBNCode;
//setting the curl parameters.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$API_Endpoint);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
//turning off the server and peer verification(TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST, 1);
//if USE_PROXY constant set to TRUE in Constants.php, then only proxy will be enabled.
//Set proxy name to PROXY_HOST and port number to PROXY_PORT in constants.php
if($USE_PROXY)
curl_setopt ($ch, CURLOPT_PROXY, $PROXY_HOST. ":" . $PROXY_PORT);
//NVPRequest for submitting to server
$nvpreq="METHOD=" . urlencode($methodName) . "&VERSION=" . urlencode($version) . "&PWD=" . urlencode($API_Password) . "&USER=" . urlencode($API_UserName) . "&SIGNATURE=" . urlencode($API_Signature) . $nvpStr . "&BUTTONSOURCE=" . urlencode($sBNCode);
//setting the nvpreq as POST FIELD to curl
curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpreq);
//getting response from server
$response = curl_exec($ch);
//convrting NVPResponse to an Associative Array
$nvpResArray=deformatNVP($response);
$nvpReqArray=deformatNVP($nvpreq);
$_SESSION['nvpReqArray']=$nvpReqArray;
if (curl_errno($ch))
{
// moving to display page to display curl errors
$_SESSION['curl_error_no']=curl_errno($ch) ;
$_SESSION['curl_error_msg']=curl_error($ch);
//Execute the Error handling module to display errors.
}
else
{
//closing the curl
curl_close($ch);
}
return $nvpResArray;
}
}
?>
it gives error
Array
(
[TIMESTAMP] => 2010-12-21T06:06:54Z
[CORRELATIONID] => 1cafc53222e76
[ACK] => Failure
[VERSION] => 64
[BUILD] => 1620725
[L_ERRORCODE0] => 10002
[L_SHORTMESSAGE0] => Security error
[L_LONGMESSAGE0] => Security header is not valid
[L_SEVERITYCODE0] => Error
)
i cant understand what is problem is going on.Please help.
Here are a few things to need to worry about as well:
Login to the developer site:
https://developer.paypal.com/
Go to Applications
On the left side, hit "Sandbox Accounts"
You should be able to create one of type BUSINESS right there with the "Create Account" button if there isn't one.
Click on the account, choose "Profile", make sure the account is the BUSINESS kind.
The API Credentials tab will the display the username/password/signature you want to use.
If you don't use the credentials of a sandbox account when using the sandbox url, you are likely to get this 10002 Security error not valid code.
Have configure your API credentials correctly?
you can dump the hash_call out if needed.
If you are doing sandbox testing,
Make sure the endpoint of the call is: https://api-3t.sandbox.paypal.com/nvp
-- pointed to the 'SANDBOX'
Related
Any one of you know know to send a reset link for lost password by wordpress rest api ? I have been looking into wordpress rest api documentation but I haven't find out anything about it. Maybe someone has done a custom function for that.
I found out a way to do that:
function runRetrivePassword($data)
{
global $wpdb, $wp_hasher;
$user_data = get_user_by('email', $data['email']);
if (!$user_data) return array('result' => false);
do_action('lostpassword_post');
$user_login = $user_data->user_login;
$user_email = $user_data->user_email;
$key = get_password_reset_key($user_data);
$message = __('Someone requested that the password be reset for the following account:') . "\r\n\r\n";
$message .= network_home_url('/') . "\r\n\r\n";
$message .= sprintf(__('Username: %s'), $user_login) . "\r\n\r\n";
$message .= __('If this was a mistake, just ignore this email and nothing will happen.') . "\r\n\r\n";
$message .= __('To reset your password, visit the following address:') . "\r\n\r\n";
$message .= network_site_url("wp-login.php?action=rp&key=$key&login=" . rawurlencode($user_login), 'login');
if (is_multisite())
$blogname = $GLOBALS['current_site']->site_name;
else
$blogname = wp_specialchars_decode(get_option('blogname'), ENT_QUOTES);
$title = sprintf(__('[%s] Password Reset'), $blogname);
$title = apply_filters('retrieve_password_title', $title);
$message = apply_filters('retrieve_password_message', $message, $key);
if ($message && !wp_mail($user_email, $title, $message))
wp_die(__('The e-mail could not be sent.') . "<br />\n" . __('Possible reason: your host may have disabled the mail() function...'));
return array('result' => true);
}
add_action('rest_api_init', function () {
register_rest_route('apiuser/v1', '/forgotpwd/(?P<email>\S+)', array(
'methods' => 'GET',
'callback' => 'runRetrivePassword'
));
});
I am trying to integrate paypal ipn to my website. I keep receiving the following error. Im at my wits end here. What am I missing??? I guess Im am just not understanding why the ipn.php page would not be seeing what paypal is sending to the POST variable or is this even the issue? I have been at it all day and I am new to this process so any help would be great!!
INVALID
[2015-12-02 17:39 America/Denver] Invalid IPN: cmd=_notify-validate
Here is my code
ipn.php
<?php
// CONFIG: Enable debug mode. This means we'll log requests into 'ipn.log' in the same directory.
// Especially useful if you encounter network errors or other intermittent problems with IPN (validation).
// Set this to 0 once you go live or don't require logging.
define("DEBUG", 1);
// Set to 0 once you're ready to go live
define("USE_SANDBOX", 1);
define("LOG_FILE", "./ipn.log");
// Read POST data
// reading posted data directly from $_POST causes serialization
// issues with array data in POST. Reading raw POST data from input stream instead.
$raw_post_data = file_get_contents('php://input');
$raw_post_array = explode('&', $raw_post_data);
$myPost = array();
foreach ($raw_post_array as $keyval) {
$keyval = explode ('=', $keyval);
if (count($keyval) == 2)
$myPost[$keyval[0]] = urldecode($keyval[1]);
}
// read the post from PayPal system and add 'cmd'
$req = 'cmd=_notify-validate';
if(function_exists('get_magic_quotes_gpc')) {
$get_magic_quotes_exists = true;
}
foreach ($myPost as $key => $value) {
if($get_magic_quotes_exists == true && get_magic_quotes_gpc() == 1) {
$value = urlencode(stripslashes($value));
} else {
$value = urlencode($value);
}
$req .= "&$key=$value";
}
// Post IPN data back to PayPal to validate the IPN data is genuine
// Without this step anyone can fake IPN data
if(USE_SANDBOX == true) {
$paypal_url = "https://www.sandbox.paypal.com/cgi-bin/webscr";
} else {
$paypal_url = "https://www.paypal.com/cgi-bin/webscr";
}
$ch = curl_init($paypal_url);
if ($ch == FALSE) {
return FALSE;
}
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $req);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
curl_setopt($ch, CURLOPT_FORBID_REUSE, 1);
if(DEBUG == true) {
curl_setopt($ch, CURLOPT_HEADER, 1);
curl_setopt($ch, CURLINFO_HEADER_OUT, 1);
}
// CONFIG: Optional proxy configuration
//curl_setopt($ch, CURLOPT_PROXY, $proxy);
//curl_setopt($ch, CURLOPT_HTTPPROXYTUNNEL, 1);
// Set TCP timeout to 30 seconds
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTPHEADER, array('Connection: Close'));
// CONFIG: Please download 'cacert.pem' from "http://curl.haxx.se/docs/caextract.html" and set the directory path
// of the certificate as shown below. Ensure the file is readable by the webserver.
// This is mandatory for some environments.
//$cert = __DIR__ . "./cacert.pem";
//curl_setopt($ch, CURLOPT_CAINFO, $cert);
$res = curl_exec($ch);
if (curl_errno($ch) != 0) // cURL error
{
if(DEBUG == true) {
error_log(date('[Y-m-d H:i e] '). "Can't connect to PayPal to validate IPN message: " . curl_error($ch) . PHP_EOL, 3, LOG_FILE);
}
curl_close($ch);
exit;
} else {
// Log the entire HTTP response if debug is switched on.
if(DEBUG == true) {
error_log(date('[Y-m-d H:i e] '). "HTTP request of validation request:". curl_getinfo($ch, CURLINFO_HEADER_OUT) ." for IPN payload: $req" . PHP_EOL, 3, LOG_FILE);
error_log(date('[Y-m-d H:i e] '). "HTTP response of validation request: $res" . PHP_EOL, 3, LOG_FILE);
}
curl_close($ch);
}
// Inspect IPN validation result and act accordingly
// Split response headers and payload, a better way for strcmp
$tokens = explode("\r\n\r\n", trim($res));
$res = trim(end($tokens));
if (strcmp ($res, "VERIFIED") == 0) {
// check whether the payment_status is Completed
// check that txn_id has not been previously processed
// check that receiver_email is your PayPal email
// check that payment_amount/payment_currency are correct
// process payment and mark item as paid.
// assign posted variables to local variables
$item_name = $_POST['item_name'];
$item_number = $_POST['item_number'];
$payment_status = $_POST['payment_status'];
$payment_amount = $_POST['mc_gross'];
$payment_currency = $_POST['mc_currency'];
$txn_id = $_POST['txn_id'];
$receiver_email = $_POST['receiver_email'];
$payer_email = $_POST['payer_email'];
if(DEBUG == true) {
error_log(date('[Y-m-d H:i e] '). "Verified IPN: $req ". PHP_EOL, 3, LOG_FILE);
}
} else if (strcmp ($res, "INVALID") == 0) {
// log for manual investigation
// Add business logic here which deals with invalid IPN messages
if(DEBUG == true) {
error_log(date('[Y-m-d H:i e] '). "Invalid IPN: $req" . PHP_EOL, 3, LOG_FILE);
}
}
?>
orderdetails.php
<?php
require 'ipn.php';
?>
<form target="_new" method="post" action="https://www.kathyhaggerty.info/Final/ipn.php">
<input type="hidden" name="SomePayPalVar" value="SomeValue1"/>
<input type="hidden" name="SomeOtherPPVar" value="SomeValue2"/>
<!-- code for other variables to be tested ... -->
<input type="submit"/>
</form>
<br />
Thank you for your payment. Your transaction has been completed, and a receipt for your purchase has been emailed to you. You may log into your account at www.sandbox.paypal.com/ie to view details of this transaction.
index.php
<!-- INFO: The post URL "checkout.php" is invoked when clicked on "Pay with PayPal" button.-->
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
</head>
<body>
<form action='checkout.php' METHOD='POST'>
<input type='image' name='paypal_submit' id='paypal_submit' src='https://www.paypal.com/en_US/i/btn/btn_dg_pay_w_paypal.gif' border='0' align='top' alt='Pay with PayPal'/>
</form>
</body>
<!-- Add Digital goods in-context experience. Ensure that this script is added before the closing of html body tag -->
<script src='https://www.paypalobjects.com/js/external/dg.js' type='text/javascript'></script>
<script>
var dg = new PAYPAL.apps.DGFlow(
{
trigger: 'paypal_submit',
expType: 'instant'
//PayPal will decide the experience type for the buyer based on his/her 'Remember me on your computer' option.
});
</script>
</html>
I am at a loss!!
That is an incorrect way of implementing IPN.
First of all, since you are using ExpressCheckout, have you done DoExpressCheckoutPayment API call? This is because I don't see it in your question.
I am assuming that the orderdetails.php is your Return URL you have set since there is a Thank you message underneath. However, I did not see any DoExpressCheckoutPayments being called.
Without DoEC API call, the transaction is not complete and your IPN will always be Invalid.
If you are following through the Integration Wizard, you should be able to reach Step 4: Make Payment whereby it gives you the whole code as orderconfirm.php, that is the full code of how you should implement DoEC API call.
It's a must to complete and ensure the above, then here is what you need to do to get IPN working:
Regarding the IPN, you can set the URL in the DoEC API call.
In the orderconfirm.php, find the chunk of code and insert $ipnUrl as below:
//Format the parameters that were stored or received from GetExperessCheckout call.
$token = $_REQUEST['token'];
$payerID = $_REQUEST['PayerID'];
$paymentType = 'Sale';
$currencyCodeType = $res['CURRENCYCODE'];
$ipnUrl = 'https://www.kathyhaggerty.info/Final/ipn.php';
$items = array();
$i = 0;
// adding item details those set in setExpressCheckout
while(isset($res["L_PAYMENTREQUEST_0_NAME$i"]))
{
$items[] = array('name' => $res["L_PAYMENTREQUEST_0_NAME$i"], 'amt' => $res["L_PAYMENTREQUEST_0_AMT$i"], 'qty' => $res["L_PAYMENTREQUEST_0_QTY$i"]);
$i++;
}
$resArray = ConfirmPayment ( $token, $paymentType, $currencyCodeType, $payerID, $finalPaymentAmount, $items, $ipnUrl );
$ack = strtoupper($resArray["ACK"]);
After that, go to your paypalfunctions.php, find the function ConfirmPayment, and edit the code below (or you can just replace the whole ConfirmPayment function with mine):
function ConfirmPayment( $token, $paymentType, $currencyCodeType, $payerID, $FinalPaymentAmt, $items, $ipnUrl )
{
/* Gather the information to make the final call to
finalize the PayPal payment. The variable nvpstr
holds the name value pairs
*/
$token = urlencode($token);
$paymentType = urlencode($paymentType);
$currencyCodeType = urlencode($currencyCodeType);
$payerID = urlencode($payerID);
$serverName = urlencode($_SERVER['SERVER_NAME']);
$ipnUrl = urlencode($ipnUrl);
$nvpstr = '&TOKEN=' . $token . '&PAYERID=' . $payerID . '&PAYMENTREQUEST_0_PAYMENTACTION=' . $paymentType . '&PAYMENTREQUEST_0_AMT=' . $FinalPaymentAmt . '&PAYMENTREQUEST_0_NOTIFYURL=' . $ipnUrl;
$nvpstr .= '&PAYMENTREQUEST_0_CURRENCYCODE=' . $currencyCodeType . '&IPADDRESS=' . $serverName;
foreach($items as $index => $item) {
$nvpstr .= "&L_PAYMENTREQUEST_0_NAME" . $index . "=" . urlencode($item["name"]);
$nvpstr .= "&L_PAYMENTREQUEST_0_AMT" . $index . "=" . urlencode($item["amt"]);
$nvpstr .= "&L_PAYMENTREQUEST_0_QTY" . $index . "=" . urlencode($item["qty"]);
$nvpstr .= "&L_PAYMENTREQUEST_0_ITEMCATEGORY" . $index . "=Digital";
}
/* Make the call to PayPal to finalize payment
If an error occured, show the resulting errors
*/
$resArray=hash_call("DoExpressCheckoutPayment",$nvpstr);
/* Display the API response back to the browser.
If the response from PayPal was a success, display the response parameters'
If the response was an error, display the errors received using APIError.php.
*/
$ack = strtoupper($resArray["ACK"]);
return $resArray;
}
Once you have done, put every file together and if everything works fine, IPN should be triggered automatically upon completed payment (after DoExpressCheckoutPayment API have been called in orderconfirm.php)
I am using PayPal Checkout in my website using the PayPal Integration Wizard
and I want to disable the shipping details. What changes should I make in which file?
Updated
This is my expresscheckout file and I have posted a portion from the paypalfunctions.php as well.
expresscheckout.php
<?php
require_once ("paypalfunctions.php");
$_SESSION["Payment_Amount"] = $_POST["Payment_Amount"];
// ==================================
// PayPal Express Checkout Module
// ==================================
//'------------------------------------
//' The paymentAmount is the total value of
//' the shopping cart, that was set
//' earlier in a session variable
//' by the shopping cart page
//'------------------------------------
$paymentAmount = $_SESSION["Payment_Amount"];
//'------------------------------------
//' The currencyCodeType and paymentType
//' are set to the selections made on the Integration Assistant
//'------------------------------------
$currencyCodeType = "USD";
$paymentType = "Sale";
//'------------------------------------
//' The returnURL is the location where buyers return to when a
//' payment has been succesfully authorized.
//'
//' This is set to the value entered on the Integration Assistant
//'------------------------------------
$returnURL = "http://localhost/Reg/Components/PayPal/billinghandler.php";
//'------------------------------------
//' The cancelURL is the location buyers are sent to when they hit the
//' cancel button during authorization of payment during the PayPal flow
//'
//' This is set to the value entered on the Integration Assistant
//'------------------------------------
$cancelURL = "http://localhost/Reg/Portal/SecretaryProfile.php";
//'------------------------------------
//' Calls the SetExpressCheckout API call
//'
//' The CallShortcutExpressCheckout function is defined in the file PayPalFunctions.php,
//' it is included at the top of this file.
//'-------------------------------------------------
$resArray = CallShortcutExpressCheckout ($paymentAmount, $currencyCodeType, $paymentType, $returnURL, $cancelURL);
$ack = strtoupper($resArray["ACK"]);
if($ack=="SUCCESS" || $ack=="SUCCESSWITHWARNING")
{
RedirectToPayPal ( $resArray["TOKEN"] );
}
else
{
//Display a user friendly Error on the page using any of the following error information returned by PayPal
$ErrorCode = urldecode($resArray["L_ERRORCODE0"]);
$ErrorShortMsg = urldecode($resArray["L_SHORTMESSAGE0"]);
$ErrorLongMsg = urldecode($resArray["L_LONGMESSAGE0"]);
$ErrorSeverityCode = urldecode($resArray["L_SEVERITYCODE0"]);
echo "SetExpressCheckout API call failed. ";
echo "Detailed Error Message: " . $ErrorLongMsg;
echo "Short Error Message: " . $ErrorShortMsg;
echo "Error Code: " . $ErrorCode;
echo "Error Severity Code: " . $ErrorSeverityCode;
}
?>
a portion from paypalfunctions.php
function hash_call($methodName,$nvpStr)
{
//declaring of global variables
global $API_Endpoint, $version, $API_UserName, $API_Password, $API_Signature;
global $USE_PROXY, $PROXY_HOST, $PROXY_PORT;
global $gv_ApiErrorURL;
global $sBNCode;
//setting the curl parameters.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$API_Endpoint);
curl_setopt($ch, CURLOPT_VERBOSE, 1);
//turning off the server and peer verification(TrustManager Concept).
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
curl_setopt($ch, CURLOPT_POST, 1);
//if USE_PROXY constant set to TRUE in Constants.php, then only proxy will be enabled.
//Set proxy name to PROXY_HOST and port number to PROXY_PORT in constants.php
if($USE_PROXY)
curl_setopt ($ch, CURLOPT_PROXY, $PROXY_HOST. ":" . $PROXY_PORT);
//NVPRequest for submitting to server
$nvpreq="METHOD=" . urlencode($methodName) . "&VERSION=" . urlencode($version) . "&PWD=" . urlencode($API_Password) . "&USER=" . urlencode($API_UserName) . "&SIGNATURE=" . urlencode($API_Signature) . $nvpStr . "&BUTTONSOURCE=" . urlencode($sBNCode);
//setting the nvpreq as POST FIELD to curl
curl_setopt($ch, CURLOPT_POSTFIELDS, $nvpreq);
//getting response from server
$response = curl_exec($ch);
//convrting NVPResponse to an Associative Array
$nvpResArray=deformatNVP($response);
$nvpReqArray=deformatNVP($nvpreq);
$_SESSION['nvpReqArray']=$nvpReqArray;
if (curl_errno($ch))
{
// moving to display page to display curl errors
$_SESSION['curl_error_no']=curl_errno($ch) ;
$_SESSION['curl_error_msg']=curl_error($ch);
//Execute the Error handling module to display errors.
}
else
{
//closing the curl
curl_close($ch);
}
return $nvpResArray;
}
Solved. In the hash_call function in the paypalfunctions.php file, the NVPRequest for submitting to server should be updated with passing NOSHIPPING=1 as a parameter as below.
//NVPRequest for submitting to server
$nvpreq="METHOD=" . urlencode($methodName) ."&NOSHIPPING=1" . "&VERSION=" . urlencode($version) . "&PWD=" . urlencode($API_Password) . "&USER=" . urlencode($API_UserName) . "&SIGNATURE=" . urlencode($API_Signature) . $nvpStr . "&BUTTONSOURCE=" . urlencode($sBNCode);
I want to extract events from a facebook Page to an official website and struggle with graph and oauth to get out the information.
Simplified code, phase 1&2 in same code:
<?php
$app_id = '...........4639';
$app_secret = '7547xxxxxxxxxxxxxxxxxxxxxxxx';
if (isset($_GET['code'])) {
//stage 2
$state = $_GET['state'];
$code = $_GET['code'];
//the code doesn't work. If I use graph api explorer to get key, I'm all fine.
//the code here from graph api explorer.
//$code = 'AAAIERWeZCHZxxxxxxxxxxxxxxxxxxxxx';
$s = "https://graph.facebook.com/_PAGE_ID?fields=feed.fields(story,message,picture)&access_token=" . $code;
$json = file_get_contents($s);
die($json);
} else {
//stage 1
$my_url = 'http://www.myself.com/fb/index.php';
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" .
$app_id . "&redirect_uri=" . urlencode($my_url) . "&state=" . $_SESSION['state'];
//now redirect to myself - phase2
header("Location: " . $dialog_url);
exit();
}
In case anyone sits in the same annoyance:
file_get_contents doesn't seem to cope with the token request. The following code works.
<?php
function curlRequest($url) {
$ch = curl_init();
$useragent="Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1";
curl_setopt($ch, CURLOPT_USERAGENT, $useragent);
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$timeout = 5;
curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, $timeout);
$data = curl_exec($ch);
curl_close($ch);
return $data;
}
$app_id = '................';
$app_secret = '..................................';
$my_url = 'http://www.memyself.andi/me.php';
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
// Redirect to Login Dialog
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); // CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. urlencode($_SESSION['state']) . "&scope=user_birthday,read_stream";
header("Location: " . $dialog_url);
}
if($_SESSION['state'] && ($_SESSION['state'] === $_REQUEST['state'])) {
$token_url = 'https://graph.facebook.com/oauth/access_token?client_id=' .
$app_id . '&redirect_uri=' . urlencode($my_url) .
'&client_secret=' . $app_secret . '&code=' . urlencode($code);
//die($token_url);
$response = curlRequest($token_url);
//bummer - this won't work (php 5.3/ubuntu)
//$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$_SESSION['access_token'] = $params['access_token'];
$graph_url = "https://graph.facebook.com/_THE_PAGE_ID/feed?access_token="
. $params['access_token'];
$json = json_decode(file_get_contents($graph_url));
echo serialize($json);
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
At the bottom is a working example of server side flow. It is a file fb_server_side_flow.php that I prepared from a template I found on developers.facebook.com. My first question is what exactly is $code = $_REQUEST["code"]; doing? Is it getting a Facebook cookie? If so how is $code = $_REQUEST["code"]; different from the code directly below? Is it really necessary to use session_start at towards the top of fb_server_side_flow.php?
Mainly I am trying to implement a system that gives my user an OPTION to login via Facebook but a login via Facebook is not a requirement. Is there any documentation available on implementing a login via Facebook OPTION as opposed to a required login via Facebook?
Thank you!
....
function get_facebook_cookie($app_id, $app_secret) {
$args = array();
parse_str(trim($_COOKIE['fbs_' . $app_id], '\\"'), $args);
ksort($args);
$payload = '';
foreach ($args as $key => $value) {
if ($key != 'sig') {
$payload .= $key . '=' . $value;
}
}
if (md5($payload . $app_secret) != $args['sig']) {
return null;
}
return $args;
}
$cookie = get_facebook_cookie(YOUR_APP_ID, YOUR_APP_SECRET);
....
fb_server_side_flow.php
<?php
$app_id = "****";
$app_secret = "****";
$my_url = "http://www.sepserver.net/dsg/fb_server_side_flow.php";
session_start();
$code = $_REQUEST["code"];
if(empty($code)) {
$_SESSION['state'] = md5(uniqid(rand(), TRUE)); //CSRF protection
$dialog_url = "https://www.facebook.com/dialog/oauth?client_id="
. $app_id . "&redirect_uri=" . urlencode($my_url) . "&state="
. $_SESSION['state'];
echo("<script> top.location.href='" . $dialog_url . "'</script>");
}
if($_REQUEST['state'] == $_SESSION['state']) {
$token_url = "https://graph.facebook.com/oauth/access_token?"
. "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url)
. "&client_secret=" . $app_secret . "&code=" . $code;
$response = file_get_contents($token_url);
$params = null;
parse_str($response, $params);
$graph_url = "https://graph.facebook.com/me?access_token="
. $params['access_token'];
$user = json_decode(file_get_contents($graph_url));
echo("Hello " . $user->name);
}
else {
echo("The state does not match. You may be a victim of CSRF.");
}
?>
The first block of code is for retrieving Facebook cookie parameters for users who are already authorized and logged in.
The second block of code is for letting the user authorize your application (oauth) AND for retrieving an access_token your application can use to make API (FB Graph) calls on the user's behalf.
$_REQUEST relates to POST or GET parameters, not cookies. If you check the docs on authentication flow, you can see that Facebook redirects the user to http://your_redirect_uri?code=1234abcd after the user has approved your application. You're supposed to grab that code parameter and use it to make another call to graph.facebook.com to get the user's access_token.
The purpose of session_start() is to prepare the $_SESSION array, so that $_SESSION['state'] is preserved across page reload. If your framework already has session handling code, you can omit it. It's only used for the CSRF protection bit.
Optional login is pretty straightforward. If you're using the new PHP SDK, you can check the return value of $facebook->getUser(); -- if it's 0, the user is not logged in (and you can show content as normal, with perhaps an additional link to fb_server_side_flow.php to begin the authorization procedure.)