Previously I blogged about how I don't believe that companies should put their whole website and business inside of a Facebook shell. Now that I have said this I'm going to show code, because it's easy to talk about the whys and why-nots, but showing them is better. The other day I got an interview task to embed a Facebook Page timeline in a website using the more customizable Open Graph API tools. Surprisingly, I found the task time consuming given the fact that Facebook's API docs and examples for PHP (or any programming language) are weak and almost non-existent.
Step by step
Set up your site as a Facebook application by logging in, surfing to developers.facebook.com and clicking on the Apps link in the top bar. I won't touch on this here because there is a good tutorial on Facebook and other parts of the web.

Download and set up the Facebook PHP-SDK:

require 'facebook/src/facebook.php';

// Create our Application instance (replace this with your appId and secret).
$facebook = new Facebook(array(
    'appId'  => 'App id Here',
    'secret' => 'App secret here',
));

// App access token obtained in the next step; keep it server side only.
$access_token = 'App access token here';
Get an access token:
https://graph.facebook.com/oauth/access_token?client_id=[]&client_secret=[]&grant_type=client_credentials
Use PHP curl:
// Page feed of the "berlinto" Page, requested with the app access token.
$c = curl_init("https://graph.facebook.com/berlinto/feed?access_token=" . urlencode($access_token) . "&limit=100");

// Necessary so cURL returns the body instead of dumping it straight onto your page.
curl_setopt($c, CURLOPT_RETURNTRANSFER, 1);
$result = curl_exec($c);
if ($result === false) {
    // Surface transport errors instead of silently decoding an empty body.
    die('cURL error: ' . curl_error($c));
}
curl_close($c);

$facebook_info = json_decode($result, true);
print '<pre>';
print_r($facebook_info);
print '</pre>';

The results:
Array
(
    [0] => Array
        (
            [id] => 116499591832278_116561445159426
            [from] => Array
                (
                    [name] => Carl Adam McDade
                    [id] => 100000381424682
                )
            [to] => Array
                (
                    [data] => Array
                        (
                            [0] => Array
                                (
                                    [name] => Berlinto
                                    [category] => Website
                                    [id] => 116499591832278
                                )
                        )
                )
            [message] => Welcome to the Berlinto Facebook Page for PHPer's
            [type] => status
            [created_time] => 2012-09-06T15:20:56+0000
            [updated_time] => 2012-09-06T15:20:56+0000
            [comments] => Array
                (
                    [count] => 0
                )
        )
    [1] => Array
        (
            [id] => 116499591832278_116499601832277
            [from] => Array
                (
                    [name] => Berlinto
                    [category] => Website
                    [id] => 116499591832278
                )
            [story] => Berlinto joined Facebook.
            [story_tags] => Array
                (
                    [0] => Array
                        (
                            [0] => Array
                                (
                                    [id] => 116499591832278
                                    [name] => Berlinto
                                    [offset] => 0
                                    [length] => 8
                                    [type] => page
                                )
                        )
                )
            [type] => status
            [application] => Array
                (
                    [name] => Reviews
                    [id] => 6261817190
                )
            [created_time] => 2012-09-06T11:38:59+0000
            [updated_time] => 2012-09-06T11:38:59+0000
            [comments] => Array
                (
                    [count] => 0
                )
        )
)
Explanations
As you can see there are a few things to know beforehand that are not readily apparent when reading the documentation. One is the fact that when you create an application you get the application id and the secret key, but there is no access token provided. Again this is done on purpose. I find it hard to believe otherwise. For your cut and paste convenience I put up the URL here. There is a "get access token" tool in the Graph API Explorer, but you have to log in as the page user to get things correct. It would be easier if FB just made the tool available in the App settings area.

When you get the object back from the API call it comes in JSON format, and when converted to a PHP array you will notice that "story" and "message" are not separated out for you: a post carries one key or the other. So you will have to code some logic into your loop to check which key is present when gathering information from the array.
Facebook never uses the word REST for the API. They assume you and I know what type of web service is provided by looking at the URLs, which is quite frankly stupid. This is because I get confused by FQL, which to me means SOAP when I see it. This is a documentation weakness where Facebook really could shine if they were interested.
PHP cURL is used here because for the life of me I could not get the built-in API call to work. I then later found that using cURL is not only faster but recommended. This should have been in the documentation also.
Security
Lastly, there is a security flaw in Facebook's implementation of the API, or possibly a documentation error.

App Access Tokens should only be used when the posting functions are originated directly from your servers in order to keep them private to the app. For example, you should not publish using an App Access Token from within a native mobile app. Doing that could allow the user to obtain the App Access Token, which could then allow them to take actions on behalf of your app.

The problem here is that when the JSON is returned it contains paging URLs which show the app access token quite clearly. So if you want to page through the results there is an instant hole in security. So be careful about what keys you use when presenting the array information.
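The two points above (choosing between "story" and "message" in the loop, and keeping the app access token out of anything that reaches the browser) as an added example that is not from the original post. The feed array is a constructed sample shaped like the decoded response, the token and cursor values are placeholders, and the function names are mine.

```php
<?php
// Constructed sample shaped like the decoded Graph API response, with a paging
// block that carries the app access token (APP_TOKEN_PLACEHOLDER stands in for it).
$feed = [
    'data' => [
        ['id' => '1_1', 'from' => ['name' => 'Carl Adam McDade'],
         'message' => "Welcome to the Berlinto Facebook Page for PHPer's",
         'created_time' => '2012-09-06T15:20:56+0000'],
        ['id' => '1_2', 'from' => ['name' => 'Berlinto'],
         'story' => 'Berlinto joined Facebook.',
         'created_time' => '2012-09-06T11:38:59+0000'],
    ],
    'paging' => [
        'next' => 'https://graph.facebook.com/berlinto/feed'
                . '?access_token=APP_TOKEN_PLACEHOLDER&limit=100&until=1346931539',
    ],
];

// A post carries either "message" (text typed by the poster) or "story"
// (text generated by Facebook), so pick whichever key is present.
function post_text(array $post): string
{
    if (isset($post['message'])) return $post['message'];
    if (isset($post['story']))   return $post['story'];
    return '';
}

// Remove access_token from a paging URL so the cursor can be stored, logged or
// rendered without leaking the app token; the server re-adds its own token
// when it follows the link.
function strip_token(string $url): string
{
    $parts = parse_url($url);
    parse_str($parts['query'] ?? '', $query);
    unset($query['access_token']);
    $clean = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '');
    return $query ? $clean . '?' . http_build_query($query) : $clean;
}

// Render posts as HTML. Message bodies and names come from other users, so
// escape them rather than printing the array values raw.
function render_feed(array $feed): string
{
    $html = "<ul>\n";
    foreach ($feed['data'] as $post) {
        $html .= '  <li>' . htmlspecialchars($post['from']['name'], ENT_QUOTES, 'UTF-8')
               . ': ' . htmlspecialchars(post_text($post), ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html . "</ul>\n";
}

echo render_feed($feed);
// Only the tokenless URL should ever reach a template, a log line or the browser.
echo strip_token($feed['paging']['next']), "\n";
```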