can facebook's $_REQUEST[ "signed_request" ] be faked


dsdsdsdsd


I have my_app which is intended to be accessed only as a facebook canvas app, and I am looking for a solid test which my_app will perform during the loading phase to verify whether it is or isn't being loaded into a facebook iframe.

 

So one approach I am looking at is to check the $_REQUEST array. In a legitimate facebook iframe, the $_REQUEST[ "signed_request" ] is readable. But I would like to know if somehow another webpage could attempt to load my_app and send a fake 'signed_request'.

 

- thanks, Shannon


I guess another way of asking this question is:

 

If I load somebodys_url into an iframe on my_page, can I inject values into the $_REQUEST array that accompanies that request for their page?

 

please see my first post for the explanation of why I want to know this.

Edited by dsdsdsdsd

Well... Yes. Everything in $_REQUEST is data sent to your server by the client, a collection of the data in $_POST, $_GET and $_COOKIE. So if this token is a static token for your application, then it would be trivial to send it from another site too.

However, if it's randomly generated for each FB user, and confirmed against a token from the Facebook-user object in your code, then it'll be a bit trickier. It all depends upon how Facebook has set this up.


Christian, thanks for responding.

 

your response is helpful.

 

I am trying to create the scenario, so I made 2 php files, iframe__parent.php and iframe__child.php

 

// iframe__parent.php
// sets a value in this script's own $_REQUEST array before embedding the child page
<?php $_REQUEST[ "signed_request" ] = "blah" ; ?>
...
<iframe src="iframe__child.php"> </iframe>
...

// iframe__child.php
// checks whether the value set by the parent script arrived in this request
<?php var_dump( isset( $_REQUEST[ "signed_request" ] ) ) ; ?>
// ..... returns false

 

 

so although I understand that it is possible (otherwise how would facebook do it, right?), how?

 

thanks for your time,

Shannon


Setting the $_REQUEST value in the parent script doesn't do anything, as that is simply dropped as soon as the script finishes parsing, which it does before the client requests the page linked to in the iframe.

To send the desired value to the child page, you need to add it to the URL of the iframe source. That way it will become a GET parameter, which is included in the $_REQUEST array.

 

Remember: Every single instance of a PHP script is completely separate from any other instances, and unless you send the data specifically to each instance it will not exist.


aha of course ... and it worked as you said ... thanks!

 

I have since learned that facebook apps have an app_secret that is intended to be secret, and that that is included in the $_REQUEST sent with the child_index.php ... I suppose that child_index.php will check for that ... getting ready to test it.

 

thanks for your answer!

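The two points raised in this thread, that anything in $_REQUEST can be supplied by whoever builds the request (for example via ?signed_request=... in an iframe src) and that the app_secret is what actually ties a signed_request to Facebook, come together in the check below. This is an added example, not code from the thread or from Facebook's SDK. It assumes the documented signed_request layout of "base64url(signature).base64url(JSON payload)" with the signature being HMAC-SHA256 over the encoded payload keyed with the app secret; the APP_SECRET value and the two sample requests are constructed for the demonstration.

```php
<?php
// Added example: why isset($_REQUEST['signed_request']) proves nothing, and what
// a real check looks like. APP_SECRET is a constructed placeholder (assumption).
const APP_SECRET = 'constructed-placeholder-app-secret';

function base64url_decode(string $s)
{
    // Facebook omits '=' padding; restore it before strict decoding.
    $s .= str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/'), true);
}

function base64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Returns the decoded payload array if the signature verifies, otherwise null.
function parse_signed_request(string $signed_request, string $app_secret): ?array
{
    $parts = explode('.', $signed_request, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded_sig, $payload] = $parts;
    $sig = base64url_decode($encoded_sig);
    $json = base64url_decode($payload);
    $data = $json === false ? null : json_decode($json, true);
    if ($sig === false || !is_array($data)) {
        return null;
    }
    // Refuse anything that is not the expected algorithm before trusting the payload.
    if (strtoupper($data['algorithm'] ?? '') !== 'HMAC-SHA256') {
        return null;
    }
    // Recompute the MAC over the encoded payload and compare in constant time.
    $expected = hash_hmac('sha256', $payload, $app_secret, true);
    if (!hash_equals($expected, $sig)) {
        return null;
    }
    return $data;
}

// Builds a signed_request; only a holder of the secret can produce one that verifies.
function make_signed_request(array $data, string $secret): string
{
    $payload = base64url_encode(json_encode($data));
    return base64url_encode(hash_hmac('sha256', $payload, $secret, true)) . '.' . $payload;
}

// The check from the thread: existence of the parameter only.
function naive_check(array $request): bool
{
    return isset($request['signed_request']);
}

// Constructed sample requests: one signed with the real secret, one signed by a
// third party who does not know it (equivalent to ?signed_request=... on an iframe).
$payload = ['algorithm' => 'HMAC-SHA256', 'user_id' => '123', 'issued_at' => 1700000000];
$samples = [
    'genuine' => ['signed_request' => make_signed_request($payload, APP_SECRET)],
    'forged'  => ['signed_request' => make_signed_request($payload, 'not-the-app-secret')],
];

foreach ($samples as $label => $request) {
    $naive    = naive_check($request) ? 'accepted' : 'rejected';
    $verified = parse_signed_request($request['signed_request'], APP_SECRET) !== null
        ? 'accepted' : 'rejected';
    echo "$label request: isset() check $naive, HMAC check $verified\n";
}
```

Running this shows both sample requests passing the isset() check while only the genuinely signed one passes parse_signed_request(); the forged one fails because its MAC was computed with a different key. In a canvas app the signed_request arrives in $_POST, so the verified payload (not the mere presence of the parameter) is the thing to gate page loading on, and the app secret must never be sent to the browser or written into the iframe.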