I have created a JavaScript based login for my latest application, and everything works fine. The problem is that I want to store all users in a database, and don't know how to do this the Facebook way. I have very good PHP and SQL knowledge, so that is not a problem. I just need some advice on how to securely store the data.
The procedure I want is this:
User logs in with JavaScript popup -> check if the Facebook ID exists in a MySQL table; if not, save it with additional info -> user is logged in
    <script type="text/javascript">
    window.fbAsyncInit = function() {
        FB.init({
            appId: 'YOUR_APP_ID',
            status: true,
            cookie: true,
            oauth: true
        });
        FB.Event.subscribe('auth.login', function(response) {
            // response is a JSON object containing data relevant to the logged in user.
            var userID = response.authResponse.userID;
            // using jQuery to perform the AJAX POST.
            $.post('form_handler.php', {userID: userID}, function() {
                // POST callback
            });
        });
    };
    </script>
Your form_handler.php file would need to be set up to fetch the userID variable from $_POST. From there you can use SQL to check if the user already exists, etc.
If your concern is that the userID JavaScript variable can be easily tampered with, I suggest using the PHP SDK within the form_handler.php file to grab the current uid. Inside form_handler.php, here (in the most basic form) is what you would need to do:
    <?php
    require('facebook.php');
    $facebook = new Facebook(array(
        'appId'  => 'YOUR_APP_ID',
        'secret' => 'YOUR_APP_SECRET'
    ));
    // get the ID of the currently logged in user (0 if nobody is logged in)
    $user = $facebook->getUser();
    // SQL queries (check if user exists, insert, etc.)
    ?>
The above code assumes you've migrated your app to OAuth 2.0.
After a successful login with the Facebook JS Login, call this function testAPI():
yourJSfile.js
    var facebook_response;

    function testAPI() {
        console.log('Welcome! Fetching your information.... ');
        FB.api('/me', function(response) {
            var json = JSON.stringify(response);
            // keep the profile for one day in a cookie the PHP page can read
            setCookie("fbresponse_" + response.id, json, 1);
            facebook_response = response;
            doLocalPosiive();
            // debug output of every field in the response
            for (var propt in response) {
                console.log(propt + ': ' + response[propt]);
            }
        });
    }

    function setCookie(c_name, value, exdays) {
        var exdate = new Date();
        exdate.setDate(exdate.getDate() + exdays);
        var c_value = encodeURIComponent(value) + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
        document.cookie = c_name + "=" + c_value;
    }
The testAPI function converts the response to a JSON string and saves it in a cookie. On your PHP page you can retrieve the cookie and parse the signed_request (and verify the signed request with your valid app_secret, which is known to you alone, I guess), decode the JSON response, and then do whatever you want with it safely in your PHP/MySQL.
thePHPfile.php
    <?php
    function getSignedRequest($app_id){
        // the JS SDK stores the signed_request in a cookie named fbsr_<app_id>
        if(isset($_COOKIE["fbsr_{$app_id}"])){
            return $_COOKIE["fbsr_{$app_id}"];
        } else {
            return false;
        }
    }

    function parseSignedRequest($signed_request, $secret){
        $parts = explode('.', $signed_request, 2);
        if(count($parts) !== 2){
            error_log("Malformed signed_request");
            return null;
        }
        list($encoded_sig, $payload) = $parts;
        // Decode the data
        $sig = base64_url_decode($encoded_sig);
        $data = json_decode(base64_url_decode($payload), true);
        if(!is_array($data) || strtoupper($data['algorithm']) !== 'HMAC-SHA256'){
            error_log("Unknown Algorithm. Expected HMAC-SHA256");
            return null;
        }
        // Verify the signed_request: the HMAC is computed over the still-encoded payload
        $expected_sig = hash_hmac('sha256', $payload, $secret, true);
        // hash_equals compares in constant time
        if(!is_string($sig) || !hash_equals($expected_sig, $sig)){
            error_log("Bad Signed JSON signature!");
            return null;
        }
        return $data;
    }

    function base64_url_decode($str){
        // signed_request uses unpadded base64url; base64_decode (non-strict) tolerates the missing padding
        return base64_decode(strtr($str, '-_', '+/'));
    }

    // Please edit the next 2 lines
    $app_id = "314xxxxxxxxx990";
    $app_secret = "56b5eaxxxxxxxxxxxxxxxxxxx37c799";

    if($fbsr = getSignedRequest($app_id)){
        $response = parseSignedRequest($fbsr, $app_secret);
        if($response && !empty($response['user_id']) && isset($_COOKIE["fbresponse_{$response['user_id']}"])){
            $js_response = $_COOKIE["fbresponse_{$response['user_id']}"];
            $response_array = json_decode($js_response, true);
            // you can perform your database activities here now
        }
    }
    ?>
Please don't forget to edit your APP_ID and APP_SECRET. I hope you or someone else finds this useful.