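<?php
// ===== Official sample - callback.php (comments translated from the Japanese edition) =====
//
// Facebook Credits callback endpoint. Facebook POSTs a `signed_request`
// (HMAC-SHA256 signed with the app secret) together with an unsigned `method`
// parameter; this script verifies the signature, dispatches on `method` and
// echoes a JSON document back.
//
// Security notes for anyone adapting this sample:
//   * `$secret` MUST be the real app secret. With an empty secret the HMAC
//     check is worthless, so parse_signed_request() refuses to run.
//   * Only the `signed_request` payload is authenticated. `method` is a plain
//     request parameter and is used for dispatch only.
//   * Item details (in particular the price) must be built server-side from
//     the order id / order_info reference. Accepting client-supplied item JSON
//     is a development convenience and stays disabled unless
//     $allow_client_item_info is explicitly set to true.
//   * A request whose signature does not verify is rejected with HTTP 400; the
//     original sample left that branch empty and kept processing the
//     unauthenticated (null) payload.

$app_id = '';
$secret = '';
// Development aid only: when true, a JSON object carried in `order_info` is
// used as the item description (price included) instead of being built
// server-side. Never enable this in production.
$allow_client_item_info = false;
include_once 'facebook.php';

$response = handle_credits_callback($_REQUEST, $secret, $allow_client_item_info);
if ($response === null) {
    // Missing, malformed or forged signed_request: refuse instead of answering.
    http_response_code(400);
    $response = array('error' => 'invalid signed_request');
}
header('Content-Type: application/json');
// send data back
echo json_encode($response);

/**
 * Build the callback response for one Credits request.
 *
 * @param array  $request                Request parameters (normally $_REQUEST);
 *                                       'signed_request' and 'method' are read.
 * @param string $secret                 App secret used to verify the signature.
 * @param bool   $allow_client_item_info Dev-only: accept item JSON from order_info.
 * @return array|null Response document with 'content' and 'method', or null when
 *                    signed_request is missing, malformed or fails verification.
 */
function handle_credits_callback(array $request, $secret, $allow_client_item_info = false)
{
    if (!isset($request['signed_request']) || !is_string($request['signed_request'])) {
        return null;
    }
    // Verify and decode the signed data.
    $signed = parse_signed_request($request['signed_request'], $secret);
    if ($signed === null || !isset($signed['credits']) || !is_array($signed['credits'])) {
        return null;
    }
    $payload = $signed['credits'];

    // `method` is NOT covered by the signature: use it for dispatch only.
    $func = (isset($request['method']) && is_string($request['method'])) ? $request['method'] : '';
    $order_id = isset($payload['order_id']) ? $payload['order_id'] : null;

    // Return data container.
    $data = array('content' => array());
    if ($func === 'payments_status_update') {
        $status = isset($payload['status']) ? $payload['status'] : null;
        // Sample logic: a newly placed order is moved straight to 'settled'.
        // A real application would validate / fulfil the order here first.
        if ($status === 'placed') {
            $data['content']['status'] = 'settled';
        }
        $data['content']['order_id'] = $order_id;
    } elseif ($func === 'payments_get_items') {
        // The API expects a list of item descriptions under 'content'.
        $data['content'] = array(build_get_items_entry($payload, $allow_client_item_info));
    }
    // Any other method is echoed back with empty content, as in the original.

    // required by api_fetch_response()
    $data['method'] = $func;
    return $data;
}

/**
 * Build the single item description returned for payments_get_items.
 *
 * By default the item is constructed server-side (here: a fixed sample item)
 * from whatever reference `order_info` carries. Only when
 * $allow_client_item_info is true and `order_info` decodes to a JSON object is
 * that object used as the item -- the user can modify it freely, so it is
 * suitable for testing only. In the original sample this second path was
 * unreachable because is_string() was tested on the result of stripcslashes().
 *
 * @param array $payload                The 'credits' section of the signed request.
 * @param bool  $allow_client_item_info Dev-only switch described above.
 * @return array Item description (title, price, description, image_url, product_url).
 */
function build_get_items_entry(array $payload, $allow_client_item_info = false)
{
    $raw = isset($payload['order_info']) ? $payload['order_info'] : '';
    // order_info arrives as an escaped JSON string; strip the escapes before decoding.
    $order_info = is_string($raw) ? json_decode(stripcslashes($raw), true) : $raw;

    if (!$allow_client_item_info || !is_array($order_info)) {
        // Production path: build the item from data you control
        // (form parameters, a DB lookup keyed by the order id, etc.).
        return array(
            'title' => 'BFF Locket',
            'price' => 1,
            'description' => 'This is a BFF Locket...',
            'image_url' => 'http://www.facebook.com/images/gifts/21.png',
            'product_url' => 'http://www.facebook.com/images/gifts/21.png',
        );
    }

    // Development path: item information supplied by the caller. Note that this
    // information can be modified by the user if not verified by your callback.
    $item = $order_info;
    $item['price'] = isset($item['price']) ? (int) $item['price'] : 0;

    // Make sure the URLs carry a scheme; an https:// URL is left untouched
    // (the original prefixed "http://" to it, producing "http://https://...").
    foreach (array('product_url', 'image_url') as $key) {
        $url = isset($item[$key]) ? (string) $item[$key] : '';
        if (!preg_match('#^https?://#', $url)) {
            $url = 'http://' . $url;
        }
        $item[$key] = $url;
    }

    // test-mode marking
    if (isset($payload['test_mode'])) {
        foreach (array('title', 'description') as $key) {
            $item[$key] = '[Test Mode] ' . (isset($item[$key]) ? $item[$key] : '');
        }
    }
    return $item;
}

// you can find the following functions and more details
// on http://developers.facebook.com/docs/authentication/canvas

/**
 * Verify and decode a Facebook signed_request ("<sig>.<payload>", base64url).
 *
 * @param string $signed_request Raw signed_request parameter.
 * @param string $secret         App secret; the HMAC-SHA256 key.
 * @return array|null Decoded payload, or null when the input is malformed, the
 *                    algorithm is not HMAC-SHA256, the secret is unset, or the
 *                    signature does not match.
 */
function parse_signed_request($signed_request, $secret)
{
    if (!is_string($secret) || $secret === '') {
        // An empty key would let anyone forge a valid signature.
        error_log('App secret is not configured');
        return null;
    }
    if (!is_string($signed_request) || strpos($signed_request, '.') === false) {
        error_log('Malformed signed_request');
        return null;
    }
    list($encoded_sig, $payload) = explode('.', $signed_request, 2);

    // decode the data
    $sig = base64_url_decode($encoded_sig);
    $data = json_decode(base64_url_decode($payload), true);
    if (!is_array($data) || !isset($data['algorithm']) || !is_string($data['algorithm'])
        || strtoupper($data['algorithm']) !== 'HMAC-SHA256') {
        error_log('Unknown algorithm. Expected HMAC-SHA256');
        return null;
    }

    // check signature (constant-time compare; the original used !==)
    $expected_sig = hash_hmac('sha256', $payload, $secret, true);
    if (!is_string($sig) || !hash_equals($expected_sig, $sig)) {
        error_log('Bad Signed JSON signature!');
        return null;
    }
    return $data;
}

/**
 * Decode a base64url string (RFC 4648 "URL and filename safe" alphabet).
 *
 * @param string $input base64url text, padding optional.
 * @return string|false Decoded bytes, or false if base64_decode() fails.
 */
function base64_url_decode($input)
{
    return base64_decode(strtr($input, '-_', '+/'));
}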