I am using this code for facebook like callback:

           <script type="text/javascript">
                FB.Event.subscribe('edge.create', function(response) {
                  // php script to call via ajax
                });
           </script>

The problem is that if i call a php script (for example http://www.test.com/addfacebook?id=xx&user=xxx&code=xxxx) someone can see my javascript and run this page and even spam it or use it without have liked first.

The concept is that i want to give a unique special discount code to every user likes the page. So on callback I want to store in database and id, the user real name from facebook and the discount code I created for him.

How to do it so someone can't override it (as it is javascript)?

Thanks a lot!

The easiest way to get at what you are doing is to verify the user is legitimate. I would have your ajax action have parameters that include the FacebookID and the access_token. This will prevent anyone from gaming your system.

Since you are using the FB JS SDK - just make a call to the API like so:

FB.getLoginStatus(function (loginResponse) {
            FB.api('/me', function (graph) {
                var token = loginResponse.session.access_token;
                var fbid = loginResponse.session.uid;
        } else {
            // no user session available, someone you dont know
        }
    });

I'd put this in your FB.Event.subscribe and use the token and fbid vars accordingly.

Hope this helps!

You can use the PHP SDK to verify the token Joey mentioned, once you have the token on the server use something like this:

$facebook = new Facebook(); // Replace the line with the call that sets the app id and secret
$user = $facebook->api('/me',array('access_token',$_GET['access_token']));

Then check the value in $user