Facebook Connect Ping vs. Redirect URL?

I almost have facebook connect working the way I need it on my site, I need to work out a couple bugs still, below is from the facebook connect documents, it list the 3 different URL options below in the settings of FB connect. This could be very useful for me because when a user logs in for the 1st time on my site with facebook, I need to create there mysql profile with profile data from facebook.

Ok so I am a bit confused, I understand a Redirect URL just redirects the browser to a page but you can see that 2 of these links I save below are for a Callback URL, so I take it that facebook post data to the URL's I provide? If I am correct, how can I know what data it post back in the Ping?

1)

Post-Authorize Callback URL: Facebook pings this URL when a user authorizes your application for the first time. You can also call users.isAppUser to determine if the user has authorized your application.

2)

Post-Authorize Redirect URL: You can redirect a user to this URL after the user authorizes your application for the first time. You can use this URL only if the user authorizes your application through login.php and not the login dialog.

3)

Post-Remove Callback URL: Facebook pings the URL when a user removes your application.

When the user redirects in the browser I can run code like this to get there profile data from facebook but I am not sure about when facebook pings data?

$user_details=$fb->api_client->users_getInfo($fb_user, array('las开发者_如何转开发t_name', 'first_name', 'proxied_email','birthday_date', 'sex', 'is_app_user', 'current_location', 'about_me', 'activities', 'interests', 'relationship_status', 'pic_big', 'pic_small', 'books'));  

$firstName = $user_details[0]['first_name']; 
.....

I don't think I completelly understand your question, so I'll try to answer what I can - if there's anything missing, please comment here and I'll edit the answer accordingly.

You're right assuming that Facebook sends POST data when pinging. So, basically what you'd do on the endpoint given (the url you told facebook to ping) is to read the $_REQUEST dict for the data you want. A list of every parameter Facebook sends on ping can be found here.

What would happen is the following:

1. User clicks to connect with your site with Facebook Connect
2. A Facebook log-in page shows a confirmation to the user asking if he allows this operation
3. If allowed, Facebook sends the POST data to the specified URL asap

The same happens when the user removes herself from your site through Facebook Connect.

Please note that you should validate carefully the data received on your endpoint. Since you're creating persistent data on every post request, at least ensure the requests can only be received from facebook.

Alternatively, you can just redirect the user somewhere after the authorization, call users_getInfo and check if is_app_user is true. If so, you go on creating your entities on your database.

1) Post-Authorize Callback is the url Facebook will POST some data to when a user authorizes your application/site. This is through ANY means, not just through Facebook Connect. You should keep the user ID that is passed with this so you can track which users have authorized your application/site. You can then use the user ID to send messages to (i.e. notifications) the user, typical app-to-user messages. It's "ping" because Facebook ignores any response you send. You don't respond.

2) After a user authorizes your application, you can optionally have Facebook send the user to this URL. For example, a welcome page and/or introduction. This does not happen under Facebook Connect, only under the Facebook platform.

3) Exactly the opposite of #1. Facebook just lets you know that someone removed/deauthorized your application. Again, you don't need to respond.

Items #1 and #2 is how you keep track of which user IDs have authorized your application. You cannot query Facebook for this. Facebook writes a cookie under your domain if the user is logged into Facebook and has connected with your site. You can always check for this cookie when a user arrives and log them in automatically to your site. You should verify the cookie data, of course. Instructions for doing that are here: http://wiki.developers.facebook.com/index.php/Verifying_The_Signature