Question

In the code below there is a variable that is never defined. That variable is $access_token. Code needs to be added that will get a fresh access token so that the program can execute without generating any exceptions. I have been reading the Facebook documentation on OAuth flow etc. but I cannot seem to figure out how to get one of these access tokens that this code finds acceptable. Does anyone know what can be done with this?

<?php

define('YOUR_APP_ID', 'x');
define('YOUR_APP_SECRET', 'x');

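function get_facebook_cookie($app_id, $app_secret) {
  // No session cookie yet: the user has not logged in.
  if (!isset($_COOKIE['fbs_' . $app_id])) {
    return null;
  }
  $args = array();
  parse_str(trim($_COOKIE['fbs_' . $app_id], '\\"'), $args);
  ksort($args);
  // Rebuild the signed payload from every field except the signature itself.
  $payload = '';
  foreach ($args as $key => $value) {
    if ($key != 'sig') {
      $payload .= $key . '=' . $value;
    }
  }
  // Reject the cookie unless its signature matches (constant-time comparison).
  if (!isset($args['sig']) || !is_string($args['sig']) || !hash_equals(md5($payload . $app_secret), $args['sig'])) {
    return null;
  }
  return $args;
}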

$cookie = get_facebook_cookie(YOUR_APP_ID, YOUR_APP_SECRET);

$access_token="214620421927216|fAAieRnJoDaWmBsG1stxfq4zKN4";
$url = 'https://graph.facebook.com/me?access_token=' . $access_token;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// Verify the server certificate so the access token is only sent to the real endpoint.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
$response = curl_exec($ch);
curl_close($ch);

$user = json_decode($response);
print_r($user);

?>
<html>
  <body>
    <?php if ($cookie) { ?>
      Welcome <?php  ?>
    <?php } else { ?>
      <fb:login-button></fb:login-button>
    <?php } ?>
    <div id="fb-root"></div>
    <script src="https://connect.facebook.net/en_US/all.js"></script>
    <script>
      FB.init({appId: '<?= YOUR_APP_ID ?>', status: true,
               cookie: true, xfbml: true});
      FB.Event.subscribe('auth.login', function(response) {
        window.location.reload();
      });
    </script>
  </body>
</html>

Solution

This code proved to be much more useful in obtaining the proper access token.

<?php 

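$app_id = "YOURS";
$app_secret = "YOURS";
$my_url = "YOURS";

session_start();
// 'code' is absent on the first visit, before Facebook redirects back.
$code = (isset($_REQUEST['code']) && is_string($_REQUEST['code'])) ? $_REQUEST['code'] : '';
// Escape the request value before echoing it into the page.
echo htmlspecialchars($code, ENT_QUOTES, 'UTF-8') . "<br>";

if (empty($code)) {
    // CSRF protection: unpredictable state value bound to this session (PHP 7+).
    $_SESSION['state'] = bin2hex(random_bytes(16));
    $dialog_url = "https://www.facebook.com/dialog/oauth?client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url) . "&state=" . $_SESSION['state'];
    echo("<script> top.location.href='" . $dialog_url . "'</script>");
    // Stop here; the rest runs only after Facebook redirects back with a code.
    exit;
}

// Both values must be present and equal; hash_equals() compares in constant time.
if (isset($_REQUEST['state'], $_SESSION['state']) && is_string($_REQUEST['state']) && hash_equals($_SESSION['state'], $_REQUEST['state'])) {
    // Exchange the authorization code for an access token.
    $token_url = "https://graph.facebook.com/oauth/access_token?" . "client_id=" . $app_id . "&redirect_uri=" . urlencode($my_url) . "&client_secret=" . $app_secret . "&code=" . urlencode($code);

    $response = file_get_contents($token_url);
    $params = null;
    parse_str($response, $params);

    $graph_url = "https://graph.facebook.com/me?access_token=" . urlencode($params['access_token']);

    $user = json_decode(file_get_contents($graph_url));
    // Escape the profile name before writing it into the page.
    echo("Hello " . htmlspecialchars($user->name, ENT_QUOTES, 'UTF-8'));
} else {
    echo("The state does not match. You may be a victim of CSRF.");
}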

?>
Licensed under: CC-BY-SA with attribution
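
The state check that the answer's OAuth flow relies on, as an added example that is not part of the original answer: the value comes from a CSPRNG, is compared in constant time, and is consumed on first use so a replayed callback fails. The names `issue_state` and `verify_state`, the 600-second lifetime and the array standing in for `$_SESSION` are assumptions made for illustration.

```php
<?php
// Added example, not the answerer's code. $session stands in for $_SESSION
// so the script runs from the command line; all names here are hypothetical.

const STATE_TTL = 600; // assumed lifetime of a pending login, in seconds

// Create an unpredictable state value and remember it with its issue time.
function issue_state(array &$session, int $now): string {
    $state = bin2hex(random_bytes(16));
    $session['oauth_state'] = ['value' => $state, 'issued' => $now];
    return $state;
}

// Check the state returned on the OAuth callback. The stored value is
// removed before comparing, so each state can be redeemed at most once.
function verify_state(array &$session, $returned, int $now): bool {
    $stored = $session['oauth_state'] ?? null;
    unset($session['oauth_state']);
    if (!is_array($stored) || !is_string($returned)) {
        return false; // nothing issued, or a missing/array-valued parameter
    }
    if ($now - $stored['issued'] > STATE_TTL) {
        return false; // login was started too long ago
    }
    return hash_equals($stored['value'], $returned); // constant-time compare
}

// Constructed callbacks exercising each outcome.
$session = [];
$now = 1700000000; // fixed clock so the run is repeatable

$state = issue_state($session, $now);
var_dump(verify_state($session, $state, $now + 5));      // matching callback
var_dump(verify_state($session, $state, $now + 6));      // same state replayed
issue_state($session, $now);
var_dump(verify_state($session, 'not-the-issued-value', $now + 5)); // mismatch
$state = issue_state($session, $now);
var_dump(verify_state($session, $state, $now + 601));    // expired
var_dump(verify_state($session, null, $now));            // parameter absent
```

Only the first call succeeds; in a web request the same two functions would be called with `$_SESSION` and `time()`.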