CodeIgniter Forums
Facebook Webhooks API - Printable Version

+- CodeIgniter Forums (
+-- Forum: Using CodeIgniter (
+--- Forum: General Help (
+--- Thread: Facebook Webhooks API (/showthread.php?tid=68026)

Facebook Webhooks API - tan87 - 05-11-2017

Not sure whether you guys can help me out here.

I have worked on CI for other project and it is working perfectly fine.

However, when I am trying to use CI for one of my Facebook Webhooks projects, it seems that CI is filtering the data posted from Facebook but if i create a standalone PHP file using the same code (except the GET/POST function which using CI $this->input), it is working fine.

When I enable CI debug mode, this is the debug log available:
DEBUG - 2017-05-12 02:18:51 --> Global POST, GET and COOKIE data sanitized

I have checked the HTTP log as well, HTTP 403 is returned for all Facebook post to CI.

I would really like to use CI for all my project. Hope someone out there will have some idea

RE: Facebook Webhooks API - Martin7483 - 05-12-2017

Is CSRF protection enabled?

RE: Facebook Webhooks API - tan87 - 05-12-2017

Does not seems to work too as I disable it.

RE: Facebook Webhooks API - antony - 05-12-2017

Could you provide an example of what you're trying to achieve, and how you tried doing it in CI?

RE: Facebook Webhooks API - tan87 - 05-14-2017

Thanks antony.

Ok, when performing Facebook verification, FB send a GET request to CI and it is working fine for the verification part.

Quote:if (isset($_GET['hub_verify_token'])) {
   if ($_GET['hub_verify_token'] === 'lgC5XeJwYCJgaMfdTzit') {
       echo $_GET['hub_challenge'];
   } else {
       echo 'Invalid Verify Token';
However, when FB do a postback for data , it is posting via POST which we need to extract it using this code. This code is inside the controller.
$input = json_decode(file_get_contents('php://input'), true);

However, CI response 403. No matter what I do.

RE: Facebook Webhooks API - InsiteFX - 05-14-2017

Do you by any chance have xss_clean turned on?

I checked the input core and it does nothing to the input stream unless you have xss_clean turned on.