Facebook Development: Too Soon!

I haven't added my app to the Facebook directory or even told anyone about it yet; nevertheless, I somehow wound up with more than 1000 users in my database! (And oddly, Facebook only mentioned 299 "monthly active users"; I wonder how they got that number?)

The app is nowhere near ready, and I don't anyone seeing my plans, since stealing Facebook app ideas is rampant (just look at anything by Zynga)! So I shut it down.

But I still need to develop. And I'd like to let my friends visit, since they'll give me good feedback without causing me trouble. What to do?

Program them in, of course. Read on for my three-step approach.

Preconditions: shut down the app to everybody. Visit and make sure that nobody can get in. After the bit that verifies I've got a valid user ID, just add this snippet:

echo "<error message="Too soon!">This app is not ready for release yet.  Please come back later.</error>\n";
return;

Okay, now we're ready to start letting people in, selectively.

First step: don't let anybody in but me. Since my user ID is 1077135837, that's as easy as can be. I just checked to see if the valid user id was mine:

if ($user_id != 1077135837) {
  echo "<error message="Too soon!">This app is not ready for release yet.  Please come back later.</error>\n";
  echo "<p>Thanks for visiting, <name uid="$user_id" linked="false" useyou="false"></name>.</p>";
  return;
}

The "Thanks for visiting" message is my not-too-subtle debugging attempt; if I can't get in, I'd like to know what user ID it thinks I'm using.

Okay, step 2: allow my friends in. Luckily, Facebook passes a POST variable with all the visitor's friends' user IDs. (Say that three times fast!) I just search in there to see if mine is listed, using PHP's handy-dandy in_array() and explode() functions. Since I'm using my user ID twice, I turn it into a variable, $me.

$me = 1077135837;
if ($user_id != $me) {
  $friends = explode(',', $_POST['fb_sig_friends']);
  if (!in_array($me, $friends)) {
    echo "<error message="Too soon!">This app is not ready for release yet.  Please come back later.</error>\n";
    echo "<p>Thanks for visiting, <name uid="$user_id" linked="false" useyou="false"></name>.</p>";
    return;
  }
}

So now my friends can all get in, too. This is exactly what I want.

Step 3: allow friends of my friends to get in. This may seem counter-intuitive, but consider it an invitation-only release process. It'll prevent my app from getting too big too quickly, allow me a chance to correct errors with a group of reasonably forgiving people, and judge whether I need to buy a standalone server.

The idea here is to check the database for each user in the visitor's friends' list. Some people have really big friend lists, though; rather than running a query for each friend, I'd rather just run a single query returning all the friends. Heck, even just a count of friends who are in the database would be enough for this! Since databases vary, I can only provide some sample SQL here. You'll have to modify it for your needs:

$safe_friends = mysql_real_escape_string($friends);
$sql = "SELECT COUNT(u.id) FROM users AS u WHERE u.id IN ($safe_friends)";
$rows = mysql_query($sql, $dblink);
$result = mysql_fetch_row($rows);
if ($result === false || $result[0] &lt;= 0) {
  // You're not allowed... yet.
}

So, there you go! Effective, simple user filtering for your unreleased Facebook app.