Never develop for Facebook canvas

Some time ago we started a project (like a social game) mainly targeting Facebook audience. We decided to base it on Facebook Canvas technology, not to be confused with, which is business presentation layout. Basically it loads your web application into iframe inside the familiar Facebook user interface page on an URL like{your-application-machine-name}.

At first, it seemed to be a cakewalk and the technology matching our expectations just right:

  1. The users are presented with a Facebook interface they are already familiar too.
  2. The users doesn’t have to login if they are logged in to Facebook. They just have to sign up to the application the very first time they access it.
  3. We can use Facebook’s Invitation Dialog that sends game invitations to selected Facebook friends of the user.
  4. We can use Canvas Payment service instead of implementing some payment gateway support in our application.
  5. We can automatically create Facebook groups for user teams in our application.

But when we started to dive more and more deeper into Facebook Canvas development, the disadvantages started to show up one by one:

  1. It required us to host our application (what is loaded into the iframe) on SSL URL so we had to buy an SSL certificate. While not a big deal and good for security but why SSL is also required for a test version of the application?
    Facebook allows registering a test version(s) of your canvas application with different URL(s), which can point to local host the hustle for code testing. But it’s all ruined by this SSL requirement so you end up telling your browser is safe even with self-created certificate. Honestly speaking, I failed to solve this issue permanently for Google Chrome browser on Windows even after adding my certificate to white list following some guidelines I found on the web.
  2. The whole Facebook Canvas system seems to be not developed for web applications with link transitions and POST forms. I think they targeted mainly Flash or JS applications that always stay on the same URL.
    If you refresh the iframe or follow some link, it will lost all the Facebook authentication data. So we had to save the login data in user session on our side and restore on page load if original Facebook data is not available. AFAIK, this may not work for some old IE version that do not save cookies for iframes.
  3. Another thing is that the URL in your browser stays the same when you surf between application pages in the iframe so if you refresh the Facebook page, you will go back to the application’s page you started with. At the same time, Facebook allows coding application local paths into Facebook Canvas URL like:{your-application-machine-name}/{path-inside-your-application}. So, if you open an URL like{your-application-machine-name}/my/test/page it will load https://{your-application-base-URL}/my/test/page into the iframe.
    I ended up implementing a JS trick that intercepted any link lick event and reloaded the main frame of the browser with corresponding Facebook URL. This is what I didn’t like the most: a JS failure or slow page load may cause the user to click an original link.
    Still I had to save login data to user session in order to restore it after POST request sent by any form in my application. This approach did not allow having form targets reside on URLs different to the current page but that was fine to me.
    Those could be considered a root issues of using the iframe tag to load the Canvas application but why aren’t they all documented?
    All in all it seems that you should better use pjax or any similar JS technology to process requests and update the application page w/o doing a n iframe reload actually.
  4. While Facebook have a mobile version, there is nothing like that for It doesn’t matter you made a responsive layout in your application, the whole page still uses a desktop layout making your page inside iframe use it too. This makes mobile user see a conventional desktop Facebook page with sidebars and menus, zoomed out to fit inside tiny mobile device screen. This is just unacceptable.
  5. Facebook Canvas for Games have a nice feature called invitations. The user could pick some of his or her Facebook friends and send them invitation messages, which will bring them to the game if clicked. The invitation messages will appear below the Notifications (globe) icon on the Facebook menu when you click it. This is just nice and you know what? The invitation messages are completely not shown in mobile version of Facebook ( and in mobile Facebook application. Everything else is shown but not the game invitations. And as Facebook support answered, this is not a bug, it’s a “feature”. They don’t want to annoy mobile users with Canvas game invitations assuming Facebook Canvas is not for mobile devices at all.
    Taking into account that most of our users accessed Facebook via mobile devices, we had to fallback to old-style email invitations for recipient addresses manually entered by the user.
  6. The invitation dialog itself is a complete disaster. It shows “Send” button right to each friend on your list but it doesn’t actually send anything until you click the OK button in the bottom of the dialog which is very hard to notice. So many times our users fall into this mistake thinking they invited their friends while no invitation was on the way. And as the dialog is provided by Facebook, we could not alter it much. The worst problem there is not other way your application may message the users who didn’t yet signed up to the application.
  7. Another issue with the Invite Dialog is that it doesn’t indicate the users you already invited resulting in duplicate invitations sent to the same user.
  8. Facebook Canvas have also a nice feature called Canvas Payments. With a few lines of JS code you can accept payments from wide variety of services: PayPal, credit cards, mobile payments, etc. But it all goes for a price of draconian 30% commission, which we didn’t notice when we made the decision to use the service. It turned out our application could not commercially success with such a high rate for processing payments.
  9. Another problem with Canvas Payments is that it only works in one direction: from the user to the Facebook (and eventually to your bank account). If you want the users to monetize their achievements in your game, you should pick another service like PayPal at least for payouts.
  10. And finally the application groups feature went deprecated this year without any replacement provided. So you cannot generate Facebook groups and invite members from your application anymore. This is quite sad as we just loved the feature for hosting internal conversations or team members within our game.


Facebook Canvas seems to be a good way to promote your application if it is already successful as a web or mobile application. At any way it shouldn’t be considered as the primary publication platform unless for a simple one-page application. You should consider Facebook Canvas for providing as a limited version of your application or just as a gateway to it. The whole Facebook Canvas platform seems to be ageing and it looks like Facebook may abandon it later either completely or partially.

You shouldn’t use Facebook Canvas Payments if small commission rate is critical for your commercial success. If you’re going to allow users monetize their achievements or get paid for anything else, you should consider a different service like PayPal.

You should have a mobile (Android/iOS) application if you’re targeting mobile users. Facebook allows some integration with the mobile application(s) you specify in your Canvas application profile.

All in all, it turned out that for us it would better if we developed a stand-alone web application with Facebook Login function and PayPal payments instead of relying on Facebook Canvas and Canvas Payments. It was a huge failure but I hope somebody will learn from our mistake.

Avoiding emails sent from PHP getting blocked by Gmail

Many times I had problems with emails sent from my applications were rejected by Gmail. One of customers told me that adding “Return-Path” header with the same address as “From” field should fix that and it worked like a charm! Quite interesting as I never found this documented.

Also, to avoid getting your emails filtered as “spam”, you can add SPF and DKIM records. The easiest way is to enable it directly on the mail server so you don’t have to change your PHP code at all. On cPanel it’s just a matter of setting two checks on Email Authentication page. I wish they were checked by default.

Changing array from within the foreach loop

A very basic PHP syntax thing usually ignored by developers is that you can directly update current element from within the foreach loop.

Just precede value variable with & character and it will be assigned by reference:

$arr = array(1, 2, 3, 4);
foreach ($arr as &$value) {
    $value = $value * 2;

Read more

Easy way to automatically update commercial WordPress plug-ins

Update notification for a commercial plug-in

WordPress CMS has a nice auto update feature that displays update notifications for outdated plug-ins and themes in admin panel. Once you got a notification you can go to Dashboard->Updates and install all updates with few clicks while WordPress will automatically download and extract archives, remove old versions and reactivate plug-ins for you.

The only problem is  that it works for plug-ins published on which are open-source so it’s not an option for commercial plug-ins.

Luckily there is a very good solution to this problem: Upgrademe plug-in.

Read more

Admintasia: awesome design template for web applications

PS. The post was written so long time ago. Now I’m happy we can simply use Twitter Bootstrap and get working application/site design in seconds.

Unlike desktop applications which rarely use “skins”, web applications look ugly and unprofessional w/o a design template. However, building unique design for each project sometimes is just not affordable, especially for back-end, admin and other data analysis and management applications. At the other hand, if you look for free or commercial design templates available, you’ll find nothing but website templates which doesn’t have elements like cascading menus, dialog, grid, form elements and others usually required for an application user interface.

Sad but true, except this little thing: Admintasia 2.1. Powered with jQuery and jQuery IU it has all the elements you need to build rich professional user interfaces.

Read more

Cascade update fails on MySQL for foreign keys referring to the same table

Recently I noticed that ON UPDATE CASCADE rule falis in MySQL on InnoDB tables if a foreign key references the same table, which is usual for tree-like data structured. At the same time ON DELETE CASCADE works fine.

This  is not corresponding to SQL standard but it’s already stated in MySQL manual:

Deviation from SQL standards: If ON UPDATE CASCADE or ON UPDATE SET NULL recurses to update the same table it has previously updated during the cascade, it acts like RESTRICT

It was also reported as a bug but rejected years ago.

Read more

Enabling/Disabling HTML elements with jQuery 1.6+

After upgrading to jQuery 1.6+ you’ll find that code you used to enable/disable elements doesn’t work anymore:

//This is supposed to enable element(s) before jQuery 1.6:
$("some-selector").attr("disabled", "");
//This is supposed to disable element(s) before jQuery 1.6:
$("some-selector").attr("disabled", "disabled"); 

But now the code above doesn’t change anything. So what’s the problem?

Read more

PDFmyURL: export web pages with JavaScript elements to PDF on shared hosting

Customers and users sometimes ask for an ability to save some reports from web applications to PDF files. It could be very tricky to write PDF directly but as far as you already have those reports on web pages you can add printable views of them and then ability to convert HTML/CSS of the pages to PDF, say with dompdf library.
This way you can hit two targets: add printing of reports and PDF export. Dompdf is still in beta but at least it could work on shared hosting AFAIK.

But what if you need to export web pages with JavaScript canvas elements like Flot charts that are plotted on browser side only? All available solutions require installing executables which is usually problematic on shared hosting.

The solution is which you can easily use as a web-service: send GET requests with URL of the page you want to export and get PDF file as a response. The service is based wkhtmltopdf. As you can see, it’s good enough to convert pages with Flot charts:

You can call the service from JavaScript on your pages or from server-side scripts via any HTTP client library like cURL. All wkhtmltopdf options are supported and could be passed as GET request parameters.

Their free service inserts very small watermark to each page which is usually not a problem. But of course you can upgrade to paid service to remove it.

Beware: Estimated result count in Google AJAX Search API is incorrect

If you need to get Google search result count for some query, using estimatedResultCount from Google AJAX Search API sounds like a winner. However, the number reported as estimatedResultCount doesn’t match the number displayed on regular search pages and could be different in many times. This is known issue since 2008 and it seems it will never be fixed.

So if you want more correct result count, the extract it from regular Google search page. Alternatively you can use Yahoo or Bing APIs as they report the same numbers to displayed on their regular search pages.

UPDATE: It was found that regular Google search pages display even more rough estimated result count than Google AJAX Search API. For example, query for "" (w/ quotes) it reports "About 1,380 results" while only finds 284 pages. Bing reports 55 results while finds 50-52 and Yahoo reports 210 results while finds 55. So using Bing or Yahoo API for analysis of result counts is likely more accurate.

Flot: Amazing JavaScript/jQuery/AJAX charting library

When I developed Windows desktop applications I was tied to ProEssentials library which was powerful yet expensive and had weird and very limiting API. Don’t want to say anything bad about ProEssentials developers but, OMG, their API contains hundreds of properties and functions you have to go through just to find few ones you really need. Not only do many of them have strange names, but they also do very strange things))).
How do you like “ForceVerticalPoints” property? How in this World could points be vertical or horizontal? Well, it’s actually about point labels… Enough about that horror.

Thank to Flot library, charting for the Web made extremely easy yet powerful and extensible. Flot is jQuery plug-in which means you can use all power of jQuery for setting it up, passing data to it and reacting to its events. Moreover, chart plotting happens on the browser side which means your server isn’t slowed down by producing chart pictures. And this also means you can add interactive features to your chart like point tooltips, zooming, live AJAX updates or display options applied w/o page reload.

Read more