Reading this Ajax example,
http://wiki.developers.facebook.com/index.php/FBJS/Examples/Ajax#Working_Example
I found the following line. I'm not sure what to make of it: how do you "check the sig values per Platform spec"?
"Note: For brevity's sake we are trusting $_POST['fb_sig_user'] without checking the full signature. This is unsafe as anyone could easily forge a user's action. Always be sure to either use the Facebook object which is supplied with the client libraries, or check the sig values per Platform spec"
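As an added example (not from the question, the wiki page, or Facebook's own client library), here is the check that note refers to, written in Python rather than the PHP of the original: the legacy Platform scheme signs every `fb_sig_*` POST parameter by sorting them, concatenating `key=value` pairs with the prefix stripped, appending the application secret and MD5-hashing the result, and the server must recompute that and compare it with `fb_sig` before trusting `fb_sig_user`. The application secret below is a constructed placeholder, and the timestamp check is an assumed defensive addition using the `fb_sig_time` parameter.

```python
import hashlib
import hmac
import time

# Constructed placeholder; the real value is the app secret from the developer settings.
APP_SECRET = "example_app_secret_placeholder"

# Assumed freshness window for fb_sig_time, to limit replay of a captured request.
MAX_AGE_SECONDS = 48 * 60 * 60


def generate_sig(params, secret):
    """Legacy Platform signature: sorted 'key=value' pairs run together, then the secret, MD5-hashed."""
    payload = "".join(f"{k}={v}" for k, v in sorted(params.items()))
    return hashlib.md5((payload + secret).encode("utf-8")).hexdigest()


def get_valid_fb_params(post, secret=APP_SECRET, now=None):
    """Return the fb_sig_* parameters (prefix stripped) only if the signature and timestamp verify, else None."""
    prefix = "fb_sig_"
    params = {k[len(prefix):]: v for k, v in post.items() if k.startswith(prefix)}
    sig = post.get("fb_sig")
    if not params or sig is None:
        return None
    expected = generate_sig(params, secret)
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    if not hmac.compare_digest(expected.encode("utf-8"), str(sig).encode("utf-8")):
        return None
    # Reject requests whose signed timestamp is outside the freshness window.
    now = time.time() if now is None else now
    try:
        if abs(now - float(params.get("time", 0))) > MAX_AGE_SECONDS:
            return None
    except ValueError:
        return None
    return params


def signed_post(params, secret=APP_SECRET):
    """Build a POST body the way the Platform would sign it (constructed sample input for testing)."""
    post = {f"fb_sig_{k}": v for k, v in params.items()}
    post["fb_sig"] = generate_sig(params, secret)
    return post
```

A handler should read the user id from the dictionary this returns, never from `$_POST['fb_sig_user']` directly, because a forged request with a modified user id fails the comparison and yields `None`.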