OpenEx: Progress Report - 95% launching this week - page 2.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Got a chance to work on the site again tonight.

-Investigate the Session Logins incremental counter exploit suggested in this thread. the poster was wrong, sessions are stored on the server. only exploits are session hijacking and session fixation, neither of which are a problem in our application(session hijacking is possible, but difficult.) despite it, i identified a vulnerability in the process, of which i patched. each increment over 4 of Session 'LoginAttemps' results in an access violations. as you already know, 10 access violation results in an automatic ip ban. i'm thinking up setting an ip tracker global on the site, so that ip bans can be carried over to any account registered/logged in from that ip address. not particularly high on the priority list, but its there and its a good idea.

-Moved all configurable options to a database table, built functions to check each enabled option, as well as 1 function to disable the option, and one function to enable it.

-Fixed moderators page. mods and admins can now ban and unban posters at will. when a poster is banned or unbanned, a message immediately appears in the chat notifying of the ban or unban "system: was banned from chat."

-Patched glitch that allowed Banned users to continue posting in the chat until they refreshed the page.

-Found new bug, chat messages aren't being reloaded on an interval, they are only reloaded on page refresh or form submit. seeking a jquery guru to tell me where my error is, i can't see why the setinterval timeout isn't working correctly and independantly of the reload in the callback function of the submit field.

-Pruned unnecessary files, and dispatched all procedural code from index.php into a function to clean up the index a bit.

Still a ways to go guys, sorry i'm pretty much alone here in development at the moment, working at my own pace and doing as much as i can, and revising the code as i deem necessary. i'll call it some progress. Tomorrow i will be working on the site and catching up on some much needed house chores. My mom has agreed to watch my daughter for me tomorrow so i can work. should be able to get quite a few things done tomorrow.

datguyian

sr. member

Activity: 840

Merit: 251

Looks like it could be promising, and I appreciate that you're taking your time to make sure you have a stable, secure and reliable system before releasing it. Seems like there's a few here bashing on the fact that it's not out yet, but it's nice for once to see someone that is not rushing to make a few bucks and actually trying to release a solid product. Look forward to seeing it in production.

btc1210

full member

Activity: 140

Merit: 100

Interesting project, thanks for doing this all public.

I know it can get stressful when faceless users make less than constructive comments, but keep it up.

antithetical

newbie

Activity: 11

Merit: 0

Hey dudes,

What happens with you progress 85%,

See comment #97 - 91%

See before 87%

Is it joke? Could you point true date of beta release?

gielbier

sr. member

Activity: 914

Merit: 250

Making Smart Money Work

I don't want to seem negative, but you really should not use mysql anymore. (It will be deprecated in PHP5.5) Use mysqli or PDO instead.

Sejnt

newbie

Activity: 42

Merit: 0

Code:

if($_SESSION["Login_Attempts"] > 4)

I didn't see the whole code but this, you know it won't secure anything? A script can remove session cookie easily.

BlueDragon747

legendary

Activity: 1509

Merit: 1030

Solutions Architect

keep up the good work regardless of the % its all progress to the end result Cool

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

callawey

member

Activity: 87

Merit: 10

Quote from: r3wt on December 19, 2013, 07:48:11 PM

Quote from: callawey on December 19, 2013, 05:30:48 PM

Quote from: monsterer on December 19, 2013, 05:10:54 PM

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.

Let me give you a little example for what i mean:

Code:

                $PricePer = mysql_real_escape_string($_GET["price2"]);
                $Amount = mysql_real_escape_string($_GET["Amount2"]);
                $X = $PricePer * $Amount;
                $Total = file_get_contents("http://openex.pw/system/calculatefees.php?P=" . $X);
                $Fees = file_get_contents("http://openex.pw/system/calculatefees2.php?P=" . $X);
                $user_id = $loggedInUser->user_id; 
                if(TakeMoney($Total,$user_id,$Currency_1) == true)
                {
                        AddMoney($Fees,101,$Currency_1);
                        mysql_query("INSERT INTO trades (`To`,`From`,`Amount`,`Value`,`User_ID`,`Type`,`Fee`,`Total`)VALUES ('$name','$Currency_1a','$Amount','$PricePer','$user_id','$name','$Fees','$Total');");
                }
                else
                {
                        echo "You cannot afford that!
";
                }

So, on below code, you have a method AddMoney, which updates a table on mysql, and below it you have an insert query. In that code, there is no guarantity that the insert will work after the update script. Update script can work, but insert may not, so this will cause you a balance issue, as you will deduct the amount from the user but there will be no trade operation. This both queries must be inside one transaction, so one fails, all rollbacks automaticaly, if all succed everything goes fine.

As monsterer stated, you can find a lot of information on this by google'ing or from stackoverflow but without this it will be just a horror movie. You have to change your statements and i can say that by the view of the code, yes you have to change a lot of part on the project

unfocus

full member

Activity: 182

Merit: 100

A while back I stepped up to take care of another abandoned exchange project. I became aware of this project, and considered using it since it was 85% done.

Anyway, private beta testing for the Scifi Coin exchange starts tonight. If you want to participate, please register to scificointalk.com and follow instruction http://scificointalk.com/index.php/topic,12.15.html

Bounty available.

monsterer

legendary

Activity: 1008

Merit: 1002

Quote from: r3wt on December 19, 2013, 06:39:04 PM

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.

Here is some helpful advice: you do not have the necessary knowledge to perform the task you are undertaking. Transactions are absolutely essential in a system like this, to be without them is to be asking questions like this on stack overflow -

http://stackoverflow.com/questions/15026825/php-mysql-how-to-prevent-two-requests-update

Please stop what you are doing. Do some research. Implement some unit tests on your current code to show why it will break, then move to transactions on the same test, confirm the fix and move on.

Cheers, Paul.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Quote from: callawey on December 19, 2013, 05:30:48 PM

Quote from: monsterer on December 19, 2013, 05:10:54 PM

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Quote from: monsterer on December 19, 2013, 06:28:10 PM

Quote from: callawey on December 19, 2013, 05:30:48 PM

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

Ditto

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.

monsterer

legendary

Activity: 1008

Merit: 1002

Quote from: callawey on December 19, 2013, 05:30:48 PM

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

Ditto

zavtra

member

Activity: 112

Merit: 10

Quote from: r3wt on December 19, 2013, 05:32:06 PM

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

Well I am glad that you are considering SBC, but it is great to see you make sure everything is working properly, rather than doing an incomplete launch and then just barely trekking along like Cryptsy has been doing.

PGomer

newbie

Activity: 9

Merit: 0

Quote from: r3wt on December 19, 2013, 05:32:06 PM

Quote from: zavtra on December 19, 2013, 05:27:32 PM

Quote from: r3wt on December 19, 2013, 04:15:43 PM

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

I love your approach and attitude. Keep learning and press on!

northranger79510

sr. member

Activity: 308

Merit: 250

Riecoin and Huntercoin to rule all!

If you guys add Stablecoin, consider me hooked.

r3wt

hero member

Activity: 686

Merit: 504

always the student, never the master.

Quote from: zavtra on December 19, 2013, 05:27:32 PM

Quote from: r3wt on December 19, 2013, 04:15:43 PM

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

callawey

member

Activity: 87

Merit: 10

Quote from: monsterer on December 19, 2013, 05:10:54 PM

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

zavtra

member

Activity: 112

Merit: 10

Quote from: r3wt on December 19, 2013, 04:15:43 PM

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

Topic: OpenEx: Progress Report - 95% launching this week - page 2. (Read 9538 times)