Pages:
Author

Topic: OpenEx: Progress Report - 95% launching this week - page 2. (Read 9605 times)

hero member
Activity: 686
Merit: 504
always the student, never the master.
Got a chance to work on the site again tonight.

-Investigate the Session Logins incremental counter exploit suggested in this thread. the poster was wrong, sessions are stored on the server. only exploits are session hijacking and session fixation, neither of which are a problem in our application(session hijacking is possible, but difficult.) despite it, i identified a vulnerability in the process, of which i patched. each increment over 4 of Session 'LoginAttemps' results in an access violations. as you already know, 10 access violation results in an automatic ip ban. i'm thinking up setting an ip tracker global on the site, so that ip bans can be carried over to any account registered/logged in from that ip address. not particularly high on the priority list, but its there and its a good idea.

-Moved all configurable options to a database table, built functions to check each enabled option, as well as 1 function to disable the option, and one function to enable it.

-Fixed moderators page. mods and admins can now ban and unban posters at will. when a poster is banned or unbanned, a message immediately appears in the chat notifying of the ban or unban "system: was banned from chat."

-Patched glitch that allowed Banned users to continue posting in the chat until they refreshed the page.

-Found new bug, chat messages aren't being reloaded on an interval, they are only reloaded on page refresh or form submit. seeking a jquery guru to tell me where my error is, i can't see why the setinterval timeout isn't working correctly and independantly of the reload in the callback function of the submit field.

-Pruned unnecessary files, and dispatched all procedural code from index.php into a function to clean up the index a bit.

Still a ways to go guys, sorry i'm pretty much alone here in development at the moment, working at my own pace and doing as much as i can, and revising the code as i deem necessary. i'll call it some progress. Tomorrow i will be working on the site and catching up on some much needed house chores. My mom has agreed to watch my daughter for me tomorrow so i can work. should be able to get quite a few things done tomorrow.
sr. member
Activity: 840
Merit: 251
Looks like it could be promising, and I appreciate that you're taking your time to make sure you have a stable, secure and reliable system before releasing it. Seems like there's a few here bashing on the fact that it's not out yet, but it's nice for once to see someone that is not rushing to make a few bucks and actually trying to release a solid product. Look forward to seeing it in production.  Smiley
full member
Activity: 140
Merit: 100
Interesting project, thanks for doing this all public.

I know it can get stressful when faceless users make less than constructive comments, but keep it up.

newbie
Activity: 11
Merit: 0
Hey dudes,

What happens with you progress 85%,

See comment #97 - 91%

See before 87%

Is it joke? Could you point true date of beta release?
sr. member
Activity: 914
Merit: 250
Making Smart Money Work
I don't want to seem negative, but you really should not use mysql anymore. (It will be deprecated in PHP5.5) Use mysqli or PDO instead.
newbie
Activity: 42
Merit: 0
Code:
if($_SESSION["Login_Attempts"] > 4)

I didn't see the whole code but this, you know it won't secure anything? A script can remove session cookie easily.
legendary
Activity: 1509
Merit: 1030
Solutions Architect
keep up the good work regardless of the % its all progress to the end result Cool
hero member
Activity: 686
Merit: 504
always the student, never the master.
member
Activity: 87
Merit: 10
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.

Let me give you a little example for what i mean:

Code:
                $PricePer = mysql_real_escape_string($_GET["price2"]);
                $Amount = mysql_real_escape_string($_GET["Amount2"]);
                $X = $PricePer * $Amount;
                $Total = file_get_contents("http://openex.pw/system/calculatefees.php?P=" . $X);
                $Fees = file_get_contents("http://openex.pw/system/calculatefees2.php?P=" . $X);
                $user_id = $loggedInUser->user_id;
                if(TakeMoney($Total,$user_id,$Currency_1) == true)
                {
                        AddMoney($Fees,101,$Currency_1);
                        mysql_query("INSERT INTO trades (`To`,`From`,`Amount`,`Value`,`User_ID`,`Type`,`Fee`,`Total`)VALUES ('$name','$Currency_1a','$Amount','$PricePer','$user_id','$name','$Fees','$Total');");
                }
                else
                {
                        echo "

You cannot afford that!

";
                }

So, on below code, you have a method AddMoney, which updates a table on mysql, and below it you have an insert query. In that code, there is no guarantity that the insert will work after the update script. Update script can work, but insert may not, so this will cause you a balance issue, as you will deduct the amount from the user but there will be no trade operation. This both queries must be inside one transaction, so one fails, all rollbacks automaticaly, if all succed everything goes fine.

As monsterer stated, you can find a lot of information on this by google'ing or from stackoverflow but without this it will be just a horror movie. You have to change your statements and i can say that by the view of the code, yes you have to change a lot of part on the project
full member
Activity: 182
Merit: 100
A while back I stepped up to take care of another abandoned exchange project. I became aware of this project, and considered using it since it was 85% done.

Anyway, private beta testing for the Scifi Coin exchange starts tonight. If you want to participate, please register to scificointalk.com and follow instruction http://scificointalk.com/index.php/topic,12.15.html

Bounty available.


legendary
Activity: 1008
Merit: 1007
Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.

Here is some helpful advice: you do not have the necessary knowledge to perform the task you are undertaking. Transactions are absolutely essential in a system like this, to be without them is to be asking questions like this on stack overflow -

http://stackoverflow.com/questions/15026825/php-mysql-how-to-prevent-two-requests-update

Please stop what you are doing. Do some research. Implement some unit tests on your current code to show why it will break, then move to transactions on the same test, confirm the fix and move on.

Cheers, Paul.
hero member
Activity: 686
Merit: 504
always the student, never the master.
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.
hero member
Activity: 686
Merit: 504
always the student, never the master.
I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

Ditto

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.
legendary
Activity: 1008
Merit: 1007
I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

Ditto
member
Activity: 112
Merit: 10

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

Well I am glad that you are considering SBC, but it is great to see you make sure everything is working properly, rather than doing an incomplete launch and then just barely trekking along like Cryptsy has been doing.
newbie
Activity: 9
Merit: 0

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.


I love your approach and attitude. Keep learning and press on!
sr. member
Activity: 308
Merit: 250
Riecoin and Huntercoin to rule all!
If you guys add Stablecoin, consider me hooked.
hero member
Activity: 686
Merit: 504
always the student, never the master.

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.
member
Activity: 87
Merit: 10
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.
member
Activity: 112
Merit: 10

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.
Pages:
Jump to: