PDO requires PDO and PECL, that's already alone dirtiest than dirt can be. 
PHP 5.1.0 and newer comes with PDO already.
Topic: [Pre Alpha] PHPCoin - page 6. (Read 11013 times)
PHP 5.1.0 and newer comes with PDO already.
@btcash,
The project is open source, when I release it you're welcome to implement whatever procedure to store passwords you want.
@smoothie
This isn't usable to mine anything, it's a storage frontend, not a mining one. Can be used, with some changes, to store namecoins also.
The project is open source, when I release it you're welcome to implement whatever procedure to store passwords you want.
@smoothie
This isn't usable to mine anything, it's a storage frontend, not a mining one. Can be used, with some changes, to store namecoins also.
This salt method of storing passwords would still leave you open to the same type attack MtGox had. If the attack is based on getting a copy of the database, every account in database is at risk with current code.
Best option is two-factor auth. (ubikey, RSA key)
Best option is two-factor auth. (ubikey, RSA key)
Will it be usable to mine namecoins too? 
Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the PHP manual for more info.
PDO requires PDO and PECL, that's already alone dirtiest than dirt can be.
As I'm off now for a while, here's the incomplete code of the cron (it should run like each 5 minutes by php-cgi or so), hope this already gives you a better clue of what I'm working on:
Code:
define("_V",1);
//This file must NOT be accessible from the Web!
$coin_install_path = "/web/default/public_html";
include($coin_install_path ."/sys/config.php");
include($coin_install_path ."/inc/general_functions.php");
error_reporting(E_ALL);
ini_set("display_errors",1);
include($coin_install_path ."/classes/jsonRPCClient.php");
//Starting CRON sequence
$b = new jsonRPCClient("http://$btc_user:$btc_pass@127.0.0.1:8332");
//Checking for new deposits
$accounts = $b->listaccounts((int)$config['confirmations']['value']);
foreach($accounts as $k => $a){
if($a == 0) continue; //Nothing to do
$acc = explode("_",$k);
if(!is_array($acc) || sizeof($acc) != 3) continue; //Invalid account identifier
//Get the account
$sql = "SELECT * FROM accounts WHERE uid = {$acc[1]} AND account_id = {$acc[2]}";
$q = mysql_query($sql);
if(!mysql_num_rows($q)) continue; //Account not found
$act = mysql_fetch_assoc($q);
$b->move($k,$config['central_account']['value'],$a);
$prevBal = 0;
$sql = "SELECT balance FROM movements WHERE account_id = {$act['id']} ORDER BY id DESC LIMIT 0,1";
$q = mysql_query($sql);
if(mysql_num_rows($q)){
$pbal = mysql_fetch_assoc($q);
$prevBal = $pbal['balance'];
}
$newBal = $prevBal + $a;
mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Bitcoin deposit',$a,1,$newBal)");
mysql_query("UPDATE accounts SET balance = balance + $a WHERE id = {$act['id']}");
//Check if account is forwarded
if($act['forward'] == 1){
$isValid = $b->validateaddress($act['forward_to']);
if($isValid['isvalid'] != 1){
$invBTC = makeSQLSafe($act['forward_to']);
mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid address to forward your deposits to :: $invBTC. Amount remains in your account!')");
}elseif($isValid['ismine'] == 1){
//It's forward to a local address, so we just move the balance
$recAct = explode("_",$isValid['account']);
if(!is_array($recAct) || sizeof($recAct) != 3){
mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account is not an user account :: $invBTC. Amount remains in your account!')");
}else{
$sql = "SELECT * FROM accounts WHERE uid = {$recAct[1]} AND account_id = {$recAct[2]}";
$q = mysql_query($sql);
if(!mysql_num_rows($q)){
mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account not found :: $invBTC. Amount remains in your account!')");
}else{
$receiver = mysql_fetch_assoc($q);
$nextBal = $newBal - $a;
mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Forward to {$act['forward_to']}',$a,0,$nextBal)");
mysql_query("UPDATE accounts SET balance = balance - $a WHERE id = {$act['id']}");
//A small issue; re-forwarded accounts will not forward to prevent loop attacks.
}
}
}
// $nextBal = $newBal - $a;
// $b->sendfrom();
}
}
?>
//This file must NOT be accessible from the Web!
$coin_install_path = "/web/default/public_html";
include($coin_install_path ."/sys/config.php");
include($coin_install_path ."/inc/general_functions.php");
error_reporting(E_ALL);
ini_set("display_errors",1);
include($coin_install_path ."/classes/jsonRPCClient.php");
//Starting CRON sequence
$b = new jsonRPCClient("http://$btc_user:$btc_pass@127.0.0.1:8332");
//Checking for new deposits
$accounts = $b->listaccounts((int)$config['confirmations']['value']);
foreach($accounts as $k => $a){
if($a == 0) continue; //Nothing to do
$acc = explode("_",$k);
if(!is_array($acc) || sizeof($acc) != 3) continue; //Invalid account identifier
//Get the account
$sql = "SELECT * FROM accounts WHERE uid = {$acc[1]} AND account_id = {$acc[2]}";
$q = mysql_query($sql);
if(!mysql_num_rows($q)) continue; //Account not found
$act = mysql_fetch_assoc($q);
$b->move($k,$config['central_account']['value'],$a);
$prevBal = 0;
$sql = "SELECT balance FROM movements WHERE account_id = {$act['id']} ORDER BY id DESC LIMIT 0,1";
$q = mysql_query($sql);
if(mysql_num_rows($q)){
$pbal = mysql_fetch_assoc($q);
$prevBal = $pbal['balance'];
}
$newBal = $prevBal + $a;
mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Bitcoin deposit',$a,1,$newBal)");
mysql_query("UPDATE accounts SET balance = balance + $a WHERE id = {$act['id']}");
//Check if account is forwarded
if($act['forward'] == 1){
$isValid = $b->validateaddress($act['forward_to']);
if($isValid['isvalid'] != 1){
$invBTC = makeSQLSafe($act['forward_to']);
mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid address to forward your deposits to :: $invBTC. Amount remains in your account!')");
}elseif($isValid['ismine'] == 1){
//It's forward to a local address, so we just move the balance
$recAct = explode("_",$isValid['account']);
if(!is_array($recAct) || sizeof($recAct) != 3){
mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account is not an user account :: $invBTC. Amount remains in your account!')");
}else{
$sql = "SELECT * FROM accounts WHERE uid = {$recAct[1]} AND account_id = {$recAct[2]}";
$q = mysql_query($sql);
if(!mysql_num_rows($q)){
mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account not found :: $invBTC. Amount remains in your account!')");
}else{
$receiver = mysql_fetch_assoc($q);
$nextBal = $newBal - $a;
mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Forward to {$act['forward_to']}',$a,0,$nextBal)");
mysql_query("UPDATE accounts SET balance = balance - $a WHERE id = {$act['id']}");
//A small issue; re-forwarded accounts will not forward to prevent loop attacks.
}
}
}
// $nextBal = $newBal - $a;
// $b->sendfrom();
}
}
?>
Well, this could be extremely useful for a project I have coming up! Here's to hoping you get it finished up soon.
Hi M'Tux,
Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing.
About SQLi, vars are passed this way:
Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing.
About SQLi, vars are passed this way:
Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the PHP manual for more info.
Your method is not good enough...
But your method was..
Too bad people only learn after the trouble...
While start to draft the most important part of the site, the CRON, here're two screens of it so far:
Let me explain also how I had this idea: I want to move my coins to a "minimalistic" Debian VM, and this is a way to access and manage the wallet on that VM.
Let me explain also how I had this idea: I want to move my coins to a "minimalistic" Debian VM, and this is a way to access and manage the wallet on that VM.
I'm starting a new project to go GPL OpenSource, I named it PHPCoin.
Great! The PHP/bitcoin world needs more open source projects.
By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent.
With all due respect: Good intentions are nice, but released code is what makes an open source project alive.
Release the code early and often. Don't worry about ugly code, don't worry about bugs. Those things can and will be fixed down the road. Nothing will get messed up.
DO worry about your project turning into vaporware if you don't release code soon.
If you're interested in browsing some bitcoin-related PHP open source projects:
https://github.com/mikegogulski/bitcoin-php
- Bitcoin library for PHP
- a basic PHP class for interacting with bitcoind
- Hasn't been updated for a while, but still usable
https://github.com/zamgo/bitcoin-webskin
- an open source PHP web interface to bitcoind
- my own project
and a lot more out there on github and other places...
How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...
What is bitcoin-php? The only thing I know by such name is a class.
@smoothie
Not yet. Will put as soon as the basic functions are done. I'm around editing own account at the moment.
How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...
Hi M'Tux,
Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing.
About SQLi, vars are passed this way:
Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing.
About SQLi, vars are passed this way:
Code:
isset($_POST['user']) && trim($_POST['user']) ? $user = makeSQLSafe(trim($_POST['user'])) : $e[] = "Username missing!";
//... which means to call the function bellow
function makeSQLSafe($str){
if(get_magic_quotes_gpc()) $str = stripslashes($str);
return mysql_real_escape_string($str);
}
?>
//... which means to call the function bellow
function makeSQLSafe($str){
if(get_magic_quotes_gpc()) $str = stripslashes($str);
return mysql_real_escape_string($str);
}
?>
By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin.
Been looking for something like this for quite a while,
please let us know when its up.
Cheers
By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin.
Is there a 1 - 1 ratio of gambling apps to developers in the BtC Community? hehe
Are you just looking for a designer? or other PHP programmers?
Im looking for projects
What is the eventual goal/vision of this project? Sounds interesting.
Are you just looking for a designer? or other PHP programmers?
Im looking for projects
What is the eventual goal/vision of this project? Sounds interesting.
I'm starting a new project to go GPL OpenSource, I named it PHPCoin.
Here's the draft idea:
Basically it is a PHP frontend to bitcoind, which can be used for the local user or in a multiuser (mybitcoin-like) environment, operating as a bitcoin concentrator.
The modular system will allow also to attach modules as MtGox/TradeHill/etc analyzers.
The cron system will allow features as recurring payments or coin forwarding.
Allows creation of multiple accounts for the same user. Say: Account 1 - regular account, Account 2 - savings account... and so on. Each account will have different bitcoin addresses.
Bitcoin transactions are all moved to a central account, the movements and balance are recorded and managed by MySQL.
So far I'm finishing the login and register functions, but need a designer's help. If you interested, PM me.
As password security is the subject of the moment, due that MtGox thing, here's my system's function for it:
Pre-Alpha can be downloaded from:
http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip
Here's the draft idea:
Basically it is a PHP frontend to bitcoind, which can be used for the local user or in a multiuser (mybitcoin-like) environment, operating as a bitcoin concentrator.
The modular system will allow also to attach modules as MtGox/TradeHill/etc analyzers.
The cron system will allow features as recurring payments or coin forwarding.
Allows creation of multiple accounts for the same user. Say: Account 1 - regular account, Account 2 - savings account... and so on. Each account will have different bitcoin addresses.
Bitcoin transactions are all moved to a central account, the movements and balance are recorded and managed by MySQL.
So far I'm finishing the login and register functions, but need a designer's help. If you interested, PM me.
As password security is the subject of the moment, due that MtGox thing, here's my system's function for it:
Code:
$salt = md5(rand().$name.microtime());
$passh = hash("ripemd160",$pass.$salt);
mysql_query("INSERT INTO users(user,pass,name,email) VALUES('$user','$passh','$name','$email')");
$myuid = mysql_insert_id();
mysql_query("INSERT INTO salt(uid,salt) VALUES($myuid,'$salt')");
$success = "You're now registered to this system";
?>
$passh = hash("ripemd160",$pass.$salt);
mysql_query("INSERT INTO users(user,pass,name,email) VALUES('$user','$passh','$name','$email')");
$myuid = mysql_insert_id();
mysql_query("INSERT INTO salt(uid,salt) VALUES($myuid,'$salt')");
$success = "You're now registered to this system";
?>
Pre-Alpha can be downloaded from:
http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip
Jump to: