Bitcoin Forum

Other => Beginners & Help => Topic started by: jopo on January 22, 2013, 10:04:25 PM



Title: bitfreak!'s BTC-SCI
Post by: jopo on January 22, 2013, 10:04:25 PM
Hey guys,

I'm trying to get bitfreak!'s SCI running (actually on my local XAMPP). But when I try to donate something it doesn't show anything other than a white page. When I remove this part from payment.php it shows the deposit address.

Code:
// check for potential errors before proceeding
// (only run the payment check when the 'u' update flag is not set)
if (empty($_GET['u'])) {

  // ask the block explorer whether the expected amount has reached the address
  $check_result = bitsci::check_payment($_SESSION['total_price'], $pubAdd, $confirm_num);

  if ($check_result === 'e1') {
    invalid_input('Block Explorer API is offline. Please try again later.');
  } elseif ($check_result === 'e2') {
    invalid_input('The address is corrupt. Please go back and try again.');
  } elseif ($check_result === 'e3') {
    invalid_input('An unknown error occurred. Please try again later.');
  } elseif ($check_result === true) {
    // payment confirmed: hand off to the IPN control script with the session id
    confirm_transaction('ipn-control.php?sid='.$sid, $pubAdd, $sec_str);
  }
}

What is wrong in this part? And: it doesn't generate a private key into the CSV file.

Hope you can help me getting this thing running,

thanks a lot,

- jopo


Title: Re: bitfreak!'s BTC-SCI
Post by: mjc on January 23, 2013, 02:56:30 AM
This is not an answer to your question, just an observation.

You are checking those parameters, right?  Otherwise someone could attack your system by injecting commands into your script.

You are concatenating user parameters into your code.  Particularly the sid parameter.  The way it is written, it's ripe for a remote file include.

Not a perfect example but relevant:
https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution
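As an added illustration of the validation mjc is asking about (example code, not part of bitfreak!'s BTC-SCI), this PHP snippet whitelists the session id before it is placed into the ipn-control.php URL and treats the 'u' flag as a plain boolean rather than a path; the exact format of a BTC-SCI sid is an assumption here.

```php
<?php
// Added example, not code from BTC-SCI: validate request parameters before
// they are used to build URLs, file paths or other strings handed to PHP.

// Accept only a short alphanumeric session id; the length/charset is an assumption
// about BTC-SCI's sid format. Anything else (slashes, dots, colons, "..") is rejected.
function valid_sid($sid): bool {
    return is_string($sid) && preg_match('/^[A-Za-z0-9]{8,64}$/', $sid) === 1;
}

// Build the IPN control URL from a validated sid. http_build_query URL-encodes
// the value, so the user-controlled string is never concatenated raw.
function ipn_control_url($sid): string {
    if (!valid_sid($sid)) {
        throw new InvalidArgumentException('invalid session id');
    }
    return 'ipn-control.php?' . http_build_query(['sid' => $sid]);
}

// The 'u' flag from the original snippet: interpret it strictly as on/off,
// never as a filename or include target.
function update_requested(array $get): bool {
    return isset($get['u']) && $get['u'] === '1';
}

// Constructed sample requests showing what is accepted and what is refused.
$samples = [
    ['sid' => 'a1b2c3d4e5f6'],          // accepted: matches the whitelist
    ['sid' => '../../etc/passwd'],      // rejected: path characters
    ['sid' => 'http://example.invalid/x'], // rejected: URL characters
    ['sid' => ''],                      // rejected: empty
];
foreach ($samples as $req) {
    try {
        echo ipn_control_url($req['sid']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected (', var_export($req['sid'], true), '): ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php example.php`; only the first sample produces a URL, the other three are rejected before any string is built.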