Bitcoin Forum
July 10, 2024, 08:35:09 AM *
  Show Posts
1561  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 19, 2013, 11:48:11 PM
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actually there is no transaction at all in the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will go crazy.

I suggest you to take the progress to %60 and re-do all your db functionalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforeseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapsulates the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, it's a good idea but i am not capable of implementing this alone. i will have to seek a professional dba.
1562  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 19, 2013, 10:39:04 PM
I suggest you to take the progress to %60 and re-do all your db functionalities, otherwise a big horror movie awaits you.

Ditto

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.
1563  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 19, 2013, 09:32:06 PM

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shepherd us in completing the project.
1564  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 19, 2013, 09:25:04 PM
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

i don't know how to use them. i tried, but it makes getting results harder. i have < 6 months experience. maybe one of you really smart guys would like to join the staff in a paid position as dev # 3? if not, maybe you would like to be paid nicely to convert all our queries to PDO? I'm willing to accept that i don't know everything there is to know, and that one of you take our work and make it a lot better. any takers?
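
The two points raised in this thread (queries run outside any transaction, and queries built without prepared statements) can be shown together. This is an added example, not code from the posts or from the OpenEx repository; the `balances` table, its columns and the sample users are hypothetical, and SQLite in memory stands in for MySQL so it runs offline.

```php
<?php
// Added example: the balances table and its columns are hypothetical.
// SQLite in memory keeps it self-contained; the same PDO calls work with the
// mysql: driver (MySQL tables must be InnoDB for transactions to apply).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE balances (username TEXT PRIMARY KEY, amount INTEGER NOT NULL)');
$pdo->exec("INSERT INTO balances VALUES ('alice', 500), ('bob', 100)"); // constructed data

// Move $amount (integer smallest units) between users: both rows change or neither.
function transfer(PDO $pdo, string $from, string $to, int $amount): bool
{
    if ($amount <= 0 || $from === $to) {
        return false;
    }
    $pdo->beginTransaction();
    try {
        // Conditional debit: the WHERE clause refuses to overdraw, so the check
        // and the update are one statement, not a SELECT followed by an UPDATE.
        $debit = $pdo->prepare(
            'UPDATE balances SET amount = amount - :amt WHERE username = :who AND amount >= :min'
        );
        $debit->execute([':amt' => $amount, ':who' => $from, ':min' => $amount]);
        if ($debit->rowCount() !== 1) {
            $pdo->rollBack(); // unknown sender or insufficient funds
            return false;
        }
        $credit = $pdo->prepare('UPDATE balances SET amount = amount + :amt WHERE username = :who');
        $credit->execute([':amt' => $amount, ':who' => $to]);
        if ($credit->rowCount() !== 1) {
            $pdo->rollBack(); // unknown recipient: the debit is undone as well
            return false;
        }
        $pdo->commit();
        return true;
    } catch (Throwable $e) {
        if ($pdo->inTransaction()) {
            $pdo->rollBack();
        }
        throw $e;
    }
}

// Bound parameters travel as data, so quote characters in $username cannot alter the query.
function balance(PDO $pdo, string $username): ?int
{
    $stmt = $pdo->prepare('SELECT amount FROM balances WHERE username = ?');
    $stmt->execute([$username]);
    $amount = $stmt->fetchColumn();
    return $amount === false ? null : (int) $amount;
}

var_dump(transfer($pdo, 'alice', 'bob', 200));    // enough funds
var_dump(transfer($pdo, 'alice', 'bob', 400));    // overdraw attempt
var_dump(transfer($pdo, 'alice', 'nobody', 50));  // unknown recipient
var_dump(balance($pdo, 'alice'), balance($pdo, 'bob'));
var_dump(balance($pdo, "alice' OR '1'='1"));      // looked up as a literal name
```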
1565  Other / Beginners & Help / Re: How come Bitcoin people dont know how to code? on: December 19, 2013, 08:48:14 PM
as the author of the exchange in question:

1). sha1 was replaced by sha512, we just haven't updated the git yet.

2). you can't double spend coins on this exchange, we worked very hard to make it impossible. the base code of this exchange first existed on our first attempt at an exchange, called iceycrypt, and the main problem was double spending trades.

3). mysql may be considered deprecated, but it's still much easier to use and contrary to popular belief you can prevent sql injection with mysql_* functions. i think you've been reading too much stackoverflow and been taking it as the straight gospel. prepared statements are the way to go, and once we've finished the code and have it working, we will work back through and replace our db interfacing with more secure options, such as the mysqli functions i am already using in the chat, which runs on its separate php process and database user.

4.) mysql_real_escape_string is not all that is used to prevent against database injection, it's the first line of defense. maybe you should browse to the models directory and start dissecting code there. this will give you a keen understanding of how userCake handles queries.

5.) we haven't released the exchange yet. It is still a work in progress. I would gladly invite your criticism once our doors open, but this is clearly a fud attack against our exchange in an effort to hurt our business.

6.) in its present state, this exchange is superior to the 3 major exchanges currently open and operating on node.js with security vulnerabilities aplenty. I understand your frustrations with cryptsy, but taking them out on Our project isn't fair.

7.) there are functions that have been built i just haven't migrated over to the exchange source yet that will prevent database overload. eventually we will move to a sharded model where reads are done from 3 slave servers and writes are done to the master db server. we have a function called optimize tables, and a cronjob that shuts the trade engine down for 5 minutes every 6 hours and performs table optimization and audit of trade history.

8.) we are working towards moving away from cron job, to a proprietary daemon based system called "alien-php". i have been working on this on the site for a few weeks. it's similar to node.js in that it can deploy, activate, and deactivate servers as necessary based on system load of the main server. it also features a daemon architecture in place of cronjobs, meaning there are several long running php processes in the background handling the trade engine and maintenance functions of the exchange.

9.) as far as the future, we still have lots of work to do before the exchange is enterprise level stable, however most of the basic functionality is in place. we are very much interested in hiring a 3rd developer to be a part of our team, but talk is cheap. put up or shut up if you want in. you will get paid.
1566  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 19, 2013, 08:21:46 PM
that sounds great r3wt, but what about forged ip address in http headers? great question.
function getIP()--this makes it difficult to cloak or forge the ip address.
Code:
<?php
function getIP()
{
    // Candidate $_SERVER keys, checked in this order
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            // A header may carry a comma-separated list of addresses
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                // Return the first valid address outside private and reserved ranges
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>


Works IF a user does not use a Proxy that does not send HTTP_X_FORWARD Headers or a VPN.

I could not post this here at the time (newbie) but please read this:

https://bitcointalk.org/index.php?topic=374922.0


It doesn't matter if the user is using a proxy, the autoincrementing function will ban ip's without prejudice. i read your dissection and agree. however, you were looking at an extremely old primitive release. would love for you to come poke around the new code since i have updated it. we generally do not release updates to github immediately. you will not be able to doublespend coins on the exchange. we've done extensive testing to ensure of this. if you are serious about programming, you are welcome to join the team, if not get the fuck out, we got this. you have to understand, we started from userCake. a lot of the functions (password generation being one of them) are old and out of date. we are slowly building onto it. i'll push an update later today so you can see what has changed.
1567  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 19, 2013, 08:15:43 PM
we have discussed this privately, and we will only take one more coin. Currently  we are researching on what coin is worthy.

r3wt : I guess there is no harm in me asking if SBC could be included in that research for the 'one more coin'.  Dev is back on it and working to get the additional features into it & bitcointalk thread is well attended.

Either way, good luck with the release!

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.
1568  Alternate cryptocurrencies / Altcoin Discussion / delete on: December 19, 2013, 02:53:46 AM
delete
1569  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 18, 2013, 11:18:59 PM
I added a new feature today, building on the access violation system that i previously built into the application.

now, for every 10 access violations per unique ip address, an ip is banned. access violation history is recorded on a per instance basis, and the count feature of mysql is used to sort the count of each violation per ip address.
access_denied.php
Code:
<?php
require_once("models/config.php");

$account = $loggedInUser->display_username;
$uagent = mysql_real_escape_string(getuseragent()); //get user agent
$ip = mysql_real_escape_string(getIP()); //get user ip
if (isUserLoggedIn()) {
    if ($account != null) {
        $account = mysql_real_escape_string($loggedInUser->display_username);
    } else {
        $account = mysql_real_escape_string("Guest/Not Logged In");
    }
}
$date = mysql_real_escape_string(gettime());
// record this violation
$sql = @mysql_query("INSERT INTO access_violations (username, ip, user_agent, time) VALUES ('$account', '$ip', '$uagent', '$date');");
// count violations per ip, highest count first
$getcountip = mysql_query("SELECT ip,COUNT(*) as count FROM access_violations GROUP BY ip ORDER BY count DESC;");
while ($row = mysql_fetch_assoc($getcountip)) {
    if ($row['count'] > 10) {
        $factors = $row['ip'];
        // is this ip already in the ban table?
        $sql2 = mysql_query("SELECT ip FROM bantables_ip WHERE ip = '$factors';");
        $number_of_rows = mysql_num_rows($sql2);

        if ($number_of_rows > 0) {
            /*--Do nothing--*/
        } else {
            $date2 = mysql_real_escape_string(gettime());
            $ip_address = mysql_real_escape_string($row['ip']);
            $sqlxz = mysql_query("INSERT INTO bantables_ip (ip, date) VALUES ( '$ip_address', '$date2');");
        }
    }
}
echo "<style>html { width:100%; height:100%; background:url(assets/img/access_denied.gif) center center no-repeat; background-color: #000000 !important;}</style>";
echo '<link rel="icon" type="image/x-icon" href="assets/img/the_eye.ico" />';
?>




when an ip address has more than 10 violations, the application checks the database table if a record exists in the bantable for the ip. if it does, nothing is done. if it does not exist, the ip is added.

a function, isIPbanned(), checks to see if a visitor is in the ban table. if he is, he is greeted with a message that his ip address is banned. if he is not banned, he is greeted with the normal index page.
function isIPbanned()
Code:
<?php
function isIPbanned() {
    $ipvars = mysql_real_escape_string(getIP());
    // any row in the ban table for this ip means the visitor is banned
    $sqlxyzr = mysql_query("SELECT * FROM bantables_ip WHERE `ip`='$ipvars'");
    if (mysql_num_rows($sqlxyzr) > 0) {
        return true;
    } else {
        return false;
    }
}
?>



that sounds great r3wt, but what about forged ip address in http headers? great question.
function getIP()--this makes it difficult to cloak or forge the ip address.
Code:
<?php
function getIP()
{
    // Candidate $_SERVER keys, checked in this order
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            // A header may carry a comma-separated list of addresses
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                // Return the first valid address outside private and reserved ranges
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>
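
For comparison with the getIP() posted above, which reads client-supplied headers before REMOTE_ADDR, here is an added example (not part of the original post or the OpenEx code) that only reads X-Forwarded-For when the TCP peer is a known reverse proxy. `TRUSTED_PROXIES`, `clientIp()` and all addresses are constructed for illustration, using documentation ranges.

```php
<?php
// Added example. TRUSTED_PROXIES and the sample addresses are constructed
// (documentation ranges), not values from the thread.
const TRUSTED_PROXIES = ['192.0.2.10', '192.0.2.11'];

// Validate an address and return it in canonical form, or null if invalid.
function canonicalIp(string $ip): ?string
{
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : inet_ntop(inet_pton($ip));
}

/**
 * Return the address to count violations against, or null to reject the request.
 * REMOTE_ADDR is the TCP peer and cannot be set by a request header.
 * X-Forwarded-For is read only when that peer is one of our own proxies, and
 * it is walked right to left, so entries a client put on the left are never
 * reached before the first hop that is not under our control.
 */
function clientIp(array $server, array $trusted = TRUSTED_PROXIES): ?string
{
    $peer = canonicalIp($server['REMOTE_ADDR'] ?? '');
    if ($peer === null) {
        return null;
    }
    if (!in_array($peer, $trusted, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer; // direct connection: forwarding headers are ignored
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        $hop = canonicalIp($hop);
        if ($hop === null) {
            return null; // malformed entry among the trusted hops
        }
        if (!in_array($hop, $trusted, true)) {
            return $hop; // first hop that is not one of our proxies
        }
    }
    return $peer; // every listed hop was one of our proxies
}

// Constructed sample requests
$samples = [
    'direct, with forwarding headers set' => [
        'REMOTE_ADDR' => '203.0.113.7',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.99',
        'HTTP_CLIENT_IP' => '198.51.100.98',
    ],
    'through proxy' => [
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.23',
    ],
    'through proxy, extra entry on the left' => [
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '198.51.100.99, 198.51.100.23',
    ],
];
foreach ($samples as $label => $server) {
    printf("%-40s %s\n", $label, clientIp($server) ?? 'rejected');
}
```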

1570  Alternate cryptocurrencies / Altcoin Discussion / Re: [Ann]Nanotokens 9/30/13 Launching again on: December 18, 2013, 09:47:01 PM
Do you have a windows qt?

sorry about that, i think the site i had them on originally got taken down. for future reference, all the nanotoken builds/source is here. I know that's a weird url but i'm a cryptography enthusiast. the name means "hash-joke-7kilobytes"


http://ffe4hjk7kb.tk/Nanotoken.php

It doesn't work   
out of sync

It freezes halfway through downloading the chain. closing the client should solve the issue. I just synched the client on 3 different computers, no problems here. showing a difficulty of .2 atm, so it's possible that there could be a fork, but i don't see it on any of my clients or on the server. let me know if you need assistance.



I'm Korean.  my english is poor  sorry.
yes,these is a fork and out of sync
window qt  ,is it  work?


YES


can you contact https://www.coins-e.com/ to update the wallet?
i don't know how to contact him
i can't deposit nan

I just deposited 50 NAN an hour ago and it's in my account. perhaps you didn't delete the blockchain before you upgraded wallets?
1571  Alternate cryptocurrencies / Altcoin Discussion / Re: [Ann]Nanotokens 9/30/13 Launching again on: December 18, 2013, 09:46:02 PM
http://nanotokens.com/


Config File Settings
rpcuser=username
rpcpassword=strongpassword
rpcallowip=127.0.0.1
rpcport=7578
port=17578
daemon=1
server=1
gen=0
addnode=69.10.63.228
addnode=173.218.164.29
addnode=2.29.8.218
addnode=pool.800996.com


port=17578

The windows qt link is not the official client. the official client link is here:
https://drive.google.com/file/d/0B5V5vln-sS3EUnNXX2FncmxOS2c/edit?usp=sharing
1572  Alternate cryptocurrencies / Altcoin Discussion / Re: List of all cryptocoins on: December 18, 2013, 07:27:30 PM
Quark Coin needs to be put on the major list. It's a very promising alt coin and is definitely a major coin in the market right now. Also this list needs to be updated badly.

Quarkcoin is a scam and always will be.
1573  Alternate cryptocurrencies / Altcoin Discussion / I'm Stepping Down as Developer of Nanotokens on: December 18, 2013, 07:18:04 PM
The coin is back to life, and starting to generate a bit of interest. The folks at cryptsy wish to re add it and trade it once more, and I have received an offer to transfer my duties as lead developer. Camodude009 will be taking over the Nanotoken project. He has some exciting ideas and plans for making it a viable currency with real world services. I think this is a good move for the future of NAN, and more importantly it frees my time to focus on OpenEx and providing long term support on OSC.


Thanks and have a great one.
                         
           r3wt
1574  Alternate cryptocurrencies / Altcoin Discussion / Re: Dogecoin on Cryptsy? on: December 18, 2013, 07:50:40 AM
Those who have an idea, know that I am right. All these idiots, well you're just displaying your lack of knowledge, competence and thought.

Pay no attention to this guy, he just has a bad attitude because all his coins he has released basically died really quickly.

Just jealousy that's all.

I have no idea but if Hydroponica Muddafudda is trashing it, it might just have a chance.


~BCX


Spots dump your pussy arse or what??

Better go fix COL again. I hear its about to fork
1575  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Fee shares-[closed] on: December 18, 2013, 01:50:58 AM
the cpu's have arrived for our main server. it should be setup in 72 hours. then i will install the webserver and application and begin building and syncing the wallets. at the same time, justin will start the tradeserver and clear all the testing info from the database. we hope to launch by monday. woot! there may be some problems with the system at first, so we've setup the database to store every transaction and trade history in case of serious flaws, so that we will be able to roll back the db and restore balances in that situation should it arise.

thanks to the fee share holders who supported us and have helped make this dream a reality! i'm pretty excited about the future of this exchange.
1576  Alternate cryptocurrencies / Altcoin Discussion / Re: OpenEx: Progress Report- 91% complete on: December 17, 2013, 11:23:21 PM
The github is now up to date with the project.

https://github.com/r3wt/openex
1577  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] MemoryCoin 2.0 (MMC) - Now With Block Rewards! on: December 17, 2013, 09:53:34 PM
maybe build with UPNP support next time?


Actually managed to compile this one with UPNP, but haven't confirmed if it is working yet.

I don't think it is man. I haven't been able to get a connection yet. Don't take that as a failure on your part though, some coins just don't use UPNP well for some reason. i had the same problem with Nanotokens. When i get home in a little bit, i'm going to fork your repo, and investigate some small changes that should allow it to utilize upnp. i'll report back my findings.
1578  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN] MemoryCoin 2.0 (MMC) - Now With Block Rewards! on: December 17, 2013, 08:34:32 AM
maybe build with UPNP support next time?
1579  Alternate cryptocurrencies / Service Announcements (Altcoins) / Re: [ANN] CryptoAve | New USD/BTC Crypto Exchange | Testing Screenshots Up on: December 17, 2013, 06:08:02 AM
Just make sure that you have enough servers once released, unless you want to be Cryptsy 2.0.

hush right now kid,  the adults are speaking.
1580  Alternate cryptocurrencies / Announcements (Altcoins) / Re: [ANN][Exchange] Latest Cryptsy Additions, News and announcements. NEW SITE on: December 17, 2013, 02:37:13 AM
Maybe I am just lucky because I have had zero issues with Cryptsy other than some lag.


~BCX~

I've had zero issues as well. coincidentally, i haven't been trading since the last time it took 3 days to withdraw bitcoin