BTW, those "hacker forums" are normally like those guys who finish high school virgins; they make the hardest and most long shot attack look like the easiest thing around, yet they never actually did any, just like those boys who never actually got anyone but will jump on claim to had half of the school girls.

Ok, lets state some facts that i found:

1) Entire system is exploitable with XSS.
2) Entire system lacks CSRF protection.
3) Messy structure, mixed frontend/backend could lead to mistakes and issues.
4) Stupid not to filter _ALL_ inputs, not just the ones that does SQL-queries. (It's easier and safer)
6) Never ever trust ANYTHING a user enters. That includes amounts(!) and lengths of all inputs.
6.1) I've seen DDoS attacks with users entering huge amount of data to make the server do 50000 hashes on a string thats a couple of MBs.

For fuck sake, cannot SOMEONE learn to develop correctly structured PHP?
It's not _THAT_ hard. Implement a MVC structure or base the project on some open source frameword (CI, Symfony, Zend or whatever)
This will also take care of 90% of the security you guys are talking about.

CI have a neat implementation of prepared statments (that's really easy to use) and Symfony/Zend have similar ORM's.

Advices from someone that have actually developed PHP for the past.... many years.

I was going to donate, but it looks like you guys have earned over your ransom amount! 

doesnt work to good. i just use mtgox calculator. but good job anyways

I don't understand your derp...   Bitcoin Forum is running on SMF...

other way around. like how much money equals bitcoins minus fee.

Here is my second full month bill.  I started with 3 cards on May 29 and gradually built up to 25 cards today.

I... I...

No. Just no. 

Any mirror for that video? It says the user deleted it 

I'd rather see Paypal and eBay die a horrible, horrible death.

No, that line means:

If no account is selected, then select <account Prefix from config>_<user id>_<first account - which is ALWAYS 1>

if you do this, and taken $account_id isn't set, will mean PC_1_<nothing here... empty>

Just created a GitHub repo: https://github.com/BCEmporium/PHPCoin

@Xephan;
Fair enough, I'm not up to waste time in those sort of discussions. But to the end, if one gets your db, other than a dump:

mysql_query("UPDATE users SET `password` = '$mynewHash' WHERE uid = $target_id");

or, moving with money:

mysql_query("UPDATE users SET `balance` = 10000000 WHERE uid = $my_id");

Bottom line, "assuming that someone can get the database" isn't security. If someone gets the db is already too late... only solution probably: sudo /etc/init.d/mysql stop && shutdown -hP now

 if(!isset($_SESSION['btaccount'])) $_SESSION['btaccount'] = $config['account_prefix']['value'] ."_" . $_SESSION['id'] . "_1";

Sorry... damn! Changing OS is a pain 
Tried with VirtualBox to fire my Debian VM, but it was eating 100% CPU, means this was slower than a turtle with a broken leg. Then software; 1st try: Geany, now trying Aptana Studio. Coding the Admin block now.

are you the same guy that scammed me over $800? can you please fukin pay me that amount back? and even if you're not him, can you pay me that amount back anyways for his actions? all scammers are the same to me. it left a really bitter taste in my mouth paying with non-reversible bitcoins to purchase items. that was my very first BTC transaction too