bitfreak!'s BTC-SCI

[jopo]

Hey guys,

i'm trying to get bitfreak!'s SCI running (actually on my local XAMPP). But when I try to donate something it doesn't show anything else than a white page. When i remove this part from the payment.php it shows the deposit address.

Code:

// check for potential errors before proceeding
if (empty($_GET['u'])) {

  $check_result = bitsci::check_payment($_SESSION['total_price'], $pubAdd, $confirm_num);

  if ($check_result === 'e1') {
    invalid_input('Block Explorer API is offline. Please try again later.');
  } elseif ($check_result === 'e2') {
    invalid_input('The address is corrupt. Please go back and try again.');
  } elseif ($check_result === 'e3') {
    invalid_input('An unknown error occured. Please try again later.');
  } elseif ($check_result === true) {
    confirm_transaction('ipn-control.php?sid='.$sid, $pubAdd, $sec_str);
  }
}

What is wrong in this part? And: It doesn't generate a private key into the CSV-File.

Hope you can help me getting this thing running,

thanks alot,

- jopo

[mjc]

This is not an answer to your question, just an observation.

You are checking those parameters right?  Other wise someone could attack your system by injecting commands into your script.

You are concatenating user parameters into your code.  Particularly the sid parameter.  The way is written its ripe for a remote file include.

Not a perfect example but relevane
https://www.owasp.org/index.php/Top_10_2007-Malicious_File_Execution