Bitcoin Forum
December 15, 2024, 04:56:06 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Accept Bitcoin easily and save the blockchain. Use Inputs.io  (Read 3133 times)
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 03, 2013, 12:35:54 PM
Last edit: July 30, 2013, 11:44:33 PM by TradeFortress
 #1

It takes 30 seconds to register for an Inputs.io account. It takes about 5 minutes to start accepting Bitcoin.

Assuming you have an average LAMP (linux apache mysql php) website, with a MySQL database of users and their balances, this script will work for you - name it callback.php and set the full path as your callback:

Quote
$mysqli = new mysqli("localhost", "user", "password", "databasename");
$apikey = "my_api_key";
$pin = "1234";
if($_SERVER["REMOTE_ADDR"] == "50.116.37.202"){
   if(isset($_GET["note"])){
      $note = $mysqli->real_escape_string($_GET["note"]);
      $amount = $mysqli->real_escape_string($_GET["amount"]);
      $userExistsQ = $mysqli->query("SELECT COUNT(*) FROM users WHERE username='$note'");
      if($userExistsQ->fetch_row()[0] === "0"){
         // user does not exist. send the coins back
         $sendBackTo = urlencode($_GET["from"]);
         $returnNote = urlencode("Error: Username not found. Please include exactly your username in the notes field.");
         $url = "https://inputs.io/api?key=$apikey&action=send&address=$sendBackTo&amount={$_GET['amount']}&note=$returnNote&pin=$pin";
         if(substr($note, 0, 7) != "Error: "){
            // do not callback error messages
            file_get_contents($url);
         }
      } else {
         $mysqli->query("UPDATE users SET balance=balance+$amount WHERE username='$note'");
      }
      echo "*OK*";
   } else {
      // Someone sent to our Bitcoin address. This shouldn't happen if we don't post it anywhere.
   }
}

For more info, see our API. https://inputs.io/api

Feel free to ask any questions here or to support@inputs.io
Jaxkr
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


View Profile
July 03, 2013, 12:54:57 PM
 #2

It takes 30 seconds to register for an Inputs.io account. It takes about 5 minutes to start accepting Bitcoin.

Assuming you have an average LAMP (linux apache mysql php) website, with a MySQL database of users and their balances, this script will work for you - name it callback.php and set the full path as your callback:

Quote
$mysqli = new mysqli("localhost", "user", "password", "databasename");
$apikey = "my_api_key";
$pin = "1234";
if($_SERVER["REMOTE_ADDR"] == "50.116.37.202"){
   if(isset($_GET["note"])){
      $note = $mysqli->real_escape_string($_GET["note"]);
      $amount = $mysqli->real_escape_string($_GET["amount"]);
      $userExistsQ = $mysqli->query("SELECT COUNT(*) FROM users WHERE username='$note'");
      if($userExistsQ->fetch_row()[0] === "0"){
         // user does not exist. send the coins back
         $sendBackTo = urlencode($_GET["from"]);
         $returnNote = urlencode("Error: Username not found. Please include exactly your username in the notes field.");
         $url = "https://inputs.io/api?key=$apikey&action=send&address=$sendBackTo&amount={$_GET['amount']}&note=$returnNote&pin=$pin";
         if(substr($note, 0, 7) != "Error: "){
            // do not callback error messages
            file_get_contents($url);
         }
      } else {
         $mysqli->query("UPDATE users SET balance=balance+$amount WHERE username='$note'");
      }
   } else {
      // Someone sent to our Bitcoin address. This shouldn't happen if we don't post it anywhere.
   }
}

For more info, see our API. https://inputs.io/api

Feel free to ask any questions here or to support@inputs.io
What safety features are in place to unsure you don't steal money? Client side crypto or something else.
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 04, 2013, 12:14:03 AM
 #3

All APIs have access to your private key - including Blockchain.info
lexxus
Sr. Member
****
Offline Offline

Activity: 309
Merit: 250


View Profile
July 04, 2013, 05:53:56 AM
 #4

All APIs have access to your private key - including Blockchain.info

That doesn't mean it should stay like this forever, right?
K1773R
Legendary
*
Offline Offline

Activity: 1792
Merit: 1008


/dev/null


View Profile
July 04, 2013, 05:59:58 AM
 #5

haha, look at this:
Code:
$returnNote = urlencode("Error: Username not found. Please include exactly your username in the notes field.");
there is alot to encode! typicall do magic developers  Angry

[GPG Public Key]
BTC/DVC/TRC/FRC: 1K1773RbXRZVRQSSXe9N6N2MUFERvrdu6y ANC/XPM AK1773RTmRKtvbKBCrUu95UQg5iegrqyeA NMC: NK1773Rzv8b4ugmCgX789PbjewA9fL9Dy1 LTC: LKi773RBuPepQH8E6Zb1ponoCvgbU7hHmd EMC: EK1773RxUes1HX1YAGMZ1xVYBBRUCqfDoF BQC: bK1773R1APJz4yTgRkmdKQhjhiMyQpJgfN
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 04, 2013, 12:17:45 PM
 #6

haha, look at this:
Code:
$returnNote = urlencode("Error: Username not found. Please include exactly your username in the notes field.");
there is alot to encode! typicall do magic developers  Angry
This takes less than milliseconds.
joele
Legendary
*
Offline Offline

Activity: 1022
Merit: 1000



View Profile
July 24, 2013, 03:04:10 PM
 #7

Do members have a copy of the private key?
Mooshire
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250



View Profile
July 24, 2013, 09:11:49 PM
 #8

Do members have a copy of the private key?

No.

joele
Legendary
*
Offline Offline

Activity: 1022
Merit: 1000



View Profile
July 24, 2013, 11:25:26 PM
 #9

Do members have a copy of the private key?

No.

What if site goes down then our bitcoin is inaccessible at the same time.
Mooshire
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250



View Profile
July 25, 2013, 01:53:16 AM
 #10

Do members have a copy of the private key?

No.

What if site goes down then our bitcoin is inaccessible at the same time.


That's the risk you take.

🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 25, 2013, 11:29:37 PM
 #11

You can minimize this risk by simply automatically sweeping your coins to your own address.
BitPirate
Full Member
***
Offline Offline

Activity: 238
Merit: 100


RMBTB.com: The secure BTC:CNY exchange. 0% fee!


View Profile
July 26, 2013, 06:01:27 AM
 #12

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.

🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 26, 2013, 06:10:53 AM
 #13

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.
Just like how sending coins away is just as simple as a JSON-RPC request..

Read-access to a server does give you wallet.dat
BitPirate
Full Member
***
Offline Offline

Activity: 238
Merit: 100


RMBTB.com: The secure BTC:CNY exchange. 0% fee!


View Profile
July 26, 2013, 06:17:48 AM
Last edit: July 26, 2013, 06:50:49 AM by BitPirate
 #14

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.
Just like how sending coins away is just as simple as a JSON-RPC request..

Read-access to a server does give you wallet.dat

Not on any server I would be doing business with!

Sending coins out should only be initiated by a trusted user. That might come at the expense of easy automation, but said automation comes at the expense of losing all your coins.

If that API key and PIN are the only things needed to spirit away coins, they have no business sitting together in a file -- conveniently next to the URL for making it happen. They belong in someone's head.

If you want to automate, you can use a hot wallet, but it looks like this wallet will be receiving coins directly from customers?

EDIT: Sorry for coming across a bit harsh, I don't mean to be a dick -- but as you say, this is intended for the "average lamp" website. Such sites normally have a massive attack surface -- they can't also contain the customer's "crown jewels", which is what this script is. :-)

Jaxkr
Sr. Member
****
Offline Offline

Activity: 420
Merit: 250


View Profile
July 26, 2013, 06:18:25 AM
 #15

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.
Just like how sending coins away is just as simple as a JSON-RPC request..

Read-access to a server does give you wallet.dat
Not if the wallet.dat is encrypted.
Using inputs.io is no where near as secure as an encrypted bitcoind instance over RPC.
super3
Legendary
*
Offline Offline

Activity: 1094
Merit: 1006


View Profile WWW
July 26, 2013, 07:48:16 PM
 #16

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.
Just like how sending coins away is just as simple as a JSON-RPC request..

Read-access to a server does give you wallet.dat
Not if the wallet.dat is encrypted.
Using inputs.io is no where near as secure as an encrypted bitcoind instance over RPC.
Is there a service that offers bitcoind instances on a VPS? Might be something to look into.

Bitcoin Dev / Storj - Decentralized Cloud Storage. Winner of Texas Bitcoin Conference Hackathon 2014. / Peercoin Web Lead / Primecoin Web Lead / Armory Guide Author / "Am I the only one that trusts Dogecoin more than the Federal Reserve?"
🏰 TradeFortress 🏰 (OP)
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 27, 2013, 12:50:50 AM
 #17

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.
Just like how sending coins away is just as simple as a JSON-RPC request..

Read-access to a server does give you wallet.dat
Not if the wallet.dat is encrypted.
Using inputs.io is no where near as secure as an encrypted bitcoind instance over RPC.
Where is the password stored in? On the same server? Back to where you started.

On a different server? How do you get the password from the different server? Using automated functions on the same server? Back to where you started.
Mooshire
Sr. Member
****
Offline Offline

Activity: 322
Merit: 250



View Profile
July 27, 2013, 02:33:44 AM
 #18

osnap

BitPirate
Full Member
***
Offline Offline

Activity: 238
Merit: 100


RMBTB.com: The secure BTC:CNY exchange. 0% fee!


View Profile
July 30, 2013, 09:43:12 AM
Last edit: July 30, 2013, 09:58:40 AM by BitPirate
 #19

Bloody hell, finding this on someone's server would be a goldmine!

So sending coins away is as simple as one GET request? The wrong people will be drooling over this.

Unless I'm misunderstanding something, I strongly recommend you forget about advising people to automatically return funds to non-existent users, and strip all that stuff out. Read-access to a server shouldn't result in this kind of compromise.
Just like how sending coins away is just as simple as a JSON-RPC request..

Read-access to a server does give you wallet.dat
Not if the wallet.dat is encrypted.
Using inputs.io is no where near as secure as an encrypted bitcoind instance over RPC.
Where is the password stored in? On the same server? Back to where you started.

On a different server? How do you get the password from the different server? Using automated functions on the same server? Back to where you started.

So, you do understand the problem then! That password should never be stored on the client server, unless they are willing to take the risk to lose those BTC. Perhaps, at a stretch, they could store it in a TPM on a dedicated server. We expect tight security for CC payments, why accept anything less for Bitcoin?

I don't think this can be understated: Merchants must not store something on their server that would allow their customer's bitcoins to be trivially stolen. This is a web server we're talking about, not a vault. The server probably has a bunch of other (insecure) sites hosted on it. haven't we learned anything from all the Bitcoin hacks? e-commerce providers should be aspiring to higher security than this.

I looked at your other posts, you seem to know your stuff -- so you know that you should be promoting layers of security -- inbound customer coins should go to a cold wallet, and concerns should be separated -- give each process the minimum required permission it needs to perform it's job, and don't let it exceed those bounds. A coin receiver callback does not need to know how to send coins.

EDIT: Oh... and you missed the "OK" in the above script.
EDIT2: And you should really do $userExistsQ->free()

domob
Legendary
*
Offline Offline

Activity: 1136
Merit: 1170


View Profile WWW
July 30, 2013, 10:02:46 AM
 #20

EDIT2: And you should really do $userExistsQ->free()

Funnily, this is something I see very, very frequently in PHP code written by others.  I'm not sure whether it is just lazyness or caused by lots (?) of PHP programmers who didn't ever use a non-garbage-collected language where free'ing memory is inherent to the language much more than in PHP.

Use your Namecoin identity as OpenID: https://nameid.org/
Donations: 1domobKsPZ5cWk2kXssD8p8ES1qffGUCm | NMC: NCdomobcmcmVdxC5yxMitojQ4tvAtv99pY
BM-GtQnWM3vcdorfqpKXsmfHQ4rVYPG5pKS | GPG 0xA7330737
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!