[Pre Alpha] PHPCoin

I'm starting a new project to go GPL OpenSource, I named it PHPCoin.

Here's the draft idea:

Basically it is a PHP frontend to bitcoind, which can be used for the local user or in a multiuser (mybitcoin-like) environment, operating as a bitcoin concentrator.
The modular system will allow also to attach modules as MtGox/TradeHill/etc analyzers.
The cron system will allow features as recurring payments or coin forwarding.
Allows creation of multiple accounts for the same user. Say: Account 1 - regular account, Account 2 - savings account... and so on. Each account will have different bitcoin addresses.
Bitcoin transactions are all moved to a central account, the movements and balance are recorded and managed by MySQL.

So far I'm finishing the login and register functions, but need a designer's help. If you interested, PM me.

As password security is the subject of the moment, due that MtGox thing, here's my system's function for it:

Code:

<?php
       $salt = md5(rand().$name.microtime());
       $passh = hash("ripemd160",$pass.$salt);
       mysql_query("INSERT INTO users(user,pass,name,email) VALUES('$user','$passh','$name','$email')");
       $myuid = mysql_insert_id();
       mysql_query("INSERT INTO salt(uid,salt) VALUES($myuid,'$salt')");
       $success = "You're now registered to this system";
?>

Pre-Alpha can be downloaded from:

http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip

Is there a 1 - 1 ratio of gambling apps to developers in the BtC Community? hehe

Are you just looking for a designer? or other PHP programmers?

Im looking for projects

What is the eventual goal/vision of this project? Sounds interesting.

By now just someone with good design skills, later, as I publish it to GitHUB or SourceForge, PHP developers may join too. At this stage would mess up a bit as we may use different coding ways, making it inconsistent.

The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba for an instance), or served in the web for services like MyBitcoin.

Quote from: BCEmporium on July 14, 2011, 01:50:32 PM

Been looking for something like this for quite a while,
please let us know when its up.

Cheers

Quote from: BCEmporium on July 14, 2011, 12:26:06 PM

As password security is the subject of the moment, due that MtGox thing, here's my system's function for it:

Code:

<?php
       $salt = md5(rand().$name.microtime());
       $passh = hash("ripemd160",$pass.$salt);
       mysql_query("INSERT INTO users(user,pass,name,email) VALUES('$user','$passh','$name','$email')");
       $myuid = mysql_insert_id();
       mysql_query("INSERT INTO salt(uid,salt) VALUES($myuid,'$salt')");
       $success = "You're now registered to this system";
?>

Your method is not good enough (not mentioning it seems you are not escaping properly variables when passing them to mysql).

I could do 50000 iterations of ripemd160 in 94.16ms without any optimization. I'd suggest you at least add some iterations to make bruteforcing harder.

Hi M'Tux,

Yes, to go live on internet with this system I intend to create some modules, changing passwords to SHA, enforce SSL and add captchas to prevent brutteforcing.

About SQLi, vars are passed this way:

Code:

<?php
isset($_POST['user']) && trim($_POST['user']) ? $user = makeSQLSafe(trim($_POST['user'])) : $e[] = "Username missing!";
//... which means to call the function bellow
  function makeSQLSafe($str){
      if(get_magic_quotes_gpc()) $str = stripslashes($str);
      return mysql_real_escape_string($str);
  }
?>

Quote from: BCEmporium on July 15, 2011, 01:01:24 AM

Code:

<?php
isset($_POST['user']) && trim($_POST['user']) ? $user = makeSQLSafe(trim($_POST['user'])) : $e[] = "Username missing!";
//... which means to call the function bellow
  function makeSQLSafe($str){
      if(get_magic_quotes_gpc()) $str = stripslashes($str);
      return mysql_real_escape_string($str);
  }
?>

Got any screen shots?

How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...

Quote from: SgtSpike on July 15, 2011, 07:32:05 AM

How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...

What is bitcoin-php? The only thing I know by such name is a class.

@smoothie

Not yet. Will put as soon as the basic functions are done. I'm around editing own account at the moment.

Quote from: BCEmporium on July 14, 2011, 12:26:06 PM

I'm starting a new project to go GPL OpenSource, I named it PHPCoin.

Great! The PHP/bitcoin world needs more open source projects.

Quote from: BCEmporium on July 14, 2011, 01:50:32 PM

With all due respect: Good intentions are nice, but released code is what makes an open source project alive.

Release the code early and often. Don't worry about ugly code, don't worry about bugs. Those things can and will be fixed down the road. Nothing will get messed up.

DO worry about your project turning into vaporware if you don't release code soon.

If you're interested in browsing some bitcoin-related PHP open source projects:

https://github.com/mikegogulski/bitcoin-php
- Bitcoin library for PHP
- a basic PHP class for interacting with bitcoind
- Hasn't been updated for a while, but still usable

https://github.com/zamgo/bitcoin-webskin
- an open source PHP web interface to bitcoind
- my own project Wink

and a lot more out there on github and other places...

While start to draft the most important part of the site, the CRON, here're two screens of it so far:

Let me explain also how I had this idea: I want to move my coins to a "minimalistic" Debian VM, and this is a way to access and manage the wallet on that VM.

Quote from: MagicalTux on July 15, 2011, 12:01:40 AM

Your method is not good enough...

But your method was.. Roll Eyes

Too bad people only learn after the trouble... Tongue

Quote from: BCEmporium on July 15, 2011, 01:01:24 AM

Even though your way is secure (as long as you remember to call your function on all the values) I'd recommend using prepared statements with PDO, much cleaner and safer. Take a look on the PHP manual for more info.

Well, this could be extremely useful for a project I have coming up! Here's to hoping you get it finished up soon.

Quote from: naturallaw on July 15, 2011, 04:04:07 PM

PDO requires PDO and PECL, that's already alone dirtiest than dirt can be. Wink

As I'm off now for a while, here's the incomplete code of the cron (it should run like each 5 minutes by php-cgi or so), hope this already gives you a better clue of what I'm working on:

Code:

<?php
  define("_V",1);
  //This file must NOT be accessible from the Web!
  $coin_install_path = "/web/default/public_html";
  include($coin_install_path ."/sys/config.php");
  include($coin_install_path ."/inc/general_functions.php");
  error_reporting(E_ALL);
  ini_set("display_errors",1);
  include($coin_install_path ."/classes/jsonRPCClient.php");
  
  //Starting CRON sequence
  
  $b = new jsonRPCClient("http://$btc_user:$btc_pass@127.0.0.1:8332");
  
  //Checking for new deposits
  $accounts = $b->listaccounts((int)$config['confirmations']['value']);
  
  foreach($accounts as $k => $a){
      if($a == 0) continue; //Nothing to do
      $acc = explode("_",$k);
      if(!is_array($acc) || sizeof($acc) != 3) continue; //Invalid account identifier
      //Get the account
      $sql = "SELECT * FROM accounts WHERE uid = {$acc[1]} AND account_id = {$acc[2]}";
      $q = mysql_query($sql);
      if(!mysql_num_rows($q)) continue; //Account not found
      $act = mysql_fetch_assoc($q);
      $b->move($k,$config['central_account']['value'],$a);
      $prevBal = 0;
      $sql = "SELECT balance FROM movements WHERE account_id = {$act['id']} ORDER BY id DESC LIMIT 0,1";
      $q = mysql_query($sql);
      if(mysql_num_rows($q)){
          $pbal = mysql_fetch_assoc($q);
          $prevBal = $pbal['balance'];
      }
      $newBal = $prevBal + $a;
      mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Bitcoin deposit',$a,1,$newBal)");
      mysql_query("UPDATE accounts SET balance = balance + $a WHERE id = {$act['id']}");
      
      //Check if account is forwarded
      if($act['forward'] == 1){
          $isValid = $b->validateaddress($act['forward_to']);
          if($isValid['isvalid'] != 1){
              $invBTC = makeSQLSafe($act['forward_to']);
              mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid address to forward your deposits to :: $invBTC. Amount remains in your account!')");
          }elseif($isValid['ismine'] == 1){
              //It's forward to a local address, so we just move the balance
              $recAct = explode("_",$isValid['account']);
              
              if(!is_array($recAct) || sizeof($recAct) != 3){
                mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account is not an user account :: $invBTC. Amount remains in your account!')");    
              }else{
                $sql = "SELECT * FROM accounts WHERE uid = {$recAct[1]} AND account_id = {$recAct[2]}";
                $q = mysql_query($sql);
                if(!mysql_num_rows($q)){
                    mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account not found :: $invBTC. Amount remains in your account!')");                            
                }else{
                    $receiver = mysql_fetch_assoc($q);  
                    $nextBal = $newBal - $a;    
                    mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Forward to {$act['forward_to']}',$a,0,$nextBal)");
                    mysql_query("UPDATE accounts SET balance = balance - $a WHERE id = {$act['id']}"); 
                    //A small issue; re-forwarded accounts will not forward to prevent loop attacks.
                    
                    
                    
                }
              }
          }
         // $nextBal = $newBal - $a;
         // $b->sendfrom();
      }
  }
?>

Will it be usable to mine namecoins too? Shocked

This salt method of storing passwords would still leave you open to the same type attack MtGox had. If the attack is based on getting a copy of the database, every account in database is at risk with current code.

Best option is two-factor auth. (ubikey, RSA key)

@btcash,

The project is open source, when I release it you're welcome to implement whatever procedure to store passwords you want.

@smoothie

This isn't usable to mine anything, it's a storage frontend, not a mining one. Can be used, with some changes, to store namecoins also.

Quote from: BCEmporium on July 15, 2011, 04:20:55 PM

PDO requires PDO and PECL, that's already alone dirtiest than dirt can be. Wink

PHP 5.1.0 and newer comes with PDO already.

@AnnihilaT I keep saying the most important feature of password security is you to *know* your db was compromised, encryption will only make you gain some time to do something about... but they don't believe it.

Now... while waiting another deposit to get 6 blocks, to test deposit forwarding, here're some screens of what has been made so far:

Database "config" table look:

Roadmap to PreAlpha: Withdraw functions - once done I'll pre-release it by my website. Alpha will be at SourceForge or GitHUB