BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 14, 2011, 12:26:06 PM Last edit: July 17, 2011, 04:00:49 PM by BCEmporium
I'm starting a new project to go GPL OpenSource; I named it PHPCoin. Here's the draft idea:

Basically it is a PHP frontend to bitcoind, which can be used by the local user or in a multiuser (MyBitcoin-like) environment, operating as a bitcoin concentrator. The modular system will also allow attaching modules such as MtGox/TradeHill/etc. analyzers. The cron system will allow features such as recurring payments or coin forwarding. It allows creation of multiple accounts for the same user, say: Account 1 - regular account, Account 2 - savings account... and so on. Each account will have different bitcoin addresses. Bitcoin transactions are all moved to a central account; the movements and balance are recorded and managed by MySQL.

So far I'm finishing the login and register functions, but need a designer's help. If you're interested, PM me.

As password security is the subject of the moment, due to that MtGox thing, here's my system's function for it:

<?php
$salt = md5(rand().$name.microtime());
$passh = hash("ripemd160",$pass.$salt);
mysql_query("INSERT INTO users(user,pass,name,email) VALUES('$user','$passh','$name','$email')");
$myuid = mysql_insert_id();
mysql_query("INSERT INTO salt(uid,salt) VALUES($myuid,'$salt')");
$success = "You're now registered to this system";
?>
Pre-Alpha can be downloaded from: http://www.bcommerce.biz/phpcoin-pre-alpha-release.zip
RJau
Member
Offline
Activity: 74
Merit: 10
July 14, 2011, 01:45:46 PM
Is there a 1 - 1 ratio of gambling apps to developers in the BTC community? hehe
Are you just looking for a designer? Or other PHP programmers? I'm looking for projects.
What is the eventual goal/vision of this project? Sounds interesting.
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 14, 2011, 01:50:32 PM
By now just someone with good design skills; later, as I publish it to GitHub or SourceForge, PHP developers may join too. At this stage it would mess things up a bit, as we may use different coding styles, making it inconsistent.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba, for instance), or served on the web for services like MyBitcoin.
idev
July 14, 2011, 08:05:27 PM
Quote from: BCEmporium
By now just someone with good design skills; later, as I publish it to GitHub or SourceForge, PHP developers may join too. At this stage it would mess things up a bit, as we may use different coding styles, making it inconsistent.
The overall goal is to provide an OpenSource system able to be used locally (like SWAT for Samba, for instance), or served on the web for services like MyBitcoin.

Been looking for something like this for quite a while; please let us know when it's up. Cheers
MagicalTux
VIP
Hero Member
Offline
Activity: 608
Merit: 501
July 15, 2011, 12:01:40 AM
Quote from: BCEmporium
As password security is the subject of the moment, due to that MtGox thing, here's my system's function for it:

<?php
$salt = md5(rand().$name.microtime());
$passh = hash("ripemd160",$pass.$salt);
mysql_query("INSERT INTO users(user,pass,name,email) VALUES('$user','$passh','$name','$email')");
$myuid = mysql_insert_id();
mysql_query("INSERT INTO salt(uid,salt) VALUES($myuid,'$salt')");
$success = "You're now registered to this system";
?>

Your method is not good enough (not to mention that it seems you are not properly escaping variables when passing them to mysql). I could do 50000 iterations of ripemd160 in 94.16ms without any optimization. I'd suggest you at least add some iterations to make bruteforcing harder.
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 15, 2011, 01:01:24 AM
Hi M'Tux,

Yes, to go live on the internet with this system I intend to create some modules, changing passwords to SHA, enforcing SSL and adding captchas to prevent bruteforcing.

About SQLi, vars are passed this way:

<?php
isset($_POST['user']) && trim($_POST['user']) ? $user = makeSQLSafe(trim($_POST['user'])) : $e[] = "Username missing!";
//... which means to call the function below
function makeSQLSafe($str){
    if(get_magic_quotes_gpc()) $str = stripslashes($str); //undo magic_quotes so the value is not escaped twice
    return mysql_real_escape_string($str);
}
?>
smoothie
Legendary
Offline
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
July 15, 2011, 07:27:06 AM
Quote from: BCEmporium
Hi M'Tux,

Yes, to go live on the internet with this system I intend to create some modules, changing passwords to SHA, enforcing SSL and adding captchas to prevent bruteforcing.

About SQLi, vars are passed this way:

<?php
isset($_POST['user']) && trim($_POST['user']) ? $user = makeSQLSafe(trim($_POST['user'])) : $e[] = "Username missing!";
//... which means to call the function below
function makeSQLSafe($str){
    if(get_magic_quotes_gpc()) $str = stripslashes($str);
    return mysql_real_escape_string($str);
}
?>

Got any screen shots?
★☆ WWW.LEALANA.COM My PGP fingerprint is A764D833. History of Monero development Visualization ★☆ LEALANA BITCOIN GRIM REAPER SILVER COINS.
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
July 15, 2011, 07:32:05 AM
How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 15, 2011, 11:24:28 AM
Quote from: SgtSpike
How will this be different from bitcoin-php? I guess your description is generic enough that I don't quite understand what the purpose of it is...

What is bitcoin-php? The only thing I know by such a name is a class.

@smoothie Not yet. Will put some up as soon as the basic functions are done. I'm working on own-account editing at the moment.
zamgo
Newbie
Offline
Activity: 32
Merit: 0
July 15, 2011, 11:46:30 AM
Quote from: BCEmporium
I'm starting a new project to go GPL OpenSource; I named it PHPCoin.

Great! The PHP/bitcoin world needs more open source projects.

Quote from: BCEmporium
By now just someone with good design skills; later, as I publish it to GitHub or SourceForge, PHP developers may join too. At this stage it would mess things up a bit, as we may use different coding styles, making it inconsistent.

With all due respect: good intentions are nice, but released code is what makes an open source project alive. Release the code early and often. Don't worry about ugly code, don't worry about bugs. Those things can and will be fixed down the road. Nothing will get messed up. DO worry about your project turning into vaporware if you don't release code soon.

If you're interested in browsing some bitcoin-related PHP open source projects:
https://github.com/mikegogulski/bitcoin-php - Bitcoin library for PHP - a basic PHP class for interacting with bitcoind - hasn't been updated for a while, but still usable
https://github.com/zamgo/bitcoin-webskin - an open source PHP web interface to bitcoind - my own project
and a lot more out there on github and other places...
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 15, 2011, 02:37:56 PM
While starting to draft the most important part of the site, the CRON, here are two screens of it so far:

Let me also explain how I had this idea: I want to move my coins to a "minimalistic" Debian VM, and this is a way to access and manage the wallet on that VM.
Raoul Duke
aka psy
Legendary
Offline
Activity: 1358
Merit: 1002
July 15, 2011, 03:17:44 PM
Quote from: MagicalTux
Your method is not good enough...

But your method was... Too bad people only learn after the trouble...
naturallaw
Newbie
Offline
Activity: 56
Merit: 0
July 15, 2011, 04:04:07 PM
Quote from: BCEmporium
Hi M'Tux,
Yes, to go live on the internet with this system I intend to create some modules, changing passwords to SHA, enforcing SSL and adding captchas to prevent bruteforcing.
About SQLi, vars are passed this way:

Even though your way is secure (as long as you remember to call your function on all the values), I'd recommend using prepared statements with PDO; much cleaner and safer. Take a look at the PHP manual for more info.
SgtSpike
Legendary
Offline
Activity: 1400
Merit: 1005
July 15, 2011, 04:07:31 PM
Well, this could be extremely useful for a project I have coming up! Here's to hoping you get it finished up soon.
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 15, 2011, 04:20:55 PM
Quote from: naturallaw
Even though your way is secure (as long as you remember to call your function on all the values), I'd recommend using prepared statements with PDO; much cleaner and safer. Take a look at the PHP manual for more info.

PDO requires PDO and PECL; that alone is already dirtier than dirt can be.

As I'm off now for a while, here's the incomplete code of the cron (it should run about every 5 minutes via php-cgi or so); hope this already gives you a better clue of what I'm working on:

<?php
define("_V",1); //This file must NOT be accessible from the Web!
$coin_install_path = "/web/default/public_html";
include($coin_install_path ."/sys/config.php");
include($coin_install_path ."/inc/general_functions.php");
error_reporting(E_ALL);
ini_set("display_errors",1);
include($coin_install_path ."/classes/jsonRPCClient.php");

//Starting CRON sequence
$b = new jsonRPCClient("http://$btc_user:$btc_pass@127.0.0.1:8332");

//Checking for new deposits: one bitcoind account per (uid, account_id) pair
$accounts = $b->listaccounts((int)$config['confirmations']['value']);
foreach($accounts as $k => $a){
    if($a == 0) continue; //Nothing to do
    $acc = explode("_",$k);
    if(!is_array($acc) || sizeof($acc) != 3) continue; //Invalid account identifier

    //Get the account
    $sql = "SELECT * FROM accounts WHERE uid = {$acc[1]} AND account_id = {$acc[2]}";
    $q = mysql_query($sql);
    if(!mysql_num_rows($q)) continue; //Account not found
    $act = mysql_fetch_assoc($q);

    //Sweep the deposit into the central bitcoind account; from here on the user's balance lives in MySQL
    $b->move($k,$config['central_account']['value'],$a);

    //Running balance = last movement's balance + this deposit
    $prevBal = 0;
    $sql = "SELECT balance FROM movements WHERE account_id = {$act['id']} ORDER BY id DESC LIMIT 0,1";
    $q = mysql_query($sql);
    if(mysql_num_rows($q)){
        $pbal = mysql_fetch_assoc($q);
        $prevBal = $pbal['balance'];
    }
    $newBal = $prevBal + $a;
    mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Bitcoin deposit',$a,1,$newBal)");
    mysql_query("UPDATE accounts SET balance = balance + $a WHERE id = {$act['id']}");

    //Check if account is forwarded
    if($act['forward'] == 1){
        $isValid = $b->validateaddress($act['forward_to']);
        //Escaped once here: forward_to is user supplied and is used in every message and movement below
        $invBTC = makeSQLSafe($act['forward_to']);
        if($isValid['isvalid'] != 1){
            mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid address to forward your deposits to :: $invBTC. Amount remains in your account!')");
        }elseif($isValid['ismine'] == 1){
            //It's forwarded to a local address, so we just move the balance
            $recAct = explode("_",$isValid['account']);
            if(!is_array($recAct) || sizeof($recAct) != 3){
                mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account is not an user account :: $invBTC. Amount remains in your account!')");
            }else{
                $sql = "SELECT * FROM accounts WHERE uid = {$recAct[1]} AND account_id = {$recAct[2]}";
                $q = mysql_query($sql);
                if(!mysql_num_rows($q)){
                    mysql_query("INSERT INTO messages(`uid`,`dtime`,`message`) VALUES({$acc[1]},'".date("Y-m-d H:i:s")."','ERROR Invalid account to forward your deposits to - local account not found :: $invBTC. Amount remains in your account!')");
                }else{
                    $receiver = mysql_fetch_assoc($q); //(draft) crediting $receiver is not written yet
                    $nextBal = $newBal - $a;
                    mysql_query("INSERT INTO movements(`account_id`,`dtime`,`description`,`amount`,`credit`,`balance`) VALUES({$act['id']},'".date("Y-m-d H:i:s")."','Forward to $invBTC',$a,0,$nextBal)");
                    mysql_query("UPDATE accounts SET balance = balance - $a WHERE id = {$act['id']}");
                    //A small issue; re-forwarded accounts will not forward to prevent loop attacks.
                }
            }
        }
        // $nextBal = $newBal - $a;
        // $b->sendfrom();
    }
}
?>
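The forwarding branch of the cron above follows one hop and, per its own comment, refuses to re-forward so that accounts pointing at each other cannot loop. As an added example (not PHPCoin's code), here is that rule made explicit: account keys are validated as the three-part `prefix_uid_accountid` pattern the cron `explode()`s (the cron interpolates `$acc[1]` and `$acc[2]` into SQL unescaped, so rejecting anything non-numeric is the cheap check to add), and the forward chain is walked with a visited set and a hop limit so a cycle is reported rather than followed. The key prefix `acc`, the `$forwards` map standing in for the `forward_to` column of the `accounts` table, and the sample accounts are constructed assumptions for the demo.

```php
<?php
// Added example (not PHPCoin code): validate cron account keys and resolve
// deposit-forwarding chains without looping. The "acc" prefix and the
// $forwards map (account key => forwarded-to account key, or null) are
// demo assumptions standing in for the accounts table.
declare(strict_types=1);

const MAX_FORWARD_HOPS = 1;   // the cron in the thread forwards exactly one hop

// Parse "acc_<uid>_<account_id>" into ints. Returns null for anything else,
// which is what the cron should check before interpolating the parts into SQL.
function parseAccountKey(string $key): ?array
{
    $parts = explode('_', $key);
    if (count($parts) !== 3 || $parts[0] !== 'acc') {
        return null;
    }
    if (!ctype_digit($parts[1]) || !ctype_digit($parts[2])) {
        return null;   // "1 OR 1=1", "", "-3", "1.0" are all rejected
    }
    return ['uid' => (int) $parts[1], 'account_id' => (int) $parts[2]];
}

// Walk the forward chain from $start. Returns one of:
//   ['status' => 'none']                    the account does not forward
//   ['status' => 'ok', 'to' => key]         chain ended; credit this account
//   ['status' => 'hop_limit', 'to' => key]  hop limit hit; credit this account and stop
//   ['status' => 'cycle', 'at' => key]      chain returned to an account already seen
//   ['status' => 'invalid', 'at' => key]    a target key failed parseAccountKey()
function resolveForward(array $forwards, string $start, int $maxHops = MAX_FORWARD_HOPS): array
{
    $seen = [$start => true];
    $current = $start;
    $hops = 0;
    while (true) {
        $next = $forwards[$current] ?? null;
        if ($next === null) {
            return $hops === 0 ? ['status' => 'none'] : ['status' => 'ok', 'to' => $current];
        }
        if (parseAccountKey($next) === null) {
            return ['status' => 'invalid', 'at' => $next];
        }
        if (isset($seen[$next])) {
            return ['status' => 'cycle', 'at' => $next];   // A -> B -> ... -> A
        }
        if ($hops >= $maxHops) {
            return ['status' => 'hop_limit', 'to' => $current];
        }
        $seen[$next] = true;
        $current = $next;
        $hops++;
    }
}

// Constructed sample: 1_1 -> 2_1 -> 3_1 -> 1_1 is a loop, 4_1 points at a
// malformed key, 5_1 does not forward.
$forwards = [
    'acc_1_1' => 'acc_2_1',
    'acc_2_1' => 'acc_3_1',
    'acc_3_1' => 'acc_1_1',
    'acc_4_1' => 'acc_4_1 OR 1=1',
    'acc_5_1' => null,
];

var_dump(parseAccountKey('acc_12_3'));           // ['uid' => 12, 'account_id' => 3]
var_dump(parseAccountKey('acc_1 OR 1=1_3'));     // NULL
var_dump(resolveForward($forwards, 'acc_5_1'));      // status none
var_dump(resolveForward($forwards, 'acc_1_1'));      // hop_limit, to acc_2_1 (one hop, as the cron does)
var_dump(resolveForward($forwards, 'acc_1_1', 10));  // cycle at acc_1_1
var_dump(resolveForward($forwards, 'acc_4_1'));      // invalid at "acc_4_1 OR 1=1"
```

From the cron, a result of `ok` or `hop_limit` names the account to credit; every other status is the error the cron already writes to the `messages` table, with the amount left in the depositing account.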
smoothie
Legendary
Offline
Activity: 2492
Merit: 1473
LEALANA Bitcoin Grim Reaper
July 15, 2011, 05:46:19 PM
Will it be usable to mine namecoins too?
brandon@sourcewerks
Member
Offline
Activity: 62
Merit: 10
July 15, 2011, 07:48:05 PM
This salt method of storing passwords would still leave you open to the same type of attack MtGox had. If the attack is based on getting a copy of the database, every account in the database is at risk with the current code.
Best option is two-factor auth (YubiKey, RSA key).
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 15, 2011, 08:13:21 PM
@btcash,
The project is open source; when I release it you're welcome to implement whatever procedure to store passwords you want.

@smoothie
This isn't usable to mine anything; it's a storage frontend, not a mining one. It can be used, with some changes, to store namecoins also.
naturallaw
Newbie
Offline
Activity: 56
Merit: 0
July 15, 2011, 10:58:30 PM
Quote from: BCEmporium
PDO requires PDO and PECL; that alone is already dirtier than dirt can be.

PHP 5.1.0 and newer comes with PDO already.
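The two points raised against the registration code posted at the top of the thread (MagicalTux: a single ripemd160 is too cheap, add iterations; naturallaw: use PDO prepared statements instead of escaping by hand), as an added example that is not PHPCoin's code. `weakHash()` reproduces the posted scheme only so its cost can be measured next to the iterated form; the hardened path stores a random salt, a per-row iteration count and a PBKDF2-SHA256 digest through PDO bound parameters, which makes a quote in a username data rather than SQL. Assumptions: PHP 7.4 or newer (for `random_bytes`, `hash_pbkdf2`, `hash_equals` and arrow functions), an in-memory SQLite database in place of MySQL, and the `users` column names `salt`, `iterations` and `pass`, which are not the post's schema.

```php
<?php
// Added example (not PHPCoin code): iterated password hashing plus PDO
// prepared statements. Assumes PHP >= 7.4; the SQLite in-memory DB and
// the column names are demo assumptions, not the thread's schema.
declare(strict_types=1);

const PBKDF2_ITERATIONS = 100000;   // tune so one verification costs ~50-100 ms on the server

// The scheme as posted in the thread: one salted ripemd160. Fast to compute,
// so fast to brute-force once the database is copied.
function weakHash(string $pass, string $salt): string
{
    return hash('ripemd160', $pass . $salt);
}

// Hardened form: random salt, many iterations, hex output (64 hex chars = 32 bytes).
function strongHash(string $pass, string $saltHex, int $iterations): string
{
    return hash_pbkdf2('sha256', $pass, hex2bin($saltHex), $iterations, 64, false);
}

function initSchema(PDO $db): void
{
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        user TEXT UNIQUE NOT NULL,
        salt TEXT NOT NULL,
        iterations INTEGER NOT NULL,
        pass TEXT NOT NULL)');
}

// Registration. Bound parameters replace makeSQLSafe()/mysql_real_escape_string:
// a username such as  alice' OR 1=1--  is stored literally, never parsed as SQL.
function registerUser(PDO $db, string $user, string $pass): int
{
    $saltHex = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO users (user, salt, iterations, pass) VALUES (:user, :salt, :iter, :pass)'
    );
    $stmt->execute([
        ':user' => $user,
        ':salt' => $saltHex,
        ':iter' => PBKDF2_ITERATIONS,
        ':pass' => strongHash($pass, $saltHex, PBKDF2_ITERATIONS),
    ]);
    return (int) $db->lastInsertId();
}

// Login check. The iteration count is read back from the row, so it can be
// raised for new accounts without breaking existing ones.
function verifyUser(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT salt, iterations, pass FROM users WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $calc = strongHash($pass, $row['salt'], (int) $row['iterations']);
    return hash_equals($row['pass'], $calc);   // constant-time comparison
}

// Guesses per second an attacker holding the database gets against each scheme,
// measured on this machine with the same PHP code (no optimised cracker).
function guessesPerSecond(callable $fn, int $rounds): float
{
    $t0 = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return $rounds / max(microtime(true) - $t0, 1e-6);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
initSchema($db);

$uid = registerUser($db, "alice' OR 1=1--", 'correct horse battery staple');
var_dump($uid === 1);                                                          // true
var_dump(verifyUser($db, "alice' OR 1=1--", 'correct horse battery staple')); // true
var_dump(verifyUser($db, "alice' OR 1=1--", 'wrong password'));              // false
var_dump(verifyUser($db, 'nobody', 'anything'));                              // false

$salt = bin2hex(random_bytes(16));
printf("weak:   %.0f guesses/s\n", guessesPerSecond(fn() => weakHash('guess', $salt), 20000));
printf("strong: %.1f guesses/s\n", guessesPerSecond(fn() => strongHash('guess', $salt, PBKDF2_ITERATIONS), 5));
```

In current PHP, `password_hash()`/`password_verify()` (bcrypt, or Argon2id where built in) is the shorter route; PBKDF2 is shown here because the iteration count is the explicit knob MagicalTux's 50000-iterations remark is about, and the timing lines make the difference visible. Note that the second point in the thread, knowing that the database was copied at all, is not something any hash scheme provides; the iterations only buy time once it has been.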
BCEmporium (OP)
Legendary
Offline
Activity: 1218
Merit: 1000
July 15, 2011, 11:53:05 PM Last edit: July 16, 2011, 12:05:02 AM by BCEmporium
@AnnihilaT I keep saying the most important feature of password security is for you to *know* your db was compromised; encryption will only make you gain some time to do something about it... but they don't believe it.

Now... while waiting for another deposit to get 6 blocks, to test deposit forwarding, here're some screens of what has been made so far:

Database "config" table look:

Roadmap to Pre-Alpha: Withdraw functions - once done I'll pre-release it via my website. Alpha will be at SourceForge or GitHub.