OpenEx: Progress Report - 95% launching this week

[r3wt]

demo:
http://dev3.openex.pw/

We will be launching later this week.

exchange is 100 percent working. tweaking some code here and there and making some final optimizations.

about all thats left to do as far as basic functionality is fix a small bug. when a user withdraws all coins, the balance record for that coin remains. when the user buys more of that currency or deposits more, a duplicate balance entry is entered, causing the account page to list the first result, which will always be the original balance which was zero upon withdrawal. a fix for this, is to delete the balance upon withdrawal if the remaining balance is zero. should be simple enough, and shouldn't take more than a day to test in different scenarios.

see you all soon. thanks for the help, support, and suggestions.

[knowitnothing]

Did you forget to include the link to the open source code, some repo, or anything at all ? Because, you know, otherwise it is not open source.

[r3wt]

Did you forget to include the link to the open source code, some repo, or anything at all ? Because, you know, otherwise it is not open source.

That's an excellent question. the code will be open source the day the exchange is launched. in its current form and incompleteness, i am not ready to opensource it yet.

Justin is currently modifying the market system of the database to add an identifier for currency pairs. then we will probably switch that to its own database for an extra security measure.

the project is currently at a conservative 60% completion-- saying that,  its fully functional except the withdrawal system, but there are many bugs to work out and adequate security measures to add, plus an api for off site trading.

personally, i am working on porting a version of goosh to the site for commandline based trading, something that should be a unix nerds wet dream.


i'll keep this updated as much as possible. going to a party tonight, check back tommorrow.

[r3wt]

i have decided i will go ahead and begin opensourcing the exchange.

in today's update, i will be adding a mobile site, and modifying the way php identifies devices to include a class for mobile devices. after that i will begin building the admin interface. when i have installed the basic admin interface, i will break with programming and install an LNMP(Linux, Nginx, MySQL, PHP)stack on my local unix system and begin using it as the test server.

this system will be the basis for future updates, and will be the testing ground for our project. updates to the openex website will no longer be processed automatically, except for a manual process of updating the files through git as opposed to straight sftp interaction from the test server to the server @ openex.

additionally if time permits i will begin work on building the user privileged actions class in php, with a separate class system for admins. instead of the normal id based class interaction, an asyncronous class will be created for each class in order to verify and regulate the class defacto class interaction system of the php/mysql platform. this is imperative as it sets a hardcoded limit on what users can accomplish with quote "privilege escalation" exploits. think of it as a security by execution of php scripts through a window that monitors and approves each interaction a a script with the php parser using:

-custom rule sets
-XSS prevention private function keys
-script execution window through uses of keys previously mentioned, expiring imediately by being added to the database as processed request record.
-double salt function applied to all json interactions
-key based  32,768 bit encryption of communications between the wallet servers(called "clients" as each one hosts a specific wallet) utilizing an encryption system i have developed in php using keys stored on wallet servers. the way it works is, information will be sent from the main server through a php page encrypting the json and other information. the client server will receive and before decoding, it will return the key also encrypted with the prototype algorithm. the double salting function reduces hash collision and create random, secure keys for each interaction, meaning these interactions can be neither decoded, understood, or repeatable because the window for execution of the command will be uninitiated by the requestor, in this case a malicous attack who wishes to reproduce a transaction to his withdrawal address, by forging a second transaction or attempting to intercept the encrypted command and keys and resubmit the already processed interaction which has a decaying window to be approved.



i'll update this thread as each task is completed.

i haven't contacted justin today as he is in school, but i would expect an update on his progress with multi market and the fee execution process modification, fixing a vulnerability that allows for doublespending within a users exchange account. thats about it for now.

r3wt

[r3wt]

got quite a bit done today.

justin worked on an administration interface, while i:

- built the framework for the mobile site. tomorrow is on to the css of the mobile site.
- finalized attributes of password strength indicator.
- added a configuration script to easily disable the login and registration systems.
- played with some javascript in firefox 25's version of the site. meny.js div's look ugly in looks ugly in firefox. adding some firefox logic to the css            tomorrow to fix it.

[r3wt]

Another busy night coding. Sorry guys, still no market pages yet justin is writing a new trade engine, and all the test trades have cleared from the database. the plan will be to work with Chart.js for the market chart display on the homepage. we will be utiilizing an extra, js based database to store the last 120 trades from each market. we will use PDO to query each market and return an array of Datapoints. we will use php inside of our javascript to get the data array into Chart.js, which will take over the leg work from there.

Time for some pics before bed.

Account Page

Support System


Registration



Admin(Don't laugh to hard) lol

[r3wt]

oh by the way, that password strength is pure js/css.

here's the js if you want it for a project. i'm all about code reuse.

Code:

function passwordStrength(password)
{
	var desc = new Array();
	
	desc[0] = "Too Short";
	desc[1] = "Weak";
	desc[2] = "Terrible";
	desc[3] = "Better";
	desc[4] = "Good";
	desc[5] = "Strong";
	desc[6] = "Secure";
	desc[7] = "Legendary";

	var score   = 0;
	
	if (password.length > 8) score++;
	if (password.match(/\d+/)) score++;
	if (password.match(/([a-zA-Z])/) && password.match(/([0-9])/))  score++;
	if (password.match(/([!,%,&,@,#,$,^,*,?,_,~])/))  score++;
	if (password.match(/(.*[!,%,&,@,#,$,^,*,?,_,~].*[!,%,&,@,#,$,^,*,?,_,~])/)) score++;
	if (password.length > 13) score++;
	if (password.length > 20 && password.match(/(.*[!,%,&,@,#,$,^,*,?,_,~].*[!,%,&,@,#,$,^,*,?,_,~])/)) score++;
	
	

	document.getElementById("passwordDescription").innerHTML = desc[score];
	document.getElementById("passwordStrength").className = "strength" + score;
}

[r3wt]

New Screenshots.

Market Overview



Admin--Query User



Admin--ServerStats



Admin--Coin Monitor(Basic Interface for monitoring each wallet/network.



Trade Page(now with graphs etc)



Trade Page with Chat Open



Issues

-withdraws still do not work.
 --No one is assigned

-chat still isn't functional.
 --zelles is assigned

-need alternate style sheets for non webkit or mobile users.this can easily be accomplished with js and alternate stylesheets.
-- i am assigned

-trade engine
-- justin is assigned

-jquery/ajax page requests
--No one is assigned

-Market Data arrays controllers and functions for charts
-- I am assigned

-API
--No one is assigned

-Pen Testing
--Gorgo rom is assigned

If you wish to join the project, do not hesitate to contact me.

[crazy_rabbit]

Very cool, watching this!

[r3wt]

Very cool, watching this!

thank you for your support!

you are more than welcome to contribute ideas, tips, or pointers.

[elambert]

Godspeed rewt!

[Hazard]

I like.

[betacoindev]

Wow, very nice project!

[mercSuey]

I'm just now seeing this, been too busy!  Looks awesome, mate.  Good luck.

[Sustainable]

Really well done so far, very cool idea and interesting prospect. Thanks for helping the community!

[daybyter]

I work on java trading stuff. Do you have an API, that I could implement, so my code could trade on your site?

[gorgorom]

Very nice brother. Seems to be gaining traction. I will run another series of tests today, will update you in skype when it's complete.

[unfocus]

Very nice! Thanks.

[r3wt]

a small update:

over the weekend, i purchased a couple additional domains(Openex.info, home of the forums, and Openex.mobi home of the mobile version of the site) and security certificates for each, and finalized a deal for hosting of the site.


the site will be launched on the following hardware:

Dell Poweredge

Dual 6 core Xeon 5639's

48 GB ECC DDR3

Dual 1 tb sata with raid

100mbit port, firewalled

google pagespeed cdn+google shield

upgrade plans:

phase1:

-move wallets to server 2(Quad Opteron, 32 gb ddr2, dual 100 mbit port, firewalled)
-move openex.mobi(mobile site) to server 3(Core i7, 8 gb dd3, 1 gbit port, firewalled)
-launch openex.info(the forums)


phase2:

an upgrade with Alpheus moves us into tier 2 hosting, where we share the benefit of the following:

4x 100 gbit CISCO CRS-3 single port with 140G Cisco FPG


Tommorow, the site will go back online at the vps, and we will begin rigorously working on its completion. we have a tentative goal of December, however much of it will hinge on how confident i am in the security of the site. i am typically cautious and would like to err on the side of caution rather than to produce a bad exchange.

stay tuned folks

[muddafudda]

In all honesty the dev had admitted to previous scams and the title should be given the appropriate scam warning.

[r3wt]

I work on java trading stuff. Do you have an API, that I could implement, so my code could trade on your site?

there are definite plans for an api. it may not be ready by the time the site launches, but it will definitely happen eventually.

[r3wt]

a couple of coins i would like to run by you guys as i feel like several of the coins presently listed are probably not worthy of the exchange.i am also considering removing the litecoin market completely, although i probably won't, especially if devcoin is listed on the exchange.


Some coins i am interested in:

Devcoin
Gridcoin
Protoshares
Curecoin

Some coins i am cooling on:

Inkacoin
Netcoin

[daybyter]

Why remove litecoin? btc-e needs some competition!

[templar77]

If you wish to join the project, do not hesitate to contact me.

Hi man, I want to join the project. I'm from Mexico. I'm Mid Level PHP dev, but I can also help with design, PR, advertising, and all that cool stuff. So  plz tell me if I can help with something.

[r3wt]

so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong? 

[templar77]

so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong?  

Well that's my last name. And I'm caucasian btw, but yeah I was born in Mexico xD

I don't see what could possibly go wrong :S I just what to help and learn from your project.

So what do you think?

[r3wt]

so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong?  

Well that's my last name. And I'm caucasian btw, but yeah I was born in Mexico xD

I don't see what could possibly go wrong :S I just what to help and learn from your project.

So what do you think?

i'll be updating the github later with the latest version of the source. you are invited to fork it and make modifications, submit pull requests, etc.

perhaps you were hoping for root access 

[r3wt]

Source has been updated on Git

https://github.com/r3wt/openex

not included directories

/chat

/admin

[r3wt]

I would like to ask for donations or sell a few shares to help fund development/server costs.

what is the best way to go about this?

Not looking for egregious amounts, but some small donations would go a long way.

[r3wt]

1.Trade's fixed!
-trade now takes trade fee % (.089 percent) on buys and sells. no withdraw or deposit fee(except network fee for withdrawal)

server side and client side now in unison

2. Withdraws work
-withdraw fixed. now works for withdraws

3. Error/Success confirmation divs
-now shows messages on registration, logout, trade submitted, invalid trade, invalid amount.


TO DO:

1. Bug in cancel trade script amount back + fee.

2. Trade engine to be revamped

3. Litecoin market

4. Chat

5. Api

6. Move to server, compile client, launch site.

7. minor gui improvements/code review as time goes by.

8. mobile site/forum launch

[r3wt]

Trade Engine nearing completion!

Details:
  PHP/Chron based- executes on 1 second intervals
  Low Latency- can {theoretically}handle 890k trades per second
  Fast- Executes queries(Post trade, Get Trades, Get Trade equivalent, Execute trade) and terminates threads upon success.
  Secure- Stores all trades in a temporary database. if error occurs, trade engine is paused trade is reversed and executed again.


Json/Wallet system Revamped!
 More details to come.

SMTP- Mail functions are nearing completion.


To Do-

1.Trade engine testing, Json vulnerability testing.
2.Script key generation to prevent XSS attacks.(or could use htaccess)
3.API
4.Chat

 

[r3wt]

Trade Engine and Wallet system complete

To Do:

Automate trade page with ajax
Chat
API

[adoalli]

good job

[daybyter]

If you need help with the API, let me know.

[Spoetnik]

is having an open-source exchange / web site a good idea from a security stand point ?

and sorry but if there is an api for bots + auto-sell i won't be using it.

i do wish ya luck though.. not trying to flame ya

[r3wt]

is having an open-source exchange / web site a good idea from a security stand point ?

and sorry but if there is an api for bots + auto-sell i won't be using it.

i do wish ya luck though.. not trying to flame ya

API === TRUE;

AUTOSELL === FALSE;

[daybyter]

is having an open-source exchange / web site a good idea from a security stand point ?

and sorry but if there is an api for bots + auto-sell i won't be using it.

So you don't any exchanges with an API? Are there any?

[Spoetnik]

please establish a game plan for when or if your exchange gets hacked. (and have it public too some what)
like if people had their coins stolen from a site hacking will you state in an FAQ or seomthing your would pay them back ?
see where i'm goin' with this ?

place an emphasis on security as much as possible

[Spoetnik]

is having an open-source exchange / web site a good idea from a security stand point ?

and sorry but if there is an api for bots + auto-sell i won't be using it.

So you don't any exchanges with an API? Are there any?

there should be and i bet it would be popular.. i go to trade not fight bots .

[r3wt]

please establish a game plan for when or if your exchange gets hacked. (and have it public too some what)
like if people had their coins stolen from a site hacking will you state in an FAQ or seomthing your would pay them back ?
see where i'm goin' with this ?

place an emphasis on security as much as possible

really?

[gorgorom]

so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong? 

Plus one this

[ahmed_bodi]

hurry up with openex!

[r3wt]

We're moving into the home stretch people!  

Updates:

jquery ui and page transition animations are functional look nice!

rebuilt admin interface.

built debug mode navigation system.

trade engine has been tested and works great.

wallet system works as expected as well.


Now for an insight into our work log

To Do:
1. Withdrawals
priority: extremely high
-withdrawal requests are sent into a queue for admin approval.
-once admin approval occurs, withdraw is processed.
**ive built a template for you: pages/withdraw.php


2.password reset page
priority: high
-users need a way to reset passwords
-add mysql and functions.
**ive built a template for you: pages/reset.php


3.API
priority: low
-priority on this is : low
**template pages/api.php

4.access_denied.php
priority: high
-add mysql to gather information about the user(ive documented it for you nicely so this should be a 5 minute job tops).
-add logic to increment number of times a user has seen this page.
-add table `access violations` row(s) `username` `ip` `count` <-number of violations.
**template access_denied.php
**when you finish this, i will build a page for us to track this table and add it to the admin pages.

5.json
priority: high
-fix this so that our withdraw/deposit functions work.
-ensure the security of this.
-investigate if this is compatible with rpcssl flag of clients(i think it is as the traffic should be automatically encrypted/decrypted by the server.

6.create function to prevent Sitebanned users from logging in.
priority: medium
-add a row for this to database.

7.Add option to pages/admin.php to click and ban users(both chatban and siteban).
priority: medium

8.Chat
priority: low

[r3wt]

bump

[r3wt]

Beta version of the chat has been completed! woo! that was kind of exhausting but i learned to use ajax, so on the plus side, i now can make the trade page dynamic.

we still have a ways to go but things are looking nice.

[r3wt]

Updated Work Log.

1. Withdrawals
priority: extremely high
-withdrawal requests are sent into a queue for admin approval.
-once admin approval occurs, withdraw is processed.
**ive built a template for you: pages/withdraw.php


2.password reset page
priority: high
-users need a way to reset passwords
-add mysql and functions.
**ive built a template for you: pages/reset.php


3.API
priority: low
-priority on this is : low
**template pages/api.php

5.json
priority: high
-fix this so that our withdraw/deposit functions work.
-ensure the security of this.
-investigate if this is compatible with rpcssl flag of clients(i think it is as the traffic should be automatically encrypted/decrypted by the server.

6.create function to prevent Sitebanned users from logging in.
priority: medium
-add a row for this to database.

7.Add option to pages/admin.php to click and ban users(both chatban and siteban).
priority: medium

8.Chat
--check input with jquery
--sanitize mysqli
priority: mediumDone!

9. XSS formkeys
--ive created the class and functions. you can find it in funcs.general.php
--just need to add them to forms and then validate them in each script.
--this should eliminate session jacking/cross site scripting hacks.
priority: low

10.Fee shares.
--ability to track fee shares in account page.
--automate fee shares.
priority: low
comment: we can work on this after the site launches.

[unfocus]

Updated Work Log.

1. Withdrawals
priority: extremely high
-withdrawal requests are sent into a queue for admin approval.
-once admin approval occurs, withdraw is processed.
**ive built a template for you: pages/withdraw.php

I don't know why withdrawal can't be automated. Why would it need any approval??

[r3wt]

Updated Work Log.

1. Withdrawals
priority: extremely high
-withdrawal requests are sent into a queue for admin approval.
-once admin approval occurs, withdraw is processed.
**ive built a template for you: pages/withdraw.php

I don't know why withdrawal can't be automated. Why would it need any approval??

security measure just in case an exploit occurs, wallets go offline automatically while database is rolledback. if attacker exploits db somehow he won't be able to withdraw unless he can bruteforce the rpcssl connection, which is unlikely. whereas, with automated withdrawal attacker could squeeze the funds out before we'd know what hit us. this is why we are hiring so much staff.

[bob131313]

How about posting some bug bounties. Peeking at the github, this would be fun once it goes live.

Maybe bounties ranging from 0.1 btc to 1 btc. 

Hate for you to go live with this one a shiny new server that winds up with a shell the first day.

[r3wt]

How about posting some bug bounties. Peeking at the github, this would be fun once it goes live.

Maybe bounties ranging from 0.1 btc to 1 btc.  

Hate for you to go live with this one a shiny new server that winds up with a shell the first day.

the github is pretty far behind the current version of the site. we're pretty confident in the live version. we're looing for two penetration/bug/vuln tester for the site. this is a paid staff position. the previous guy we had lined up has went AWOL.

see the first post here https://bitcointalk.org/index.php?topic=344084.msg3686527#msg3686527

[cryptohunter]

this is quite awesome

[r3wt]

Alot has changed in the past few days.

Tasks now complete:

Chat backend.
-Banned users now may not post.( a message is shown: " system: <user> has been banned from chat."
-moderators are orange, admins are blue, and users are black.

Mod class:
-created the mod users and isUserMod() function.
-moderators may hand down chat bans from the mod screen.

Chatbanned class
-chatbanned user class
-isUserCBanned() function;

Access Denied:
-timestamps are logged along with ip, user account, and browser string. i'll give you a peak at the code this is a very complex script.

Code:

require_once("models/config.php");
$account = $loggedInUser->display_username;
if(strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== FALSE) {
			$u_agent = mysql_real_escape_string("Internet Explorer");
		}
		elseif(strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== FALSE) {
			$u_agent = mysql_real_escape_string("Google Chrome");
		}
		elseif(strpos($_SERVER['HTTP_USER_AGENT'], 'Opera Mini') !== FALSE) {
			$u_agent = mysql_real_escape_string("Opera Mini");
		}
		elseif(strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== FALSE) {
			$u_agent = mysql_real_escape_string("Opera");
		}
		elseif(strpos($_SERVER['HTTP_USER_AGENT'], 'Firefox/25.0') == TRUE) {
			$u_agent = mysql_real_escape_string("Mozilla Firefox");
		}
		elseif(strpos($_SERVER['HTTP_USER_AGENT'], 'Safari') !== FALSE) {
			$u_agent = mysql_real_escape_string("Safari");
		}
		else { 
			$u_agent = mysql_real_escape_string("Unknown");
		}	
$ip = mysql_real_escape_string(getIP()); //get user ip
//show the access denied message no matter what
echo "<style>html { width:100%; height:100%; background:url(assets/img/access_denied.gif) center center no-repeat; background-color: #00000 !important;}</style>"; 

//check if user is logged in
if(isUserLoggedIn) {
	//get user info's
	if ($account != null) {
		$account = $loggedInUser->display_username;
	}
	else {
		$account = mysql_real_escape_string("Guest/Not Logged In");
	}
	}
//log with mysql
	$date = date("F j, Y, g:i a");
	$sql = @mysql_query("INSERT INTO access_violations (username, ip, user_agent, time) VALUES ('$account', '$ip', '$u_agent', '$date');");

//--support system--//
last night, i spent time pouring through viewticket.php, the threaded view of a support ticket and all responses. i refactored the code and built a new css layout thats very user friendly and pleasant to look at now. i think you will like it. next i will reflect the changes in new ticket, just so that the theme is nice and consistent within the support system.


I'll try and update everyone a bit later on the updated work log.

Right now, i'm working on:

-mod functions to ban, and adding a table to show who the user was banned by, so mods will be able to see who is banned at anygiven time as well as who the ban was given by.

Next I'll be working on:
-converting the entire site to mysqli OOP prepared statements for maintainability and peace of mind.

Other participants:
-Don't know what justin's working on. he's supposed to be helping with sql and such but i find he's doing less and less contributing and more and more talking, which is never good, this is a business, and freeloading is not tolerated, talented programmer or not. last i heard he was going to build a permission system in order to make our functions more flexible and changeable at anytime.

-Ivan Peter. I have outsourced some jquery animations for the index, animation and scrolling functions of the chat, and ajax for the trade page to this guy. We'll see what happens with it.

[wtman]

Pretty good going so far. Can you tell me who among the staff are actual coders?

Would you be willing to take any suggestions privately via chat?

Good luck!

[r3wt]

Pretty good going so far. Can you tell me who among the staff are actual coders?

Would you be willing to take any suggestions privately via chat?

Good luck!

justin and i do all of the coding. and yes, i know we need to stop concatenating strings together and switch to PDO. this is like the roughdraft.

[r3wt]

the exchange is 95% complete!

new features:

view server load.

view all servers.

ping servers, restart servers, restart coin clients.

user agreement added to registration page.

index.php trimmed of fat, all procedural code converted into functions and moved to funcs.general.php

change passwords.

send activation emails.

reset passwords by mail.

jquery loading animations complete(update spinner, slide up slide down)

chat scrolling animations fixed. works great now.

json wallet class complete and ready for beta testing.

withdrawal page completed with password confirmation. justin is working on email confirmations.

sitebanning. sitebanned users may no longer log in

lowered fee's: trade fee is .5%, withdrawal fee .1%

Tasks remaining:

click to ban users from mod page

Ajax handling of trade page, so tables are updated in real time.

order stacking(order, combine)

comprehensive vulnerability testing

beta test rpc

beta test trade engine(again)

MISC low priority tasks(either before or after launch depends on how much time we have.

API

General site improvements

Responsive layout.

[muddafudda]

Considering the team consists of two devs which coins have failed what reassurance when shit for wrong that the team will not bail on their responsibilities like they did with their alts?

[r3wt]

I started building a new gui this morning for launch. i was supposed to be taking a break for thanksgiving, but i just couldn't help myself. i ended up doing something no one has ever accomplished before, utilizing jquery to style the viewport with css3 animations. i think you're gonna like it, it looks pretty sick. think windows metro 8 start screen ;P

[muddafudda]

Withdrawals are not automated because no one knows how

[r3wt]

Withdrawals are not automated because no one knows how

you're so right muddafudda. we built a trade engine that handles 900,000 queries per second and we can't figure out for the life of us how to handle withdrawals with jsonRPCphp...

Code:

<?php
...
$id = mysql_real_escape_string($_GET["id"]);

$sql = mysql_query("SELECT * FROM Wallets WHERE `id`='$id'");

$coin = mysql_result($sql,0,"Acronymn");

$ip = mysql_result($sql,0,"ip");

$port = mysql_result($sql,0,"port");

$bitcoin = establishRPCConnection($ip,$port);
$bitcoin->sendfromaccount($loggedInUser->display_username);

?>

[muddafudda]

Did someone say mcx now?

[muddafudda]

Openex insurance soon available. Insure yourself against running devs coming soon.

[wtman]

Openex insurance soon available. Insure yourself against running devs coming soon.

trolololol

[newflesh]

Hey, any updates on Openex?

[r3wt]

Hey, any updates on Openex?

yep. you can track current progress @ http://dev.openex.pw

[slavo]

We need quark for openex release !

Is it hard to make it work ?

That would be awesome. It can be traded with lot of volume soon.

[r3wt]

We need quark for openex release !

Is it hard to make it work ?

That would be awesome. It can be traded with lot of volume soon.

no, it isn't anymore different than the rest of the coins

[slavo]

If another mod is needed for openex chat I can do it.

Any launch date ? An estimation is fine ^^

[r3wt]

If another mod is needed for openex chat I can do it.

Any launch date ? An estimation is fine ^^

i know this makes me look bad since i said two weeks and its now up, but unfortunately the processors for our main server are on backorder. the host company is shooting for sometime this week. i imagine that justin and i will only need a few days to get it up and in beta mode. should everything work as planned, its reasonable to think the site could be officially launched as soon as we would like.

i think it will probably take a few days to compile and sync all the wallets though.

as soon as the servers deliverd, i could give you a better estimate.

As for the mod position, we are generally looking for someone who is fluent in chinese.

[slavo]

Ok ok, keep on the good work. I am nOt fluent in chinese at all, but I was just offering my services to help openex as I can

Keep us informed !

(What about mzking nxt tradable on openex ? It only have one exhange, and people start being interested in it. I assume it's not as ez as other crypto to add, but to have more people faster it can be good)

[r3wt]

Ok ok, keep on the good work. I am nOt fluent in chinese at all, but I was just offering my services to help openex as I can

Keep us informed !

(What about mzking nxt tradable on openex ? It only have one exhange, and people start being interested in it. I assume it's not as ez as other crypto to add, but to have more people faster it can be good)

we have discussed this privately, and we will only take one more coin. Currently  we are researching on what coin is worthy. I can pretty much guarantee you it wont be NXT.

[slavo]

http://www.googlefight.com/index.php?lang=en_GB&word1=quarkcoin&word2=tagcoin

quark indeed

[r3wt]

http://www.googlefight.com/index.php?lang=en_GB&word1=quarkcoin&word2=tagcoin

quark indeed

we may include quarkcoin. not sure.

[r3wt]

thanks to an audit by Gorgo Rom, an XSS vulnerability has been patched. this was a server level vulnerability, i think i may have stumbled into another vulnerability in the process. tomorrow i'm gonna test to see what i can do with it. may be as simple as overriding php.ini to ignore cache settings of the user browser.

[betacoindev]

Amazing project, would be great if you would add Betacoin.
http://betaco.in

[r3wt]

The github is now up to date with the project.

https://github.com/r3wt/openex

[r3wt]

I added a new feature today, building on the access violation system that i previously built into the application.

now, for every 10 access violations per unique ip address, an ip is banned. access violation history is recorded on a per instance basis, and the count feature of mysql is used to sort the count of each violation per ip address.
access_denied.php

Code:

<?php
require_once("models/config.php");

$account = $loggedInUser->display_username;
$uagent = mysql_real_escape_string(getuseragent()); //get user agent
$ip = mysql_real_escape_string(getIP()); //get user ip
if(isUserLoggedIn) {
	if ($account != null) {
		$account = mysql_real_escape_string($loggedInUser->display_username);
	}
	else {
		$account = mysql_real_escape_string("Guest/Not Logged In");
	}
}
$date = mysql_real_escape_string(gettime());
$sql = @mysql_query("INSERT INTO access_violations (username, ip, user_agent, time) VALUES ('$account', '$ip', '$uagent', '$date');");
$getcountip = mysql_query("SELECT ip,COUNT(*) as count FROM access_violations GROUP BY ip ORDER BY count DESC;");
while($row = mysql_fetch_assoc($getcountip)) {
	if($row['count'] > 10) {
		$factors = $row['ip'];
		$sql2 = mysql_query("SELECT ip FROM bantables_ip WHERE ip = '$factors';");
		$number_of_rows = mysql_num_rows($sql2);
		
		if ($number_of_rows > 0) {	
                /*--Do nothing--*/
		}else {
			$date2 = mysql_real_escape_string(gettime());
			$ip_address = mysql_real_escape_string($row['ip']);
			$sqlxz = mysql_query("INSERT INTO bantables_ip (ip, date) VALUES ( '$ip_address', '$date2');");	
		}
	}
}
echo "<style>html { width:100%; height:100%; background:url(assets/img/access_denied.gif) center center no-repeat; background-color: #00000 !important;}</style>";
echo '<link rel="icon" type="image/x-icon" href="assets/img/the_eye.ico" />';
?>

when an ip address has more than 10 violations, the application checks the database table if a record exists in the bantable for the ip. if it does, nothing is done. if it does not exist, the ip is added.

a function, isIPbanned(), checks to see if a visitor is in the ban table. if he is, he is greeted with a message that his ip address is banned. if he is not banned, he is greeted with the normal index page.
function isIPbanned()

Code:

<?php
function isIPbanned() {
	$ipvars = mysql_real_escape_string(getIP());
	$sqlxyzr = mysql_query("SELECT * FROM bantables_ip WHERE `ip`='$ipvars'");
	if (mysql_num_rows($sqlxyzr) > 0) {
		return true;
	}else{
		return false;
	}
}
?>

that sounds great r3wt, but what about forged ip address in http headers? great question.
functiong getIP()--this makes it difficult to cloak or forge the ip address.

Code:

<?php
function getIP()
{
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>

[joschua011]

that sounds great r3wt, but what about forged ip address in http headers? great question.
functiong getIP()--this makes it difficult to cloak or forge the ip address.

Code:

<?php
function getIP()
{
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>

Works IF a user does not use a Proxy that does not send HTTP_X_FORWARD Headers or a VPN.

I could not post this here at the time (newbie)but please read this:

https://bitcointalk.org/index.php?topic=374922.0

[oncebitcoinedtwiceshy]

we have discussed this privately, and we will only take one more coin. Currently  we are researching on what coin is worthy.

r3wt : I guess there is no harm in me asking if SBC could be included in that research for the 'one more coin'.  Dev is back on it and working to get the additional features into it & bitcointalk thread is well attended.

Either way, good luck with the release! 

[r3wt]

we have discussed this privately, and we will only take one more coin. Currently  we are researching on what coin is worthy.

r3wt : I guess there is no harm in me asking if SBC could be included in that research for the 'one more coin'.  Dev is back on it and working to get the additional features into it & bitcointalk thread is well attended.

Either way, good luck with the release! 

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

[r3wt]

that sounds great r3wt, but what about forged ip address in http headers? great question.
functiong getIP()--this makes it difficult to cloak or forge the ip address.

Code:

<?php
function getIP()
{
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>

Works IF a user does not use a Proxy that does not send HTTP_X_FORWARD Headers or a VPN.

I could not post this here at the time (newbie)but please read this:

https://bitcointalk.org/index.php?topic=374922.0

It doesn't matter if the user is using a proxy, the autoincrementing function will ban ip's without prejudice. i read your dissection and agree. however you, were looking at an extremely old primitive release. would love for you to come poke around the new code since i have updated it. we generally do not release updates to github immediately. you will not be able to doublespend coins on the exchange. we've done extensive testing to insure of this. if you are serious about programming, you are welcome to join the team, if not get the fuck out, we got this. you have to understand, we started from userCake. alot of the functions(password generation being one of them) are old and out of date. we are slowly building onto it. i'll push and update later today so you can see what has changed.

[oncebitcoinedtwiceshy]

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

Thanks for the feedback, we'll keep our fingers crossed and await the verdict!

[mr_random]

that sounds great r3wt, but what about forged ip address in http headers? great question.
functiong getIP()--this makes it difficult to cloak or forge the ip address.

Code:

<?php
function getIP()
{
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>

Works IF a user does not use a Proxy that does not send HTTP_X_FORWARD Headers or a VPN.

I could not post this here at the time (newbie)but please read this:

https://bitcointalk.org/index.php?topic=374922.0

You're really splitting hairs picking at that bit of code. I agree however that not using transactions is shocking. How did OP get so far into the project and not know what transactions are?

[monsterer]

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

[r3wt]

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

i don't know how to use them. i tried, but it makes getting results harder. i have < 6 months experience. maybe one of you really smart guys would like to join the staff in a paid position as dev # 3? if not, maybe you would like to be paid nicely to convert all our queries to PDO? I'm willing to accept that i don't know everything there is to know, and that one of you take our work and make it alot better. any takers?

[zavtra]

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

[callawey]

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

[r3wt]

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

[northranger79510]

If you guys add Stablecoin, consider me hooked.

[PGomer]

Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.

That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well.

I'll be following on twitter for updates.

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

I love your approach and attitude. Keep learning and press on!

[zavtra]

well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.

Well I am glad that you are considering SBC, but it is great to see you make sure everything is working properly, rather than doing an incomplete launch and then just barely trekking along like Cryptsy has been doing.

[monsterer]

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

Ditto

[r3wt]

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

Ditto

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.

[r3wt]

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.

[monsterer]

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.

Here is some helpful advice: you do not have the necessary knowledge to perform the task you are undertaking. Transactions are absolutely essential in a system like this, to be without them is to be asking questions like this on stack overflow -

http://stackoverflow.com/questions/15026825/php-mysql-how-to-prevent-two-requests-update

Please stop what you are doing. Do some research. Implement some unit tests on your current code to show why it will break, then move to transactions on the same test, confirm the fix and move on.

Cheers, Paul.

[unfocus]

A while back I stepped up to take care of another abandoned exchange project. I became aware of this project, and considered using it since it was 85% done.

Anyway, private beta testing for the Scifi Coin exchange starts tonight. If you want to participate, please register to scificointalk.com and follow instruction http://scificointalk.com/index.php/topic,12.15.html

Bounty available.

[callawey]

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.

Let me give you a little example for what i mean:

Code:

                $PricePer = mysql_real_escape_string($_GET["price2"]);
                $Amount = mysql_real_escape_string($_GET["Amount2"]);
                $X = $PricePer * $Amount;
                $Total = file_get_contents("http://openex.pw/system/calculatefees.php?P=" . $X);
                $Fees = file_get_contents("http://openex.pw/system/calculatefees2.php?P=" . $X);
                $user_id = $loggedInUser->user_id; 
                if(TakeMoney($Total,$user_id,$Currency_1) == true)
                {
                        AddMoney($Fees,101,$Currency_1);
                        mysql_query("INSERT INTO trades (`To`,`From`,`Amount`,`Value`,`User_ID`,`Type`,`Fee`,`Total`)VALUES ('$name','$Currency_1a','$Amount','$PricePer','$user_id','$name','$Fees','$Total');");
                }
                else
                {
                        echo "<p class='notify-red' id='notify'>You cannot afford that!</p>";
                }

So, on below code, you have a method AddMoney, which updates a table on mysql, and below it you have an insert query. In that code, there is no guarantity that the insert will work after the update script. Update script can work, but insert may not, so this will cause you a balance issue, as you will deduct the amount from the user but there will be no trade operation. This both queries must be inside one transaction, so one fails, all rollbacks automaticaly, if all succed everything goes fine.

As monsterer stated, you can find a lot of information on this by google'ing or from stackoverflow but without this it will be just a horror movie. You have to change your statements and i can say that by the view of the code, yes you have to change a lot of part on the project

[r3wt]

The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.

the code scares me too, i just took a look and a lot of database queries are outside of transaction, actualy there is no transaction at all the system. In such system every single item must be inside a transaction, with this system, i can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will be get crazy.

I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.

I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforseen error. taking this into consideration, this does not mean we have to restructure all our queries. i can just add a function that encapses the query in a try catch loop. try the query, or catch the exception and rollback. very simple. as far as pdo, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. i'm going to ponder this for a bit, and do some more reading and investigating. i may go get a redbull and a pack of cigarettes and spend the night rewriting our queries. as far as a transaction queue goes though, its a good idea but i am not capable of implementing this alone. i will have to seek a proffessional dba.

Let me give you a little example for what i mean:

Code:

                $PricePer = mysql_real_escape_string($_GET["price2"]);
                $Amount = mysql_real_escape_string($_GET["Amount2"]);
                $X = $PricePer * $Amount;
                $Total = file_get_contents("http://openex.pw/system/calculatefees.php?P=" . $X);
                $Fees = file_get_contents("http://openex.pw/system/calculatefees2.php?P=" . $X);
                $user_id = $loggedInUser->user_id; 
                if(TakeMoney($Total,$user_id,$Currency_1) == true)
                {
                        AddMoney($Fees,101,$Currency_1);
                        mysql_query("INSERT INTO trades (`To`,`From`,`Amount`,`Value`,`User_ID`,`Type`,`Fee`,`Total`)VALUES ('$name','$Currency_1a','$Amount','$PricePer','$user_id','$name','$Fees','$Total');");
                }
                else
                {
                        echo "<p class='notify-red' id='notify'>You cannot afford that!</p>";
                }

So, on below code, you have a method AddMoney, which updates a table on mysql, and below it you have an insert query. In that code, there is no guarantity that the insert will work after the update script. Update script can work, but insert may not, so this will cause you a balance issue, as you will deduct the amount from the user but there will be no trade operation. This both queries must be inside one transaction, so one fails, all rollbacks automaticaly, if all succed everything goes fine.

As monsterer stated, you can find a lot of information on this by google'ing or from stackoverflow but without this it will be just a horror movie. You have to change your statements and i can say that by the view of the code, yes you have to change a lot of part on the project

Well, we clearly have different definitions of what constitutes being "alot" but thanks for the heads up. now i see exactly what is going wrong and why submitting an order for a negative amount results in that amount being placed into an account. alot of the trading needs to be reworked, but in comparison with the rest of the codebase, that is not much.

Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.

Here is some helpful advice: you do not have the necessary knowledge to perform the task you are undertaking. Transactions are absolutely essential in a system like this, to be without them is to be asking questions like this on stack overflow -

http://stackoverflow.com/questions/15026825/php-mysql-how-to-prevent-two-requests-update

Please stop what you are doing. Do some research. Implement some unit tests on your current code to show why it will break, then move to transactions on the same test, confirm the fix and move on.

Cheers, Paul.

A little less condescending this time, but still a condescending douchebag. why even bother? You have no idea what knowledge, although i did not know about transactions. Instead we were trying to use a trade history table so we could manually "rollback" in case of error. i think the transaction system is probably the way to go, as both you and calleway said, although you really have yet to say anything helpful, other than being disrespectful. i read what you posted from stack overflow, but you know what? these guys there are the same way as you. they alll talk shit, but never provide any useful knowledge, or a real world example. luckily enough, i was able to find a book on it on kindle and holy crap, never knew this was such a complex subject. i'll be reading and studying up on how we can tackle this. btw, justin did some work on it again last night, moving towards oop again. to practice/learn prepared statements, i began working on building configuration functions, a switch from the variable based system to a system where a 1 or a 0 is stored in the db for each setting. I think realistically, in 1 or 2 weeks we could be done. we'll see how it goes.

[BlueDragon747]

keep up the good work regardless of the % its all progress to the end result

[Sejnt]

Code:

if($_SESSION["Login_Attempts"] > 4)

I didn't see the whole code but this, you know it won't secure anything? A script can remove session cookie easily.

[gielbier]

I don't want to seem negative, but you really should not use mysql anymore. (It will be deprecated in PHP5.5) Use mysqli or PDO instead.

[antithetical]

Hey dudes,

What happens with you progress 85%,

See comment #97 - 91%

See before 87%

Is it joke? Could you point true date of beta release?

[btc1210]

Interesting project, thanks for doing this all public.

I know it can get stressful when faceless users make less than constructive comments, but keep it up.

[datguyian]

Looks like it could be promising, and I appreciate that you're taking your time to make sure you have a stable, secure and reliable system before releasing it. Seems like there's a few here bashing on the fact that it's not out yet, but it's nice for once to see someone that is not rushing to make a few bucks and actually trying to release a solid product. Look forward to seeing it in production. 

[r3wt]

Got a chance to work on the site again tonight.

-Investigate the Session Logins incremental counter exploit suggested in this thread. the poster was wrong, sessions are stored on the server. only exploits are session hijacking and session fixation, neither of which are a problem in our application(session hijacking is possible, but difficult.) despite it, i identified a vulnerability in the process, of which i patched. each increment over 4 of Session 'LoginAttemps' results in an access violations. as you already know, 10 access violation results in an automatic ip ban. i'm thinking up setting an ip tracker global on the site, so that ip bans can be carried over to any account registered/logged in from that ip address. not particularly high on the priority list, but its there and its a good idea.

-Moved all configurable options to a database table, built functions to check each enabled option, as well as 1 function to disable the option, and one function to enable it.

-Fixed moderators page. mods and admins can now ban and unban posters at will. when a poster is banned or unbanned, a message immediately appears in the chat notifying of the ban or unban "system: <username> was banned from chat."

-Patched glitch that allowed Banned users to continue posting in the chat until they refreshed the page.

-Found new bug, chat messages aren't being reloaded on an interval, they are only reloaded on page refresh or form submit. seeking a jquery guru to tell me where my error is, i can't see why the setinterval timeout isn't working correctly and independantly of the reload in the callback function of the submit field.

-Pruned unnecessary files, and dispatched all procedural code from index.php into a function to clean up the index a bit.

Still a ways to go guys, sorry i'm pretty much alone here in development at the moment, working at my own pace and doing as much as i can, and revising the code as i deem necessary. i'll call it some progress. Tomorrow i will be working on the site and catching up on some much needed house chores. My mom has agreed to watch my daughter for me tomorrow so i can work. should be able to get quite a few things done tomorrow.

[Etlase2]

A little less condescending this time, but still a condescending douchebag. why even bother? You have no idea what knowledge, although i did not know about transactions.

Maybe he's condescending, but you are making absolute rook mistakes. Don't take criticism so personally. It's ok if you are not a programming super wizard, but expect better programmers to be very critical of obvious flaws. Everyone's time gets wasted otherwise. Transactions are one of the basic database primitives for maintaining database integrity, it is something you should understand. If you want to be taken seriously, you need to take yourself seriously and do your research, as has been suggested.

Good luck.

[r3wt]

It's time again for another update.

here she is  

http://dev3.openex.pw

github

https://github.com/r3wt/openex

Trade Engine fixed, now with DB transactions and trade history tables.

modern database driven configuration engine

improved moderator and administrator features

option to block tor access

option to redirect mobile users

option disable:
-logins
-registrations
-deposits
-withdrawals
-markets
-debug navigation
-maintenance

option to force ssl.

new gui.

improved access violations system.

patched server level vulnerability.

optimized code for speed. site performance is legendary.

ajax updates on trade page.

fixed bug in chat.

high security json calls.

deposits/withdrawals fully functional

todo:

api

account history

transaction history

audit system

bot detection

csrf protection, investigate the need for and if necessary, implement a formkey system to protect against forged requests.

patch session time out bug, logged out users are still able to send messages while logged in.

implement rpcssl

withdrawal authorization queue

system maintenance daemon.

wallet maintenance schedule.

i'll push the changes to git tomorrow from my *nix machine.

[r3wt]

github updated.

https://github.com/r3wt/openex

[Sapereaude]

Could you please add GME?
http://game-coin.org/
http://www.gamecoinforum.com/
Thank you

[slavo]

any launch date ?

[r3wt]

any launch date ?

to be honest, we could launch today if we wanted to. atm we're debugging some peculiar jsonRPC errors. every so often, an RPCcall fails for no apparent reason. on top of that our error log is filled with exceptions thrown by withdraw function, and to date we haven't recorded a succesful withdrawal. until we get these two mentioned issues lined out, it will not be able to be launched.

once thats in place i think we would be good for launch. maybe a good once over of the code and seeing some small optimizations. Thanks to an anonymous tip, i patched a File inclusion vulnerability.

I think one more, bare minimum thing needing to be addressed prior to launch is csrf keys for all forms. other than that and whats been mentioned, we're ready to roll.

[slavo]

I have 1000$ invested in you and i am NOT rich

I was poker affiliator for 5 years, so maybe could I help for PR and affiliation program.

btw do you have any plan for that ?

It's my first day officially unemployed, i'm dedicating myself to crypto; maybe could I join.

Could you contact me ? PM; we can talk on skype or anything if needed. cheers 

[r3wt]

See OP. we will be launching later this week. github updates will now be delayed 2 weeks.

current git version: 0.3

current dev version: 0.3.4

anticipated production version: 0.3.8 -0.4.1

[bathrobehero]

4.access_denied.php
priority: high
-add mysql to gather information about the user(ive documented it for you nicely so this should be a 5 minute job tops).
-add logic to increment number of times a user has seen this page.
-add table `access violations` row(s) `username` `ip` `count` <-number of violations.
**template access_denied.php
**when you finish this, i will build a page for us to track this table and add it to the admin pages.

Way to annoy users behind proxies.

I can confirm that "**template access_denied.php" is working and looks good, though that's all I can see.

[hamiltino]

Please add gridcoin to this exchange.


http://www.gridcoin.us/

[Satyre_Noir]

How do you integrate altcoin wallets with exchange software, do you code API for each altcoin wallet or there is some other way to go around?

[50cent_rapper]

Hi r3wt!

Please, look at Pandacoin: https://bitcointalk.org/index.php?topic=399127.0
It's the first cryptocoin with block reward decreasing everyday + Kimoto Gravity Well diff algo.
If it's intresting - please add it on your wonderful exchange.

[kjaiswal]

How are the balances updated I sent a few BTCs to my wallet address and next time I see my BTC deposit address changed with no coin funded to my wallet. Does bitcoind update the balances table in openex when it receives coins?

[r3wt]

How are the balances updated I sent a few BTCs to my wallet address and next time I see my BTC deposit address changed with no coin funded to my wallet. Does bitcoind update the balances table in openex when it receives coins?

did the coins ever show up?

[kjaiswal]

Coins show up in the coins stats link but are not credited to individual account i.e. it doesnt update the balances table.

[leckey]

What's the status on this now?

[cryptopaths]

What's the status on this now?

R3wt said the site was hacked and the coins were stolen, in reality R3wt is the one that stole the coins.

[leckey]

What's the status on this now?

R3wt said the site was hacked and the coins were stolen, in reality R3wt is the one that stole the coins.

*sigh* why am I not surprised...

[beetterer1]

i know this makes me look bad since i said two weeks and its now up, but unfortunately the processors for our main server are on backorder. the host company is shooting for sometime this week. i imagine that justin and i will only need a few days to get it up and in beta mode. should everything work as planned, its reasonable to think the site could be officially launched as soon as we would like.

i think it will probably take a few days to compile and sync all the wallets though.

as soon as the servers deliverd, i could give you a better estimate.

As for the mod position, we are generally looking for someone who is fluent in chinese.

[TheD0ct0r]

Would love to see how you defend this R3wt?

I went to login Openex.pw today and found this Disturbing conversation in chat. I am still Loz.. OOops looks like some one forgot to clear logs...

1: R3wt openly admits to working with former NSA on the new exchange.. WTF if he beleives this hes a moron. Worse yet he would work with a FED!


2: R3wt  Begs Justin to build him a trade engine because he doesn't know how to.... It looks like R3wt is trying to hide Justin under the name mBlanchard.

Please refresh my memory isn't Justin the same (Cat) R3wt tried to pin the bad code and hack on ?  Yes it is, WTFF !


3: R3wt  Openly admits hes going to build another half ass trade engine Using python he knows nothing about.

Doing more searching  haha https://twitter.com/_LuaPod_ Rewt wants Justins code. Looks like a internal dispute going on.
You know its bad when Justin doesn't even want anything to do with R3wt.
Theres some real f%CKED uped stuff going on here maybe one of you guys can figure it out.....

Make sure you guys spread this on other forums so no one else get screwed on this new pos he cooking up.

Ohhh wait there is more I copied the full conversation to a .txt file just encase they try to wipe the log.   http://snk.to/f-cdhfbilj

here are links to the full screen caps  http://imgur.com/iDV9jHL    http://imgur.com/WLTeWzz    http://imgur.com/l7oHqxQ


https://i.imgur.com/kNKxGXE.jpg
https://i.imgur.com/mtYwgFv.jpg
https://i.imgur.com/mbbea02.jpg