r3wt (OP)
October 29, 2013, 06:37:35 PM (Last edit: January 06, 2014, 01:23:31 PM by r3wt)

demo: http://dev3.openex.pw/
We will be launching later this week. exchange is 100 percent working. tweaking some code here and there and making some final optimizations. about all that's left to do as far as basic functionality is fix a small bug: when a user withdraws all coins, the balance record for that coin remains. when the user buys more of that currency or deposits more, a duplicate balance entry is entered, causing the account page to list the first result, which will always be the original balance, which was zero upon withdrawal. a fix for this is to delete the balance upon withdrawal if the remaining balance is zero. should be simple enough, and shouldn't take more than a day to test in different scenarios. see you all soon. thanks for the help, support, and suggestions.
My negative trust rating is reflective of a personal vendetta by someone on default trust.
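The duplicate-balance bug described in this post exists because the database allows two rows for the same user and currency. As an added example (not OpenEx code), here is how a composite primary key plus an upsert removes the duplicate at the schema level, and how a conditional UPDATE makes the debit atomic so that two simultaneous withdrawals cannot both succeed against one balance. The table layout, column names, function names and the mysqli calls are assumptions for this example.

```php
<?php
// Added example, not OpenEx project code. Assumes MySQL/MariaDB and a mysqli
// connection; the `balances` schema below is constructed for the example.

function createBalancesTable(mysqli $db): void
{
    // The composite primary key makes a second row for the same
    // (user_id, currency) pair impossible, so "first result wins" can
    // no longer pick a stale zero balance.
    $db->query(
        'CREATE TABLE IF NOT EXISTS balances (
            user_id  INT UNSIGNED  NOT NULL,
            currency VARCHAR(8)    NOT NULL,
            amount   DECIMAL(20,8) NOT NULL DEFAULT 0,
            PRIMARY KEY (user_id, currency)
        )'
    );
}

// Deposit or purchase: insert the pair if it is new, otherwise add in place.
function creditBalance(mysqli $db, int $userId, string $currency, string $amount): bool
{
    if ((float)$amount <= 0) {
        return false;                         // never credit zero or negative
    }
    $stmt = $db->prepare(
        'INSERT INTO balances (user_id, currency, amount) VALUES (?, ?, ?)
         ON DUPLICATE KEY UPDATE amount = amount + VALUES(amount)'
    );
    $stmt->bind_param('iss', $userId, $currency, $amount);   // DECIMAL binds as string
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Withdrawal or sale: the balance check is inside the UPDATE, so two
// concurrent requests cannot both pass a read-then-write check in PHP.
function debitBalance(mysqli $db, int $userId, string $currency, string $amount): bool
{
    if ((float)$amount <= 0) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE balances SET amount = amount - ?
         WHERE user_id = ? AND currency = ? AND amount >= ?'
    );
    $stmt->bind_param('siss', $amount, $userId, $currency, $amount);
    $stmt->execute();
    $ok = ($stmt->affected_rows === 1);       // 0 rows: insufficient funds
    $stmt->close();
    return $ok;
}

// Usage (placeholders for the real connection details):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// createBalancesTable($db);
// creditBalance($db, 42, 'BTC', '1.50000000');
// $withdrawn = debitBalance($db, 42, 'BTC', '1.50000000');   // balance row stays at 0
// $again     = debitBalance($db, 42, 'BTC', '0.00000001');   // refused: nothing left
```

Leaving the zero-balance row in place is then harmless: the next credit updates it rather than creating a sibling. The affected_rows check on the debit is also what closes the race between two requests that each read a sufficient balance before writing, which is the kind of in-account double spend the thread mentions later.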

knowitnothing
October 29, 2013, 10:15:55 PM

Did you forget to include the link to the open source code, some repo, or anything at all? Because, you know, otherwise it is not open source.

r3wt (OP)
October 29, 2013, 10:56:58 PM

> Did you forget to include the link to the open source code, some repo, or anything at all? Because, you know, otherwise it is not open source.

That's an excellent question. the code will be open source the day the exchange is launched. in its current form and incompleteness, i am not ready to open source it yet. Justin is currently modifying the market system of the database to add an identifier for currency pairs. then we will probably switch that to its own database for an extra security measure. the project is currently at a conservative 60% completion -- saying that, it's fully functional except the withdrawal system, but there are many bugs to work out and adequate security measures to add, plus an api for off site trading. personally, i am working on porting a version of goosh to the site for commandline based trading, something that should be a unix nerd's wet dream. i'll keep this updated as much as possible. going to a party tonight, check back tomorrow.

r3wt (OP)
October 30, 2013, 05:19:22 PM

i have decided i will go ahead and begin opensourcing the exchange.

in today's update, i will be adding a mobile site, and modifying the way php identifies devices to include a class for mobile devices. after that i will begin building the admin interface. when i have installed the basic admin interface, i will break with programming and install an LNMP (Linux, Nginx, MySQL, PHP) stack on my local unix system and begin using it as the test server.

this system will be the basis for future updates, and will be the testing ground for our project. updates to the openex website will no longer be processed automatically, except for a manual process of updating the files through git as opposed to straight sftp interaction from the test server to the server @ openex.

additionally, if time permits, i will begin work on building the user privileged actions class in php, with a separate class system for admins. instead of the normal id based class interaction, an asynchronous class will be created for each class in order to verify and regulate the de facto class interaction system of the php/mysql platform. this is imperative as it sets a hardcoded limit on what users can accomplish with quote "privilege escalation" exploits. think of it as security by execution of php scripts through a window that monitors and approves each interaction of a script with the php parser, using:

- custom rule sets
- XSS prevention private function keys
- script execution window through use of the keys previously mentioned, expiring immediately by being added to the database as a processed request record.
- double salt function applied to all json interactions
- key based 32,768 bit encryption of communications between the wallet servers (called "clients" as each one hosts a specific wallet), utilizing an encryption system i have developed in php using keys stored on wallet servers.

the way it works is, information will be sent from the main server through a php page encrypting the json and other information. the client server will receive and, before decoding, it will return the key also encrypted with the prototype algorithm. the double salting function reduces hash collision and creates random, secure keys for each interaction, meaning these interactions can be neither decoded, understood, nor repeated, because the window for execution of the command will be uninitiated by the requestor, in this case a malicious attacker who wishes to reproduce a transaction to his withdrawal address by forging a second transaction or attempting to intercept the encrypted command and keys and resubmit the already processed interaction, which has a decaying window to be approved.

i'll update this thread as each task is completed.

i haven't contacted justin today as he is in school, but i would expect an update on his progress with multi market and the fee execution process modification, fixing a vulnerability that allows for doublespending within a user's exchange account. that's about it for now.

r3wt
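The practical core of what this post describes is a replay check: a wallet server should accept a given command once, within a short window, and refuse a resubmitted copy of it. The following is an added example, not OpenEx code and not the "double salt" or 32,768-bit scheme the post mentions; it uses a standard HMAC (SHA-256) over a nonce, a timestamp and the command body, keyed with a secret shared by the two servers. The key value, the 60-second window, the in-memory array standing in for the processed-request table, and all function and field names are assumptions.

```php
<?php
// Added example, not OpenEx code: authenticating a command sent from the
// main server to a wallet server and rejecting replays. The shared key,
// window and nonce store are constructed for the example.

const SHARED_KEY   = 'replace-with-32-random-bytes-per-wallet-server'; // placeholder
const MAX_AGE_SECS = 60;   // how long a signed command stays valid

// Fixed field order so both sides MAC exactly the same bytes.
function canonical(array $env): string
{
    return $env['nonce'] . '|' . $env['ts'] . '|' . $env['body'];
}

// Sender side: wrap a command so the receiver can check origin, age and uniqueness.
function signCommand(array $command, string $key): array
{
    $envelope = [
        'nonce' => bin2hex(random_bytes(16)),  // one-time value per command
        'ts'    => time(),
        'body'  => json_encode($command),
    ];
    $envelope['mac'] = hash_hmac('sha256', canonical($envelope), $key);
    return $envelope;
}

// Receiver side: MAC first, then the time window, then consume the nonce.
// $seen stands in for the "processed request" table the post describes.
// Returns the decoded command, or null when the envelope must be rejected.
function verifyCommand(array $env, string $key, array &$seen, ?int $now = null): ?array
{
    $now = $now ?? time();
    foreach (['nonce', 'ts', 'body', 'mac'] as $field) {
        if (!isset($env[$field])) {
            return null;                                 // malformed
        }
    }
    $expected = hash_hmac('sha256', canonical($env), $key);
    if (!hash_equals($expected, (string)$env['mac'])) {  // constant-time compare
        return null;                                     // forged or altered
    }
    if (abs($now - (int)$env['ts']) > MAX_AGE_SECS) {
        return null;                                     // outside the window
    }
    if (isset($seen[$env['nonce']])) {
        return null;                                     // already processed
    }
    $seen[$env['nonce']] = $now;                         // record as processed
    return json_decode($env['body'], true);
}

// Demo with a constructed command. The second delivery reuses the nonce, and
// the third keeps the old MAC but changes the body.
$seen = [];
$msg  = signCommand(['op' => 'withdraw', 'amount' => '0.5', 'to' => 'ADDR_PLACEHOLDER'], SHARED_KEY);
$first  = verifyCommand($msg, SHARED_KEY, $seen);     // fresh envelope
$replay = verifyCommand($msg, SHARED_KEY, $seen);     // same envelope again
$msg['body'] = json_encode(['op' => 'withdraw', 'amount' => '50', 'to' => 'ADDR_PLACEHOLDER']);
$tampered = verifyCommand($msg, SHARED_KEY, $seen);   // body no longer matches MAC
var_dump($first !== null, $replay !== null, $tampered !== null);
```

The MAC is checked before anything else, so a sender without the key cannot probe the nonce store, and the nonce is recorded only after the MAC and window checks pass. In production the nonce store is a table with a unique index on the nonce, pruned after MAX_AGE_SECS, and the transport is TLS (the rpcssl option mentioned later in the thread) so the body is not readable in transit: the HMAC provides integrity and replay protection, not confidentiality.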

r3wt (OP)
October 31, 2013, 06:55:17 AM

got quite a bit done today.
justin worked on an administration interface, while i:
- built the framework for the mobile site. tomorrow is on to the css of the mobile site.
- finalized attributes of password strength indicator.
- added a configuration script to easily disable the login and registration systems.
- played with some javascript in firefox 25's version of the site. meny.js divs look ugly in firefox. adding some firefox logic to the css tomorrow to fix it.

r3wt (OP)
November 02, 2013, 08:46:24 AM

r3wt (OP)
November 02, 2013, 08:51:17 AM

oh by the way, that password strength is pure js/css. here's the js if you want it for a project. i'm all about code reuse.

```javascript
function passwordStrength(password) {
    // labels indexed by score (0..7)
    var desc = new Array();
    desc[0] = "Too Short";
    desc[1] = "Weak";
    desc[2] = "Terrible";
    desc[3] = "Better";
    desc[4] = "Good";
    desc[5] = "Strong";
    desc[6] = "Secure";
    desc[7] = "Legendary";

    // each satisfied rule adds one point; note the commas inside the
    // character classes are themselves matched as "special" characters
    var score = 0;
    if (password.length > 8) score++;
    if (password.match(/\d+/)) score++;
    if (password.match(/([a-zA-Z])/) && password.match(/([0-9])/)) score++;
    if (password.match(/([!,%,&,@,#,$,^,*,?,_,~])/)) score++;
    if (password.match(/(.*[!,%,&,@,#,$,^,*,?,_,~].*[!,%,&,@,#,$,^,*,?,_,~])/)) score++;
    if (password.length > 13) score++;
    if (password.length > 20 && password.match(/(.*[!,%,&,@,#,$,^,*,?,_,~].*[!,%,&,@,#,$,^,*,?,_,~])/)) score++;

    // write the label and a CSS class (strength0..strength7) into the page
    document.getElementById("passwordDescription").innerHTML = desc[score];
    document.getElementById("passwordStrength").className = "strength" + score;
}
```

r3wt (OP)
November 07, 2013, 09:40:59 AM

New Screenshots:
- Market Overview
- Admin -- Query User
- Admin -- Server Stats
- Admin -- Coin Monitor (Basic Interface for monitoring each wallet/network.)
- Trade Page (now with graphs etc)
- Trade Page with Chat Open

Issues:
- withdraws still do not work. -- No one is assigned
- chat still isn't functional. -- zelles is assigned
- need alternate style sheets for non webkit or mobile users. this can easily be accomplished with js and alternate stylesheets. -- i am assigned
- trade engine -- justin is assigned
- jquery/ajax page requests -- No one is assigned
- Market Data arrays controllers and functions for charts -- I am assigned
- API -- No one is assigned
- Pen Testing -- Gorgorom is assigned

If you wish to join the project, do not hesitate to contact me.

crazy_rabbit (Legendary, Activity: 1204, Merit: 1001)
November 07, 2013, 09:45:56 AM

Very cool, watching this!

more or less retired.

r3wt (OP)
November 07, 2013, 09:49:54 AM

> Very cool, watching this!

thank you for your support! you are more than welcome to contribute ideas, tips, or pointers.

elambert (Legendary, Activity: 1696, Merit: 1008)
November 07, 2013, 09:56:08 AM

Godspeed rewt!

Hazard (Legendary, Activity: 980, Merit: 1000)
November 07, 2013, 10:00:32 AM

I like.

betacoindev
November 07, 2013, 11:27:50 AM

Wow, very nice project!

http://betaco.in Betacoin | SHA256 | POW | 4min | 32mln + 0,39% annual | fair launch

mercSuey
November 07, 2013, 01:28:48 PM

I'm just now seeing this, been too busy! Looks awesome, mate. Good luck.

Sustainable (Member, Activity: 70, Merit: 10)
November 07, 2013, 01:31:08 PM

Really well done so far, very cool idea and interesting prospect. Thanks for helping the community!

Cloud Mining - Mine when your computer is not on. Mine if you don't have the appropriate hardware or operating system! Mine when you are asleep! ---> https://cex.io/r/1/Sustainable/0/

daybyter (Legendary, Activity: 965, Merit: 1000)
November 07, 2013, 02:07:41 PM

I work on java trading stuff. Do you have an API, that I could implement, so my code could trade on your site?

gorgorom (Full Member, Activity: 238, Merit: 100)
November 07, 2013, 04:19:15 PM

Very nice brother. Seems to be gaining traction. I will run another series of tests today, will update you in skype when it's complete.

unfocus
November 07, 2013, 04:36:14 PM

Very nice! Thanks.

r3wt (OP)
November 13, 2013, 06:12:10 AM

a small update: over the weekend, i purchased a couple additional domains (Openex.info, home of the forums, and Openex.mobi, home of the mobile version of the site) and security certificates for each, and finalized a deal for hosting of the site.

the site will be launched on the following hardware:
Dell Poweredge, Dual 6 core Xeon 5639's, 48 GB ECC DDR3, Dual 1 tb sata with raid, 100mbit port, firewalled, google pagespeed cdn + google shield

upgrade plans:
phase 1:
- move wallets to server 2 (Quad Opteron, 32 gb ddr2, dual 100 mbit port, firewalled)
- move openex.mobi (mobile site) to server 3 (Core i7, 8 gb dd3, 1 gbit port, firewalled)
- launch openex.info (the forums)
phase 2: an upgrade with Alpheus moves us into tier 2 hosting, where we share the benefit of the following: 4x 100 gbit CISCO CRS-3 single port with 140G Cisco FPG

Tomorrow, the site will go back online at the vps, and we will begin rigorously working on its completion. we have a tentative goal of December, however much of it will hinge on how confident i am in the security of the site. i am typically cautious and would like to err on the side of caution rather than to produce a bad exchange. stay tuned folks

muddafudda (Legendary, Activity: 1008, Merit: 1022)
November 13, 2013, 06:16:40 AM

In all honesty the dev had admitted to previous scams and the title should be given the appropriate scam warning.

r3wt (OP)
November 13, 2013, 06:26:26 AM

> I work on java trading stuff. Do you have an API, that I could implement, so my code could trade on your site?

there are definite plans for an api. it may not be ready by the time the site launches, but it will definitely happen eventually.

r3wt (OP)
November 13, 2013, 06:32:52 AM

a couple of coins i would like to run by you guys, as i feel like several of the coins presently listed are probably not worthy of the exchange. i am also considering removing the litecoin market completely, although i probably won't, especially if devcoin is listed on the exchange.

Some coins i am interested in: Devcoin, Gridcoin, Protoshares, Curecoin
Some coins i am cooling on: Inkacoin, Netcoin

daybyter (Legendary, Activity: 965, Merit: 1000)
November 13, 2013, 11:48:34 AM

Why remove litecoin? btc-e needs some competition!

templar77
November 13, 2013, 04:20:55 PM

> If you wish to join the project, do not hesitate to contact me.

Hi man, I want to join the project. I'm from Mexico. I'm Mid Level PHP dev, but I can also help with design, PR, advertising, and all that cool stuff. So plz tell me if I can help with something.

r3wt (OP)
November 13, 2013, 06:25:26 PM

so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong?

templar77
November 14, 2013, 12:03:00 AM

> so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong?

Well that's my last name. And I'm caucasian btw, but yeah I was born in Mexico xD I don't see what could possibly go wrong :S I just want to help and learn from your project. So what do you think?

r3wt (OP)
November 14, 2013, 01:25:05 AM

> > so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong?
>
> Well that's my last name. And I'm caucasian btw, but yeah I was born in Mexico xD I don't see what could possibly go wrong :S I just want to help and learn from your project. So what do you think?

i'll be updating the github later with the latest version of the source. you are invited to fork it and make modifications, submit pull requests, etc. perhaps you were hoping for root access

r3wt (OP)
November 16, 2013, 06:16:51 AM

Source has been updated on Git: https://github.com/r3wt/openex
not included directories: /chat /admin

r3wt (OP)
November 17, 2013, 06:02:21 AM

I would like to ask for donations or sell a few shares to help fund development/server costs.
what is the best way to go about this?
Not looking for egregious amounts, but some small donations would go a long way.

r3wt (OP)
November 17, 2013, 08:48:29 AM

1. Trade's fixed! - trade now takes trade fee % (.089 percent) on buys and sells. no withdraw or deposit fee (except network fee for withdrawal). server side and client side now in unison
2. Withdraws work - withdraw fixed. now works for withdraws
3. Error/Success confirmation divs - now shows messages on registration, logout, trade submitted, invalid trade, invalid amount.

TO DO:
1. Bug in cancel trade script: amount back + fee.
2. Trade engine to be revamped
3. Litecoin market
4. Chat
5. Api
6. Move to server, compile client, launch site.
7. minor gui improvements/code review as time goes by.
8. mobile site/forum launch

r3wt (OP)
November 17, 2013, 09:06:20 PM

Trade Engine nearing completion!
Details:
- PHP/Cron based - executes on 1 second intervals
- Low Latency - can {theoretically} handle 890k trades per second
- Fast - Executes queries (Post trade, Get Trades, Get Trade equivalent, Execute trade) and terminates threads upon success.
- Secure - Stores all trades in a temporary database. if error occurs, trade engine is paused, trade is reversed and executed again.

Json/Wallet system Revamped! More details to come.

SMTP - Mail functions are nearing completion.

To Do:
1. Trade engine testing, Json vulnerability testing.
2. Script key generation to prevent XSS attacks. (or could use htaccess)
3. API
4. Chat

r3wt (OP)
November 18, 2013, 04:38:23 AM

Trade Engine and Wallet system complete
To Do:
- Automate trade page with ajax
- Chat
- API

adoalli
November 18, 2013, 04:45:24 AM

good job

daybyter (Legendary, Activity: 965, Merit: 1000)
November 18, 2013, 10:08:58 AM

If you need help with the API, let me know.

Spoetnik (Legendary, Activity: 1540, Merit: 1011)
November 18, 2013, 10:16:13 AM

is having an open-source exchange / web site a good idea from a security stand point ?
and sorry but if there is an api for bots + auto-sell i won't be using it.
i do wish ya luck though.. not trying to flame ya

FUD first & ask questions later™

r3wt (OP)
November 18, 2013, 10:38:50 AM

> is having an open-source exchange / web site a good idea from a security stand point ?
> and sorry but if there is an api for bots + auto-sell i won't be using it.
> i do wish ya luck though.. not trying to flame ya

API === TRUE; AUTOSELL === FALSE;

daybyter (Legendary, Activity: 965, Merit: 1000)
November 18, 2013, 10:45:49 AM

> is having an open-source exchange / web site a good idea from a security stand point ?
> and sorry but if there is an api for bots + auto-sell i won't be using it.

So you don't use any exchanges with an API? Are there any?

Spoetnik (Legendary, Activity: 1540, Merit: 1011)
November 18, 2013, 10:48:32 AM

please establish a game plan for when or if your exchange gets hacked. (and have it public too somewhat) like if people had their coins stolen from a site hacking will you state in an FAQ or something you would pay them back? see where i'm goin' with this? place an emphasis on security as much as possible

Spoetnik (Legendary, Activity: 1540, Merit: 1011)
November 18, 2013, 10:49:29 AM

> > is having an open-source exchange / web site a good idea from a security stand point ?
> > and sorry but if there is an api for bots + auto-sell i won't be using it.
>
> So you don't use any exchanges with an API? Are there any?

there should be and i bet it would be popular.. i go to trade not fight bots.

r3wt (OP)
November 18, 2013, 10:50:37 AM

> please establish a game plan for when or if your exchange gets hacked. (and have it public too somewhat) like if people had their coins stolen from a site hacking will you state in an FAQ or something you would pay them back? see where i'm goin' with this? place an emphasis on security as much as possible

really?

gorgorom (Full Member, Activity: 238, Merit: 100)
November 18, 2013, 01:29:58 PM

> so you're from mexico, have 12 posts, and your email address is crt.ferguson@gmail, a caucasian last name, and you would like to work on the exchange. what could possibly go wrong?

Plus one this

ahmed_bodi
November 18, 2013, 02:45:43 PM

hurry up with openex!

Bitrated user: ahmedbodi.

r3wt (OP)
November 20, 2013, 06:03:25 AM

We're moving into the home stretch people!

Updates: jquery ui and page transition animations are functional and look nice! rebuilt admin interface. built debug mode navigation system. trade engine has been tested and works great. wallet system works as expected as well.

Now for an insight into our work log. To Do:

1. Withdrawals (priority: extremely high)
- withdrawal requests are sent into a queue for admin approval.
- once admin approval occurs, withdraw is processed.
** ive built a template for you: pages/withdraw.php

2. password reset page (priority: high)
- users need a way to reset passwords
- add mysql and functions.
** ive built a template for you: pages/reset.php

3. API (priority: low)
** template pages/api.php

4. access_denied.php (priority: high)
- add mysql to gather information about the user (ive documented it for you nicely so this should be a 5 minute job tops).
- add logic to increment number of times a user has seen this page.
- add table `access violations` row(s) `username` `ip` `count` <- number of violations.
** template access_denied.php
** when you finish this, i will build a page for us to track this table and add it to the admin pages.

5. json (priority: high)
- fix this so that our withdraw/deposit functions work.
- ensure the security of this.
- investigate if this is compatible with rpcssl flag of clients (i think it is, as the traffic should be automatically encrypted/decrypted by the server).

6. create function to prevent Sitebanned users from logging in. (priority: medium)
- add a row for this to database.

7. Add option to pages/admin.php to click and ban users (both chatban and siteban). (priority: medium)

8. Chat (priority: low)

r3wt (OP)
November 20, 2013, 03:41:52 PM

bump

r3wt (OP)
November 21, 2013, 01:22:58 PM

Beta version of the chat has been completed! woo! that was kind of exhausting but i learned to use ajax, so on the plus side, i now can make the trade page dynamic.
we still have a ways to go but things are looking nice.

r3wt (OP)
November 23, 2013, 03:36:55 PM (Last edit: November 24, 2013, 01:40:52 AM by r3wt)

Updated Work Log.

1. Withdrawals (priority: extremely high)
- withdrawal requests are sent into a queue for admin approval.
- once admin approval occurs, withdraw is processed.
** ive built a template for you: pages/withdraw.php

2. password reset page (priority: high)
- users need a way to reset passwords
- add mysql and functions.
** ive built a template for you: pages/reset.php

3. API (priority: low)
** template pages/api.php

5. json (priority: high)
- fix this so that our withdraw/deposit functions work.
- ensure the security of this.
- investigate if this is compatible with rpcssl flag of clients (i think it is, as the traffic should be automatically encrypted/decrypted by the server).

6. create function to prevent Sitebanned users from logging in. (priority: medium)
- add a row for this to database.

7. Add option to pages/admin.php to click and ban users (both chatban and siteban). (priority: medium)

8. Chat (priority: medium) Done!
- check input with jquery
- sanitize mysqli

9. XSS formkeys (priority: low)
- ive created the class and functions. you can find it in funcs.general.php
- just need to add them to forms and then validate them in each script.
- this should eliminate session jacking/cross site scripting hacks.

10. Fee shares (priority: low)
- ability to track fee shares in account page.
- automate fee shares.
comment: we can work on this after the site launches.
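Item 9 of the work log credits the form keys with stopping session jacking and cross-site scripting. What a per-form key actually defeats is cross-site request forgery, where another site submits a logged-in user's form for them; injected script is stopped separately, by escaping everything user-supplied before it is written into HTML. As an added example, not the class in funcs.general.php, here is one way to issue, validate and expire a per-form key in PHP sessions, with the output-escaping helper alongside it. The function names, the hidden field name formkey and the 15-minute lifetime are assumptions.

```php
<?php
// Added example, not OpenEx code. Session-backed per-form keys plus output
// escaping; names and the 900 s lifetime are constructed for the example.

session_start();

// Called while rendering a form: one fresh key per form name, kept server-side,
// returned as the hidden input to place inside the <form>.
function formKeyField(string $form): string
{
    $key = bin2hex(random_bytes(32));                      // 256 bits, hex is HTML-safe
    $_SESSION['formkeys'][$form] = ['key' => $key, 'issued' => time()];
    return '<input type="hidden" name="formkey" value="' . $key . '">';
}

// Called first thing in the script that processes the form. The stored key is
// removed before it is compared, so a captured request cannot be replayed.
function validateFormKey(string $form, array $post, int $maxAge = 900): bool
{
    $stored = $_SESSION['formkeys'][$form] ?? null;
    unset($_SESSION['formkeys'][$form]);                   // single use
    if ($stored === null || !isset($post['formkey'])) {
        return false;                                      // no key issued or none sent
    }
    if (time() - $stored['issued'] > $maxAge) {
        return false;                                      // form left open too long
    }
    return hash_equals($stored['key'], (string)$post['formkey']);  // constant-time
}

// Output escaping: the control that addresses stored script injection. Any
// user-supplied string (chat lines, usernames, ticket text) goes through this
// before it is placed in HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage in a withdrawal form handler (constructed):
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!validateFormKey('withdraw', $_POST)) {
        http_response_code(403);
        exit('invalid or expired form key');
    }
    $address = (string)($_POST['address'] ?? '');
    echo 'Withdrawal request received for ' . h($address);  // escaped on output
} else {
    echo '<form method="post">' . formKeyField('withdraw')
       . '<input name="address"><button>Withdraw</button></form>';
}
```

The key is tied to the session, not the user agent, so a logged-in user's browser that is tricked into posting the form from another origin will not carry a matching key; htmlspecialchars on the way out is what keeps a chat line or username from being interpreted as markup, which a form key does nothing about.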

unfocus
November 24, 2013, 04:31:27 AM

> Updated Work Log.
> 1. Withdrawals (priority: extremely high) - withdrawal requests are sent into a queue for admin approval. - once admin approval occurs, withdraw is processed. ** ive built a template for you: pages/withdraw.php

I don't know why withdrawal can't be automated. Why would it need any approval??

r3wt (OP)
November 24, 2013, 04:55:58 AM

> Updated Work Log.
> 1. Withdrawals (priority: extremely high) - withdrawal requests are sent into a queue for admin approval. - once admin approval occurs, withdraw is processed. ** ive built a template for you: pages/withdraw.php
>
> I don't know why withdrawal can't be automated. Why would it need any approval??

security measure, just in case an exploit occurs: wallets go offline automatically while database is rolled back. if attacker exploits db somehow he won't be able to withdraw unless he can bruteforce the rpcssl connection, which is unlikely. whereas, with automated withdrawal, attacker could squeeze the funds out before we'd know what hit us. this is why we are hiring so much staff.

bob131313
November 25, 2013, 12:05:08 AM

How about posting some bug bounties. Peeking at the github, this would be fun once it goes live.
Maybe bounties ranging from 0.1 btc to 1 btc.
Hate for you to go live with this on a shiny new server that winds up with a shell the first day.

r3wt (OP)
November 25, 2013, 12:14:31 AM

> How about posting some bug bounties. Peeking at the github, this would be fun once it goes live.
> Maybe bounties ranging from 0.1 btc to 1 btc.
> Hate for you to go live with this on a shiny new server that winds up with a shell the first day.

the github is pretty far behind the current version of the site. we're pretty confident in the live version. we're looking for two penetration/bug/vuln testers for the site. this is a paid staff position. the previous guy we had lined up has gone AWOL. see the first post here https://bitcointalk.org/index.php?topic=344084.msg3686527#msg3686527

cryptohunter (Legendary, Activity: 2100, Merit: 1167)
November 25, 2013, 12:33:09 AM

this is quite awesome

r3wt (OP)
November 26, 2013, 08:44:21 AM

Alot has changed in the past few days. Tasks now complete:

Chat backend.
- Banned users now may not post. (a message is shown: "system: <user> has been banned from chat.")
- moderators are orange, admins are blue, and users are black.

Mod class:
- created the mod users and isUserMod() function.
- moderators may hand down chat bans from the mod screen.

Chatbanned class:
- chatbanned user class
- isUserCBanned() function

Access Denied:
- timestamps are logged along with ip, user account, and browser string.

i'll give you a peek at the code. this is a very complex script.

```php
<?php
require_once("models/config.php");

// classify the browser from the User-Agent header; strpos() returns an
// offset or FALSE, so every branch compares with !== FALSE
if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== FALSE) {
    $u_agent = mysql_real_escape_string("Internet Explorer");
} elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Chrome') !== FALSE) {
    $u_agent = mysql_real_escape_string("Google Chrome");
} elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera Mini') !== FALSE) {
    $u_agent = mysql_real_escape_string("Opera Mini");
} elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Opera') !== FALSE) {
    $u_agent = mysql_real_escape_string("Opera");
} elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Firefox/25.0') !== FALSE) {
    $u_agent = mysql_real_escape_string("Mozilla Firefox");
} elseif (strpos($_SERVER['HTTP_USER_AGENT'], 'Safari') !== FALSE) {
    $u_agent = mysql_real_escape_string("Safari");
} else {
    $u_agent = mysql_real_escape_string("Unknown");
}

$ip = mysql_real_escape_string(getIP()); //get user ip

//show the access denied message no matter what
echo "<style>html { width:100%; height:100%; background:url(assets/img/access_denied.gif) center center no-repeat; background-color: #000000 !important;}</style>";

//check if user is logged in (isUserLoggedIn() is a function call) and
//record the account name, or a guest marker when nobody is logged in
if (isUserLoggedIn() && $loggedInUser->display_username != null) {
    $account = mysql_real_escape_string($loggedInUser->display_username);
} else {
    $account = mysql_real_escape_string("Guest/Not Logged In");
}

//log with mysql
$date = date("F j, Y, g:i a");
$sql = @mysql_query("INSERT INTO access_violations (username, ip, user_agent, time) VALUES ('$account', '$ip', '$u_agent', '$date');");
```

--support system--
last night, i spent time poring through viewticket.php, the threaded view of a support ticket and all responses. i refactored the code and built a new css layout that's very user friendly and pleasant to look at now. i think you will like it. next i will reflect the changes in new ticket, just so that the theme is nice and consistent within the support system.

I'll try and update everyone a bit later on the updated work log.

Right now, i'm working on:
- mod functions to ban, and adding a table to show who the user was banned by, so mods will be able to see who is banned at any given time as well as who the ban was given by.

Next I'll be working on:
- converting the entire site to mysqli OOP prepared statements for maintainability and peace of mind.

Other participants:
- Don't know what justin's working on. he's supposed to be helping with sql and such but i find he's doing less and less contributing and more and more talking, which is never good. this is a business, and freeloading is not tolerated, talented programmer or not. last i heard he was going to build a permission system in order to make our functions more flexible and changeable at any time.
- Ivan Peter. I have outsourced some jquery animations for the index, animation and scrolling functions of the chat, and ajax for the trade page to this guy. We'll see what happens with it.

wtman (Legendary, Activity: 1030, Merit: 1000)
November 26, 2013, 10:16:29 PM

Pretty good going so far. Can you tell me who among the staff are actual coders? Would you be willing to take any suggestions privately via chat? Good luck!

r3wt (OP)
November 26, 2013, 10:21:54 PM

> Pretty good going so far. Can you tell me who among the staff are actual coders? Would you be willing to take any suggestions privately via chat? Good luck!

justin and i do all of the coding. and yes, i know we need to stop concatenating strings together and switch to PDO. this is like the rough draft.
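The access_denied.php snippet posted earlier builds its INSERT by interpolating escaped strings, and both that post (mysqli prepared statements) and the reply just above (switch to PDO) say the plan is to stop concatenating SQL. As an added example, not the project's code, here is the same violation record written with mysqli prepared statements, with the browser-family check pulled into a function. It assumes a mysqli connection, the column names used in the post, and a `time` column that MySQL fills with NOW(); function names and connection details are placeholders.

```php
<?php
// Added example, not OpenEx's access_denied.php. Assumes an
// `access_violations` table with columns username, ip, user_agent, time.

function browserFamily(string $userAgent): string
{
    // Ordered on purpose: "Opera Mini" before "Opera", and "Chrome" before
    // "Safari", because the later tokens also appear in the earlier agents.
    $families = [
        'MSIE'       => 'Internet Explorer',
        'Opera Mini' => 'Opera Mini',
        'Opera'      => 'Opera',
        'Chrome'     => 'Google Chrome',
        'Firefox'    => 'Mozilla Firefox',
        'Safari'     => 'Safari',
    ];
    foreach ($families as $needle => $name) {
        if (strpos($userAgent, $needle) !== false) {   // offset or false, never == TRUE
            return $name;
        }
    }
    return 'Unknown';
}

function logAccessViolation(mysqli $db, ?string $username, string $ip, string $userAgent): bool
{
    $account = $username ?? 'Guest/Not Logged In';
    $agent   = browserFamily($userAgent);

    // The SQL text is fixed; the three values travel separately, so a
    // crafted username or User-Agent header cannot change the statement.
    $stmt = $db->prepare(
        'INSERT INTO access_violations (username, ip, user_agent, time)
         VALUES (?, ?, ?, NOW())'
    );
    if ($stmt === false) {
        return false;                                   // table or column mismatch
    }
    $stmt->bind_param('sss', $account, $ip, $agent);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage (placeholders for the real connection and session objects):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
// logAccessViolation(
//     $db,
//     isUserLoggedIn() ? $loggedInUser->display_username : null,
//     $_SERVER['REMOTE_ADDR'],
//     $_SERVER['HTTP_USER_AGENT'] ?? ''
// );
```

Two details are worth keeping: the raw User-Agent string is never stored, only the family name, so the log cannot be used to plant markup for an admin page that later displays it; and the client address comes from REMOTE_ADDR rather than a forwarded-for header, which is client-controlled unless a trusted proxy sets it.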

r3wt (OP)
November 27, 2013, 08:24:50 AM

the exchange is 95% complete!
new features:
view server load.
view all servers.
ping servers, restart servers, restart coin clients.
user agreement added to registration page.
index.php trimmed of fat, all procedural code converted into functions and moved to funcs.general.php
change passwords.
send activation emails.
reset passwords by mail.
jquery loading animations complete(update spinner, slide up slide down)
chat scrolling animations fixed. works great now.
json wallet class complete and ready for beta testing.
withdrawal page completed with password confirmation. justin is working on email confirmations.
sitebanning. sitebanned users may no longer log in
lowered fees: trade fee is .5%, withdrawal fee .1%
Tasks remaining:
click to ban users from mod page
Ajax handling of trade page, so tables are updated in real time.
order stacking(order, combine)
comprehensive vulnerability testing
beta test rpc
beta test trade engine(again)
MISC low priority tasks (either before or after launch, depends on how much time we have):
API
General site improvements
Responsive layout.

muddafudda (Legendary, Activity: 1008, Merit: 1022)
November 27, 2013, 11:11:57 AM

Considering the team consists of two devs whose coins have failed, what reassurance is there, when shit goes wrong, that the team will not bail on their responsibilities like they did with their alts?
|
|
|
|
r3wt (OP)
|
|
November 29, 2013, 03:26:27 AM |
|
I started building a new gui this morning for launch. i was supposed to be taking a break for thanksgiving, but i just couldn't help myself. i ended up doing something no one has ever accomplished before, utilizing jquery to style the viewport with css3 animations. i think you're gonna like it, it looks pretty sick. think windows metro 8 start screen ;P
|
|
|
|
muddafudda
Legendary
Offline
Activity: 1008
Merit: 1022
|
|
November 29, 2013, 03:37:55 AM |
|
Withdrawals are not automated because no one knows how
|
|
|
|
r3wt (OP)
|
|
November 29, 2013, 03:52:29 AM |
|
Withdrawals are not automated because no one knows how
You're so right muddafudda. We built a trade engine that handles 900,000 queries per second and we can't figure out for the life of us how to handle withdrawals with jsonRPCphp...
<?php
...
// Look up the wallet record (coin acronym, daemon IP and RPC port) for the requested id.
$id   = mysql_real_escape_string($_GET["id"]);
$sql  = mysql_query("SELECT * FROM Wallets WHERE `id`='$id'");
$coin = mysql_result($sql, 0, "Acronymn");
$ip   = mysql_result($sql, 0, "ip");
$port = mysql_result($sql, 0, "port");
// Connect to that coin's daemon over JSON-RPC and send from the user's account.
$bitcoin = establishRPCConnection($ip, $port);
$bitcoin->sendfromaccount($loggedInUser->display_username);
?>
|
|
|
|
muddafudda
Legendary
Offline
Activity: 1008
Merit: 1022
|
|
November 29, 2013, 04:52:25 AM |
|
Did someone say mcx now?
|
|
|
|
muddafudda
Legendary
Offline
Activity: 1008
Merit: 1022
|
|
November 29, 2013, 04:53:43 AM |
|
Openex insurance soon available. Insure yourself against running devs coming soon.
|
|
|
|
wtman
Legendary
Offline
Activity: 1030
Merit: 1000
|
|
November 30, 2013, 02:51:34 PM |
|
Openex insurance soon available. Insure yourself against running devs coming soon.
trolololol
|
|
|
|
newflesh
|
|
December 01, 2013, 02:22:15 PM |
|
Hey, any updates on Openex?
|
|
|
|
r3wt (OP)
|
|
December 01, 2013, 05:37:32 PM |
|
Hey, any updates on Openex?
yep. you can track current progress @ http://dev.openex.pw
|
|
|
|
slavo
|
|
December 04, 2013, 03:43:47 PM |
|
We need Quark for the OpenEx release!
Is it hard to make it work?
That would be awesome. It can be traded with a lot of volume soon.
|
|
|
|
r3wt (OP)
|
|
December 04, 2013, 03:45:53 PM |
|
We need Quark for the OpenEx release!
Is it hard to make it work?
That would be awesome. It can be traded with a lot of volume soon.
No, it isn't any more different than the rest of the coins.
|
|
|
|
slavo
|
|
December 07, 2013, 07:23:15 AM |
|
If another mod is needed for openex chat I can do it.
Any launch date ? An estimation is fine ^^
|
|
|
|
r3wt (OP)
|
|
December 07, 2013, 07:27:29 AM |
|
If another mod is needed for openex chat I can do it.
Any launch date ? An estimation is fine ^^
I know this makes me look bad since I said two weeks and it's now up, but unfortunately the processors for our main server are on backorder. The host company is shooting for sometime this week. I imagine that Justin and I will only need a few days to get it up and in beta mode. Should everything work as planned, it's reasonable to think the site could be officially launched as soon as we would like. I think it will probably take a few days to compile and sync all the wallets though. As soon as the servers are delivered, I could give you a better estimate. As for the mod position, we are generally looking for someone who is fluent in Chinese.
|
|
|
|
slavo
|
|
December 07, 2013, 07:40:55 AM |
|
Ok ok, keep up the good work. I am not fluent in Chinese at all, but I was just offering my services to help OpenEx as I can. Keep us informed! (What about making NXT tradable on OpenEx? It only has one exchange, and people are starting to get interested in it. I assume it's not as ez as other cryptos to add, but to get more people faster it could be good.)
|
|
|
|
r3wt (OP)
|
|
December 07, 2013, 07:49:18 AM |
|
Ok ok, keep up the good work. I am not fluent in Chinese at all, but I was just offering my services to help OpenEx as I can. Keep us informed! (What about making NXT tradable on OpenEx? It only has one exchange, and people are starting to get interested in it. I assume it's not as ez as other cryptos to add, but to get more people faster it could be good.)
We have discussed this privately, and we will only take one more coin. Currently we are researching what coin is worthy. I can pretty much guarantee you it won't be NXT.
|
|
|
|
slavo
|
|
December 07, 2013, 10:18:28 AM |
|
|
|
|
|
r3wt (OP)
|
|
December 07, 2013, 06:06:25 PM |
|
we may include quarkcoin. not sure.
|
|
|
|
r3wt (OP)
|
|
December 08, 2013, 09:01:43 AM |
|
Thanks to an audit by Gorgo Rom, an XSS vulnerability has been patched. This was a server level vulnerability; I think I may have stumbled into another vulnerability in the process. Tomorrow I'm gonna test to see what I can do with it. May be as simple as overriding php.ini to ignore cache settings of the user browser.
|
|
|
|
|
r3wt (OP)
|
|
December 17, 2013, 11:23:21 PM |
|
The github is now up to date with the project. https://github.com/r3wt/openex
|
|
|
|
r3wt (OP)
|
|
December 18, 2013, 11:18:59 PM |
|
I added a new feature today, building on the access violation system that I previously built into the application. Now, for every 10 access violations per unique IP address, the IP is banned. Access violation history is recorded on a per-instance basis, and the COUNT feature of MySQL is used to sort the count of each violation per IP address.
access_denied.php
<?php
require_once("models/config.php");

// Identify who tripped the violation: account name (or a guest marker), user agent and IP.
// Start from the guest value so nothing is read from $loggedInUser before the login check.
$account = "Guest/Not Logged In";
if (isUserLoggedIn() && $loggedInUser->display_username != null) {
    $account = $loggedInUser->display_username;
}
$account = mysql_real_escape_string($account);
$uagent  = mysql_real_escape_string(getuseragent()); // get user agent
$ip      = mysql_real_escape_string(getIP());        // get user IP
$date    = mysql_real_escape_string(gettime());

// Record this violation.
$sql = @mysql_query("INSERT INTO access_violations (username, ip, user_agent, time) VALUES ('$account', '$ip', '$uagent', '$date');");

// Count violations per IP, most frequent first, and ban every IP over the threshold.
$getcountip = mysql_query("SELECT ip, COUNT(*) AS count FROM access_violations GROUP BY ip ORDER BY count DESC;");
while ($row = mysql_fetch_assoc($getcountip)) {
    if ($row['count'] > 10) {
        $factors = mysql_real_escape_string($row['ip']);
        $sql2 = mysql_query("SELECT ip FROM bantables_ip WHERE ip = '$factors';");
        $number_of_rows = mysql_num_rows($sql2);
        if ($number_of_rows > 0) {
            /*--Do nothing: this IP is already banned--*/
        } else {
            $date2 = mysql_real_escape_string(gettime());
            $ip_address = mysql_real_escape_string($row['ip']);
            $sqlxz = mysql_query("INSERT INTO bantables_ip (ip, date) VALUES ('$ip_address', '$date2');");
        }
    }
}

echo "<style>html { width:100%; height:100%; background:url(assets/img/access_denied.gif) center center no-repeat; background-color: #000000 !important;}</style>";
echo '<link rel="icon" type="image/x-icon" href="assets/img/the_eye.ico" />';
?>
When an IP address has more than 10 violations, the application checks the database table to see if a record exists in the ban table for the IP. If it does, nothing is done. If it does not exist, the IP is added. A function, isIPbanned(), checks to see if a visitor is in the ban table. If he is, he is greeted with a message that his IP address is banned. If he is not banned, he is greeted with the normal index page.
function isIPbanned()
<?php
function isIPbanned() {
    // Look the visitor's IP up in the ban table.
    $ipvars = mysql_real_escape_string(getIP());
    $sqlxyzr = mysql_query("SELECT * FROM bantables_ip WHERE `ip`='$ipvars'");
    if (mysql_num_rows($sqlxyzr) > 0) {
        return true;
    } else {
        return false;
    }
}
?>
That sounds great r3wt, but what about forged IP addresses in HTTP headers? Great question. function getIP() -- this makes it difficult to cloak or forge the IP address.
<?php
function getIP() {
    // Keys are checked in this order; all HTTP_* entries are request headers supplied
    // by the client, while REMOTE_ADDR is set by the web server from the TCP connection.
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            // A header may carry a comma-separated chain; return the first public address.
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>
|
|
|
|
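An added example, not r3wt's access_denied.php nor anything from the OpenEx repository, showing the same violation/ban logic with the ban key taken from REMOTE_ADDR (the TCP peer) instead of from client-settable headers, and with PDO prepared statements in place of string-built queries. The table names and the threshold come from the post; TRUSTED_PROXIES, NOW() timestamps, InnoDB tables and a UNIQUE index on bantables_ip.ip are assumptions.

```php
<?php
// Added example, not r3wt's access_denied.php. Table names (access_violations,
// bantables_ip) and the ban threshold come from the post; TRUSTED_PROXIES, the use of
// NOW() for timestamps, InnoDB tables and a UNIQUE index on bantables_ip.ip are assumed.

const TRUSTED_PROXIES = ['10.0.0.5'];  // assumed: addresses of reverse proxies we operate
const BAN_THRESHOLD   = 10;

/**
 * The address to record and, if needed, ban.
 *
 * REMOTE_ADDR is filled in by the web server from the TCP connection, so the client
 * cannot choose it. Every HTTP_* entry in $_SERVER (X-Forwarded-For, Client-IP, ...)
 * is a request header the client can set to anything, so it is consulted only when
 * the direct peer is one of our own proxies, and then only the hop that proxy appended
 * (single trusted proxy assumed; a chain of proxies would need to be walked from the end).
 */
function clientIP(array $server): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($peer, TRUSTED_PROXIES, true)) {
        return $peer;                       // direct connection: the peer is the client
    }
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? ''));
    $last = end($hops);                     // our proxy appends the address it saw last
    return filter_var($last, FILTER_VALIDATE_IP) !== false ? $last : $peer;
}

/** Log one violation and ban the IP once it exceeds the threshold. Returns true if banned. */
function recordViolation(PDO $db, string $ip, string $username, string $userAgent): bool
{
    $db->beginTransaction();
    try {
        $db->prepare('INSERT INTO access_violations (username, ip, user_agent, time) VALUES (?, ?, ?, NOW())')
           ->execute([$username, $ip, $userAgent]);

        // Count only this IP instead of grouping the whole table on every violation.
        $count = $db->prepare('SELECT COUNT(*) FROM access_violations WHERE ip = ?');
        $count->execute([$ip]);
        $violations = (int) $count->fetchColumn();

        $banned = $violations > BAN_THRESHOLD;
        if ($banned) {
            // INSERT IGNORE plus the UNIQUE index replaces the SELECT-then-INSERT of the
            // original, which could insert the same IP twice when two violations arrive together.
            $db->prepare('INSERT IGNORE INTO bantables_ip (ip, date) VALUES (?, NOW())')
               ->execute([$ip]);
        }
        $db->commit();
        return $banned;
    } catch (PDOException $e) {
        $db->rollBack();
        throw $e;
    }
}

/** Same contract as the isIPbanned() in the post, with a prepared statement. */
function isIPbanned(PDO $db, string $ip): bool
{
    $q = $db->prepare('SELECT 1 FROM bantables_ip WHERE ip = ? LIMIT 1');
    $q->execute([$ip]);
    return $q->fetchColumn() !== false;
}

// Usage at the top of access_denied.php ($db is an existing PDO connection, assumed):
// $ip = clientIP($_SERVER);
// recordViolation($db, $ip,
//                 isUserLoggedIn() ? $loggedInUser->display_username : 'Guest/Not Logged In',
//                 $_SERVER['HTTP_USER_AGENT'] ?? '');
```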
joschua011
Member
Offline
Activity: 86
Merit: 10
|
|
December 19, 2013, 04:12:18 PM |
|
That sounds great r3wt, but what about forged IP addresses in HTTP headers? Great question. function getIP() -- this makes it difficult to cloak or forge the IP address.
<?php
function getIP() {
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>
Works IF a user does not use a proxy that does not send HTTP_X_FORWARD headers, or a VPN. I could not post this here at the time (newbie) but please read this: https://bitcointalk.org/index.php?topic=374922.0
|
|
|
|
oncebitcoinedtwiceshy
|
|
December 19, 2013, 05:13:44 PM |
|
we have discussed this privately, and we will only take one more coin. Currently we are researching on what coin is worthy.
r3wt : I guess there is no harm in me asking if SBC could be included in that research for the 'one more coin'. Dev is back on it and working to get the additional features into it & bitcointalk thread is well attended. Either way, good luck with the release!
|
|
|
|
r3wt (OP)
|
|
December 19, 2013, 08:15:43 PM |
|
we have discussed this privately, and we will only take one more coin. Currently we are researching on what coin is worthy.
r3wt: I guess there is no harm in me asking if SBC could be included in that research for the 'one more coin'. Dev is back on it and working to get the additional features into it & bitcointalk thread is well attended. Either way, good luck with the release!
Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.
|
|
|
|
r3wt (OP)
|
|
December 19, 2013, 08:21:46 PM |
|
That sounds great r3wt, but what about forged IP addresses in HTTP headers? Great question. function getIP() -- this makes it difficult to cloak or forge the IP address.
<?php
function getIP() {
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>
Works IF a user does not use a proxy that does not send HTTP_X_FORWARD headers, or a VPN. I could not post this here at the time (newbie) but please read this: https://bitcointalk.org/index.php?topic=374922.0
It doesn't matter if the user is using a proxy, the autoincrementing function will ban IPs without prejudice. I read your dissection and agree. However, you were looking at an extremely old, primitive release. Would love for you to come poke around the new code since I have updated it. We generally do not release updates to GitHub immediately. You will not be able to double-spend coins on the exchange. We've done extensive testing to ensure this. If you are serious about programming, you are welcome to join the team; if not, get the fuck out, we got this. You have to understand, we started from UserCake. A lot of the functions (password generation being one of them) are old and out of date. We are slowly building onto it. I'll push an update later today so you can see what has changed.
|
|
|
|
oncebitcoinedtwiceshy
|
|
December 19, 2013, 08:43:34 PM |
|
Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.
Thanks for the feedback, we'll keep our fingers crossed and await the verdict!
|
|
|
|
mr_random
Legendary
Offline
Activity: 1288
Merit: 1001
|
|
December 19, 2013, 09:07:03 PM |
|
That sounds great r3wt, but what about forged IP addresses in HTTP headers? Great question. function getIP() -- this makes it difficult to cloak or forge the IP address.
<?php
function getIP() {
    foreach (array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_CLUSTER_CLIENT_IP',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
        'REMOTE_ADDR'
    ) as $key) {
        if (array_key_exists($key, $_SERVER) === true) {
            foreach (array_map('trim', explode(',', $_SERVER[$key])) as $ip) {
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false) {
                    return $ip;
                }
            }
        }
    }
}
?>
Works IF a user does not use a proxy that does not send HTTP_X_FORWARD headers, or a VPN. I could not post this here at the time (newbie) but please read this: https://bitcointalk.org/index.php?topic=374922.0
You're really splitting hairs picking at that bit of code. I agree however that not using transactions is shocking. How did OP get so far into the project and not know what transactions are?
|
|
|
|
monsterer
Legendary
Offline
Activity: 1008
Merit: 1002
|
|
December 19, 2013, 09:10:54 PM |
|
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.
|
|
|
|
r3wt (OP)
|
|
December 19, 2013, 09:25:04 PM |
|
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.
I don't know how to use them. I tried, but it makes getting results harder. I have < 6 months experience. Maybe one of you really smart guys would like to join the staff in a paid position as dev #3? If not, maybe you would like to be paid nicely to convert all our queries to PDO? I'm willing to accept that I don't know everything there is to know, and that one of you could take our work and make it a lot better. Any takers?
|
|
|
|
zavtra
|
|
December 19, 2013, 09:27:32 PM |
|
Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.
That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well. I'll be following on twitter for updates.
|
|
|
|
callawey
Member
Offline
Activity: 87
Merit: 10
|
|
December 19, 2013, 09:30:48 PM |
|
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.
The code scares me too. I just took a look and a lot of database queries are outside of a transaction; actually there is no transaction at all in the system. In such a system every single item must be inside a transaction. With this system, I can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will go crazy. I suggest you take the progress back to 60% and re-do all your DB functionality, otherwise a big horror movie awaits you.
|
|
|
|
r3wt (OP)
|
|
December 19, 2013, 09:32:06 PM |
|
Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.
That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well. I'll be following on twitter for updates.
Well, launch of the site is now postponed in light of recent posts highlighting some security issues, lack of database transactions, and not using PDO, two things I have no experience with. I wanna do this right, so for the time being we are putting launch on standby while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with Justin and we are willing to admit that we need someone with more experience to shepherd us in completing the project.
|
|
|
|
northranger79510
Sr. Member
Offline
Activity: 308
Merit: 250
Riecoin and Huntercoin to rule all!
|
|
December 19, 2013, 09:33:43 PM |
|
If you guys add Stablecoin, consider me hooked.
|
|
|
|
PGomer
Newbie
Offline
Activity: 9
Merit: 0
|
|
December 19, 2013, 09:38:42 PM |
|
Stablecoin may in fact find a home on the exchange, since we are having problems with Gridcoin and there are varying reports on whether the coin actually works as intended or not.
That's good. I would really like to see SBC listed on this exchange as well. It seems like it has a lot of potential (of course I'm a little biased towards it, but I picked it for a reason), and your exchange looks like it has a lot of potential as well. I'll be following on twitter for updates.
Well, launch of the site is now postponed in light of recent posts highlighting some security issues, lack of database transactions, and not using PDO, two things I have no experience with. I wanna do this right, so for the time being we are putting launch on standby while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with Justin and we are willing to admit that we need someone with more experience to shepherd us in completing the project.
I love your approach and attitude. Keep learning and press on!
|
|
|
|
zavtra
|
|
December 19, 2013, 10:08:43 PM |
|
well launch of the site is now postponed in the light of recent posts highlighting some security issues and lack of database transactions, and not using PDO. two things i have no experience with. i wanna do this right so for the time being we are putting launch on stand by while we search for a third dev with the security expertise necessary to complete our dev team. I've spoken with justin and we are willing to admit that we need someone with more experience to shephard us in completing the project.
Well I am glad that you are considering SBC, but it is great to see you make sure everything is working properly, rather than doing an incomplete launch and then just barely trekking along like Cryptsy has been doing.
|
|
|
|
monsterer
Legendary
Offline
Activity: 1008
Merit: 1002
|
|
December 19, 2013, 10:28:10 PM |
|
I suggest you take the progress back to 60% and re-do all your DB functionality, otherwise a big horror movie awaits you.
Ditto
|
|
|
|
r3wt (OP)
|
|
December 19, 2013, 10:39:04 PM |
|
I suggest you to take the progress to %60 and re-do all your db functioalities, otherwise a big horror movie awaits you.
Ditto
Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.
|
|
|
|
r3wt (OP)
|
|
December 19, 2013, 11:48:11 PM |
|
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.
The code scares me too. I just took a look and a lot of database queries are outside of a transaction; actually there is no transaction at all in the system. In such a system every single item must be inside a transaction. With this system, I can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will go crazy. I suggest you take the progress back to 60% and re-do all your DB functionality, otherwise a big horror movie awaits you.
I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforeseen error. Taking this into consideration, this does not mean we have to restructure all our queries. I can just add a function that encapsulates the query in a try/catch loop: try the query, or catch the exception and roll back. Very simple. As far as PDO, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. I'm going to ponder this for a bit, and do some more reading and investigating. I may go get a Red Bull and a pack of cigarettes and spend the night rewriting our queries. As far as a transaction queue goes though, it's a good idea but I am not capable of implementing this alone. I will have to seek a professional DBA.
|
|
|
|
monsterer
Legendary
Offline
Activity: 1008
Merit: 1002
|
|
December 20, 2013, 09:15:02 AM |
|
Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.
Here is some helpful advice: you do not have the necessary knowledge to perform the task you are undertaking. Transactions are absolutely essential in a system like this; to be without them is to be asking questions like this on Stack Overflow - http://stackoverflow.com/questions/15026825/php-mysql-how-to-prevent-two-requests-update
Please stop what you are doing. Do some research. Implement some unit tests on your current code to show why it will break, then move to transactions on the same test, confirm the fix and move on. Cheers, Paul.
|
|
|
|
unfocus
|
|
December 20, 2013, 09:35:33 AM |
|
A while back I stepped up to take care of another abandoned exchange project. I became aware of this project, and considered using it since it was 85% done. Anyway, private beta testing for the Scifi Coin exchange starts tonight. If you want to participate, please register at scificointalk.com and follow the instructions: http://scificointalk.com/index.php/topic,12.15.html
Bounty available.
|
|
|
|
callawey
Member
Offline
Activity: 87
Merit: 10
|
|
December 20, 2013, 09:45:07 AM |
|
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.
The code scares me too. I just took a look and a lot of database queries are outside of a transaction; actually there is no transaction at all in the system. In such a system every single item must be inside a transaction. With this system, I can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will go crazy. I suggest you take the progress back to 60% and re-do all your DB functionality, otherwise a big horror movie awaits you.
I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforeseen error. Taking this into consideration, this does not mean we have to restructure all our queries. I can just add a function that encapsulates the query in a try/catch loop: try the query, or catch the exception and roll back. Very simple. As far as PDO, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. I'm going to ponder this for a bit, and do some more reading and investigating. I may go get a Red Bull and a pack of cigarettes and spend the night rewriting our queries. As far as a transaction queue goes though, it's a good idea but I am not capable of implementing this alone. I will have to seek a professional DBA.
Let me give you a little example of what I mean:
$PricePer = mysql_real_escape_string($_GET["price2"]);
$Amount   = mysql_real_escape_string($_GET["Amount2"]);
$X        = $PricePer * $Amount;
$Total    = file_get_contents("http://openex.pw/system/calculatefees.php?P=" . $X);
$Fees     = file_get_contents("http://openex.pw/system/calculatefees2.php?P=" . $X);
$user_id  = $loggedInUser->user_id;
// Debit the buyer; if that succeeds, credit the fee account and record the trade as separate statements.
if (TakeMoney($Total, $user_id, $Currency_1) == true) {
    AddMoney($Fees, 101, $Currency_1);
    mysql_query("INSERT INTO trades (`To`,`From`,`Amount`,`Value`,`User_ID`,`Type`,`Fee`,`Total`) VALUES ('$name','$Currency_1a','$Amount','$PricePer','$user_id','$name','$Fees','$Total');");
} else {
    echo "<p class='notify-red' id='notify'>You cannot afford that!</p>";
}
So, in the code above, you have a method AddMoney, which updates a table in MySQL, and below it you have an insert query. In that code, there is no guarantee that the insert will work after the update script. The update script can work, but the insert may not, so this will cause you a balance issue, as you will deduct the amount from the user but there will be no trade operation. Both queries must be inside one transaction, so if one fails, everything rolls back automatically; if all succeed everything goes fine. As monsterer stated, you can find a lot of information on this by googling or from Stack Overflow, but without this it will be just a horror movie. You have to change your statements, and I can say from the look of the code, yes, you have to change a lot of parts of the project.
|
|
|
|
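An added example (not callawey's code, nor the project's) of the order-placement fragment quoted above rewritten around one database transaction; it also serves monsterer's earlier point about prepared statements. A balances(user_id, currency, balance) table with a UNIQUE key on (user_id, currency), InnoDB tables, a PDO handle in exception mode, and computing the 0.5% fee locally instead of via calculatefees.php are assumptions; the fee account id 101 is the one the quoted code uses.

```php
<?php
// Added example, not code from the OpenEx repository. Assumptions: InnoDB tables
// balances(user_id, currency, balance DECIMAL(20,8)) with a UNIQUE key on (user_id, currency),
// a trades table with the columns used in the quoted INSERT, and a PDO handle created
// with PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION so failed statements throw.
// The fee account id 101 and the 0.5% trade fee are taken from the thread; computing the
// fee locally instead of fetching it over HTTP from calculatefees.php is this example's choice.

const FEE_ACCOUNT_ID = 101;
const TRADE_FEE_RATE = '0.005';

/**
 * Debit the buyer, credit the fee account and record the trade as one unit of work.
 * Returns ['ok' => true, 'fee' => ..., 'total' => ...] or ['ok' => false, 'error' => '...'].
 */
function placeOrder(PDO $db, int $userId, string $currency, string $to, string $from,
                    string $priceInput, string $amountInput): array
{
    // Validate before touching the database: the original escaped the strings for SQL
    // but never checked sign or format, so a negative amount flowed into TakeMoney()
    // and ended up credited to the account (the bug r3wt describes later in the thread).
    // Plain decimal with at most 8 places; no sign, no exponent notation.
    $decimal = '/^\d{1,12}(\.\d{1,8})?$/';
    if (!preg_match($decimal, $priceInput) || !preg_match($decimal, $amountInput)
        || (float) $priceInput <= 0 || (float) $amountInput <= 0) {
        return ['ok' => false, 'error' => 'price and amount must be positive numbers'];
    }
    // bcmath keeps exact 8-decimal arithmetic; floats would drift across many small trades.
    $gross = bcmul($priceInput, $amountInput, 8);
    $fee   = bcmul($gross, TRADE_FEE_RATE, 8);
    $total = bcadd($gross, $fee, 8);

    $db->beginTransaction();
    try {
        // Check and debit in ONE statement: two concurrent requests cannot both pass a
        // separate "can afford?" SELECT and then both subtract (the Stack Overflow case
        // monsterer links). rowCount() is 0 when the balance was insufficient.
        $debit = $db->prepare(
            'UPDATE balances SET balance = balance - ?
             WHERE user_id = ? AND currency = ? AND balance >= ?'
        );
        $debit->execute([$total, $userId, $currency, $total]);
        if ($debit->rowCount() !== 1) {
            $db->rollBack();
            return ['ok' => false, 'error' => 'You cannot afford that!'];
        }

        // Credit the fee account, creating its balance row on first use.
        $credit = $db->prepare(
            'INSERT INTO balances (user_id, currency, balance) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE balance = balance + VALUES(balance)'
        );
        $credit->execute([FEE_ACCOUNT_ID, $currency, $fee]);

        // Record the trade; placeholders replace the string-built INSERT of the original.
        $ins = $db->prepare(
            'INSERT INTO trades (`To`, `From`, `Amount`, `Value`, `User_ID`, `Type`, `Fee`, `Total`)
             VALUES (?, ?, ?, ?, ?, ?, ?, ?)'
        );
        $ins->execute([$to, $from, $amountInput, $priceInput, $userId, $to, $fee, $total]);

        // Only now do all three changes become visible to other connections.
        $db->commit();
        return ['ok' => true, 'fee' => $fee, 'total' => $total];
    } catch (PDOException $e) {
        // Any failure after the debit (lost connection, constraint error) undoes the debit
        // too, so the user is never charged for a trade that was not recorded.
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
}
```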
r3wt (OP)
|
|
December 20, 2013, 06:25:28 PM |
|
The code posted so far here scares me. Why are you not using mysql prepared statements? You're just asking to be injection attacked.
The code scares me too. I just took a look and a lot of database queries are outside of a transaction; actually there is no transaction at all in the system. In such a system every single item must be inside a transaction. With this system, I can assure you, in a single lag that your server faces or on a little overload, all the balances on the system will go crazy. I suggest you take the progress back to 60% and re-do all your DB functionality, otherwise a big horror movie awaits you.
I would like you to explain this comment to me, particularly since you seem to be suggesting something that doesn't make much sense at all. After researching what has been stated in this thread, all of our queries are blocking operations, so a transaction record queue isn't necessary, but it is useful in case of unforeseen error. Taking this into consideration, this does not mean we have to restructure all our queries. I can just add a function that encapsulates the query in a try/catch loop: try the query, or catch the exception and roll back. Very simple. As far as PDO, yes we will have to convert to prepared statements, but as far as functionality goes, it makes no difference since mysql functions are removed but not deprecated. I'm going to ponder this for a bit, and do some more reading and investigating. I may go get a Red Bull and a pack of cigarettes and spend the night rewriting our queries. As far as a transaction queue goes though, it's a good idea but I am not capable of implementing this alone. I will have to seek a professional DBA.
Let me give you a little example of what I mean:
$PricePer = mysql_real_escape_string($_GET["price2"]);
$Amount   = mysql_real_escape_string($_GET["Amount2"]);
$X        = $PricePer * $Amount;
$Total    = file_get_contents("http://openex.pw/system/calculatefees.php?P=" . $X);
$Fees     = file_get_contents("http://openex.pw/system/calculatefees2.php?P=" . $X);
$user_id  = $loggedInUser->user_id;
if (TakeMoney($Total, $user_id, $Currency_1) == true) {
    AddMoney($Fees, 101, $Currency_1);
    mysql_query("INSERT INTO trades (`To`,`From`,`Amount`,`Value`,`User_ID`,`Type`,`Fee`,`Total`) VALUES ('$name','$Currency_1a','$Amount','$PricePer','$user_id','$name','$Fees','$Total');");
} else {
    echo "<p class='notify-red' id='notify'>You cannot afford that!</p>";
}
So, in the code above, you have a method AddMoney, which updates a table in MySQL, and below it you have an insert query. In that code, there is no guarantee that the insert will work after the update script. The update script can work, but the insert may not, so this will cause you a balance issue, as you will deduct the amount from the user but there will be no trade operation. Both queries must be inside one transaction, so if one fails, everything rolls back automatically; if all succeed everything goes fine. As monsterer stated, you can find a lot of information on this by googling or from Stack Overflow, but without this it will be just a horror movie. You have to change your statements, and I can say from the look of the code, yes, you have to change a lot of parts of the project.
Well, we clearly have different definitions of what constitutes "a lot", but thanks for the heads up. Now I see exactly what is going wrong and why submitting an order for a negative amount results in that amount being placed into an account. A lot of the trading needs to be reworked, but in comparison with the rest of the codebase, that is not much.
Are you always such a jerk? It's one thing to offer helpful advice, but to make vague negative statements is far from constructive.
Here is some helpful advice: you do not have the necessary knowledge to perform the task you are undertaking. Transactions are absolutely essential in a system like this; to be without them is to be asking questions like this on Stack Overflow - http://stackoverflow.com/questions/15026825/php-mysql-how-to-prevent-two-requests-update
Please stop what you are doing. Do some research. Implement some unit tests on your current code to show why it will break, then move to transactions on the same test, confirm the fix and move on. Cheers, Paul.
A little less condescending this time, but still a condescending douchebag. Why even bother? You have no idea what knowledge, although I did not know about transactions. Instead we were trying to use a trade history table so we could manually "roll back" in case of error. I think the transaction system is probably the way to go, as both you and callawey said, although you really have yet to say anything helpful, other than being disrespectful. I read what you posted from Stack Overflow, but you know what? These guys there are the same way as you. They all talk shit, but never provide any useful knowledge, or a real world example. Luckily enough, I was able to find a book on it on Kindle and holy crap, never knew this was such a complex subject. I'll be reading and studying up on how we can tackle this. BTW, Justin did some work on it again last night, moving towards OOP again. To practice/learn prepared statements, I began working on building configuration functions, a switch from the variable based system to a system where a 1 or a 0 is stored in the DB for each setting. I think realistically, in 1 or 2 weeks we could be done. We'll see how it goes.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
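The update-then-insert problem discussed in the two posts above, worked through as an added example. This is not openex code and not code from anyone in the thread; it uses PDO with an in-memory SQLite database standing in for MySQL, and the table and column names (balances, trades) are assumptions. It shows the two things the thread calls for: the debit and the trade record live inside one transaction, and the amount is validated so a negative order cannot credit an account.

```php
<?php
// Added example, not openex code: the balance debit and the trade record are
// written inside ONE transaction, so a failed insert rolls the debit back
// instead of leaving the user short. SQLite in-memory stands in for MySQL;
// table and column names are hypothetical.

function setupSchema(PDO $db): void
{
    $db->exec("CREATE TABLE balances (username TEXT, currency TEXT, balance REAL,
               PRIMARY KEY (username, currency))");
    $db->exec("CREATE TABLE trades (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT,
               market TEXT, amount REAL, price REAL, created_at TEXT)");
    $db->exec("INSERT INTO balances VALUES ('alice', 'BTC', 1.5)");
}

/**
 * Debit the user's balance and record the trade atomically.
 * Returns true on success, false if validation or the balance guard fails;
 * on any failure every change made so far is rolled back.
 */
function placeOrder(PDO $db, string $user, string $market, string $currency,
                    float $amount, float $price): bool
{
    // Reject non-positive amounts first: a negative amount would turn the
    // debit into a credit, which is the bug the thread describes.
    if (!($amount > 0) || !($price > 0)) {
        return false;
    }
    $db->beginTransaction();
    try {
        // Guarded UPDATE: the balance check is part of the statement, so two
        // concurrent orders cannot both pass a check made earlier in PHP.
        $debit = $db->prepare(
            "UPDATE balances SET balance = balance - :amt
             WHERE username = :u AND currency = :c AND balance >= :need");
        $debit->execute([':amt' => $amount, ':u' => $user, ':c' => $currency, ':need' => $amount]);
        if ($debit->rowCount() !== 1) {
            throw new RuntimeException('insufficient balance');
        }
        // datetime('now') is SQLite; MySQL would use NOW().
        $ins = $db->prepare(
            "INSERT INTO trades (username, market, amount, price, created_at)
             VALUES (:u, :m, :amt, :p, datetime('now'))");
        $ins->execute([':u' => $user, ':m' => $market, ':amt' => $amount, ':p' => $price]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();   // undoes the debit as well as the failed insert
        return false;
    }
}

function balanceOf(PDO $db, string $user, string $currency): float
{
    $s = $db->prepare("SELECT balance FROM balances WHERE username = ? AND currency = ?");
    $s->execute([$user, $currency]);
    return (float) $s->fetchColumn();
}

// Constructed demo: a valid order, a negative-amount order, an oversized order.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);  // make failures throw
setupSchema($db);
var_dump(placeOrder($db, 'alice', 'LTC/BTC', 'BTC', 0.5, 0.02));
var_dump(placeOrder($db, 'alice', 'LTC/BTC', 'BTC', -0.5, 0.02));
var_dump(placeOrder($db, 'alice', 'LTC/BTC', 'BTC', 5.0, 0.02));
var_dump(balanceOf($db, 'alice', 'BTC'));
```

Only the first order goes through; the negative and the oversized orders return false and leave the balance untouched, because the guard fails before any row is written or the whole transaction is rolled back. Two caveats for a MySQL deployment: ERRMODE_EXCEPTION is what turns a failed execute() into an exception that reaches the catch block, and transactions only work on InnoDB tables (MyISAM silently ignores BEGIN/COMMIT).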
BlueDragon747
Legendary
Offline
Activity: 1509
Merit: 1030
Solutions Architect
|
|
December 21, 2013, 12:10:46 PM |
|
keep up the good work regardless of the % its all progress to the end result
|
|
|
|
Sejnt
Newbie
Offline
Activity: 42
Merit: 0
|
|
December 21, 2013, 12:26:34 PM |
|
if($_SESSION["Login_Attempts"] > 4)
I didn't see the whole code but this, you know it won't secure anything? A script can remove session cookie easily.
|
|
|
|
gielbier
Sr. Member
Offline
Activity: 914
Merit: 250
Making Smart Money Work
|
|
December 21, 2013, 12:34:58 PM |
|
I don't want to seem negative, but you really should not use mysql anymore. (It will be deprecated in PHP 5.5.) Use mysqli or PDO instead.
|
|
|
|
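Why the post above matters for more than deprecation: the old mysql_* style builds the SQL string by concatenation, while mysqli and PDO give you prepared statements. This added example (not openex code, not from anyone in the thread) puts the two shapes side by side on an in-memory SQLite database; the users table and the probe input are constructed for the demo.

```php
<?php
// Added example, not openex code: the same lookup written by pasting the value
// into the SQL text, and written as a PDO prepared statement. SQLite in-memory
// stands in for MySQL; the table and rows are constructed for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.invalid'),
                                    ('bob', 'bob@example.invalid')");

// Vulnerable shape: untrusted input becomes part of the SQL text, so the
// input can change the query's structure, not just the value compared.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT username FROM users WHERE username = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe shape: the statement is compiled first, the value is bound afterwards,
// and the database can only ever treat it as data.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$probe = "x' OR '1'='1";   // constructed input containing a quote character
print_r(findUserUnsafe($db, $probe));
print_r(findUserSafe($db, $probe));
```

With the concatenated version the quote in the input closes the string literal and the query matches every row; with the prepared statement the same input is compared as a plain username and matches nothing. The same applies to mysqli: use mysqli_prepare() / bind_param() rather than building the string yourself.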
antithetical
Newbie
Offline
Activity: 11
Merit: 0
|
|
December 24, 2013, 05:21:52 AM |
|
Hey dudes,
What happened with your progress? 85%,
See comment #97 - 91%
See before 87%
Is it a joke? Could you point to the true date of the beta release?
|
|
|
|
btc1210
|
|
December 24, 2013, 05:31:57 AM |
|
Interesting project, thanks for doing this all public.
I know it can get stressful when faceless users make less than constructive comments, but keep it up.
|
|
|
|
datguyian
|
|
December 24, 2013, 05:42:28 AM |
|
Looks like it could be promising, and I appreciate that you're taking your time to make sure you have a stable, secure and reliable system before releasing it. Seems like there's a few here bashing on the fact that it's not out yet, but it's nice for once to see someone that is not rushing to make a few bucks and actually trying to release a solid product. Look forward to seeing it in production.
|
|
|
|
r3wt (OP)
|
|
December 27, 2013, 06:57:24 AM |
|
Got a chance to work on the site again tonight.
-Investigated the Session Logins incremental counter exploit suggested in this thread. the poster was wrong, sessions are stored on the server. only exploits are session hijacking and session fixation, neither of which are a problem in our application (session hijacking is possible, but difficult.) despite it, i identified a vulnerability in the process, which i patched. each increment over 4 of Session 'LoginAttemps' results in an access violation. as you already know, 10 access violations result in an automatic ip ban. i'm thinking of setting up an ip tracker global on the site, so that ip bans can be carried over to any account registered/logged in from that ip address. not particularly high on the priority list, but it's there and it's a good idea.
-Moved all configurable options to a database table, built functions to check each enabled option, as well as 1 function to disable the option, and one function to enable it.
-Fixed moderators page. mods and admins can now ban and unban posters at will. when a poster is banned or unbanned, a message immediately appears in the chat notifying of the ban or unban "system: <username> was banned from chat."
-Patched glitch that allowed Banned users to continue posting in the chat until they refreshed the page.
-Found new bug, chat messages aren't being reloaded on an interval, they are only reloaded on page refresh or form submit. seeking a jquery guru to tell me where my error is, i can't see why the setInterval timeout isn't working correctly and independently of the reload in the callback function of the submit field.
-Pruned unnecessary files, and dispatched all procedural code from index.php into a function to clean up the index a bit.
Still a ways to go guys, sorry i'm pretty much alone here in development at the moment, working at my own pace and doing as much as i can, and revising the code as i deem necessary. i'll call it some progress. Tomorrow i will be working on the site and catching up on some much needed house chores. My mom has agreed to watch my daughter for me tomorrow so i can work. should be able to get quite a few things done tomorrow.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
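On the session-counter question raised by Sejnt's post and answered in the update above: both halves are partly right. Session data does live on the server, but a client that throws away its session cookie gets a brand-new, empty session, so a counter kept only in $_SESSION restarts with it. The added example below (not openex code, not from anyone in the thread) keeps the failed-login count in a database table keyed by account and by source IP instead; the access-violation counter the update describes, with its threshold of 10, is the same shape with a different limit. Table name, thresholds and window are assumptions, and SQLite in-memory stands in for MySQL.

```php
<?php
// Added example, not openex code: failed-login throttling kept in the database
// rather than in $_SESSION. Dropping the session cookie gives the client a new,
// empty session, but it cannot touch a counter stored server-side and keyed by
// account and by source IP. Table name, thresholds and window are hypothetical;
// SQLite in-memory stands in for MySQL.

const MAX_FAILURES = 4;       // failures tolerated before lockout
const WINDOW_SECONDS = 900;   // lockout length / counting window

function setupThrottleSchema(PDO $db): void
{
    $db->exec("CREATE TABLE login_failures (scope TEXT, ident TEXT, fails INTEGER,
               last_at INTEGER, PRIMARY KEY (scope, ident))");
}

/** Failure count for one key, treating records older than the window as expired. */
function failureCount(PDO $db, string $scope, string $ident, int $now): int
{
    $s = $db->prepare("SELECT fails, last_at FROM login_failures WHERE scope = ? AND ident = ?");
    $s->execute([$scope, $ident]);
    $row = $s->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['last_at'] > WINDOW_SECONDS) {
        return 0;
    }
    return (int) $row['fails'];
}

function isLocked(PDO $db, string $user, string $ip, int $now): bool
{
    return failureCount($db, 'user', $user, $now) > MAX_FAILURES
        || failureCount($db, 'ip', $ip, $now) > MAX_FAILURES;
}

function recordFailure(PDO $db, string $user, string $ip, int $now): void
{
    foreach (['user' => $user, 'ip' => $ip] as $scope => $ident) {
        $fails = failureCount($db, $scope, $ident, $now) + 1;
        $s = $db->prepare("INSERT OR REPLACE INTO login_failures (scope, ident, fails, last_at)
                           VALUES (?, ?, ?, ?)");
        $s->execute([$scope, $ident, $fails, $now]);
    }
}

function clearFailures(PDO $db, string $user, string $ip): void
{
    $s = $db->prepare("DELETE FROM login_failures
                       WHERE (scope = 'user' AND ident = ?) OR (scope = 'ip' AND ident = ?)");
    $s->execute([$user, $ip]);
}

/** Login gate: refuse locked accounts before verifying, then update counters. */
function attemptLogin(PDO $db, string $user, string $ip, string $password,
                      string $storedHash, int $now): string
{
    if (isLocked($db, $user, $ip, $now)) {
        return 'locked';
    }
    if (password_verify($password, $storedHash)) {
        clearFailures($db, $user, $ip);
        return 'ok';
    }
    recordFailure($db, $user, $ip, $now);
    return 'denied';
}

// Constructed demo: five wrong passwords from one client, then the right one
// while locked, then the right one after the window has passed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupThrottleSchema($db);
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$t = time();
for ($i = 0; $i < 5; $i++) {
    echo attemptLogin($db, 'alice', '203.0.113.7', 'wrong', $hash, $t + $i), "\n";
}
echo attemptLogin($db, 'alice', '203.0.113.7', 'correct horse', $hash, $t + 5), "\n";
echo attemptLogin($db, 'alice', '203.0.113.7', 'correct horse', $hash, $t + WINDOW_SECONDS + 10), "\n";
```

The lock is checked before the password, so a correct guess during the lockout is still refused, and the counter is only cleared by a successful login after the window. Counting per IP as well as per account is what stops one client from cycling through accounts, but it has the cost bathrobehero raises later in the thread: users behind a shared proxy or NAT share one counter, so the per-IP threshold usually needs to be looser than the per-account one.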
Etlase2
|
|
December 27, 2013, 04:01:48 PM |
|
A little less condescending this time, but still a condescending douchebag. why even bother? You have no idea what knowledge, although i did not know about transactions.
Maybe he's condescending, but you are making absolute rook mistakes. Don't take criticism so personally. It's ok if you are not a programming super wizard, but expect better programmers to be very critical of obvious flaws. Everyone's time gets wasted otherwise. Transactions are one of the basic database primitives for maintaining database integrity, it is something you should understand. If you want to be taken seriously, you need to take yourself seriously and do your research, as has been suggested. Good luck.
|
|
|
|
r3wt (OP)
|
|
January 02, 2014, 09:02:13 AM Last edit: January 02, 2014, 11:27:25 PM by r3wt |
|
It's time again for another update. here she is http://dev3.openex.pw
github https://github.com/r3wt/openex
Trade Engine fixed, now with DB transactions and trade history tables.
modern database driven configuration engine
improved moderator and administrator features
option to block tor access
option to redirect mobile users
option disable:
-logins
-registrations
-deposits
-withdrawals
-markets
-debug navigation
-maintenance
option to force ssl.
new gui.
improved access violations system.
patched server level vulnerability.
optimized code for speed.
site performance is legendary.
ajax updates on trade page.
fixed bug in chat.
high security json calls.
deposits/withdrawals fully functional
todo:
api
account history
transaction history
audit system
bot detection
csrf protection, investigate the need for and if necessary, implement a formkey system to protect against forged requests.
patch session time out bug, logged out users are still able to send messages while logged in.
implement rpcssl
withdrawal authorization queue system
maintenance daemon.
wallet maintenance schedule.
i'll push the changes to git tomorrow from my *nix machine.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
r3wt (OP)
|
|
January 02, 2014, 11:27:47 PM |
|
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
|
slavo
|
|
January 05, 2014, 09:25:30 PM |
|
any launch date ?
|
|
|
|
r3wt (OP)
|
|
January 06, 2014, 05:08:03 AM |
|
any launch date ?
to be honest, we could launch today if we wanted to. atm we're debugging some peculiar jsonRPC errors. every so often, an RPC call fails for no apparent reason. on top of that our error log is filled with exceptions thrown by the withdraw function, and to date we haven't recorded a successful withdrawal. until we get these two mentioned issues lined out, it will not be able to be launched. once that's in place i think we would be good for launch. maybe a good once over of the code and seeing some small optimizations. Thanks to an anonymous tip, i patched a File inclusion vulnerability. I think one more, bare minimum thing needing to be addressed prior to launch is csrf keys for all forms. other than that and what's been mentioned, we're ready to roll.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
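The "formkey" / csrf keys item from the Jan 02 todo list and the post above, as an added example that is not openex code and not from anyone in the thread. The token is generated server-side, kept in the session, embedded in every state-changing form and compared in constant time on submit. $_SESSION is stood in for by a plain array so the script runs from the command line; the field name csrf_token is an assumption.

```php
<?php
// Added example, not openex code: a per-session form key against cross-site
// request forgery. The token is random, stored server-side in the session,
// emitted into each form, and compared with hash_equals() on submit.
// $_SESSION is simulated with a plain array so the script runs from the CLI.

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));  // 256 random bits
    }
    return $session['csrf_token'];
}

/** Hidden input to drop into every state-changing HTML form. */
function csrfField(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/**
 * Validate a submitted form. Rejects missing tokens, wrong tokens, sessions
 * that never issued a token, and requests that are not POST.
 */
function csrfCheck(array &$session, array $post, string $method): bool
{
    if ($method !== 'POST' || empty($session['csrf_token'])) {
        return false;
    }
    $sent = $post['csrf_token'] ?? '';
    // hash_equals compares in constant time, so a wrong token leaks nothing
    // about how many leading characters were right.
    return is_string($sent) && hash_equals($session['csrf_token'], $sent);
}

// Constructed demo: a genuine submission, a cross-site form without the
// token, a guessed token, and the right token on the wrong method.
$session = [];
echo csrfField($session), "\n";
$good   = ['amount' => '0.5', 'csrf_token' => csrfToken($session)];
$forged = ['amount' => '0.5'];
$guess  = ['amount' => '0.5', 'csrf_token' => str_repeat('0', 64)];
var_dump(csrfCheck($session, $good, 'POST'));
var_dump(csrfCheck($session, $forged, 'POST'));
var_dump(csrfCheck($session, $guess, 'POST'));
var_dump(csrfCheck($session, $good, 'GET'));
```

Only the first check passes. In a real page you call session_start() and pass $_SESSION in place of the array, and every handler that changes state (withdraw, trade, settings) runs csrfCheck() before doing anything else. A third-party site can make a logged-in browser submit a form, but it cannot read the token out of the victim's session, which is why the check works.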
slavo
|
|
January 06, 2014, 09:22:26 AM |
|
I have 1000$ invested in you and i am NOT rich. I was a poker affiliate for 5 years, so maybe I could help with PR and an affiliation program. btw do you have any plan for that? It's my first day officially unemployed, i'm dedicating myself to crypto; maybe I could join. Could you contact me? PM; we can talk on skype or anything if needed. cheers
|
|
|
|
r3wt (OP)
|
|
January 06, 2014, 01:24:54 PM |
|
See OP. we will be launching later this week. github updates will now be delayed 2 weeks.
current git version: 0.3
current dev version: 0.3.4
anticipated production version: 0.3.8 -0.4.1
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
bathrobehero
Legendary
Offline
Activity: 2002
Merit: 1051
ICO? Not even once.
|
|
January 09, 2014, 08:56:54 PM |
|
4.access_denied.php priority: high
-add mysql to gather information about the user (i've documented it for you nicely so this should be a 5 minute job tops).
-add logic to increment number of times a user has seen this page.
-add table `access violations` row(s) `username` `ip` `count` <-number of violations.
**template access_denied.php
**when you finish this, i will build a page for us to track this table and add it to the admin pages.
Way to annoy users behind proxies. I can confirm that "**template access_denied.php" is working and looks good, though that's all I can see.
|
Not your keys, not your coins!
|
|
|
hamiltino
|
|
January 09, 2014, 09:11:06 PM Last edit: January 11, 2014, 06:43:22 PM by hamiltino |
|
Please add gridcoin to this exchange. http://www.gridcoin.us/
|
stacking coin
|
|
|
Satyre_Noir
Newbie
Offline
Activity: 56
Merit: 0
|
|
January 10, 2014, 03:31:02 PM |
|
How do you integrate altcoin wallets with exchange software, do you code API for each altcoin wallet or there is some other way to go around?
|
|
|
|
50cent_rapper
Legendary
Offline
Activity: 1344
Merit: 1000
|
|
January 10, 2014, 03:46:00 PM |
|
Hi r3wt! Please, look at Pandacoin: https://bitcointalk.org/index.php?topic=399127.0 It's the first cryptocoin with block reward decreasing every day + Kimoto Gravity Well diff algo. If it's interesting - please add it on your wonderful exchange.
|
|
|
|
kjaiswal
|
|
February 17, 2014, 10:02:18 AM |
|
How are the balances updated? I sent a few BTC to my wallet address and next time I see my BTC deposit address changed with no coins funded to my wallet. Does bitcoind update the balances table in openex when it receives coins?
|
|
|
|
r3wt (OP)
|
|
February 18, 2014, 09:52:42 PM |
|
How are the balances updated? I sent a few BTC to my wallet address and next time I see my BTC deposit address changed with no coins funded to my wallet. Does bitcoind update the balances table in openex when it receives coins?
did the coins ever show up?
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
|
|
kjaiswal
|
|
February 19, 2014, 12:37:28 AM |
|
Coins show up in the coin stats link but are not credited to the individual account, i.e. it doesn't update the balances table.
|
|
|
|
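On the question of whether bitcoind updates the exchange's balances table: it does not write to the exchange database at all. The exchange has to ask the wallet what arrived (by polling a call such as listsinceblock, or by having bitcoind's walletnotify option invoke a script) and credit accounts itself, which is exactly the step that appears to be missing in the report above. The added example below (not openex code, not from anyone in the thread) shows that crediting step in the shape a practitioner would want: each receiving address maps to the user it was issued to, each (txid, vout) is credited at most once, and nothing is credited before it has enough confirmations. The RPC result is constructed for the demo, the table names and confirmation threshold are assumptions, and SQLite in-memory stands in for MySQL.

```php
<?php
// Added example, not openex code: crediting deposits from a wallet poll.
// bitcoind's listsinceblock result is assumed as the input shape (it returns a
// "transactions" list whose entries carry category, address, amount,
// confirmations, txid and vout). The result below is constructed, not captured.
// Table names and MIN_CONFIRMATIONS are hypothetical.

const MIN_CONFIRMATIONS = 3;

function setupDepositSchema(PDO $db): void
{
    $db->exec("CREATE TABLE deposit_addresses (address TEXT PRIMARY KEY, username TEXT, currency TEXT)");
    // One row per (user, currency): the primary key prevents duplicate balance rows.
    $db->exec("CREATE TABLE balances (username TEXT, currency TEXT, balance REAL,
               PRIMARY KEY (username, currency))");
    // PRIMARY KEY (txid, vout) is what makes re-processing the same poll harmless.
    $db->exec("CREATE TABLE deposits (txid TEXT, vout INTEGER, username TEXT, currency TEXT,
               amount REAL, PRIMARY KEY (txid, vout))");
}

/**
 * Credit confirmed receives from one wallet poll. Returns how many deposits
 * this call credited; ones already recorded are skipped, not credited twice.
 */
function creditDeposits(PDO $db, string $currency, array $rpcResult): int
{
    $credited = 0;
    foreach ($rpcResult['transactions'] as $tx) {
        if ($tx['category'] !== 'receive' || $tx['confirmations'] < MIN_CONFIRMATIONS) {
            continue;   // sends, and receives still in the mempool, are not deposits yet
        }
        $lookup = $db->prepare("SELECT username FROM deposit_addresses WHERE address = ? AND currency = ?");
        $lookup->execute([$tx['address'], $currency]);
        $user = $lookup->fetchColumn();
        if ($user === false) {
            continue;   // address was not issued by the exchange; worth logging in practice
        }
        $db->beginTransaction();
        try {
            // A second insert of the same (txid, vout) hits the primary key and is ignored.
            $ins = $db->prepare("INSERT OR IGNORE INTO deposits (txid, vout, username, currency, amount)
                                 VALUES (?, ?, ?, ?, ?)");
            $ins->execute([$tx['txid'], $tx['vout'], $user, $currency, $tx['amount']]);
            if ($ins->rowCount() === 1) {
                $up = $db->prepare("UPDATE balances SET balance = balance + ?
                                    WHERE username = ? AND currency = ?");
                $up->execute([$tx['amount'], $user, $currency]);
                if ($up->rowCount() === 0) {   // first deposit of this currency for the user
                    $db->prepare("INSERT INTO balances (username, currency, balance) VALUES (?, ?, ?)")
                       ->execute([$user, $currency, $tx['amount']]);
                }
                $credited++;
            }
            $db->commit();
        } catch (Throwable $e) {
            $db->rollBack();
            throw $e;
        }
    }
    return $credited;
}

// Constructed demo: one confirmed receive, one unconfirmed receive, one send.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupDepositSchema($db);
$db->exec("INSERT INTO deposit_addresses VALUES ('addr-placeholder-alice', 'alice', 'BTC')");
$poll = ['transactions' => [
    ['category' => 'receive', 'address' => 'addr-placeholder-alice', 'amount' => 0.25,
     'confirmations' => 6, 'txid' => 'txid-placeholder-1', 'vout' => 0],
    ['category' => 'receive', 'address' => 'addr-placeholder-alice', 'amount' => 1.0,
     'confirmations' => 0, 'txid' => 'txid-placeholder-2', 'vout' => 1],
    ['category' => 'send', 'address' => 'addr-placeholder-other', 'amount' => -0.1,
     'confirmations' => 6, 'txid' => 'txid-placeholder-3', 'vout' => 0],
]];
echo creditDeposits($db, 'BTC', $poll), " credited\n";
echo creditDeposits($db, 'BTC', $poll), " credited on the repeat poll\n";
echo $db->query("SELECT balance FROM balances WHERE username = 'alice'")->fetchColumn(), "\n";
```

The first poll credits the one confirmed receive; running the same poll again credits nothing, because the deposits row already exists. That idempotence is the property to insist on: a poller will see the same transaction many times as its confirmation count climbs, and a daemon restart will replay it, so the (txid, vout) key rather than any in-memory state has to decide whether a deposit has been credited.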
leckey
|
|
March 29, 2014, 11:01:19 PM |
|
What's the status on this now?
|
|
|
|
cryptopaths
|
|
March 29, 2014, 11:08:21 PM |
|
What's the status on this now?
R3wt said the site was hacked and the coins were stolen, in reality R3wt is the one that stole the coins.
|
|
|
|
leckey
|
|
March 30, 2014, 01:02:37 AM |
|
What's the status on this now?
R3wt said the site was hacked and the coins were stolen, in reality R3wt is the one that stole the coins.
*sigh* why am I not surprised...
|
|
|
|
beetterer1
Newbie
Offline
Activity: 56
Merit: 0
|
|
March 30, 2014, 02:32:57 AM Last edit: April 11, 2014, 09:56:21 AM by beetterer1 |
|
i know this makes me look bad since i said two weeks and it's now up, but unfortunately the processors for our main server are on backorder. the host company is shooting for sometime this week. i imagine that justin and i will only need a few days to get it up and in beta mode. should everything work as planned, it's reasonable to think the site could be officially launched as soon as we would like.
i think it will probably take a few days to compile and sync all the wallets though.
as soon as the servers are delivered, i could give you a better estimate.
As for the mod position, we are generally looking for someone who is fluent in Chinese.
|
|
|
|
TheD0ct0r
Newbie
Offline
Activity: 24
Merit: 0
|
|
March 30, 2014, 02:48:06 AM |
|
Would love to see how you defend this R3wt? I went to login Openex.pw today and found this Disturbing conversation in chat. I am still Loz.. OOops looks like some one forgot to clear logs... 1: R3wt openly admits to working with former NSA on the new exchange.. WTF if he believes this he's a moron. Worse yet he would work with a FED! 2: R3wt Begs Justin to build him a trade engine because he doesn't know how to.... It looks like R3wt is trying to hide Justin under the name mBlanchard. Please refresh my memory isn't Justin the same (Cat) R3wt tried to pin the bad code and hack on ? Yes it is, WTFF ! 3: R3wt Openly admits he's going to build another half ass trade engine Using python he knows nothing about. Doing more searching haha https://twitter.com/_LuaPod_ Rewt wants Justin's code. Looks like an internal dispute going on. You know it's bad when Justin doesn't even want anything to do with R3wt. There's some real f%CKED up stuff going on here maybe one of you guys can figure it out..... Make sure you guys spread this on other forums so no one else gets screwed on this new pos he's cooking up. Ohhh wait there is more I copied the full conversation to a .txt file just in case they try to wipe the log. http://snk.to/f-cdhfbiljhere are links to the full screen caps http://imgur.com/iDV9jHL http://imgur.com/WLTeWzz http://imgur.com/l7oHqxQ https://i.imgur.com/kNKxGXE.jpg https://i.imgur.com/mtYwgFv.jpg https://i.imgur.com/mbbea02.jpg
|
|
|
|
|