BitCoinDream (OP)
October 19, 2014, 06:50:00 PM
Can there be any issue if I validate a bitcoin address with the following code snippet?

    function validateAddress($address){
        $addressURL = "https://blockchain.info/q/addressbalance/".$address;
        $addressBalance = file_get_contents($addressURL);
        // file_get_contents() returns a string (or false on failure), so is_int() would always be false
        $validated = is_string($addressBalance) && ctype_digit($addressBalance);
        return $validated;
    }

bitsmichel
October 19, 2014, 06:57:32 PM
Yes, there could be an issue. $address could contain an XSS attack. Validate $address to be greater than the required length. Another potential attack would be a lot of processing server side. While that is very unlikely it is not unthinkable.

Ricke
October 19, 2014, 07:01:55 PM
Would work most times, but you should insert a code snippet which checks if blockchain.info returns any good result, otherwise you might find yourself having false negatives when blockchain.info is down or asking your PHP script for a captcha. (Sometimes CloudFlare locks out your PHP script)

BitCoinDream (OP)
October 19, 2014, 10:11:33 PM
> Yes, there could be an issue. $address could contain an XSS attack. Validate $address to be greater than the required length. Another potential attack would be a lot of processing server side. While that is very unlikely it is not unthinkable.

Thanks for pointing out. I think the following code may validate the address size...

    function validateAddress($address){
        $validated = false;
        if(strlen($address) > 25 && strlen($address) < 35){
            $addressURL = "https://blockchain.info/q/addressbalance/".$address;
            $addressBalance = file_get_contents($addressURL);
            // file_get_contents() returns a string (or false on failure), so is_int() would always be false
            $validated = is_string($addressBalance) && ctype_digit($addressBalance);
        }
        return $validated;
    }

> Would work most times, but you should insert a code snippet which checks if blockchain.info returns any good result, otherwise you might find yourself having false negatives when blockchain.info is down or asking your PHP script for a captcha. (Sometimes CloudFlare locks out your PHP script)

Yep... the uptime of blockchain.info is now a problem. Do you know any API to check blockchain.info status? I think a simple ping check or HTTP header checking won't work as they are behind CloudFlare.

gweedo
October 20, 2014, 01:48:11 AM
Here is better php validation code, which was actually created by theymos and Mike Gogulski. Should work on a stock php5 install.

    private static $base58chars = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

    public static function checkAddress($addr, $addressversion = 00) {
        $addr = self::decodeBase58(trim($addr));
        if(strlen($addr)!=50){
            return false;
        }
        $version = substr($addr, 0, 2);
        if(hexdec($version) > hexdec($addressversion)) {
            return false;
        }
        $check = substr($addr, 0, strlen($addr) - 8);
        $check = pack("H*", $check);
        $check = strtoupper(hash("sha256", hash("sha256", $check, true)));
        $check = substr($check, 0, 8);
        return $check == substr($addr, strlen($addr) - 8);
    }

    private static function decodeBase58($base58) {
        $origbase58 = $base58;
        $return = "0";
        for ($i = 0; $i < strlen($base58); $i++) {
            $current = (string) strpos(Bitcoin::$base58chars, $base58[$i]);
            $return = (string) bcmul($return, "58", 0);
            $return = (string) bcadd($return, $current, 0);
        }

BitCoinDream (OP)
October 20, 2014, 08:59:23 AM
Thanks for the code snippet. I read somewhere that most of the time standalone PHP code is unable to validate Pay2PubKeyHash addresses and Pay2ScriptHash addresses at the same time. Does this validate both types of addresses?

trattrat
October 21, 2014, 01:29:30 PM
Last 4 chars of a B58 encoded address is the checksum. You can use that to validate.
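
An offline Base58Check validator that accepts both address types asked about in this thread (Pay2PubKeyHash, version byte 0x00, and Pay2ScriptHash, version byte 0x05), so the result does not depend on a remote service and untrusted input never reaches a URL. This is an added example, not code from any poster or from the theymos / Mike Gogulski library; the function names are hypothetical, and it assumes PHP 7.1+ with the bcmath extension.

```php
<?php
// Added example: offline Base58Check validation for Bitcoin mainnet addresses.
// Function names are illustrative. Requires the bcmath extension.

const BASE58_ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';

// Decode a Base58 string to raw bytes; returns null if any character is outside the alphabet.
function base58DecodeToBytes(string $s): ?string
{
    if ($s === '' || strspn($s, BASE58_ALPHABET) !== strlen($s)) {
        return null; // rejects 0, O, I, l, whitespace, markup and anything else non-Base58
    }
    $num = '0';
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $num = bcadd(bcmul($num, '58', 0), (string) strpos(BASE58_ALPHABET, $s[$i]), 0);
    }
    $bytes = '';
    while (bccomp($num, '0') > 0) { // big integer -> big-endian byte string
        $bytes = chr((int) bcmod($num, '256')) . $bytes;
        $num = bcdiv($num, '256', 0);
    }
    // Each leading '1' in the text encodes one leading zero byte.
    return str_repeat("\x00", strspn($s, '1')) . $bytes;
}

// True when $address decodes to 25 bytes, has an allowed version byte and a matching checksum.
function isValidBase58Address(string $address, array $versions = [0x00, 0x05]): bool
{
    $raw = base58DecodeToBytes($address);
    if ($raw === null || strlen($raw) !== 25) { // 1 version + 20 hash + 4 checksum bytes
        return false;
    }
    $expected = substr(hash('sha256', hash('sha256', substr($raw, 0, 21), true), true), 0, 4);
    return in_array(ord($raw[0]), $versions, true) && hash_equals($expected, substr($raw, 21));
}

// Sample inputs: two widely published example addresses and two constructed bad inputs.
foreach ([
    '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa', // P2PKH (genesis block address)
    '3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy', // P2SH
    '1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb', // constructed: last character altered
    '1A1zP1eP5QGefi2DMPTfTL5SLmv7Divf0O', // constructed: contains non-Base58 characters
] as $candidate) {
    printf("%-36s %s\n", $candidate, isValidBase58Address($candidate) ? 'valid' : 'invalid');
}
```

A passing check only shows the string is well formed; it says nothing about whether the address has ever been used or holds a balance.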