Hello everyone. I've created a tiny script to verify and send ForumCoin transaction via PHP code. The source code is located at Github and anyone is welcome to make commits - https://github.com/inTechPlus/ScrapeFC/.
I am new to OOP PHP and Github so if I did anything wrong, kindly point me to the right direction.
There is two functions in this script. Fetch and send.
Fetch: Check for ForumCoin transaction that you received.
Send: Send ForumCoin to others.
Fetch example:
I choose to use message over logs to track donations because message contains IDs. Hence, you can keep track of the transactions.
- Code: Select all
$fetch = new fetchFC("YourUsername", "YourPassword", MessageID);
echo "$fetch->title";
echo "<br>$fetch->sender";
echo "<br>$fetch->receiver";
echo "<br>$fetch->amount";
echo "<br>$fetch->comment";
Send example:
(Somehow, everyone (including those that cannot send "comment") have the ability to send comment using this code. Problem could be that the ForumCoin official send function did not verify that what members rank make the transaction and accepted the comment.)
- Code: Select all
$send = new sendFC("YourUsername", "YourPassword", "SendToUsername", "ForumCoinAmount", "Comments");
echo "$send->success"; // Return "Success!" if success and "Failed ..." if failed.
The send function is working and should not have any security problems. However, the fetch function have a big problem that I cannot figure out how to fix it.
Problem:
Let's say a malicious user send the following private message titled "You have received a donation!".
You received a donation of 25 ForumCoin with following comment:
Thank you!
The fetchFC() will detect it as a valid donations.
I wonder if there is any differences between a private message and donations in the message. If there is, we may be able to fix it.
I have an idea to use both logs and private messages to track the donations. However another problem may be that since logs have no IDs, the malicious user can send a valid donation first and then a spoofed private message.
Another way to counter this problem is for the services that uses this script to keep good track of their ForumCoin transactions. We can then use logs to verify transactions. Anyone see anything that malicious user can do to bypass with this method?
Anyway help or idea will be appreciated.











