Credits Script Interface

Fahad

Guest
Please could we have an HTTP GET interface for transferring credits, so that I could write a script to do it?
The format of the script would be:
username, password, amount of credits, who to transfer to.
That way, I could start a pay-per-click advertising scheme.
 

Livewire

Abuse Compliance Officer
Staff member
Messages
18,169
Reaction score
216
Points
63
Fahad said:
Please could we have an HTTP GET interface for transferring credits, so that I could write a script to do it?
The format of the script would be:
username, password, amount of credits, who to transfer to.
That way, I could start a pay-per-click advertising scheme.

Did you just say you wanted an HTTP GET with the PASSWORD EXPOSED?

Cause that seems a bit...Well bad to say the least. What's stopping me from doing this with your link:

httptrans.html?uname=fahadsadah&pass=yourpasswordwhichigotfromoneofyourlinks&creds=481&transto=Livewire

Seriously; that's probably why it's not there already - your password CANNOT be exposed in an HTTP GET or anyone who wants it just has to cut and paste. Especially with the transfer script.


And I know what you're thinking - you could easily track me down for using that link and get your credits back.

But what if I'm not the one who clicked it? What if I make that same link but substitute GamingX for Livewire? Any tracking information available for who clicked the link, even if it's by IP, won't stand up well - I could just go to any public place so the IP'd come back to anyone else in the same building (head to the college and it'd show up under one of any of their four IPs - tracking that down to a single user would be difficult at best - tracking ME down would be impossible since you'd have an IP not tied to a username).


It's a good idea and all, but there's also a reason it's not there yet - you can't expose personal information via HTTP GET cause it's a highlight+copy away from being stolen.


Edit: Sorry for putting the name GamingX in there too; was the first name I could think of besides Corey >_<
 

Fahad

It's not like any links with this page would be exposed.
All usage would be contained within a php script.
Edit:
Also, why not an encrypted password?
 

Livewire

Fahad said:
It's not like any links with this page would be exposed.
All usage would be contained within a php script.

Now you've got me confused; how would the PHP script get the username/password, the amount of credits, and the person to transfer to if it's all contained in the script?

Back to macro, the HTTP GET, which is as easy as "copy link location" and paste into notepad; even php documents can have GET stuff:

My URL Bar said:
newreply.php?do=newreply&p=283229

You need a way to give the php script the username and password. The problem is giving that script the username and password without actually exposing it - anything with HTTP get is simply "Copy link location" and go...

Fahad said:
Edit:
Also, why not an encrypted password?

That could work actually, but I'd worry about the kind of encryption used - keep in mind that if it can be encrypted, at some point it can also be decrypted.




One thing I CAN see though is a system where someone clicks the link and it adds them to a "points queue" for you to validate - you'd still have to manually send the points out, but instead of it requiring your username and password you'd have something more like this:

credit_trans.php?amt=5&offer=1, which might take you to a page where you input your forum name.

Then it shows up in a queue, which might show stuff like this:

Livewire - 5 - Referral click [send]
GamingX - 10 - Referral click [send]
Corey - 999999 - I am God, gimme all your credits ;) [send]

At least then it's not automatic - it'd still require you to verify that the points being requested are actually _valid_ requests. It'd at least take the worry out of "ok, can someone click that link 100 times and have it transfer all my credits out of my account," even if you'd still have to manually send them out.



I dunno, I just can't think of an automatic way to do this without giving out the username and password - that's the main problem I can see with it being automatic. Anything where you'd still have to validate it would be fine - just take the password out of the equation and you're good to go.
 

Fahad

I don't think you understand what sort of script I'm talking about. Example:
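PHP:
<?php
// code goes here to make account, check for clones, maybe check for
// refererid fixing
// Server-side GET; urlencode() keeps the posted refererid from adding extra query parameters.
$to = urlencode($_POST['refererid']);
$h = fopen("http://forums.x10hosting.com/credstransfer.php?un=fahadsadah&pw=hello123&transferto=" . $to . "&creds=10", "r");
if ($h !== false) { fclose($h); }
echo("You have successfully signed up");
?>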
This script would be executed whenever someone signs up to my site with a refererid POST variable. The user never sees anything.

As for encryption, MD5 twice then SHA2 on top is incredibly strong.
 
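An added example, not part of the thread and not an existing x10Hosting interface: one way a server-side script like the one above could authorise a transfer without putting the forum password in a URL, using a per-script key and an HMAC-signed POST with a freshness window, replay check and amount cap. The key id, field names, limits and secret are all assumptions made for the illustration.

```php
<?php
// Added example with hypothetical names; not an x10Hosting API.
// A per-script key replaces the forum password, and the request carries a
// signature instead of any secret, so nothing reusable lands in URLs or logs.

const MAX_SKEW = 300;    // seconds a signed request stays valid (assumed policy)
const MAX_CREDITS = 50;  // per-request cap for this key (assumed policy)

// Client side: build the POST fields and sign them with the shared key.
function sign_transfer(string $keyId, string $secret, string $to, int $credits, int $now, string $nonce): array {
    $fields = ['key_id' => $keyId, 'to' => $to, 'credits' => $credits, 'ts' => $now, 'nonce' => $nonce];
    ksort($fields);
    $fields['sig'] = hash_hmac('sha256', http_build_query($fields), $secret);
    return $fields; // send as an HTTPS POST body, never as a query string
}

// Server side: recompute the MAC, then check freshness, replay and limits.
function verify_transfer(array $fields, array $keys, array &$seenNonces, int $now): string {
    $sig = (string)($fields['sig'] ?? '');
    unset($fields['sig']);
    $secret = $keys[$fields['key_id'] ?? ''] ?? null;
    if ($secret === null) return 'unknown key';
    ksort($fields);
    $expected = hash_hmac('sha256', http_build_query($fields), $secret);
    if (!hash_equals($expected, $sig)) return 'bad signature';
    if (abs($now - (int)($fields['ts'] ?? 0)) > MAX_SKEW) return 'stale request';
    $nonceId = $fields['key_id'] . ':' . ($fields['nonce'] ?? '');
    if (isset($seenNonces[$nonceId])) return 'replayed request';
    $credits = (int)($fields['credits'] ?? 0);
    if ($credits < 1 || $credits > MAX_CREDITS) return 'amount out of range';
    $seenNonces[$nonceId] = true; // remember the nonce only once the request is accepted
    return 'ok';
}

// Constructed demo data: one key, one signed request, checked four ways.
$keys = ['script-1' => 'constructed-demo-secret'];
$seen = [];
$now = 1700000000;
$req = sign_transfer('script-1', $keys['script-1'], 'Livewire', 10, $now, bin2hex(random_bytes(8)));

echo verify_transfer($req, $keys, $seen, $now), "\n";        // first delivery
echo verify_transfer($req, $keys, $seen, $now), "\n";        // same request sent again
$tampered = $req;
$tampered['credits'] = 40;                                   // amount changed after signing
echo verify_transfer($tampered, $keys, $seen, $now), "\n";
echo verify_transfer($req, $keys, $seen, $now + 3600), "\n"; // captured request sent an hour later
```

Because the key is separate from the forum password, it can be revoked or capped without touching the account login.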

Livewire

!

NOW I get it.


I thought you meant something like this:

http://bogus.nothere.thisisfake.net.com.co.uk.tv.us.fake/credtrans.php?uname=haha&pw=OMGHAX

And I couldn't figure out how you meant to somehow hide the password >_<



NOW it makes perfect sense; PHP executes the GET on the server, so even if the user was watching packets, wouldn't matter cause the server wouldn't be sending it via the client.


Gotcha; that'd work, but I'm curious how many users would still use it the way I've got it above (cause that'd be bad obviously) >_<
 

Fahad

Glad to know you understand.
Could someone from the staff give me a view on it?
 