This is a read-only snapshot of the ComputerCraft forums, taken in April 2020.

LuaPay - Global Currency Support

Started by Imque, 04 May 2013 - 12:14 AM
Imque #1
Posted 04 May 2013 - 02:14 AM
LuaPay API


Hai,

I have finally returned to coding after I have been working hard on my server. I decided to finally release LuaPay since it was sitting on my desktop. I have the first release. The database has been cleaned. This is just a fun idea. Let me start off by saying, currently it isn't 1 account per IP. It's as many. Yes, that means you can generate credits. I do not mind so much but in the future I may fix this and even include an email confirm feature.
The security of LuaPay is really high. All $_POST or $_GET variables are treated for any special characters; this stops MySQL injection and a whole list of other possible hacks. Every password is hashed in SHA-512, meaning that a password that was once ~10 characters is now 64 and completely encoded. Currently, there is no decoder for SHA-512. This makes all passwords 99.99% safe. Well what about the other 00.01%? Well that would be the smallest chance of a SHA-512 decoder to be made and then to get into the database. That's not going to happen….


Ok, here's the good stuff :)

You can grab the API by simply pasting the following into your computer.

pastebin get fj1iQQdH luapay

http://pastebin.com/fj1iQQdH

The HTTP API needs to be enabled for the use of this API.

API Functions
Yea, currently there isn't a ton of functions but it will do for an AppStore

login(username, password)
returns true if the login details are correct.
Useful for a simple login.

changepass(user, pass, newpass)
returns true if the login details are correct and if the password changed.
Used to change a user's password

pay(user, pass, touser, amount)
returns true the amount transferred (false if the account didn't have enough money)
Useful to pay an account.

balance(user, pass)
returns the current balance of the login.
Useful for a balance checker
D3matt #2
Posted 04 May 2013 - 02:42 AM
A "universal" currency can never work because no sane person is going to take money from another server.
Imque #3
Posted 04 May 2013 - 02:49 AM
I am not sure what you mean. The idea uses a MySQL database and PHP scripts. All servers have to do is enable HTTP.
Mads #4
Posted 04 May 2013 - 03:01 AM
You expect people to pay money in order to get some credits that they can use for… nothing?
Imque #5
Posted 04 May 2013 - 03:25 AM
No, I will not expect money. It's virtual money. Everyone now gets 10 credits. You need to sell them to get moar!
tonkku107 #6
Posted 04 May 2013 - 03:37 AM
Are you talking about computercraft in-game shop with game items?
Imque #7
Posted 04 May 2013 - 03:48 AM
No, just a global system where a program can allow purchases through it. Like PayPal.
H4X0RZ #8
Posted 04 May 2013 - 04:11 AM
I like your Idea!

I want to help, I send you a PM :D

but I don't understand you right:
You get 10 coins at the start. And sell code/items/blocks for more or?
tonkku107 #9
Posted 04 May 2013 - 04:26 AM
No, just a global system where a program can allow purchases through it. Like PayPal.
What do they buy?
H4X0RZ #10
Posted 04 May 2013 - 04:33 AM
No, just a global system where a program can allow purchases through it. Like PayPal.
What do they buy?

I understand it so:

This system is a global purchasing method but you can't purchase anything in it.
You have to go into an Appstore that uses LuaPay. There you can buy/sell things :D
tonkku107 #11
Posted 04 May 2013 - 04:45 AM
No, just a global system where a program can allow purchases through it. Like PayPal.
What do they buy?

I understand it so:

This system is a global purchasing method but you can't purchase anything in it.
You have to go into an Appstore that uses LuaPay. There you can buy/sell things :D
LuaStore B)
Cruor #12
Posted 04 May 2013 - 05:26 AM
Locked as requested.
Imque #13
Posted 04 May 2013 - 11:21 PM
Cleared Post.
Shinjiteru #14
Posted 04 May 2013 - 11:36 PM
It's foolish to post how you encrypt your passwords,

$password = hash('sha512', $password); // Hashing
$password = hash('sha256', $password);
$password = hash('md5', $password);
$password = hash('sha512', $password);

Now people know how to decrypt the hashes presented to them, leaving the users more vulnerable. :/
GravityScore #15
Posted 05 May 2013 - 12:00 AM
Combining hash functions is bad.

This is because your resulting hash is only as strong as the weakest hash in the sequence. This means that if you sha256 an md5 hash, it's not going to make the resulting hash any stronger than the md5 hash.

I'll explain why (this is just an example, it doesn't really happen with this particular case):
Say you hash("md5", "oranges") and it comes out with the hash "ab12fe", and say you hash("md5", "apples") and it also comes out as "ab12fe" (this is a likely possibility, there are a large amount of collisions in md5, which is why you really shouldn't use it). It doesn't matter what you hash it with next (be it sha512 or sha256), the resulting hashes will just come out the same for both apples and oranges, because the md5 hash for both apples and oranges was the same.

The bottom line is, don't hash with multiple hashes. Just use 1 type, and you could hash it multiple times.
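The collision argument in post #15, run against the chain quoted in post #14, as an added example that is not part of either post. MD5 is swapped for a constructed toy stage (MD5 truncated to 16 bits) so a collision turns up within a few hundred inputs; `weak_stage`, `chained` and `find_chain_collision` are hypothetical names, not LuaPay code.

```php
<?php
// Constructed stand-in for a weak stage: MD5 cut down to 16 bits so that two
// colliding inputs can be found in milliseconds. It is a toy, not real MD5.
function weak_stage(string $in): string {
    return substr(hash('md5', $in), 0, 4);
}

// The chain from post #14, with the md5 step replaced by the toy weak stage.
function chained(string $password): string {
    $h = hash('sha512', $password);
    $h = hash('sha256', $h);
    $h = weak_stage($h);
    return hash('sha512', $h);
}

// Walk through sample passwords until two of them meet at the weak stage.
// With 65536 possible values, a repeat is guaranteed and arrives quickly.
function find_chain_collision(): array {
    $seen = [];
    for ($i = 0; ; $i++) {
        $pw  = "password$i"; // constructed sample inputs
        $mid = weak_stage(hash('sha256', hash('sha512', $pw)));
        if (isset($seen[$mid])) {
            return [$seen[$mid], $pw];
        }
        $seen[$mid] = $pw;
    }
}

[$a, $b] = find_chain_collision();
printf("inputs: %s / %s\n", $a, $b);
printf("inputs differ:        %s\n", var_export($a !== $b, true));
// Everything after the weak stage sees identical input, so the final
// sha512 cannot separate the two passwords again.
printf("chained hashes equal: %s\n", var_export(chained($a) === chained($b), true));
printf("plain sha512 equal:   %s\n", var_export(hash('sha512', $a) === hash('sha512', $b), true));
```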
Shnupbups #16
Posted 05 May 2013 - 12:33 AM
The website straight away gives a luapay_invalid_option error.

And also, yeah you need to change the hashes.
Imque #17
Posted 05 May 2013 - 12:51 AM
The website straight away gives a luapay_invalid_option error.

And also, yeah you need to change the hashes.

Yes because the website is designed that you use the post method. Not just access it.
D3matt #18
Posted 05 May 2013 - 01:20 AM
I still don't get the point of this…
Mads #19
Posted 05 May 2013 - 01:55 AM
Why not ask a moderator to unlock the old thread?
Imque #20
Posted 05 May 2013 - 02:35 AM
The old thread got out of hand in my view.
Lyqyd #21
Posted 05 May 2013 - 02:45 AM
Threads merged and re-opened. We don't lock topics just so you can open a new one because you don't like where the conversation was going.
Smiley43210 #22
Posted 05 May 2013 - 04:44 AM
Won't people just exploit it and use the API to add currency to accounts? Otherwise, how would people get currency in it?
Imque #23
Posted 05 May 2013 - 08:11 AM
I have made it so only one account can register per IP.
D3matt #24
Posted 05 May 2013 - 04:32 PM
I have made it so only one account can register per IP.
So, servers can't use it because their members all share the same IP when connecting to the service. In which case, what's the point of this?
Imque #25
Posted 05 May 2013 - 06:42 PM
No. You register on the website to get your account.
D3matt #26
Posted 06 May 2013 - 12:55 AM
How? You said earlier it was meant to use POST, presumably through a client on CC?
Imque #27
Posted 06 May 2013 - 01:50 AM
ok? I am going to make an API for registering to the site?
D3matt #28
Posted 06 May 2013 - 02:54 AM
So people will have to make a computer in singleplayer then register, then go on a server and use it?
Imque #29
Posted 06 May 2013 - 03:10 AM
No, you access the online interface and register then go on to a server and play.
Imque #30
Posted 06 May 2013 - 05:08 AM
Update:

- New website: http://imque.koding.com/luapay/

- Pay feature finished

- Currently coding change password feature

- New database
D3matt #31
Posted 07 May 2013 - 12:01 AM
When are you going to make it so we can actually try and use it?
Imque #32
Posted 07 May 2013 - 01:54 AM
Well when I finish the API you will be able to use it. 11th of May roughly.
Smiley43210 #33
Posted 07 May 2013 - 02:08 AM
Won't people just exploit it and use the API to add currency to accounts? Otherwise, how would people get currency in it?

I have made it so only one account can register per IP.
I was asking how we earn currency, not if we can make infinite accounts to get money.
Imque #34
Posted 07 May 2013 - 04:14 AM
Well the idea of this is to be used in an AppStore or something. You put your program/app on the store then sell it.
Smiley43210 #35
Posted 07 May 2013 - 04:54 AM
Soooo….lets say I buy something for 8 credits. I will never have more than 2 credits now?
Imque #36
Posted 07 May 2013 - 06:03 AM
The idea is that you sell stuff for low prices: 0.10 credits. I will be editing the database to have 100 credits instead.
LordIkol #37
Posted 07 May 2013 - 06:30 AM
hm looking forward to see what comes out.
Somehow I have the feeling this will not be very secure. :)
Smiley43210 #38
Posted 07 May 2013 - 06:39 AM
I'm very hopeful, but somewhat doubtful. But don't let me get in your way Imque :P
D3matt #39
Posted 07 May 2013 - 11:06 AM
Well the idea of this is to be used in an AppStore or something. You put your program/app on the store then sell it.
But what's the point of selling your program for imaginary credits that you can only use to buy other programs? If this was local for a server I could actually see it being useful.
Imque #40
Posted 07 May 2013 - 07:01 PM
@D3matt. I find it that you're being very negative towards the idea. I see a be future in this and I have taken security into the idea. I have changed the hashing to one hash SHA512, on top of that I am salting it. I am also preventing HTML entities and MySQL injection to name a few. The hashing is all server side and the database has a 16 character password. I have stressed the webpage and still get a good connection.
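A sketch of the salted single-SHA-512 storage described in post #40, next to PHP's built-in `password_hash()`, which salts on its own and is deliberately slow where one SHA-512 pass is fast. This is an added example, not LuaPay's code; the record layout and the function names `store_salted_sha512`, `store_native` and `verify_and_upgrade` are assumptions.

```php
<?php
// Hypothetical record layout for one account row (not LuaPay's schema):
// ['algo' => 'sha512-salt' | 'native', 'salt' => hex string, 'hash' => string]

// The scheme described in the post: one SHA-512 over a per-account salt.
function store_salted_sha512(string $password): array {
    $salt = bin2hex(random_bytes(16)); // fresh random salt for every account
    return ['algo' => 'sha512-salt', 'salt' => $salt,
            'hash' => hash('sha512', $salt . $password)];
}

// PHP's built-in password API: generates the salt itself and stores it,
// with the algorithm and cost, inside the returned string.
function store_native(string $password): array {
    return ['algo' => 'native', 'salt' => '',
            'hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// Check a login against either format; after a successful login with the
// old format (or an outdated cost), re-store the password in native format.
function verify_and_upgrade(array &$rec, string $password): bool {
    if ($rec['algo'] === 'sha512-salt') {
        $candidate = hash('sha512', $rec['salt'] . $password);
        $ok = hash_equals($rec['hash'], $candidate); // constant-time compare
    } else {
        $ok = password_verify($password, $rec['hash']);
    }
    $stale = $rec['algo'] !== 'native'
        || password_needs_rehash($rec['hash'], PASSWORD_DEFAULT);
    if ($ok && $stale) {
        $rec = store_native($password);
    }
    return $ok;
}

// Constructed sample accounts sharing one password.
$alice = store_salted_sha512('correct horse');
$bob   = store_salted_sha512('correct horse');
printf("same password, same stored hash: %s\n", var_export($alice['hash'] === $bob['hash'], true));
printf("wrong password accepted: %s\n", var_export(verify_and_upgrade($alice, 'guess'), true));
printf("right password accepted: %s\n", var_export(verify_and_upgrade($alice, 'correct horse'), true));
printf("format after login: %s\n", $alice['algo']);
printf("login still works: %s\n", var_export(verify_and_upgrade($alice, 'correct horse'), true));
```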
D3matt #41
Posted 07 May 2013 - 07:23 PM
I'm just trying to figure out why I should use it.
Smiley43210 #42
Posted 08 May 2013 - 01:52 AM
@D3matt. I find it that you're being very negative towards the idea. I see a be future in this and I have taken security into the idea. I have changed the hashing to one hash SHA512, on top of that I am salting it. I am also preventing HTML entities and MySQL injection to name a few. The hashing is all server side and the database has a 16 character password. I have stressed the webpage and still get a good connection.
Everyone has a right to an opinion. But don't let anyone stop you. Err, except maybe Cloudy or Lyqyd or Dan (and the other mods/admins).
Imque #43
Posted 08 May 2013 - 01:56 AM
But no AfterLifeLochie! :P
H4X0RZ #44
Posted 08 May 2013 - 06:23 PM
If I go on your side, It says "Invalid Option"
Imque #45
Posted 08 May 2013 - 07:02 PM
Because you need to use the POST method to connect to it.
tonkku107 #46
Posted 09 May 2013 - 10:13 AM
So the appstore will be a computercraft program and you store the credits on the website that i can't go in to…
Am i right?
Imque #47
Posted 13 June 2013 - 04:06 AM
First Release!
Pinkishu #48
Posted 13 June 2013 - 05:53 AM
My IP changes every 24 hours though?
MaHuJa #49
Posted 14 June 2013 - 05:22 AM
Never mind the hashing problem you've fixed - that just shows you're an amateur, the idea could still have been good.
But in its half-baked-ness, I don't think it'll actually be useful or usable for much.

It's a nice project for doing something you find interesting - and that's reason enough.
But don't claim it'll be useful or even desirable, until you can make a proper case for that. (Keep in mind that you're building infrastructure, not the end product.) Even implied, that earns you the negative (non-constructive) responses you've been getting.

Well the idea of this is to be used in an AppStore or something. You put your program/app on the store then sell it.
How exactly is the shop frontend going to work?
If you can't review the code that's running, it could be saving your password somewhere, or transferring different amounts than you agreed to.
If you can review the code that's running, you can change it to not actually deduct the money.
Much of the security of the real-world payment cards is the strict control the providers have over the payment terminals - that are separate from the point-of-sale terminals. This is a distinction you cannot rely on unless you implement this as a peripheral.

I have some experience that could help you get this working and proper. But getting this right isn't easy.
And you'll still need to make the case for why anyone would want to use this.
Imque #50
Posted 14 June 2013 - 06:27 AM
– take this with a pinch of salt –

Never mind the hashing problem you've fixed - that just shows you're an amateur, the idea could still have been good.

No problem here but to be honest I have been programming for a long time. I really lost my inspiration for this project. I have been coding Java and making Bukkit plugins, it has consumed a heap of my time. I find with Lua you are really stuck with options and functions and because of this I may continue with Lua programming but only making API's and utilities. I am really interested in the meta methods of Lua and the way the environments work. I have also taken up PHP programming after working with IP.Board. If anyone wants to take this project and finish it I will give you the PHP scripts and the SQL scripts. Free of charge.

My point is Lua and ComputerCraft is a good way to start programming but not to finish. I started with C++ and that was alright. Don't be deterred to Lua because of this but just start to learn something else because once you have learnt a lot of it and really got it under your belt you may just find it boring. I have programmed with Lua for just over 6 months even though I have only been on the forums for around ~2 months. Not all people are going to agree with me in this. I have already seen 5-6 users leave and be bored of Lua. This is not a rant but rather my 2 cents.

Thank you for your time.

- Imque