> At 05:58 2002-04-16 +0800, Zing Yang wrote:
> >$AltPassphrase="xxxxxxxxxxxx";
>
> Do you keep the actual pass phrase in there or its hash? If I recall
> correctly, you need to use the hash of the alt pp rather than the pp
> itself. But it is not quite clear what the xxxxxx stands for (not that
> it should be :) ).
Yes, that was it! We had put the actual passphrase there, while it should have been the hash. We quickly calculated the hash of the passphrase at https://www.e-gold.com/acct/md5check.html (thanks Jay!), and had to remove the chop command (don't quite understand why it was there in the first place), and now IT WORKS! :-)

For the record, here's the final code:

-------------------------------------
use Digest::MD5 qw(md5_hex);   # supplies md5_hex

# the MD5 hash (hex) of the alternate passphrase goes here, not the passphrase itself
$AltPassphrase="hash_of_alt_passphrase";

# recompute the V2 hash over the posted fields, in e-gold's field order
$handshake=uc(md5_hex qq!$INPUT{'PAYMENT_ID'}:$INPUT{'PAYEE_ACCOUNT'}:$INPUT{'PAYMENT_AMOUNT'}:$INPUT{'PAYMENT_UNITS'}:$INPUT{'PAYMENT_METAL_ID'}:$INPUT{'PAYMENT_BATCH_NUM'}:$INPUT{'PAYER_ACCOUNT'}:$AltPassphrase:$INPUT{'ACTUAL_PAYMENT_OUNCES'}:$INPUT{'USD_PER_OUNCE'}:$INPUT{'FEEWEIGHT'}:$INPUT{'TIMESTAMPGMT'}!);

# reject the submission if our hash doesn't match the one e-gold posted
if ($handshake ne $INPUT{'V2_HASH'}) { &to_the_end(); }

# here follows what to do if the verification was successful
-------------------------------------

Actually, looks pretty easy! And it's going to save a lot of time... no more manual verifications of payments! The next step is going to be the automation of prize payments on our part.

Before we get to that, does anyone want to test our current system for loopholes? We're now covered against the following, which had plagued us before implementing the hash:

* payments in different, almost worthless currencies, e.g. Spanish pesetas
* payments made to a different account
* faked form submissions to the results URL

Actually, we had developed workarounds against the first two (by adding an explicit verification of currency and recipient account), but there was really nothing to protect against the third one other than the hash verification!

If you've got a few minutes (and $1), try our game at http://OffshoreGamers.com

Then try to find a way to fool the system, i.e. to generate a prize without actually sending an e-gold transfer that would result in a legitimate prize calculation procedure.
Sincerely
Zing

--
Get your free email from www.uymail.com
Powered by Outblaze

---
You are currently subscribed to e-gold-tech as: archive@jab.org
To unsubscribe send a blank email to [EMAIL PROTECTED]
Use e-gold's Secure Randomized Keyboard (SRK) when accessing your e-gold account(s) via the web and shopping cart interfaces to help thwart keystroke loggers and common viruses.
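The verification Zing describes, written out as an added Python example (not code from the list post or from e-gold): the V2_HASH is recomputed over the posted fields in the same colon-joined order the Perl snippet uses, with the uppercase hex MD5 of the alternate passphrase spliced in between PAYER_ACCOUNT and ACTUAL_PAYMENT_OUNCES, and then compared in constant time. The payee and currency checks from the post are kept as defence in depth. The account numbers, batch number, timestamp and the alternate passphrase are constructed sample values; that the stored value is the uppercase hex MD5 of the passphrase (what the md5check page returns) is an assumption.

```python
import hashlib
import hmac

# Field order of the V2 hash, taken from the Perl snippet in the post. The hash
# of the alternate passphrase is inserted between the two groups.
V2_FIELDS_BEFORE = (
    "PAYMENT_ID", "PAYEE_ACCOUNT", "PAYMENT_AMOUNT", "PAYMENT_UNITS",
    "PAYMENT_METAL_ID", "PAYMENT_BATCH_NUM", "PAYER_ACCOUNT",
)
V2_FIELDS_AFTER = ("ACTUAL_PAYMENT_OUNCES", "USD_PER_OUNCE", "FEEWEIGHT", "TIMESTAMPGMT")


def alt_passphrase_hash(passphrase):
    """Uppercase hex MD5 of the alternate passphrase (assumed to match what the
    md5check page produces). Store this value, never the passphrase itself."""
    return hashlib.md5(passphrase.encode("utf-8")).hexdigest().upper()


def compute_v2_hash(form, alt_hash):
    """Recompute V2_HASH the way the Perl code does: colon-joined fields,
    MD5, uppercase hex. Missing fields contribute an empty string, as an
    undefined $INPUT{...} would in Perl."""
    parts = [form.get(f, "") for f in V2_FIELDS_BEFORE]
    parts.append(alt_hash)
    parts.extend(form.get(f, "") for f in V2_FIELDS_AFTER)
    return hashlib.md5(":".join(parts).encode("utf-8")).hexdigest().upper()


def verify_payment(form, alt_hash, expected_payee, expected_units):
    """Return (ok, reason). The hash check is what defeats faked submissions;
    the payee and units checks are the explicit workarounds from the post."""
    expected = compute_v2_hash(form, alt_hash)
    presented = form.get("V2_HASH", "")
    # constant-time compare so the comparison itself leaks nothing about the hash
    if not hmac.compare_digest(expected, presented):
        return False, "V2_HASH mismatch: not a genuine e-gold notification"
    if form.get("PAYEE_ACCOUNT") != expected_payee:
        return False, "paid to the wrong account"
    if form.get("PAYMENT_UNITS") != expected_units:
        return False, "paid in an unexpected currency"
    return True, "ok"


# Constructed sample values: not real accounts, not a real transaction.
ALT_HASH = alt_passphrase_hash("example-alt-passphrase")
SAMPLE_FORM = {
    "PAYMENT_ID": "prize-round-42",
    "PAYEE_ACCOUNT": "100001",
    "PAYMENT_AMOUNT": "1.00",
    "PAYMENT_UNITS": "USD",
    "PAYMENT_METAL_ID": "1",
    "PAYMENT_BATCH_NUM": "7654321",
    "PAYER_ACCOUNT": "200002",
    "ACTUAL_PAYMENT_OUNCES": "0.003",
    "USD_PER_OUNCE": "300.00",
    "FEEWEIGHT": "0.0001",
    "TIMESTAMPGMT": "1018907880",
}
# A genuine notification carries a hash e-gold computed with the same secret;
# simulate that here so the sample verifies.
SAMPLE_FORM["V2_HASH"] = compute_v2_hash(SAMPLE_FORM, ALT_HASH)


def tampered_form():
    """The third failure case from the post: a submission to the results URL
    whose fields were edited. Without the alternate passphrase hash the
    V2_HASH cannot be recomputed, so the edit is detected."""
    f = dict(SAMPLE_FORM)
    f["PAYMENT_AMOUNT"] = "1000.00"
    return f


if __name__ == "__main__":
    print(verify_payment(SAMPLE_FORM, ALT_HASH, "100001", "USD"))
    print(verify_payment(tampered_form(), ALT_HASH, "100001", "USD"))
```

On the chop that had to be removed: Perl's chop strips the last character of a string, so applied to the 32-character hex hash it would have produced a 31-character value and every recomputed handshake would have mismatched; removing it is the right fix, not a workaround.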