E-Junkie Forum, E-junkie Discussions: http://www.e-junkie.com/bb/topic/80/pg/0
Feed: Copyright 2012, 19.5 Degrees. All rights reserved. Latest post Sat, 3 Jul 2010 03:19:36 GMT; feed last built Fri, 10 Feb 2012 16:16:28 GMT.

Post #5, Sat, 3 Jul 2010 03:19:36 GMT, posted by WayneAtWriteLog

Post #4, Fri, 4 Jun 2010 19:44:35 GMT, posted by E-junkieNinja

Post #3, Thu, 3 Jun 2010 13:20:49 GMT
How about adding the POST data to the md5 parameters? That way at least we can guarantee a unique handshake for each request and that the POST parameters have not been tampered with.

Posted by ClickTilt
Post #2, Mon, 22 Oct 2007 21:14:15 GMT
As for storing the password in the script, as you said, you can simply store its md5 in the php script. Better yet, you can simply store the shared secret in the php file.

That said, we will eventually start passing an HMAC hash as well, but the handshake will stay the same to be backward compatible.

Posted by E-JunkieExpert
Post #1, Mon, 22 Oct 2007 21:12:15 GMT

I was just reading http://www.e-junkie.com/ej/help.selling-codes.php and I really liked the way you had the registration codes set up. That is, until I looked at it further.

Based on the example, the handshake is _always_ going to be the same. Therefore, it is very easy for someone to spoof.

Also, the idea of having the ejunkie login/password embedded in the php file makes me cringe (although you could figure out the md5 of the pw and just use that). Would it be possible to make it a little more sophisticated? I was thinking along the lines of using a 'shared secret' key + hmac. The handshake would then be: hmac('shared secret', 'transaction id'). If php is your thing, there is code here: http://www.php.net/sha1. This will prevent someone from just spoofing the handshake.

What are your thoughts about this? The current implementation is rather weak. Unless I'm missing something?

Thanks, I look forward to hearing back from you!

Posted by GuestUser
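The handshake proposed in Post #1 and extended in Post #3, as an added PHP example that is neither E-Junkie's own code nor code from the posters: the vendor script holds only a shared secret (no login/password), the sender computes an HMAC over the transaction id plus every POST field, and the receiver recomputes it and compares in constant time, so a replayed fixed handshake or an edited field fails verification. The secret value, the field names (`txn_id`, `handshake`) and the choice of SHA-256 are assumptions for this example.

```php
<?php
// Added example, not E-Junkie's code: HMAC handshake over the transaction id
// and the POST fields, in place of a fixed md5 handshake.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // assumed placeholder
const HANDSHAKE_FIELD = 'handshake';                        // assumed field name

// Canonicalise the signed fields so sender and receiver serialise them
// identically regardless of the order the POST body arrives in.
function canonicalise(array $fields): string
{
    unset($fields[HANDSHAKE_FIELD]);
    ksort($fields);
    $parts = [];
    foreach ($fields as $k => $v) {
        $parts[] = rawurlencode((string)$k) . '=' . rawurlencode((string)$v);
    }
    return implode('&', $parts);
}

// Sender side: sign the transaction id together with every POST field, so the
// handshake differs per request and covers the field values.
function sign_request(string $txn_id, array $fields, string $secret): string
{
    return hash_hmac('sha256', $txn_id . "\n" . canonicalise($fields), $secret);
}

// Receiver side: recompute and compare in constant time; reject when the
// handshake or transaction id is missing, or when any covered field changed.
function verify_request(array $post, string $secret): bool
{
    if (!isset($post[HANDSHAKE_FIELD], $post['txn_id'])) {
        return false;
    }
    $expected = sign_request($post['txn_id'], $post, $secret);
    return hash_equals($expected, (string)$post[HANDSHAKE_FIELD]);
}

// Constructed sample request, shaped like an order notification.
$fields = ['txn_id' => 'TXN-0001', 'payer_email' => 'buyer@example.com', 'quantity' => '1'];
$fields[HANDSHAKE_FIELD] = sign_request($fields['txn_id'], $fields, SHARED_SECRET);
var_dump(verify_request($fields, SHARED_SECRET));

// The same request with the quantity edited in transit no longer verifies.
$tampered = $fields;
$tampered['quantity'] = '100';
var_dump(verify_request($tampered, SHARED_SECRET));
```

Keeping the secret in a file outside the web root (or in environment configuration) rather than in the script itself avoids the embedded-credential problem the first post raises.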