Awesome! I'll be doing that right now... I've always wanted a donate subdomain. I'm getting: INVALID_ADDR: 'https://lavacraftserver.buycraft.net' should not be an IP/ URL for CNAME record. (host name: donate)
My old server just used the BuyCraft store and iframed it onto our website. Worked perfectly! I wouldn't trust anything other than BuyCraft lol XD
In honest opinion I would like to host it on my own website. Not let BuyCraft host it. Then I would be able to have all the features I could want. I might take this up in my free time. Make something simple.
Open source money transfer is a bad idea, really bad. Tell a bank to create you an open-source account so you can use your own home-made security to keep the hackers away.
I'm working on a little something that is exactly that. Builds of it are already located in the downloads section of it's GitHub and documentation is available on it's GitHub wiki, if you're interested. I'm not here to try and sell my plugin to you people though, and the OP has already been satisified, so I see no reason to keep a discussion going on BuyCraft.
I would like to point out that my plugin is basically brand new and the ipn given is an example ipn with some sql injection prevention which should prevent any basic stuff, although in reality any time there is user input into a sql query there is a possibility of sql injection regardless of what you do. I am not as familiar with php as I am with java so the ipn is still a work in progress. Although thankyou for pointing out that foreign transactions will not work, I had suspected such but was unable to test it as I cannot do the foreign transactions myself.... Although in the future rather than just criticizing I would appreciate if you were to maybe notify me of the shortcomings so I can improve and eliminate them. Maybe you could start with telling me the sql injections you spotted? Just btw to everyone, looking at that "Donator" plugin it has little to no sql injection prevention, as their input is placed directly into the database. [Edit] Just realized I made the mistake of sending a non-array value into a function that processes array values.... [Edit 2] Honestly the only thing I could think of to completely prevent sql injection would be to do a check on 'http://www.minecraft.net/haspaid.jsp?user=PLAYERNAME' to make sure its a valid minecraft username before processing But that would be horribly inefficient.
Would just like to comment on this quote here, that is actually incorrect. Using MysqlI or just using mysql_real_escape_string() will remove all possibilities of SQL injection. I advise using an active record approach to eliminate SQL injection in a proper and secure way.
So why wouldn't my: Code: function anti_injection($sql) { foreach ($sql as &$value) { if (!is_array($value)) { $value = mysql_real_escape_string(stripslashes(trim($value))); //get all data into shape for db insert without sql injection attacks } } unset($value); return $sql; } Stop it then? I run this on all the Post Variables.
I have spent the last week deep in the thousands of paypal ipn pages, and I am now sure that foreign transactions will work fine as I used 'mc_gross' Not 'payment_gross' and so it takes the final net payment to your paypal account. Regardless of currency. So your statement is false.
