<?php
// Device creation API.
// This endpoint receives posted JSON.
// postedTo(true) returns the caller's public key as raw bytes (see bin2hex below);
// its exact contract (JWS verification, rejection path) is defined elsewhere.
$public_key = postedTo(true);
// Get the public key as hex. bin2hex() output is [0-9a-f] only, which is why it
// can be spliced into the UNHEX("...") literal further down.
$hexKey = bin2hex($public_key);
// Get the device name.
// Device name must be a valid title if it's declared.
// The trailing `null, true` arguments presumably make the field optional
// (null when absent) — verify against safe()'s definition.
$name = safe('name', VALID_TITLE, null, true);
// Loose `==` is deliberate here: both null (field absent) and '' (field empty)
// take the fallback branch. Do not tighten to === without handling null.
if ($name == '') {
    // We'll use the user agent for the name instead.
    include '../private/Functions/userAgent.php';
    $ua = parse_user_agent();
    if (!$ua['platform']) {
        $ua['platform'] = 'Unknown platform';
    }
    if (!$ua['browser']) {
        $ua['browser'] = 'Unknown client';
    }
    // Escape including html stripping. The User-Agent header is attacker-controlled
    // input, so this escape is what makes $name safe to embed below.
    $name = escape($ua['platform'] . ' / ' . $ua['browser']);
}
// Generate a string which forms part of the device ID so an attacker
// can't simply guess IDs.
// NOTE(review): this only holds if randomString() is backed by a CSPRNG
// (random_bytes()/random_int()); its implementation is not on this page — confirm.
$publicID = randomString(16);
// Generate the first sequence code too.
$sequence = randomString(16);
// Create the device row (Note: many of these are safe due to either being generated
// or checked already; escape not required).
// Per-value reasoning for the string-built SQL:
//   $hexKey    - hex digits only (bin2hex).
//   $publicID, $sequence - output of randomString(); assumed alphanumeric — confirm.
//   time()     - integer.
//   $name      - either validated by VALID_TITLE or passed through escape().
// NOTE(review): the safety of $name depends on VALID_TITLE / escape() rejecting or
// encoding the double-quote character, which is not visible here; a parameterised
// query would remove that dependency if $dz supports one.
$dz->query('insert into `Merchant.Devices`(`Key`,`PublicID`,`Sequence`,`CreatedOn`,`Name`) values (unhex("' . $hexKey . '"),"' . $publicID . '","' . $sequence . '",' . time() . ',"' . $name . '")');
// Get the device row ID:
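<?php
// Complete the payment of a checkout. We're on the clock here!
// Expects a signed POST; postedTo() is the project's request/authentication entry point.
postedTo();
if (!$verifiedAccount) {
    // Nope! Account required.
    // error() is used throughout this API as a terminating call (no else branches follow it).
    error('account/required');
}
// Get the ID. VALID_NUMBER is what keeps the concatenation below free of injection;
// what safe() does on a missing/invalid value is defined elsewhere.
$id = safe('id', VALID_NUMBER);
// Get the whole pending checkout as it contains everything we need.
// The `Account` predicate is the ownership check: a caller can only complete a
// checkout that belongs to their own verified account.
$checkout = $dz->get_row('select * from `Bank.Checkouts.Pending` where `ID`=' . $id . ' and `Account`=' . $verifiedAccount);
if (!$checkout) {
    // No pending checkout with this ID belongs to the caller (unknown ID, already
    // completed, or another account's). Stop here instead of passing an empty
    // row into transfer(). The error code follows the `<area>/notfound`
    // convention used by the other endpoints of this API.
    error('checkout/notfound');
}
// Perform the transfer now using the checkout data.
// NOTE(review): nothing visible here marks the pending row as consumed before the
// transfer; unless transfer() does that atomically, two concurrent requests for the
// same ID could both pass the read above — confirm and, if needed, claim the row
// (e.g. a conditional update/delete) before transferring.
transfer($checkout);
// Ok!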
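<?php
// Balance claim API.
// Receives JWS; postedTo(true) returns the caller's public key as raw bytes.
$publicKey = postedTo(true);
// Loose comparison kept on purpose: $verifiedEntity's type (int vs numeric string)
// is not visible here — confirm before tightening to ===.
if ($verifiedEntity == 0) {
    // Must be an entity.
    error('entity/required');
}
// Get the signature, address and current balance.
// VALID_HEX on $address is what makes the UNHEX("...") concatenation below safe.
$signature = safe('signature', VALID_BASE64);
$address = safe('address', VALID_HEX);
$balance = safe('balance', VALID_NUMBER);
// Get the balance info - is it already claimed, and does the balance match?
$row = $dz->get_row('select `Balance`,`Entity` from `Root.Balances` where `Key`=UNHEX("' . $address . '")');
// Fix: the original tested `if ($row)` and so reported notfound for every balance
// that exists, while a missing balance fell through to the $row['Balance'] read below.
if (!$row) {
    // Balance doesn't exist.
    error('balance/notfound');
}
// Loose != because the DB value may come back as a string while $balance is
// whatever safe() returns for VALID_NUMBER — not visible here.
if ($row['Balance'] != $balance) {
    // The balance does not match.
    error('balance/invalid');
}
if ($row['Entity'] != 0) {
    // Someone has claimed it already (probably the requester).
    error('balance/claimed');
}
// Validate the signature: the message is "<hex public key>.<balance>", signed by the
// key that owns $address.
// NOTE(review): the three responses above are returned before ownership of $address
// is proven, so any verified entity can learn whether a balance exists and whether it
// is claimed; verifying the signature before the lookup would avoid that disclosure.
$signed = bin2hex($publicKey) . '.' . $balance;
if (!verify($signature, $signed, $address)) {
    // Invalid signature: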