Also, this is not happening locally when I develop. I would think if I had a form somewhere creating blank users it should happen locally as well. This is only happening on my remote server.
I don't know how to fix this. =(

On Aug 19, 9:46 am, andrewperk <[email protected]> wrote:
> Hi WebbedIT,
>
> The reason I think someone is having access to my db is that in my user table, I have a field called subscriber (varchar) and by default (SQL default) when a user is created this field is populated with the word NO in it. The blank user fields that are being created have the subscriber field marked as YES.
>
> If my form was doing what you say, shouldn't the subscriber field also be marked as NULL? Instead all fields except subscriber are NULL and the subscriber field is marked as YES. The only logic I have that messes with the subscriber field is my PayPal update which gets the user who made the payment and updates their subscriber field to yes.
>
> Thanks.
>
> On Aug 19, 3:43 am, WebbedIT <[email protected]> wrote:
> > Are you sure someone is actually gaining access to your database? If they were, I would expect them to do a lot worse than create some blank records in your user table.
> >
> > It is possible you have a form somewhere in your app for a model that is related to User, but are not including User.id field in the form. If so when you update that record using this form it will create a blank record in the User table.
> >
> > HTH, Paul.
> >
> > On Aug 19, 2:56 am, andrewperk <[email protected]> wrote:
> > > Hi again, it appears that this did not fix the problem. He's still gaining database access.
> > >
> > > I've changed my core.php debug to 0. I also changed the password of my database. I've checked my server to make sure it's not displaying PHP errors. I'm using the security component. I'm on Cake 1.3.10. I'm in the process of upgrading my cake folder to 1.3.11 right now.
> > >
> > > But yet, even after these changes this person has again somehow gotten access to my database. He's inserting users with all fields of the user table set to NULL and marking himself as a premium member (it's one of my fields in the user table). He doesn't give himself a username or password so he can't actually log in and abuse my system. He's just got access to my database somehow.
> > >
> > > I'm not sure how to figure out how he's doing this. Does anyone have any ideas? If you need me to paste some code please let me know and I'll provide it, as I'm not sure where the error might lie.
> > >
> > > Thanks for any help.
> > >
> > > On Aug 13, 8:57 am, euromark <[email protected]> wrote:
> > > > yes, with security component this is not possible.
> > > > but Ceeram is right about the password displayed.
> > > >
> > > > On 13 Aug., 01:13, andrewperk <[email protected]> wrote:
> > > > > The username and password is specific to just that database luckily.
> > > > > I've changed the information. Thanks Ceeram.
> > > > >
> > > > > On Aug 12, 3:51 pm, Ceeram <[email protected]> wrote:
> > > > > > with debug on, and there is an error with db connection, it will show db login credentials (this is changed in latest versions), so they probably accessed the db itself, is the user allowed for all hosts on the db or just local?
