WebbedIT, you had it correct. Thanks so much.

I fixed the problem. There was never anyone gaining access to my app.
It was in my PayPal processing after a completed payment. I wasn't
actually confirming that a user had been found before doing the update,
so this was creating a blank user.

Here's the long story:

My client has other products they sell through PayPal using PayPal buttons.
So, after I enabled IPN in their account I noticed that my IPN
table was receiving IPNs from my client's other products. In my
app I find the user who made the payment based on a custom field that
is returned by IPN to my app. When these other orders of my client's
were being sent to my IPN URL that custom field wasn't available, so
it wasn't actually finding the user to update to a premium membership,
but it still passed my logic test of being a completed payment. The
user wasn't ever found. Instead, like you said, I was setting the ID of
the user to update in the controller for a user who wasn't actually
there, and it was creating a blank one, and in that same logic it sets
the premium subscriber field to YES.

I fixed it by just checking that it actually finds a user before doing
the update.

Thanks so much for pointing that out. I appreciate everyone's help.

On Aug 19, 3:43 am, WebbedIT <[email protected]> wrote:
> Are you sure someone is actually gaining access to your database? If
> they were, I would expect them to do a lot worse than create some
> blank records in your user table.
>
> It is possible you have a form somewhere in your app for a model that
> is related to User, but are not including User.id field in the form.
> If so when you update that record using this form it will create a
> blank record in the User table.
>
> HTH, Paul.
>
> On Aug 19, 2:56 am, andrewperk <[email protected]> wrote:
>
> > Hi again, it appears that this did not fix the problem. He's still
> > gaining database access.
>
> > I've changed my core.php debug to 0. I also changed the password of my
> > database. I've checked my server to make sure it's not displaying PHP
> > errors. I'm using the Security component. I'm on Cake 1.3.10. I'm in
> > the process of upgrading my cake folder to 1.3.11 right now.
>
> > But yet, even after these changes this person has again somehow gotten
> > access to my database. He's inserting users with all fields of the
> > user table set to NULL and marking himself as a premium member (it's one
> > of my fields in the user table). He doesn't give himself a username or
> > password so he can't actually log in and abuse my system. He's just
> > got access to my database somehow.
>
> > I'm not sure how to figure out how he's doing this. Does anyone have
> > any ideas? If you need me to paste some code please let me know and
> > I'll provide it, as I'm not sure where the error might lie.
>
> > Thanks for any help.
>
> > On Aug 13, 8:57 am, euromark <[email protected]> wrote:
>
> > > Yes, with SecurityComponent this is not possible.
> > > But ceeram is right about the password displayed.
>
> > > On 13 Aug., 01:13, andrewperk <[email protected]> wrote:
>
> > > > The username and password is specific to just that database luckily.
> > > > I've changed the information. Thanks Ceeram.
>
> > > > On Aug 12, 3:51 pm, Ceeram <[email protected]> wrote:
>
> > > > > With debug on, and there is an error with db connection, it will show
> > > > > db login credentials (this is changed in latest versions), so they
> > > > > probably accessed the db itself. Is the user allowed for all hosts on
> > > > > the db or just local?

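The defect the original poster describes, and the fix, as an added CakePHP 1.3-style example; this is not the poster's code. The controller name, the `User.premium` field, the `custom` IPN field carrying the user id, and the log messages are all assumptions chosen for illustration.

```php
<?php
// Added example, not the original poster's code. CakePHP 1.3 style.
// Assumed: a User model with a 'premium' field, and a PayPal button whose
// 'custom' IPN field carries the purchasing user's id (both hypothetical).
class PaypalIpnsController extends AppController {
    var $name = 'PaypalIpns';
    var $uses = array('User');

    // BEFORE: the shape of the bug in the thread. An IPN from one of the
    // client's other PayPal buttons has no 'custom' field, so User->id ends up
    // null and saveField() INSERTs a fresh row (all NULL, premium = 1) instead
    // of UPDATEing an existing user. The "Completed" test alone does not guard
    // against that.
    function process_broken() {
        // Raw PayPal POST fields (not in Cake's data[] form) land in params['form'].
        $ipn = $this->params['form'];
        if (isset($ipn['payment_status']) && $ipn['payment_status'] == 'Completed') {
            $this->User->id = isset($ipn['custom']) ? $ipn['custom'] : null;
            $this->User->saveField('premium', 1);   // creates a blank user when id is null
        }
    }

    // AFTER: only touch a user record that was actually found.
    function process() {
        $ipn = $this->params['form'];

        if (empty($ipn['payment_status']) || $ipn['payment_status'] !== 'Completed') {
            return;  // not a completed payment; nothing to grant
        }

        // No custom field means this IPN belongs to another product of the
        // client, not to a membership purchase handled by this app.
        if (empty($ipn['custom'])) {
            $this->log('IPN without custom field ignored, txn_id=' .
                (isset($ipn['txn_id']) ? $ipn['txn_id'] : 'n/a'), LOG_DEBUG);
            return;
        }

        $user = $this->User->find('first', array(
            'conditions' => array('User.id' => $ipn['custom']),
            'recursive'  => -1,
        ));

        // The check the poster added: refuse to save unless a real user matched.
        if (empty($user)) {
            $this->log('IPN for unknown user id ' . $ipn['custom'] . ' ignored', LOG_DEBUG);
            return;
        }

        // Now the id is known to exist, so saveField() is an UPDATE, never an INSERT.
        $this->User->id = $user['User']['id'];
        $this->User->saveField('premium', 1);
    }
}
```

The point generalises beyond PayPal: in CakePHP 1.x, a `save()` or `saveField()` with an empty model `id` is an insert, so any handler that sets `$this->Model->id` from untrusted input should first confirm the record exists (or validate that the id is non-empty and owned by the expected party) before saving. Logging the ignored IPNs, as above, also makes the stray records from other buttons visible instead of looking like an intrusion.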