HTH, Paul
P.S. I'm going to CakeFest Manchester for all 4 days, would love to
know who else is going .. a rare chance for us all to meet up!
On Aug 20, 5:12 am, andrewperk <andrewp...@gmail.com> wrote:
> WebbedIT, you had it correct. Thanks so much.
>
> I fixed the problem. There was never anyone gaining access to my app.
> It was in my paypal processing after a completed payment. I wasn't
> actually confirming that a user had been found before doing the update,
> so this was creating a blank user.
>
> Here's the long story:
>
> My client has other products they sell in Paypal using paypal buttons.
> So, after I enabled IPN in their account I noticed that my IPN
> table was receiving IPNs from my client's other products. In my
> app I find the user who made the payment based on a custom field that
> is returned by IPN to my app. When these other orders of my client's
> were being sent to my IPN URL that custom field wasn't available, so
> it wasn't actually finding the user to update to a premium membership,
> but it still passed my logic test of being a completed payment. The
> user wasn't ever found. Instead, like you said, I was setting the ID of
> the user to update in the controller for a user who wasn't actually
> there, and it was creating a blank one, and in that same logic it sets
> the premium subscriber field to YES.
>
> I fixed it by just checking that it actually finds a user before doing
> the update.
>
> Thanks so much for pointing that out. I appreciate everyone's help.
>
> On Aug 19, 3:43 am, WebbedIT <p...@webbedit.co.uk> wrote:
>
> > Are you sure someone is actually gaining access to your database? If
> > they were, I would expect them to do a lot worse than create some
> > blank records in your user table.
>
> > It is possible you have a form somewhere in your app for a model that
> > is related to User, but are not including User.id field in the form.
> > If so when you update that record using this form it will create a
> > blank record in the User table.
>
> > HTH, Paul.
>
> > On Aug 19, 2:56 am, andrewperk <andrewp...@gmail.com> wrote:
>
> > > Hi again, it appears that this did not fix the problem. He's still
> > > gaining database access.
>
> > > I've changed my core.php debug to 0. I also changed the password of my
> > > database. I've checked my server to make sure it's not displaying php
> > > errors. I'm using the security component. I'm on Cake 1.3.10. I'm in
> > > the process of upgrading my cake folder to 1.3.11 right now.
>
> > > But yet, even after these changes this person has again somehow gotten
> > > access to my database. He's inserting users with all fields of the
> > > user table set to NULL and marking himself as a premium member (it's one
> > > of my fields in the user table). He doesn't give himself a username or
> > > password so he can't actually log in and abuse my system. He's just
> > > got access to my database somehow.
>
> > > I'm not sure how to figure out how he's doing this. Does anyone have
> > > any ideas? If you need me to paste some code please let me know and
> > > I'll provide it, as I'm not sure where the error might lie.
>
> > > Thanks for any help.
>
> > > On Aug 13, 8:57 am, euromark <dereurom...@googlemail.com> wrote:
>
> > > > Yes, with SecurityComponent this is not possible.
> > > > But ceeram is right about the password displayed.
>
> > > > On 13 Aug., 01:13, andrewperk <andrewp...@gmail.com> wrote:
>
> > > > > The username and password is specific to just that database luckily.
> > > > > I've changed the information. Thanks Ceeram.
>
> > > > > On Aug 12, 3:51 pm, Ceeram <c33...@gmail.com> wrote:
>
> > > > > > With debug on, if there is an error with the db connection, it will show the db
> > > > > > login credentials (this is changed in latest versions), so they probably
> > > > > > accessed the db itself. Is the user allowed for all hosts on the db or just
> > > > > > local?
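The blank-user bug from the quoted thread above, shown as an added example that is not code from the thread or from CakePHP itself: a hypothetical CakePHP 1.3 IPN controller action in the "before" shape (user id taken from a find() that may have matched nothing) next to the "after" shape that only updates when a user was actually found. Model, field and log names are assumptions.

```php
<?php
// Added example, not code from the thread. Hypothetical CakePHP 1.3 controller
// that receives PayPal IPN POSTs; 'custom', 'payment_status' and 'premium'
// are assumed field names for illustration.
class PaymentsController extends AppController {
    var $uses = array('User', 'Ipn');

    // BEFORE: the pattern described in the thread. An IPN for another product
    // has no 'custom' field, so find() returns false, but User->id is still
    // assigned (null) and saveField() INSERTS a blank user with premium = 1.
    function ipn_before() {
        $ipn = $this->params['form'];
        $this->Ipn->create();
        $this->Ipn->save(array('Ipn' => $ipn));
        if ($ipn['payment_status'] == 'Completed') {
            $user = $this->User->find('first', array(
                'conditions' => array('User.id' => $ipn['custom'])));
            $this->User->id = $user['User']['id'];   // null when nothing matched
            $this->User->saveField('premium', 1);    // creates the blank row
        }
    }

    // AFTER: require a completed payment AND a matching user before updating.
    function ipn() {
        $ipn = $this->params['form'];
        $this->Ipn->create();
        $this->Ipn->save(array('Ipn' => $ipn));

        $completed = isset($ipn['payment_status']) && $ipn['payment_status'] == 'Completed';
        $userId = isset($ipn['custom']) ? $ipn['custom'] : null;
        if (!$completed || empty($userId)) {
            $this->log('IPN ignored: not a completed payment with a user id', 'ipn');
            $this->_stop();
        }
        $user = $this->User->find('first', array(
            'conditions' => array('User.id' => $userId), 'recursive' => -1));
        if (empty($user)) {
            // Unknown user: log it and do nothing, never fall through to a save
            $this->log('IPN for unknown user id ' . $userId, 'ipn');
            $this->_stop();
        }
        $this->User->id = $user['User']['id'];
        $this->User->saveField('premium', 1);
        $this->_stop();
    }
}
```

A check on the resulting logs (IPNs with no user id, IPNs for unknown ids) is also what would have revealed the client's other products posting to the same IPN URL.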
--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.