I fixed the problem. There was never anyone gaining access to my app.
It was in my PayPal processing after a completed payment. I wasn't
actually confirming that a user had been found before doing the update,
so this was creating a blank user.
Here's the long story:
My client has other products they sell in PayPal using PayPal buttons.
So, after I enabled IPN in their account I just noticed that my IPN
table was receiving IPNs from my client's other products. In my
app I find the user who made the payment based on a custom field that
is returned by IPN to my app. When these other orders of my client's
were being sent to my IPN URL, that custom field wasn't available, so
it wasn't actually finding the user to update to a premium membership,
but it still passed my logic test of being a completed payment. The
user wasn't ever found. Instead, as you said, I was setting the ID of
the user to update in the controller for a user who wasn't actually
there and it was creating a blank one and in that same logic it sets
the premium subscriber field to YES.
I fixed it by just checking that it actually finds a user before doing
the update.
Thanks so much for pointing that out. I appreciate everyone's help.
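The bug described in this post, written out as an added CakePHP 1.3-style example (not code from the thread or from the poster's app): the first action shows the shape that creates a blank premium user when an IPN arrives without the custom field, the second shows the fix of loading the user and refusing to save when no record exists. Controller, model, field and IPN parameter names are assumptions, and the action assumes the IPN has already been validated against PayPal.

```php
<?php
// Added example, not the thread's code. Names (PaymentsController, Ipn model,
// 'premium' field, 'custom' carrying the user id) are assumptions.
class PaymentsController extends AppController {
    public $uses = array('User', 'Ipn');

    // Buggy shape: an IPN for an unrelated product has no 'custom' field, so
    // $userId is empty. Model::save() only UPDATEs when exists() finds the id;
    // with no id (or an id no row has) saveField() INSERTs a new, blank user
    // whose only populated column is premium = 1.
    public function ipn_buggy() {
        $this->autoRender = false;
        $this->Ipn->save(array('Ipn' => $this->params['form']));
        if ($this->params['form']['payment_status'] === 'Completed') {
            $userId = isset($this->params['form']['custom']) ? $this->params['form']['custom'] : null;
            $this->User->id = $userId;        // empty id => INSERT, not UPDATE
            $this->User->saveField('premium', 1);
        }
    }

    // Fixed shape: keep the raw notification for audit, then only touch the
    // User table once a matching record has actually been found.
    public function ipn() {
        $this->autoRender = false;
        $data = $this->params['form'];
        $this->Ipn->save(array('Ipn' => $data));

        if (empty($data['payment_status']) || $data['payment_status'] !== 'Completed') {
            return;
        }
        if (empty($data['custom'])) {
            // Notification from a product this app does not manage: log and stop.
            $txn = isset($data['txn_id']) ? $data['txn_id'] : 'unknown';
            $this->log("IPN without custom field ignored (txn {$txn})", 'ipn');
            return;
        }
        $user = $this->User->find('first', array(
            'conditions' => array('User.id' => $data['custom']),
            'recursive' => -1,
        ));
        if (empty($user)) {
            $this->log('IPN for unknown user id ' . $data['custom'], 'ipn');
            return;                            // nothing to update; never reach save()
        }
        $this->User->id = $user['User']['id'];  // known to exist, so this is an UPDATE
        $this->User->saveField('premium', 1);
    }
}
```

The Ipn row saved before any check is what makes the stray notifications visible in the first place, which is how the poster spotted the blank users' origin.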
On Aug 19, 3:43 am, WebbedIT <p...@webbedit.co.uk> wrote:
> Are you sure someone is actually gaining access to your database? If
> they were, I would expect them to do a lot worse than create some
> blank records in your user table.
>
> It is possible you have a form somewhere in your app for a model that
> is related to User, but are not including User.id field in the form.
> If so when you update that record using this form it will create a
> blank record in the User table.
>
> HTH, Paul.
>
> On Aug 19, 2:56 am, andrewperk <andrewp...@gmail.com> wrote:
>
> > Hi again, it appears that this did not fix the problem. He's still
> > gaining database access.
>
> > I've changed my core.php debug to 0. I also changed the password of my
> > database. I've checked my server to make sure it's not displaying PHP
> > errors. I'm using the security component. I'm on Cake 1.3.10. I'm in
> > the process of upgrading my cake folder to 1.3.11 right now.
>
> > But yet, even after these changes this person has again somehow gotten
> > access to my database. He's inserting users with all fields of the
> > user table set to NULL and marking himself as a premium member (it's one
> > of my fields in the user table). He doesn't give himself a username or
> > password so he can't actually log in and abuse my system. He's just
> > got access to my database somehow.
>
> > I'm not sure how to figure out how he's doing this. Does anyone have
> > any ideas? If you need me to paste some code please let me know and
> > I'll provide it, as I'm not sure where the error might lie.
>
> > Thanks for any help.
>
> > On Aug 13, 8:57 am, euromark <dereurom...@googlemail.com> wrote:
>
> > > yes, with SecurityComponent this is not possible.
> > > but ceeram is right about the password displayed.
>
> > > On 13 Aug., 01:13, andrewperk <andrewp...@gmail.com> wrote:
>
> > > > The username and password are specific to just that database, luckily.
> > > > I've changed the information. Thanks Ceeram.
>
> > > > On Aug 12, 3:51 pm, Ceeram <c33...@gmail.com> wrote:
>
> > > > > with debug on, and there is an error with db connection, it will show db
> > > > > login credentials (this is changed in latest versions), so they probably
> > > > > accessed the db itself, is the user allowed for all hosts on the db or just
> > > > > local?