that in my user table, I have a field called subscriber (varchar) and
by default (SQL default) when a user is created this field is populated
with the word NO in it. The blank user fields that are being created
have the subscriber field marked as YES.
If my form was doing what you say, shouldn't the subscriber field also
be marked as NULL? Instead all fields except subscriber are NULL and
the subscriber field is marked as YES. The only logic I have that
messes with the subscriber field is my PayPal update which gets the
user who made the payment and updates their subscriber field to yes.
Thanks.
On Aug 19, 3:43 am, WebbedIT <p...@webbedit.co.uk> wrote:
> Are you sure someone is actually gaining access to your database? If
> they were, I would expect them to do a lot worse than create some
> blank records in your user table.
>
> It is possible you have a form somewhere in your app for a model that
> is related to User, but are not including User.id field in the form.
> If so when you update that record using this form it will create a
> blank record in the User table.
>
> HTH, Paul.
>
> On Aug 19, 2:56 am, andrewperk <andrewp...@gmail.com> wrote:
>
> > Hi again, it appears that this did not fix the problem. He's still
> > gaining database access.
>
> > I've changed my core.php debug to 0. I also changed the password of my
> > database. I've checked my server to make sure it's not displaying PHP
> > errors. I'm using the security component. I'm on Cake 1.3.10. I'm in
> > the process of upgrading my cake folder to 1.3.11 right now.
>
> > But yet, even after these changes this person has again somehow gotten
> > access to my database. He's inserting users with all fields of the
> > user table set to NULL and marking himself as a premium member (it's one
> > of my fields in the user table). He doesn't give himself a username or
> > password so he can't actually log in and abuse my system. He's just
> > got access to my database somehow.
>
> > I'm not sure how to figure out how he's doing this. Does anyone have
> > any ideas? If you need me to paste some code please let me know and
> > I'll provide it, as I'm not sure where the error might lie.
>
> > Thanks for any help.
>
> > On Aug 13, 8:57 am, euromark <dereurom...@googlemail.com> wrote:
>
> > > yes, with security component this is not possible.
> > > but ceeram is right about the password displayed.
>
> > > On 13 Aug., 01:13, andrewperk <andrewp...@gmail.com> wrote:
>
> > > > The username and password is specific to just that database luckily.
> > > > I've changed the information. Thanks Ceeram.
>
> > > > On Aug 12, 3:51 pm, Ceeram <c33...@gmail.com> wrote:
>
> > > > > with debug on, and there is an error with db connection, it will show db
> > > > > login credentials (this is changed in latest versions), so they probably
> > > > > accessed the db itself, is the user allowed for all hosts on the db or just
> > > > > local?
--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
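
Paul's reply above describes a save that carries no User id creating a blank record. The sketch below is an added example, not code from the thread or from CakePHP: `TinyUserModel` and both handler functions are hypothetical stand-ins, and the insert-when-no-key behaviour is an assumption modelled on that description. It shows how a single-field update issued without a valid id leaves a row where only that field is populated, next to a guard that refuses the write.

```php
<?php
// Added illustration. TinyUserModel is a hypothetical in-memory stand-in.
// Assumption: a save with no usable primary key INSERTs a new row,
// a save with an existing key UPDATEs that row.
class TinyUserModel {
    public $rows = array();   // id => row
    private $nextId = 1;

    public function add($username) {
        $id = $this->nextId++;
        // 'NO' mirrors the column default described in the thread.
        $this->rows[$id] = array('username' => $username, 'subscriber' => 'NO');
        return $id;
    }

    public function exists($id) {
        return $id !== null && isset($this->rows[$id]);
    }

    public function saveField($id, $field, $value) {
        if (!$this->exists($id)) {
            // No usable key: a new row appears and the other columns stay NULL.
            $id = $this->nextId++;
            $this->rows[$id] = array('username' => null, 'subscriber' => null);
        }
        $this->rows[$id][$field] = $value;
        return $id;
    }
}

// Unguarded handler: trusts whatever user id the payment callback resolved to.
function markSubscriberUnguarded(TinyUserModel $users, $userId) {
    return $users->saveField($userId, 'subscriber', 'YES');
}

// Guarded handler: writes only when the id maps to an existing user.
function markSubscriberGuarded(TinyUserModel $users, $userId) {
    if (!$users->exists($userId)) {
        return false; // log the callback for review instead of saving
    }
    return $users->saveField($userId, 'subscriber', 'YES');
}

$users = new TinyUserModel();
$users->add('alice');                          // constructed sample user
markSubscriberUnguarded($users, null);         // lookup found no user
var_dump(markSubscriberGuarded($users, null)); // guarded call is refused
print_r($users->rows);                         // inspect the resulting rows
```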