Somebody is playing with my site ...?
#1

[eluser]Twisted1919[/eluser]
Hello, i have a serious problem .
I own a site , a community based website where everyone cand register and share photos , comments,votes etc etc .
Yesterday for first time , i discovered that all the members on the site had the same profile description and the same yahoo messenger id , so i tought that may be some database error , do , i replaced everything with my backup and no problems , till second day , when same problem appears ... somebody seems to modify the description of all profiles , all profiles have the same description and the same yahoo messenger id ...
i am using just the AR class for database , and the xajax implementation , but with xajax i am using the xss filter on all my forms so i don't think that somebody can do bad things , as the xss class is pretty strong .
The admin password is pretty salted , users too , so i don't think it could be broken at all.

Another thing is that , from now , i have more then 11.000 registered users , and in my database the primary key and the indexes are build on the profile_id , but , i am taking out the users from the database , based on their username not based on their id , could this be a problem at this number of registered users ?


Any ideas ?
If would help , i can give you the website url so you can see the problem as it really is .
#2

[eluser]Michael Wales[/eluser]
Are you logging user activity? That would be the first way to determine if it's something happening across your site (maybe a bug, like a missing WHERE clause) or some other vulnerability. Someone may also have direct access to your database (via PHPMyAdmin, SSH, etc.).

Logs are your friend in this case - your hosting provider should be able to help with logging connections to the database to see what application, IP, that connection came from.
#3

[eluser]GSV Sleeper Service[/eluser]
As Michael said, this sounds like a missing WHERE clause. One thing that tripped me up when using the CI DB class: the where clause is reset after running an update. I discovered this the hard way, after accidentally updating ~15,000 rows instead of one, oops.
#4

[eluser]Twisted1919[/eluser]
For all the DB calls I am using a database model, so as you say I should look deeper into the structure; I hope I'll find the problem.
About logging, if I use the CI logging utility, would that help?
#5

[eluser]Michael Wales[/eluser]
Yup - just place a debug log after all of your SQL queries (or at least the ones involving profile edits) and dump your SQL query into that log. Sit and wait for the one missing the WHERE statement; I can almost guarantee that is what is causing the problem - it fits the bill exactly.
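The two points above (post #3's builder that clears its WHERE state after an update, and post #5's advice to log every query and watch for the one without a WHERE) can be reproduced together in a self-contained script. This is an added example, not code from the thread or from CodeIgniter: it is written in Python against an in-memory SQLite table rather than CI's PHP Active Record, the `QueryBuilder` class is a hypothetical stand-in that only imitates the reset-after-update behaviour described in post #3, the `profiles` schema and the three sample rows are constructed, and `find_unscoped_writes` is the log check a practitioner would run over the dumped SQL.

```python
import re
import sqlite3

# Constructed sample rows standing in for the profiles table (hypothetical schema):
# three users with distinct descriptions and Yahoo Messenger ids.
SAMPLE_PROFILES = [
    ("alice", "likes photos", "alice_ym"),
    ("bob", "votes a lot", "bob_ym"),
    ("carol", "comments", "carol_ym"),
]


def make_db():
    """Fresh in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (profile_id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE, description TEXT, ym_id TEXT)"
    )
    conn.executemany(
        "INSERT INTO profiles (username, description, ym_id) VALUES (?, ?, ?)",
        SAMPLE_PROFILES,
    )
    conn.commit()
    return conn


class QueryBuilder:
    """Toy stateful builder (hypothetical, not CI's Active Record): where()
    calls accumulate until update() runs; update() executes, appends the SQL
    to a log list, then clears the accumulated WHERE state."""

    def __init__(self, conn, log, refuse_unscoped=False):
        self.conn = conn
        self.log = log
        self.refuse_unscoped = refuse_unscoped
        self._where = []
        self._params = []

    def where(self, column, value):
        self._where.append(f"{column} = ?")
        self._params.append(value)
        return self

    def update(self, table, data):
        sql = f"UPDATE {table} SET " + ", ".join(f"{k} = ?" for k in data)
        params = list(data.values()) + self._params
        if self._where:
            sql += " WHERE " + " AND ".join(self._where)
        elif self.refuse_unscoped:
            # Guard: an UPDATE with no WHERE would rewrite every row.
            raise ValueError(f"refusing unscoped write: {sql}")
        self.log.append(sql)
        affected = self.conn.execute(sql, params).rowcount
        self.conn.commit()
        self._where, self._params = [], []  # reset after every write
        return affected


def buggy_edit_profile(qb, username, description, ym_id):
    """Sets where() once and issues two updates; the second runs unscoped."""
    qb.where("username", username)
    qb.update("profiles", {"description": description})
    return qb.update("profiles", {"ym_id": ym_id})  # WHERE already cleared


def fixed_edit_profile(qb, username, description, ym_id):
    """One where() per write; both columns go in a single scoped UPDATE."""
    return qb.where("username", username).update(
        "profiles", {"description": description, "ym_id": ym_id}
    )


WRITE_RE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.IGNORECASE)
WHERE_RE = re.compile(r"\bWHERE\b", re.IGNORECASE)


def find_unscoped_writes(sql_lines):
    """Return the logged UPDATE/DELETE statements that carry no WHERE clause."""
    return [s for s in sql_lines if WRITE_RE.match(s) and not WHERE_RE.search(s)]


def distinct_ym_ids(conn):
    return [r[0] for r in conn.execute("SELECT DISTINCT ym_id FROM profiles")]


if __name__ == "__main__":
    log = []
    conn = make_db()
    n = buggy_edit_profile(QueryBuilder(conn, log), "alice", "new text", "alice2")
    print(n, "rows hit by the buggy path; ym_ids now:", distinct_ym_ids(conn))
    print("flagged by the log check:", find_unscoped_writes(log))
```

Running the buggy path collapses every row's `ym_id` to one value, which is exactly the symptom in post #1, and the log check flags the single statement responsible. The `refuse_unscoped` switch shows the defensive side: turning every unscoped UPDATE into an exception at the query layer stops the damage before it reaches 11,000 rows. MySQL has a comparable session setting, `sql_safe_updates`, which rejects UPDATE and DELETE statements whose WHERE clause does not use a key.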
#6

[eluser]garymardell[/eluser]
You'd have more luck enabling the profiler and trying all the features on your site that could possibly modify that table, and seeing what SQL command is produced.
#7

[eluser]Twisted1919[/eluser]
Ok, thanks for your reply, I'll come back with the result :)
#8

[eluser]Michael Wales[/eluser]
Quote: You'd have more luck enabling the profiler and trying all the features on your site that could possibly modify that table, and see what sql command is produced.

Unfortunately, I completely disagree. Obviously, something is wrong with Twisted's code. During his original development cycle he would have written a feature, jumped to a browser and tested it. If he didn't induce this bug during that testing cycle, why would he induce this bug on a live site with 11,000 users this time around? Plus, if this bug exists, what other bugs exist? Why limit testing to this one table just because it's the one causing an issue right now?

Users are your guinea pigs - they will do amazingly stupid and destructive things that you would never have thought of. Let them do their job: destroy your application. Luckily, it sounds as if you have a consistent backup and recovery plan - good, that's what it is for! No point having backup/recovery if you don't intend to use it.

You will discover exponentially more about your application and what it is actually doing by watching your users than you could ever dream of accomplishing in the same amount of time. Whereas you can only test one feature at a time, you have an estimated 600-1000 people on your site testing a ton of features at any given time of the day.

I'll take 288,000 tests (600 every 3 minutes, 24 hours, you are free to do what you want) per day over 240 tests per day (1 every 3 minutes, 12 hours, occupying all of your time).
#9

[eluser]Twisted1919[/eluser]
Heh, thank you Michael, but it seems that I must take a copy of the website and retest the newly implemented features, because the bug is somewhere there, I think ... this is hard work and lost time ...
If you have any other suggestions I am willing to test them.