Important Validation Security Problem

Hello everyone. We have a problem with our classifieds website, specifically at the publishing form.

Let’s start with de Ad model, we have a set of validation rules ir order to control forbidden words or phone numbers. The validation rules works fine directly through the website form, but it seems someone is trespassing these rules with some kind of post request (i supose) sent with curl.

This is one of the phone validation rules:

public function rules() {

 return array(


  array('telephone', 'notbannedphone',

                'on' => array('postvalidation', 'postmx', 'postco', 'postit')





public function notbannedphone($attribute, $params) {                        

  if ($this->$attribute != "") {                                	

    if (Yii::app()->db->createCommand()



                    ->where('ban_phone = :phone AND FIND_IN_SET("publish", ban_type)>0', array(':phone' => $this->$attribute))

                    ->queryRow()) {   	                		

      $this->addError($attribute, 'Banned');




And here the resumed controller part:

if (isset($_POST['Ad'])) {

  $model->attributes = $_POST['Ad'];

  if ($model->validate()) {



    // Other stuff



In essence, that’s the code.

Another "funny" thing is the fact that you cannot save changes in the rows that trespasses the validation rules, because in that case, the rules are applied and you cannot save, but… how could they reach into de DB? Any clues? Is that person sending some kind of header through CURL that causes the telephone string to not match its value in the table (but once stored the validation rule works)?

This has non sense for me, so i need help.

As additional info, we are using:


PHP 5.2.11

Mysql 5.0.92