Re: Re: system, exec, shell_exec, passthru

On Mon, August 14, 2006 12:25 pm, Michael Jonsson wrote:
> I can run any external program like ls, cp, uptime...
> But if I try to run my shell script I get an error.
>
>           $passwdexe = "sudo /usr/bin/webpasswd";
>           $user=$_POST['name'];
>           $passwd="$passwdexe $user 123456";
>           echo $passwd;
>           $result = system($passwd);
>
> Result from the web, "sudo /usr/sbin/webpasswd billy 12345678"
> and from the error_log, "couldn't read file "./usr/sbin/webpasswd.":
> no such file or directory".

In addition to the problem you know that you have, you're also
blindly passing $_POST['name'] into the shell under a sudo, which is a
pretty monstrous security hole...

Use a full path to sudo for starters.

And use escapeshellarg on $user.

Plus, given that it is a Un*x username, it almost for sure has a
rather simple PCRE you could use on it to validate it.

-- 
Like Music?
http://l-i-e.com/artists.htm

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
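
The three suggestions in the reply above (a full path to sudo, a PCRE check on the username, and escapeshellarg), combined in one added example that is not part of the original thread. The sudo path and the username pattern are assumptions, and the command is printed rather than executed so the script runs without webpasswd installed.

```php
<?php
// Added example, not code from the thread. The sudo path and the
// username pattern are assumptions; adjust them to the local system.
const SUDO      = '/usr/bin/sudo';       // assumed full path to sudo
const WEBPASSWD = '/usr/bin/webpasswd';  // path as given in the quoted script

// Assumed policy: lowercase letter or underscore first, then up to 31
// letters, digits, underscores or hyphens. \A and \z anchor the whole
// string, so a trailing newline does not slip past as it can with $.
// Requiring a letter or underscore first also rejects names that start
// with "-" and would be read as an option by the called program.
const USERNAME_RE = '/\A[a-z_][a-z0-9_-]{0,31}\z/';

/**
 * Return the shell command line for a valid username, or null if the
 * name fails validation and nothing should be run.
 */
function build_webpasswd_command(string $user, string $password): ?string
{
    if (preg_match(USERNAME_RE, $user) !== 1) {
        return null;
    }
    // escapeshellarg() quotes each value so the shell sees it as exactly
    // one argument, even if the validation above is loosened later.
    return SUDO . ' ' . WEBPASSWD . ' '
         . escapeshellarg($user) . ' ' . escapeshellarg($password);
}

// Constructed sample inputs standing in for $_POST['name'].
$samples = ['billy', 'billy; uptime', '-h', "billy\n", ''];

foreach ($samples as $name) {
    $cmd = build_webpasswd_command($name, '123456');
    printf("%-18s => %s\n", json_encode($name), $cmd ?? 'rejected');
    // In the real handler, only a non-null $cmd would be passed on:
    //   system($cmd, $status);
}
```

Only the first sample produces a command; the other four are rejected before anything reaches the shell.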

