On Sat, Jul 10, 2010 at 14:45, Matt Morrow <cmorrow132@xxxxxxxxx> wrote:
>
> $username=$_POST['username'];
> $password=$_POST['password'];
> $output=exec('/usr/bin/sudo adduser -unencrypted -batch
> $username hosting "$firstname $lastname" $password');
> echo "result: " . $result . " output: " . $output;

Very, very bad idea. If I were to post the following as a username:

    >> /dev/null; /usr/bin/sudo rm -f /etc/passwd; /usr/bin/sudo rm -fR /; #

.... your server could eat itself alive, literally.

Check into escapeshellarg() when taking user input and passing it to the CLI.

--
</Daniel P. Brown>
daniel.brown@xxxxxxxxxxxx || danbrown@xxxxxxx
http://www.parasane.net/ || http://www.pilotpig.net/

--
PHP General Mailing List (http://www.php.net/)
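
The escapeshellarg() advice above, as an added example that is not part of the original thread: it builds the same adduser command with and without escaping and prints the strings instead of running them. The function names, the username allow-list pattern and the sample values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Raw interpolation, as in the quoted code: the shell parses whatever arrives.
function build_unsafe(array $in): string
{
    return "/usr/bin/sudo adduser -unencrypted -batch {$in['username']} hosting "
         . "\"{$in['firstname']} {$in['lastname']}\" {$in['password']}";
}

// Every user-supplied value becomes exactly one single-quoted shell word.
function build_escaped(array $in): string
{
    // Assumed policy (not from the thread): lowercase login names, max 32 chars.
    // Rejecting a leading "-" also stops a value from being read as an option,
    // which escapeshellarg() alone does not prevent.
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $in['username'])) {
        throw new InvalidArgumentException('username rejected by allow-list');
    }
    $args = [
        '-unencrypted',
        '-batch',
        $in['username'],
        'hosting',
        $in['firstname'] . ' ' . $in['lastname'],
        $in['password'],
    ];
    return '/usr/bin/sudo adduser ' . implode(' ', array_map('escapeshellarg', $args));
}

// Constructed sample input standing in for $_POST.
$benign = [
    'username'  => 'jdoe',
    'firstname' => 'Jane',
    'lastname'  => "O'Neil",
    'password'  => 's3cret; "quoted" value',
];
$hostile = ['username' => 'x; echo INJECTED #'] + $benign;

echo "unsafe : ", build_unsafe($hostile), "\n";   // ';' would start a second command
echo "escaped: ", build_escaped($benign), "\n";   // quotes and ';' stay inside one word
try {
    build_escaped($hostile);
} catch (InvalidArgumentException $e) {
    echo "hostile: ", $e->getMessage(), "\n";
}
```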