On Sat, Jul 10, 2010 at 4:39 PM, Matt M. <cmorrow132@xxxxxxxxx> wrote:
> The only thing is, when I execute this command from a shell, it works.
> Obviously I'm replacing $username and $password with something valid when
> doing this manually.
>
> It's like the script clears the $username variable just before it executes
> the command, or because the variable is inside quotes, it is not getting
> through.
>
>
> From: Ashley Sheridan
> Sent: Saturday, July 10, 2010 2:01 PM
> To: Matt Morrow
> Cc: php-general@xxxxxxxxxxxxx
> Subject: Re: adduser & php
>
>
> On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote:
> I am using php 5 on OpenBSD 4.7
>
> I have a script which takes a username and password from $_POST, and is
> supposed to add the user to the system database. The problem is, adduser
> creates a username with the same name as the group. The code is:
>
> $username=$_POST['username'];
> $password=$_POST['password'];
> $output=exec('/usr/bin/sudo adduser -unencrypted -batch
> $username hosting "$firstname $lastname" $password');
> echo "result: " . $result . " output: " . $output;
>
>
> The output is:
> Added user ``hosting''
>
> I have validated that $username and $password contain the correct values
> from the form, by outputting them as well above the line which calls the
> adduser command.
>
> Any help is appreciated.
>
> Matt
>
> I'm not entirely sure about the syntax you're using here, as it doesn't
> quite match up with what I see on the useradd (which is what adduser
> synonyms to) man page (type 'man useradd').
>
> Aside from that, be very, very, very careful with this command. In your
> example you've not sanitised the user input, and the useradd command is used
> to update details as well as add new users, and you're running it with root
> privileges under sudo. Maybe enforce some specific name mechanism (a prefix
> like 'yoursystemname_username') to ensure that people aren't unwittingly or
> deliberately trying to overwrite existing system user details.
>
> Thanks,
> Ash
> http://www.ashleysheridan.co.uk
>
>
>

Matt, one problem I see:

> output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting
> "$firstname $lastname" $password');

The code won't replace the variables (i.e., variables are not expanded)
because they're contained within single quotes and will be evaluated
literally:
http://php.net/manual/en/language.types.string.php

That said, as others have pointed out, be very, very careful with this type
of functionality. Even just viewing the code makes me feel like I should
smoke a cigarette to calm my nerves (and I've never been a smoker ;)

Adam

--
Nephtali: PHP web framework that functions beautifully
http://nephtaliproject.com
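
Added example, not part of the original thread or any poster's code: it shows the single-quote behaviour described above and one way to build the same adduser command line from validated, individually quoted arguments. The helper name build_adduser_command(), the username pattern, the 'hosting_' prefix and the sample inputs are assumptions; the script only prints the command strings and runs nothing.

```php
<?php
// Added example, not code from the thread. build_adduser_command() is a
// hypothetical helper; the adduser arguments are the ones in the post.

// Constructed sample value standing in for $_POST input.
$username = 'alice';

// The quoting bug: single quotes keep "$username" as literal text,
// double quotes interpolate it.
$single = 'adduser -batch $username hosting';
$double = "adduser -batch $username hosting";
echo $single, "\n", $double, "\n";

function build_adduser_command(string $username, string $fullname, string $password): string
{
    // Allow-list check (assumed policy): anything else is rejected, not
    // "cleaned". \A and \z are used because $ would accept a trailing newline.
    if (!preg_match('/\A[a-z][a-z0-9_]{2,15}\z/', $username)) {
        throw new InvalidArgumentException('username rejected');
    }
    // Assumed prefix, following the naming suggestion in the thread, so a
    // submitted name cannot collide with accounts such as root.
    $login = 'hosting_' . $username;

    // Quote every argument separately so the shell sees each as one word.
    // The password still travels in argv, visible in a process listing.
    $args = array_map('escapeshellarg', [$login, 'hosting', $fullname, $password]);
    return '/usr/bin/sudo adduser -unencrypted -batch ' . implode(' ', $args);
}

// Constructed inputs: one ordinary, one containing shell metacharacters.
$samples = [
    ['alice', "Alice O'Neil", 'S3cret pass'],
    ['bob; id', 'Bob', 'x'],
];
foreach ($samples as [$user, $name, $pass]) {
    try {
        echo build_adduser_command($user, $name, $pass), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($user, true), "\n";
    }
}
```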