3

I need to capture user input on a web form and pass it to a script to create a user account but I cannot get it to work. so far I have a add_user.sh script that reads like this:

adduser -u $NAME -p $PASS -g users -s /bin/bash

but im not sure if that's going to capture user entered data from the web form?

Improve this question
3
  • you have to pass these parameters on the php command you're using to call add_user.sh. Something like this: passthru("add_user.sh -u $NAME -p $PASS");. Commented Oct 31, 2013 at 16:55
  • 2
    if $NAME is coming from a web form, then you had make ABSOLUTELY sure that you're using proper methods to pass that to a command line app. Consider what happens if the user enters ; rm -rf / as their username... e.g. php.net/escape_shell_arg Commented Oct 31, 2013 at 16:55
  • 1
    Of course, what Marc B said is completely true. Commented Oct 31, 2013 at 16:58

2 Answers 2

Reset to default
2

You can build it into a string and then use exec If your server has it enabled

$str = 'adduser -u ' . $NAME . ' -p ' . $PASS . ' -g users -s /bin/bash';
exec(escapeshellcmd($str));

I should have probably noted before, many hosts disable this and any functions that perform command line commands for security reasons. Just because this exists doesn't make it a good idea.

Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

Somewhat dangerous, depending on security settings and the data source of $NAME and $PASS. php.net/manual/en/function.escapeshellcmd.php php.net/manual/en/function.escapeshellarg.php
Marc B's comment to the OP applies as well. $NAME and $PASS have to be cleaned thoroughly before invoking the command.
Oh dear, this is rather dangerous :) Don't use this method
I edited my answer. quasivivo was right and I added that function in
I'd love to register with user name gniourf -g admin or something such :) Please do not use this method.
0

Write your script add_user.sh like this (mind the quotes): 

#!/bin/sh
adduser -u "$1" -p "$2" -g users -s /bin/bash

Render it executable:

me@somewhere$ chmod +x add_user.sh

And call it from within php as: 

<?php
    $command="/path/to/add_user.sh ".escapeshellarg($name)." ".escapeshellarg($pass);
    exec ($command,$output=array(),$return_value);
    if($return_value!==0) {
        # Oh dear! something bad happened
    }
?>

(I don't have php installed here, so I can't thoroughly test my answer)

If you don't want to use your auxilliary script, you can directly do: 

<?php
    $command="/path/to/adduser -u ".escapeshellarg($name)." -p ".escapeshellarg($pass)." -g users -s /bin/bash";
    exec ($command,$output=array(),$return_value);
    if($return_value!==0) {
        # Oh dear! something bad happened
    }
?>

Please make sure you test the return value (as I did). You'll have the command's output in the array $output.

Using escapeshellarg for each argument is much safer than calling escapeshellcmd on the already built in full command.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.