Hi, Just to report how it is a bad idea... at least two sql injection and one shell injection in your files.
On Mon, Jun 01, 2015 at 11:49:39AM -0500, Okupandolared wrote: > Hi, > > I have an web form. > > I need send of webform to script bash > > webform.html --> PHP proces --> create.sh > > create.sh > #!/bin/ksh > # Create user > > echo "hi!! your pass $1" > crypted="$(echo -n "$1" | smtpctl encrypt )" > maildir="$3/$2/" > echo -e "$2@$3" >> recipients > echo -e "$2@$3\t$crypted" >> credentials > echo "ejabberdctl register $2 $3 $1" > echo "INSERT INTO mails (userid, domain, password, maildir) VALUES > ('$2', '$3','$crypted', '$maildir');" | mysql -umyuser -mypass mail; sql injection on $2 and $3 as "'" isn't escaped by antiyec function > example php > <?php > function antiyec($data) { > $data = trim($data); > $data = stripslashes($data); > $data = htmlspecialchars($data); > return $data; > } > $user = antiyec($_POST['user']); > $frase1 = antiyec($_POST['pass']); > $domain = antiyec($_POST['dom']); > > $out = shell_exec('ksh create.sh $frase1 $user $domain'); shell injection on user, pass and dom variables, as ";" isn't escaped by antiyec function > echo "<pre>$out</pre>"; > ?> > > > On 06/01/15 08:50, Gareth Nelson wrote: > > Everyone is missing the bigger picture here: > > > > Why is a PHP script calling the shell? 9 times out of 10, that's a bad idea > > and things should be redesigned so that it's not needed. > > yes it is a bad idea. -- Sébastien Marie