The only thing is, when I execute this command from a shell, it works. 
Obviously I'm replacing $username and $password with something valid when doing 
this manually.

It's like the script clears the $username variable just before it executes the 
command, or because the variable is inside quotes, it is not getting through.


From: Ashley Sheridan 
Sent: Saturday, July 10, 2010 2:01 PM
To: Matt Morrow 
Cc: php-general@lists.php.net 
Subject: Re: [PHP] adduser & php


On Sat, 2010-07-10 at 13:45 -0500, Matt Morrow wrote: 
I am using php 5 on OpenBSD 4.7

I have a script which takes a username and password from $_POST, and is
supposed to add the user to the system database. The problem is, adduser
creates a username with the same name as the group. The code is:

                $username=$_POST['username'];
                $password=$_POST['password'];
                $output=exec('/usr/bin/sudo adduser -unencrypted -batch $username hosting "$firstname $lastname" $password');
                echo "result: " . $result . " output: " .  $output;


The output is:
                 Added user ``hosting''

I have validated that $username and $password contain the correct values
from the form, by outputting them as well above the line which calls the
adduser command.

Any help is appreciated.

Matt

I'm not entirely sure about the syntax you're using here, as it doesn't quite 
match up with what I see on the useradd (which is what adduser synonyms to) man 
page (type 'man useradd').

Aside from that, be very, very, very careful with this command. In your example 
you've not sanitised the user input, and the useradd command is used to update 
details as well as add new users, and you're running it with root privileges 
under sudo. Maybe enforce some specific name mechanism (a prefix like 
'yoursystemname_username') to ensure that people aren't unwittingly or 
deliberately trying to overwrite existing system user details.

      Thanks,
      Ash
      http://www.ashleysheridan.co.uk
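
An added example, not code from anyone in this thread: PHP does not expand variables inside a single-quoted string, so the shell receives the literal text $username, and the sketch below shows that next to a command built with an allow-listed login name, the forced prefix Ash suggests, and escapeshellarg(). The function name build_adduser_cmd(), the 'web_' prefix, the length limit and the sample values are assumptions; the adduser argument order is copied from the post, and nothing is executed.

```php
<?php
// Added example. build_adduser_cmd() and the 'web_' prefix are hypothetical.
function build_adduser_cmd(string $username, string $fullname, string $password): string
{
    // Allow-list the login name: a lowercase letter, then letters or digits.
    // The 12-character limit is a constructed bound, not an OpenBSD constant.
    if (!preg_match('/\A[a-z][a-z0-9]{0,11}\z/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // Conservative check on the free-text fields: no control characters and
    // no ':' (the field separator in passwd-style files).
    foreach ([$fullname, $password] as $field) {
        if ($field === '' || preg_match('/[\x00-\x1f\x7f:]/', $field)) {
            throw new InvalidArgumentException('invalid field');
        }
    }
    // The forced prefix keeps web sign-ups away from existing system accounts.
    $login = 'web_' . $username;
    // Concatenate instead of interpolating, and quote every value for the shell.
    return '/usr/bin/sudo adduser -unencrypted -batch '
        . escapeshellarg($login) . ' hosting '
        . escapeshellarg($fullname) . ' '
        . escapeshellarg($password);
}

// Constructed sample values.
$username = 'alice';

// Single quotes: PHP leaves $username as literal text, so the shell later
// expands it as its own (unset) variable and adduser never sees 'alice'.
$literal = '/usr/bin/sudo adduser -unencrypted -batch $username hosting';
echo "single-quoted: $literal\n";

// Validated and quoted form.
echo 'built:         ', build_adduser_cmd($username, 'Alice Example', 's3cret pw'), "\n";

// 'root' is accepted but becomes web_root; the other inputs are rejected.
foreach (['root', 'bob smith', '-batch', ''] as $candidate) {
    try {
        echo 'ok:       ', build_adduser_cmd($candidate, 'Test User', 'pw'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', var_export($candidate, true), "\n";
    }
}
```

The password is still passed as a command-line argument here, as in the original command, so it is visible in the process list while adduser runs.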


     
