Form and name

[ChrisMartino]

hey i would like it so in a form the user fills out there eg a form with username and password and with that data it creates the ftp account and file named after that data heres the code

<?php
echo exec('cd /home/users');
echo exec('mkdir user_name');
echo exec('useradd user_name -p your_password -d /home/users -s /bin/false');
?>

 

so how would i make it create the dir and the ftp user and password off the data submited in the form? so replace the user_name with the username they submited in the form.

anyone know please?

[thebadbad]

No offence, but if you don't know how to do that, chances are you aren't aware of the security implications of feeding user input to a function like exec().

 

You can read about variables here in the manual: http://dk.php.net/manual/en/language.variables.php

The chapter "Variables From External Sources" deals with user input from a HTML form.

 

And when you get to feeding the user input to exec(), have a look at these functions: escapeshellarg(), escapeshellcmd()

[ChrisMartino]

i thought php is server sided whats the worst they can do?

[trq]

Take control of your server.

[Garethp]

You want something like

 

$string = 'useradd ' . $_POST['username'] . ' -p ' . $_POST['password'] . ' -d /home/users -s /bin/false';

exec($string);

 

But as the guys above said, without the proper security, they could do anything and everything they wanted, if you let them. And all it takes to let them is not knowing how to deal with insecure inputs