amresmat, posted April 23, 2014

Hello

I have a PHP script which takes the username and password and sends them to a Python script to hash them. I didn't write the PHP script, I found it on the internet; I'm a novice in PHP. The PHP script is a simple form so users can insert their username and password. PHP takes these inputs from the form and sends them to the Python script.

My problem is that when the password contains $$, or in general $, it gets translated to a random number when sent to the script. For example, PA$$W0RD will be PA2356W0RD. If in the password field I surround the password with single quotes, the password gets passed to the Python script as it is. So how do I make the PHP script take the dollar sign as it is without converting it to a number, or how do I make the PHP script surround the password with single quotes when passing it to the Python script?

PHP Code

```php
<?php
///////////////////////////////////////////////////////////////
// PHP script to change Linux password
// SEE following URL for more info:
// http://www.cyberciti.biz/tips/change-linux-or-unix-system-password-using-php-script.html
// Written by nixCraft <http://www.cyberciti.biz/>
// Distributed under GNU/GPL v2.0+
///////////////////////////////////////////////////////////////

// change .. me! - shell script name
$shellscript = "python /home/rconfig/www/test1.py";

// Make sure form is submitted by user
if (!(isset($_POST['pwdchange']))) {
    // if not display them form
    writeHead("Hash password");
    writeForm();
    writeFoot();
} else {
    // try to change the password
    $callshell = true;
    // get username and password
    $_POST['username'] = stripslashes(trim($_POST['username']));
    $_POST['passwd'] = stripslashes(trim($_POST['passwd']));

    // if user skip our javascript ...
    // make sure we can only change password if we have both username and password
    if (empty($_POST['username'])) {
        $callshell = false;
    }
    if (empty($_POST['passwd'])) {
        $callshell = false;
    }
    if ($callshell == true) {
        // command to change password
        $cmd = "$shellscript " . $_POST['username'] . " " . $_POST['passwd'];
        // call command
        // $cmd - command, $output - output of $cmd, $status - useful to find if command failed or not
        exec($cmd, $output, $status);
        if ($status == 0) {
            // Success - password Hash
            writeHead("Password Hashed");
            echo '<h3>Password Hashed</h3>Setup a <a href=' . $_SERVER['PHP_SELF'] . '>new password</a>';
            writeFoot();
        } else {
            // Password failed
            writeHead("Password hashing failed");
            echo '<h3>Password hashing failed</h3>';
            echo '<p>System returned following information:</p><pre>';
            print_r($output);
            echo '</pre>';
            echo '<p><em> Please try again, if the problem still exist contact the concerned team for more info <a href=' . $_SERVER['PHP_SELF'] . '>again</a></em></p>';
            writeFoot();
        }
    } else {
        writeHead("Something was wrong -- Please try again");
        echo 'Error - Please enter username and password';
        writeForm();
        writeFoot();
    }
}

// display html head
function writeHead($title) {
    echo '
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title> ' . $title . '</title>
<style type="text/css" media="screen">
.passwdform { position: static; overflow: hidden; }
.passwdleft { width: 25%; text-align: right; clear: both; float: left; display: inline; padding: 4px; margin: 5px 0; }
.passwdright { width: 70%; text-align: left; float: right; display: inline; padding: 4px; margin: 5px 0; }
.passwderror { border: 1px solid #ff0000; }
.passwdsubmit { }
</style>
</head>
<body>';
}

// display html form
function writeForm() {
    echo '
<h3>Use following form to change password:</h3>
<script>
function checkForm() {
    if (document.forms.changepassword.elements[\'username\'].value.length == 0) {
        alert(\'Please enter a value for the "User name" field\');
        return false;
    }
    if (document.forms.changepassword.elements[\'passwd\'].value.length == 0) {
        alert(\'Please enter a value for the "Password" field\');
        return false;
    }
    return true;
}
</script>
<div class="contactform">
<form action="' . $_SERVER['PHP_SELF'] . '" method="post" onSubmit="return checkForm()" name="changepassword">
<div class="passwdleft"><label for="lblusername">User Name: </label></div>
<div class="passwdright"><input type="text" name="username" id="lblusername" size="30" maxlength="50" value="" /> (required)</div>
<div class="passwdleft"><label for="lblpasswd">Password: </label></div>
<div class="passwdright"><input type="password" name="passwd" id="lblpasswd" size="30" maxlength="50" value="" /> (required)</div>
<div class="passwdright"><input type="submit" name="Submit" value="Change password" id="passwdsubmit" />
<input type="hidden" name="pwdchange" value="process" /></div>
</form>
</div>
';
}

// display footer
function writeFoot() {
    echo '</body>
</html>
';
}
?>
```

I can post the Python script if needed.

Thanks

Link to comment: https://forums.phpfreaks.com/topic/287974-problem-with-dollar-sign-php-in-password-form/

Psycho, posted April 23, 2014 (edited April 23, 2014 by Psycho)

How are you verifying "where" the dollar signs are getting modified? I can think of no reason why PHP would modify the value in that manner, so my guess is that the problem is with how the dollar sign is interpreted in Python. I don't know Python at all, but a quick Google search found several pages regarding special string interpretations for dollar signs within strings for Python.

If having single quotes around the value works and does not change the value that Python interprets, you could add quotes around the value before you pass it. If not, then you really need to be looking for a Python solution.

But, why are you using Python to hash the password when you can do it within PHP anyway. Seems like an over-complication.

amresmat (Author), posted April 23, 2014

> How are you verifying "where" the dollar signs are getting modified? I can think of no reason why PHP would modify the value in that manner, so my guess is that the problem is with how the dollar sign is interpreted in Python. I don't know Python at all, but a quick Google search found several pages regarding special string interpretations for dollar signs within strings for Python.
>
> If having single quotes around the value works and does not change the value that Python interprets, you could add quotes around the value before you pass it. If not, then you really need to be looking for a Python solution.
>
> But, why are you using Python to hash the password when you can do it within PHP anyway. Seems like an over-complication.

Thanks for your reply. Yes, if the password is surrounded by single quotes it will be taken as it is. If a user entered the password between single quotes it will work fine with no mistakes, but it would be weird to ask users to write their passwords surrounded by single quotes. I think yes, it is a Python problem with the dollar sign, not PHP; that's why I want PHP to enclose the password in single quotes and then pass it to the Python script.

I know I can hash and do all the stuff with PHP, but I know Python, I don't know PHP; that's why I did this with Python.

Jacques1, posted April 23, 2014

```php
$cmd="$shellscript " . $_POST['username'] . " " . $_POST['passwd'];
// ...
exec($cmd,$output,$status);
```

Seriously, WTF? Do you understand that this piece of code gives any website visitor direct access to a system shell? This script is malware. It's a backdoor. You need to delete it right now.

You can't just download some PHP code you found on some fishy website. Do you not understand how dangerous this is? I mean, you wouldn't download an executable file from an untrusted source, would you?

If you don't know PHP, then either learn it or don't use it. But downloading random PHP code from the Internet is definitely not an option.

amresmat (Author), posted April 23, 2014

> $cmd="$shellscript " . $_POST['username'] . " " . $_POST['passwd'];
> ...
> exec($cmd,$output,$status);
>
> Seriously, WTF? Do you understand that this piece of code gives any website visitor direct access to a system shell? This script is malware. It's a backdoor. You need to delete it right now.
>
> You can't just download some PHP code you found on some fishy website. Do you not understand how dangerous this is? I mean, you wouldn't download an executable file from an untrusted source, would you?
>
> If you don't know PHP, then either learn it or don't use it. But downloading random PHP code from the Internet is definitely not an option.

I know anybody can try to execute something, since the PHP code is used to execute a shell script, for example by adding a semicolon and then a script or command. But don't worry, this won't be used for public accessibility at all, it is just private for other purposes. No risk at all, I'm not that stupid.

Jacques1, posted April 23, 2014

Passing uncontrolled input to a shell isn't a good idea on any planet. I wouldn't be surprised if the issue with the dollar signs is a symptom of this severe bug.

If you think you should keep the script, I can't stop you from doing that. Unfortunately, there are no laws against terrible code. But if you care just a tiny, tiny bit about things like quality or correctness, flush this sh*t down the toilet.

Psycho, posted April 23, 2014 (edited April 23, 2014 by Psycho) [Solution]

> . . . it would be weird to ask users to write their passwords surrounded by single quotes, i think yes it is python problem with dollar sign not php that why i want php to enclose the password in single quotes then pass it to the python script

And, why would you ask the user to put the quotes? You should do it programmatically.

```php
$_POST['passwd'] = "'" . stripslashes(trim($_POST['passwd'])) . "'";
```

Although I'm not real confident that will really work. You are trying to fix the problem in the wrong place and it would probably be best achieved within the Python script.

Plus, to Jacques1's point, you state this is for 'private' purpose, but yet you state you have users that you don't want to have to dictate format. Rather than ignore the comments given you really need to take them into serious consideration. If you need help - then ask.

But, I will ask the same question as before. Why are you using a Python script to hash the password when you can do that easier in PHP?

EDIT: Never mind, I see you are changing a Linux password. I thought this was a password for the user in the DB. Although, I would look for a way to do it in PHP if possible. I really don't have knowledge of something like that.

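Where the number comes from, as an added example (not code from the thread or from the original script): `exec()` hands its string to `/bin/sh`, and the shell replaces `$$` with its own process ID before the called program starts. The sketch compares raw concatenation, hand-added quotes, `escapeshellarg()` and a shell-free `proc_open()` call; `printf` stands in for `test1.py`, and all function names and sample values are assumptions.

```php
<?php
// Added example, not code from the thread. `printf` stands in for
// "python /home/rconfig/www/test1.py"; all function names are hypothetical.

/** Run a command line through /bin/sh, as exec() does; return [exit status, output]. */
function viaShell(string $args): array
{
    exec("printf '%s|%s' " . $args, $output, $status);
    return [$status, implode("\n", $output)];
}

/** Pattern from the original script: values pasted into the command unquoted. */
function concatenated(string $user, string $pass): array
{
    return viaShell($user . ' ' . $pass);
}

/** Hand-added single quotes: works until the value itself contains a quote. */
function manuallyQuoted(string $user, string $pass): array
{
    return viaShell("'" . $user . "' '" . $pass . "'");
}

/** escapeshellarg() quotes the value and also escapes any quote inside it. */
function escaped(string $user, string $pass): array
{
    return viaShell(escapeshellarg($user) . ' ' . escapeshellarg($pass));
}

/** PHP >= 7.4: an array command is executed directly, so no shell parses it. */
function withoutShell(string $user, string $pass): array
{
    $proc = proc_open(['printf', '%s|%s', $user, $pass], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start printf');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $out];
}

// Constructed sample passwords; single-quoted PHP strings are not interpolated.
$samples = ['PA$$W0RD', 'it\'s$$secret'];

foreach ($samples as $pass) {
    foreach (['concatenated', 'manuallyQuoted', 'escaped', 'withoutShell'] as $fn) {
        [$status, $out] = $fn('alice', $pass);
        // "intact" means the program received exactly the bytes the user typed.
        $verdict = ($status === 0 && $out === 'alice|' . $pass) ? 'intact' : 'altered or failed';
        printf("%-15s %-14s status=%d out=%s => %s\n", $fn, $pass, $status, $out, $verdict);
    }
}
```

`escapeshellarg()` only stops the shell from interpreting the value; the called program still receives it, so a value that starts with `-` can be read as an option unless the input is validated first.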
Psycho, posted April 23, 2014 (edited April 23, 2014 by Psycho)

Here is a rewrite of your script that resolves many of the problems in the logic and security. It *may* also resolve the issue with the dollar signs. The function escapeshellarg() is a PHP function to escape a value for use as a shell argument. If not, you can try adding the quotes to the value before you send it to the Python script.

I didn't test this, so there may be a few syntax errors to resolve.

```php
<?php
///////////////////////////////////////////////////////////////
// PHP script to change Linux password
// SEE following URL for more info:
// http://www.cyberciti.biz/tips/change-linux-or-unix-system-password-using-php-script.html
// Written by nixCraft <http://www.cyberciti.biz/>
// Distributed under GNU/GPL v2.0+
///////////////////////////////////////////////////////////////

$title = '';
$resultMessage = '';
$displayForm = false;

// Make sure form is submitted by user
if (!(isset($_POST['pwdchange']))) {
    // if not display them form
    $title = "Hash password";
    $displayForm = true;
} else {
    // try to change the password
    // get username and password
    $username = stripslashes(trim($_POST['username'] ?? ''));
    $password = stripslashes(trim($_POST['passwd'] ?? ''));

    // if user skip our javascript ...
    // make sure we can only change password if we have both username and password
    // (tested before escaping, because escapeshellarg('') returns "''", which is never empty)
    if (!empty($username) && !empty($password)) {
        // Define shell script
        $shellscript = "python /home/rconfig/www/test1.py";
        // escape each value so the shell treats it as one literal argument
        $username = escapeshellarg($username);
        $password = escapeshellarg($password);
        // command to change password
        $cmd = "$shellscript {$username} {$password}";
        // call command
        // $cmd - command, $output - output of $cmd, $status - useful to find if command failed or not
        exec($cmd, $output, $status);
        if ($status == 0) {
            // Success - password Hash
            $title = "Password Hashed";
            $resultMessage .= "<h3>Password Hashed</h3>Setup a <a href='{$_SERVER['PHP_SELF']}'>new password</a>\n";
        } else {
            // Password failed
            $title = "Password hashing failed";
            $resultMessage .= "<h3>Password hashing failed</h3>\n";
            $resultMessage .= "<p>System returned following information:</p>\n";
            $resultMessage .= "<pre>" . print_r($output, 1) . "</pre>\n";
            $resultMessage .= "<p><em> Please try again, if the problem still exist contact the concerned team for more info";
            $resultMessage .= "<a href='{$_SERVER['PHP_SELF']}'>again</a></em></p>\n";
        }
    } else {
        $title = "Something was wrong -- Please try again";
        $resultMessage .= "Error - Please enter username and password\n";
        $displayForm = true;
    }
}

// display html form
function writeForm($display) {
    if (!$display) { return; }
    echo "<h3>Use following form to change password:</h3>\n";
    echo "<script>\n";
    echo "function checkForm() {\n";
    echo " if (document.forms.changepassword.elements[\'username\'].value.length == 0) {\n";
    echo " alert(\'Please enter a value for the \"User name\" field\');\n";
    echo " return false;\n";
    echo " }\n";
    echo " if (document.forms.changepassword.elements[\'passwd\'].value.length == 0) {\n";
    echo " alert(\'Please enter a value for the \"Password\" field\');\n";
    echo " return false;\n";
    echo " }\n";
    echo " return true;\n";
    echo "}\n";
    echo "</script>\n";
    echo " <div class=\"contactform\">\n";
    echo "<form action='{$_SERVER['PHP_SELF']}' method='pos' onSubmit='return checkForm()' name='changepassword'>\n";
    echo "<div class='passwdleft'><label for='lblusername'>User Name: </label></div>\n";
    echo "<div class='passwdright'><input type='text' name='username' id='lblusername' size='30' maxlength='50' value='' /> (required)</div>\n";
    echo "<div class='passwdleft'><label for='lblpasswd'>Password: </label></div>\n";
    echo "<div class='passwdright'><input type='password' name='passwd' id='lblpasswd' size='30' maxlength='50' value='' /> (required)</div>\n";
    echo "<div class='passwdright'><input type='submit' name='Submit' value='Change password' id='passwdsubmit' />\n";
    echo "<input type='hidden' name='pwdchange' value='process' /></div>\n";
    echo "</form>\n";
    echo " </div>\n";
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title><?php echo $title; ?></title>
<style type="text/css" media="screen">
.passwdform { position: static; overflow: hidden; }
.passwdleft { width: 25%; text-align: right; clear: both; float: left; display: inline; padding: 4px; margin: 5px 0; }
.passwdright { width: 70%; text-align: left; float: right; display: inline; padding: 4px; margin: 5px 0; }
.passwderror { border: 1px solid #ff0000; }
.passwdsubmit { }
</style>
</head>
<body>
<?php echo $resultMessage; ?>
<?php writeForm($displayForm); ?>
</body>
</html>
```

amresmat (Author), posted April 23, 2014 (edited April 23, 2014 by amresmat)

> And, why would you ask the user to put the quotes? You should do it programmatically.
>
> $_POST['passwd'] = "'" . stripslashes(trim($_POST['passwd'])) . "'";
>
> Although I'm not real confident that will really work. You are trying to fix the problem in the wrong place and it would probably be best achieved within the Python script.
>
> Plus, to Jacques1's point, you state this is for 'private' purpose, but yet you state you have users that you don't want to have to dictate format. Rather than ignore the comments given you really need to take them into serious consideration.
>
> But, I will ask the same question as before. Why are you using a Python script to hash the password when you can do that easier in PHP?
>
> EDIT: Never mind, I see you are changing a Linux password. I thought this was a password for the user in the DB. Although, I would look for a way to do it in PHP if possible. I really don't have knowledge of something like that.

Thanks, that worked and solved the problem. As I said, I don't know PHP, I know Python; that is why I used a Python script. If you can tell me how to use PHP to hash the password with SHA-512 plus salt, Linux style, and save the username and hash in a file, that would be great.

All I want from this script and the users is just the hash, and it won't be used for changing a Linux password. No user will change a password or do something serious. Also, the server containing this script does not contain anything important, and nobody will have access to this hashing script form before my acknowledgement.

I did get that code from the link that explains how to use it to change a Linux password, but all I want is the PHP part. I put in my own script for my purpose; I don't need it to change a Linux password.

"If you need help - then ask": I did ask for help and I really appreciate your help.

Hope these answered your questions. I'm going to read your last reply.

Thanks again

Psycho, posted April 23, 2014 (edited April 23, 2014 by Psycho)

```php
//Use whatever method you want for salting
$combined_password = $password . $salt;
$hash = hash('sha512', $combined_password);
```

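One way to produce the Linux-style salted SHA-512 format the asker describes (the `$6$` scheme stored in `/etc/shadow`) directly in PHP, with no shell call, and to save the username and hash to a file. This is an added example, not code from the thread; the function names, the username rule and the file location are assumptions.

```php
<?php
// Added example, not code from the thread. Function names, the username
// pattern and the output file location are hypothetical.

/** Return a "$6$" (SHA-512 crypt) hash, the format Linux stores in /etc/shadow. */
function sha512CryptHash(string $password): string
{
    // 16 random salt characters from the crypt alphabet [./0-9A-Za-z]
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[random_int(0, 63)];
    }
    // Single-quoted so the "$6$" prefix reaches crypt() literally.
    $hash = crypt($password, '$6$' . $salt . '$');
    if (strncmp($hash, '$6$', 3) !== 0) {
        throw new RuntimeException('crypt() did not produce a SHA-512 hash');
    }
    return $hash;
}

/** Re-hash the candidate with the stored salt and compare in constant time. */
function verifySha512Crypt(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

/** Append "username:hash" to a file readable only by its owner. */
function appendCredential(string $file, string $username, string $hash): void
{
    // Allowlist keeps ':' and newlines out of the record (assumed naming rule).
    if (!preg_match('/^[a-z_][a-z0-9_-]{0,31}$/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    $line = $username . ':' . $hash . "\n";
    if (file_put_contents($file, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('could not write ' . $file);
    }
    chmod($file, 0600);
}

// Constructed sample values.
$file = sys_get_temp_dir() . '/hashes-example.txt';
$hash = sha512CryptHash('PA$$W0RD');
appendCredential($file, 'alice', $hash);

echo $hash, "\n";
var_dump(verifySha512Crypt('PA$$W0RD', $hash));   // the password as typed
var_dump(verifySha512Crypt('PA2356W0RD', $hash)); // the shell-mangled variant from the first post
```

The password never passes through a shell here, so `$` characters need no quoting at all.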
amresmat (Author), posted April 24, 2014

Thanks Psycho for your help, both methods you presented solved the dollar sign problem.

I tried your modified code; the problem with it is that the username and password appear in the URL after pressing the submit button.

Psycho, posted April 24, 2014

> the problem with it is that username and password appear on the url after pressing submit button.

Just a typo. Change this

```php
echo "<form action='{$_SERVER['PHP_SELF']}' method='pos' onSubmit='return checkForm()' name='changepassword'>\n";
```

to this:

```php
echo "<form action='{$_SERVER['PHP_SELF']}' method='post' onSubmit='return checkForm()' name='changepassword'>\n";
```

Note: the method value should be 'post' not 'pos'

amresmat (Author), posted April 24, 2014

Thanks again. One last thing, sorry: the JavaScript does not work. I tried to modify some things but it still does not work.

Psycho, posted April 24, 2014

```php
echo "<h3>Use following form to change password:</h3>\n";
echo "<script>\n";
echo "function checkForm(formObj)\n";
echo "{\n";
echo " if(!formObj.elements['username'].value.length || !formObj.elements['passwd'].value.length)\n";
echo " {\n";
echo " alert('Please enter values for the \"User name\" and \"Password\" fields');\n";
echo " return false;\n";
echo " }\n";
echo " return true;\n";
echo "}\n";
echo "</script>\n";
echo " <div class='contactform'>\n";
echo "<form action='{$_SERVER['PHP_SELF']}' method='post' onSubmit='return checkForm(this)' name='changepassword'>\n";
echo "<div class='passwdleft'><label for='lblusername'>User Name: </label></div>\n";
echo "<div class='passwdright'><input type='text' name='username' id='lblusername' size='30' maxlength='50' value='' /> (required)</div>\n";
echo "<div class='passwdleft'><label for='lblpasswd'>Password: </label></div>\n";
echo "<div class='passwdright'><input type='password' name='passwd' id='lblpasswd' size='30' maxlength='50' value='' /> (required)</div>\n";
echo "<div class='passwdright'><input type='submit' name='Submit' value='Change password' id='passwdsubmit' />\n";
echo "<input type='hidden' name='pwdchange' value='process' /></div>\n";
echo "</form>\n";
echo " </div>\n";
```