[solved] using data from a form in passthru()/system()

seth.7
Forum Newbie
Posts: 4
Joined: Thu Mar 08, 2007 7:33 am


Post by seth.7 »

feyd | Please use the code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


I am trying to do a simple form and dicto lookup, and I am running into problems again.

My form looks like:

[syntax="html"]<form method="post" action="LatinDict.php">
  Parse/Define:<input name="dictionary" type="text" /><input type="submit" />
</form>[/syntax]

My php:

Code: Select all

<?php
$dictargum = $_POST['dictionary'];
echo'<pre width="100" style="color:navy; font-family:times;">';
passthru ('words.exe $dictargum');
echo '</pre>';
?>
The form is being passed, I tested in GET mode, but the result is that the "$" is stripped out of the system() line, and the dictionary looks up "dictargum" as a word.

Thanks, Seth


Last edited by seth.7 on Fri Mar 09, 2007 2:41 pm, edited 1 time in total.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Post by Mordred »

1. In PHP variable expansion in strings happens only for strings with double quotes:

Code: Select all

"words.exe $dictargum"
2. What you did is very dangerous, the script is vulnerable to system command execution. Check the manual on passthru, there is a huge warning banner explaining why and how.
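
A hardened version of the lookup script that applies both points above (added example, not part of the original thread and not posted by any participant). It assumes words.exe takes the words to look up as separate command-line arguments and that lookups only need ASCII letters; validate_lookup() and build_command() are hypothetical helper names.

```php
<?php
// Added example: hardened variant of the LatinDict.php script from the thread.
// Assumptions: words.exe accepts each word as its own argument, and an
// allowlist of ASCII letters separated by single spaces covers all lookups.

/** Return the cleaned lookup string, or null if the input must be rejected. */
function validate_lookup($raw): ?string
{
    if (!is_string($raw)) {
        return null; // a field sent as dictionary[]=... arrives as an array
    }
    $words = trim($raw);
    if ($words === '' || strlen($words) > 64) {
        return null;
    }
    // Allowlist, not blocklist: only letters and single spaces get through,
    // so nothing the shell treats specially can reach the command line.
    if (!preg_match('/\A[A-Za-z]+(?: [A-Za-z]+)*\z/', $words)) {
        return null;
    }
    return $words;
}

/** Build the command line with every word quoted as a separate argument. */
function build_command(string $words): string
{
    // escapeshellarg() is defence in depth on top of the allowlist.
    $args = array_map('escapeshellarg', explode(' ', $words));
    return 'words.exe ' . implode(' ', $args);
}

$words = validate_lookup($_POST['dictionary'] ?? null);
if ($words === null) {
    http_response_code(400);
    echo 'Please enter Latin words using letters only.';
    exit;
}

// exec() instead of passthru() so the program output can be HTML-escaped
// before it is written into the page.
exec(build_command($words), $lines, $status);

echo '<pre style="color:navy; font-family:times;">';
echo htmlspecialchars(implode("\n", $lines), ENT_QUOTES, 'UTF-8');
echo '</pre>';
```

Validation runs before the command string is built, so rejected input never reaches the shell at all.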
seth.7
Forum Newbie
Posts: 4
Joined: Thu Mar 08, 2007 7:33 am

Thanks

Post by seth.7 »

It works - thanks for putting up with a neophyte. I saw these issues; I will definitely be using the security precautions. At the moment I kind of need to do this.