I have a web interface that helps me create a profile using a command in the shell, but I have something wrong in my code, because the value entered in my web interface wasn't recognized in the shell script. This is my source code:
index.php:
<div class="inputbox">
  <form id="createProfile" name="createProfile">
    <label for="groupName">Group Name</label>
    <br/>
    <input type="text" id="groupName" name="groupName" />
    <br/>
    <label for="profileName">Profile Name</label>
    <br/>
    <input type="text" id="profileName" name="profileName" />
    <input type="button" value="Create Profile" onclick="createUser()" />
  </form>
</div>
script.js
function createUser(){
  if ($('#groupName').val() != '' && $('#profileName').val() != ''){
    $.ajax({
      type:'post',
      url: 'addProfile.php',
      data:{group_name:$('#groupName').val()+'/'+$('#profileName').val()},
      cache:false,
      success: function(returndata){
        $('#profilesList').append('<option value="'+ $('#groupName').val()+'/'+$('#profileName').val() +'">' + $('#groupName').val()+'/'+$('#profileName').val() + '</option>');
        alert('profile added');
      }
    });
  }
  else{
    alert('you must enter both group name and profile name');
  }
}
addprofile.php
<?php
$var='.$_POST['group_name'].';
$output1=shell_exec('/etc/init.d/nfsen --add-profile $var expire=0 maxsize=0 shadow=1');
echo "<pre>$output1</pre>";
?>
Can you tell me what's wrong in my code?
In your PHP code you are using ' to delimit your string. If you want $var to be expanded into its value, you must use " as your string delimiter or terminate the string and concat it like this: 'string start '.$var.' string end'.
Also, please be very careful about security here if this application is public. It would be very easy to submit a group_name that could execute any shell command.
EDIT: As pointed out by @Tool in the comment of your question, the $var= line needs to be adjusted for the same reason.
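Added example, not part of the original question or answer: one way to write addProfile.php so that the submitted group_name is interpolated correctly and cannot change the shell command. The allowlist pattern, the 32-character limit and the helper names validate_profile_spec and build_command are assumptions made for illustration.

```php
<?php
// Added example (not the asker's code): hardened addProfile.php.
// The allowlist, length limit and helper names are assumptions.

// Return the "group/profile" value if it is well-formed, otherwise null.
function validate_profile_spec($raw): ?string
{
    if (!is_string($raw)) {              // rejects group_name[]=... arrays
        return null;
    }
    // Each part: 1-32 chars of letters, digits, '_' or '-'. The first char
    // may not be '-', so the value can never be parsed as an option.
    $part = '[A-Za-z0-9_][A-Za-z0-9_-]{0,31}';
    // \A and \z anchor the whole string; '$' would tolerate a trailing newline.
    return preg_match("#\\A{$part}/{$part}\\z#", $raw) === 1 ? $raw : null;
}

// Build the command by concatenation, shell-quoting the one variable argument.
function build_command(string $spec): string
{
    return '/etc/init.d/nfsen --add-profile ' . escapeshellarg($spec)
         . ' expire=0 maxsize=0 shadow=1';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample inputs: show which values pass validation.
    $samples = ['live/test1', 'live/test1; echo x', '$(echo x)/p', '-g/p', "g/p\n"];
    foreach ($samples as $s) {
        $spec = validate_profile_spec($s);
        echo json_encode($s, JSON_UNESCAPED_SLASHES), ' => ',
             $spec === null ? 'rejected' : build_command($spec), PHP_EOL;
    }
    exit(0);
}

$spec = validate_profile_spec($_POST['group_name'] ?? null);
if ($spec === null) {
    http_response_code(400);
    exit('invalid group or profile name');
}
$output = shell_exec(build_command($spec));
// Escape the command output before reflecting it into the page.
echo '<pre>' . htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8') . '</pre>';
```

Run from the command line, the script only prints how each constructed sample is handled; under a web server it processes the POST from script.js.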