Automatic Drupal Registration and Login From VBA / VB6 / .Net

DrTribos used Ask the Experts™
Hi All

I'm not really sure where to start with this... I have an application written in VBA - users can be uniquely identified.  What I want to do is grant automatic access to a private user forum.

The user forum is based on Drupal 7 Commons Community by Acquia and requires a login.

Basically I want the ability to create (or trigger the creation of) new users from within VBA and thereafter automatically log the user in whenever they use the VBA application.

Interested in finding out how this could be achieved and security considerations.  Also, I'm not looking to reinvent the wheel, if there is a solution that already does this, I'd be happy to hear about it.

Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Drupal 7 has the user_save() API. This allows you to call the function from a PHP script and it will do the dynamics of creating a user onto the Drupal system for you. You can make of use of this by:

1. Create a simple PHP page which calls the user_save() api

Include the file modules/user/user.module.php
  $edit = array(
    'name' => $_GET["username"],
    'pass' => $_GET["password"],
    'mail' => $_GET["email"],
    'status' => 1,
    'language' => 'en',
    'init' => $_GET["email"],
    'roles' => array(2 => 'authenticated user'),

  echo user_save(NULL, $edit);

Open in new window

Now, this PHP script (by using HTTP_GET_VARS) assumes that the data is coming in either via a querystring parameter (or use $_POST for a post parameter).

2. Call the PHP page from you VBA code, sending the necessary parameters

Add a reference to the Microsoft WinHTTP Services library in your VBA Project (Tools -> References).
    Set request = CreateObject("WinHttp.WinHttpRequest.5.1")
    request.Open "GET", "http://myServer/myDrupal/myCustomUserCreationPage.php?username=user1&password=user1&" 'we are using $_GET in the PHP, so we send via querystring
    MsgBox request.ResponseText

Open in new window

Something like that. This code has NOT been tested. I don't have a Drupal instance, you'll need to do more research.
Most Valuable Expert 2011
Top Expert 2016

I don't have a solution here, just a comment and a warning.

For anyone considering the use of HTTP_GET_VARS, this variable has been considered an anti-practice for about a decade.  Level up your PHP knowledge.  Don't do that.

PHP external variables are typically presented to the script in superglobal variables.  These include $_GET and $_POST.  The names correspond to the HTTP request methods.  

It's important to understand the difference between GET and POST.  A GET request must be both idempotent and nullipotent.  Failure to observe this rule is among the greatest security exposures yet "invented" by novice programmers.

In the code example shown here, it is suggested that you can use GET to create an authorized user in the Drupal population.  When that code is deployed, anyone with a web browser can inject authorized users into your Drupal population.  That also means that anyone who can write a script to simulate a web browser can do the same.  My guess is that you will have no more than a day or two before a flood of attack 'bots has polluted your Drupal installation beyond any hope of recovery.

Drupal is written in PHP, and PHP has a security page - worthy reading for anyone who would expose a PHP script to public access.  Since single-sign-on has been something of a "holy grail" for web developers, there are also myriad online resources that discuss single-sign-on.  Worth a Google search.  At this writing, Facebook and Twitter sign-ons seem to be popular, as is OAuth.  You might look at the general design patterns that are used by these processes and model your own single-sign-on after those which seem to work fairly well, with a minimum amount of security risk.  You might also consider using a CAPTCHA whenever an automated registration is requested.

Best of luck with your project, ~Ray

I agree with you on the use of HTTP_GET_VARS. It has been deprecated as of PHP 4.1 and I should not have made reference to it. You will notice that the code example given uses $_GET instead. And yes, for semantic correctness, $_POST should rather have been used.

Though to be honest, I think in this case, the difference between $_GET and $_POST is not the biggest security risk at all (a man-in -the-middle could collect this information or fake the calls anyhow, POST offers only marginal security here). Yes, GET is less secure, due to the fact that GET parameters are stored in server logs, website URLs (search engine crawlers etc) and browser history, etc, but the macro is already sitting in an insecure workbook, and that would be the easiest attack vector if anyone wanted to see what information is being exchanged between macro and server, just get the VBA code (Excel passwords have been known to be cracked). IMHO there is no concern over search engine crawlers etc in this case because this is not a published hyperlink.

I agree, the most secure thing to do here is to not expose the PHP script at all (regardless of the semantics of whether incorrectly using GET or correctly using POST). A CAPTCHA would be great!


Thanks for your comments... will take time to digest and respond. Cheers


Hi guys,

I just wrote a whole message explaining that Bitdefender & EE's SSL cert were not playing nice on my PC and I was unable to close this due to inability to connect to EE for several weeks (also I didn't notice any email from EE telling me to close it), and then EE - Chrome - Karma decided to delete it before I posted...

Anyway, follow-up question here:

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial