Automatic Drupal Registration and Login From VBA / VB6 / .Net

Hi All

I'm not really sure where to start with this... I have an application written in VBA - users can be uniquely identified.  What I want to do is grant automatic access to a private user forum.

The user forum is based on Drupal 7 Commons Community by Acquia and requires a login.

Basically I want the ability to create (or trigger the creation of) new users from within VBA and thereafter automatically log the user in whenever they use the VBA application.

Interested in finding out how this could be achieved and security considerations.  Also, I'm not looking to reinvent the wheel, if there is a solution that already does this, I'd be happy to hear about it.


Drupal 7 has the user_save() API. This allows you to call the function from a PHP script and it will do the dynamics of creating a user onto the Drupal system for you. You can make use of this by:

1. Create a simple PHP page which calls the user_save() api

Bootstrap Drupal so the user API is available (place the script in the Drupal root):

  <?php
  // Load Drupal 7 core so user_save() and its dependencies are defined.
  define('DRUPAL_ROOT', getcwd());
  require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
  drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

  // Field values for the new account, taken from the query string.
  $edit = array(
    'name' => $_GET["username"],
    'pass' => $_GET["password"],
    'mail' => $_GET["email"],
    'status' => 1,
    'language' => 'en',
    'init' => $_GET["email"],
    'roles' => array(2 => 'authenticated user'),
  );

  // user_save() returns the saved account object, or FALSE on failure;
  // print the new uid rather than echoing the object itself.
  $account = user_save(NULL, $edit);
  echo $account ? $account->uid : 'failed';

Now, this PHP script (by using HTTP_GET_VARS) assumes that the data is coming in either via a querystring parameter (or use $_POST for a post parameter).

2. Call the PHP page from your VBA code, sending the necessary parameters

Add a reference to the Microsoft WinHTTP Services library in your VBA Project (Tools -> References).
    Dim request As Object
    Set request = CreateObject("WinHttp.WinHttpRequest.5.1")
    ' Synchronous request (third argument False); we are using $_GET in the PHP, so we send via querystring
    request.Open "GET", "http://myServer/myDrupal/myCustomUserCreationPage.php?username=user1&password=user1&", False
    request.Send
    MsgBox request.ResponseText

Something like that. This code has NOT been tested. I don't have a Drupal instance, you'll need to do more research.

Ray Paseur commented:
I don't have a solution here, just a comment and a warning.

For anyone considering the use of HTTP_GET_VARS, this variable has been considered an anti-practice for about a decade.  Level up your PHP knowledge.  Don't do that.

PHP external variables are typically presented to the script in superglobal variables.  These include $_GET and $_POST.  The names correspond to the HTTP request methods.  

It's important to understand the difference between GET and POST.  A GET request must be both idempotent and nullipotent.  Failure to observe this rule is among the greatest security exposures yet "invented" by novice programmers.

In the code example shown here, it is suggested that you can use GET to create an authorized user in the Drupal population.  When that code is deployed, anyone with a web browser can inject authorized users into your Drupal population.  That also means that anyone who can write a script to simulate a web browser can do the same.  My guess is that you will have no more than a day or two before a flood of attack 'bots has polluted your Drupal installation beyond any hope of recovery.

Drupal is written in PHP, and PHP has a security page - worthy reading for anyone who would expose a PHP script to public access.  Since single-sign-on has been something of a "holy grail" for web developers, there are also myriad online resources that discuss single-sign-on.  Worth a Google search.  At this writing, Facebook and Twitter sign-ons seem to be popular, as is OAuth.  You might look at the general design patterns that are used by these processes and model your own single-sign-on after those which seem to work fairly well, with a minimum amount of security risk.  You might also consider using a CAPTCHA whenever an automated registration is requested.

Best of luck with your project, ~Ray

I agree with you on the use of HTTP_GET_VARS. It has been deprecated as of PHP 4.1 and I should not have made reference to it. You will notice that the code example given uses $_GET instead. And yes, for semantic correctness, $_POST should rather have been used.

Though to be honest, I think in this case, the difference between $_GET and $_POST is not the biggest security risk at all (a man-in-the-middle could collect this information or fake the calls anyhow, POST offers only marginal security here). Yes, GET is less secure, due to the fact that GET parameters are stored in server logs, website URLs (search engine crawlers etc) and browser history, etc, but the macro is already sitting in an insecure workbook, and that would be the easiest attack vector if anyone wanted to see what information is being exchanged between macro and server, just get the VBA code (Excel passwords have been known to be cracked). IMHO there is no concern over search engine crawlers etc in this case because this is not a published hyperlink.

I agree, the most secure thing to do here is to not expose the PHP script at all (regardless of the semantics of whether incorrectly using GET or correctly using POST). A CAPTCHA would be great!
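For readers who still need to expose such an endpoint, here is an added example of what the two posts above converge on: a version of the registration script that only accepts POST over HTTPS, authenticates the calling application with a timestamped HMAC, validates the fields with Drupal's own helpers, and logs every refusal so probing shows up in the watchdog log. It is not code from either answer, nor from Drupal or Acquia. It assumes Drupal 7 with the file placed in the Drupal root, a VBA client that sends form-encoded username/password/email fields plus two headers (X-Timestamp with Unix seconds and X-Signature with a hex HMAC-SHA256 over "timestamp, newline, raw body"), and a shared secret; REGISTRATION_SECRET, the header names and the vba_register log type are placeholders chosen for this example.

```php
<?php
// Added example (not from the original answers or from Drupal/Acquia).
// Hardened registration endpoint for Drupal 7; see the assumptions above.
// REGISTRATION_SECRET is a placeholder: generate your own long random value.

define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

define('REGISTRATION_SECRET', 'REPLACE-WITH-A-LONG-RANDOM-SECRET');
define('MAX_CLOCK_SKEW', 300); // seconds a signed request remains acceptable

// Refuse a request: record it in Drupal's log, send a status, return JSON.
function reject($status, $reason) {
  watchdog('vba_register', 'Rejected request from @ip: @reason',
    array('@ip' => ip_address(), '@reason' => $reason), WATCHDOG_WARNING);
  drupal_add_http_header('Status', $status);
  drupal_json_output(array('error' => $reason));
  exit;
}

// Constant-time comparison; hash_equals() needs PHP 5.6, which D7 may lack.
function same_mac($known, $given) {
  if (strlen($known) !== strlen($given)) {
    return FALSE;
  }
  $diff = 0;
  for ($i = 0; $i < strlen($known); $i++) {
    $diff |= ord($known[$i]) ^ ord($given[$i]);
  }
  return $diff === 0;
}

// 1. Creating an account changes state, so GET is never acceptable here.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
  drupal_add_http_header('Allow', 'POST');
  reject('405 Method Not Allowed', 'POST required');
}

// 2. The request carries a password: refuse plaintext HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
  reject('403 Forbidden', 'HTTPS required');
}

// 3. Authenticate the caller. Only a holder of the shared secret can produce
//    the MAC, and the timestamp window limits replay of a captured request.
$body      = file_get_contents('php://input');
$timestamp = isset($_SERVER['HTTP_X_TIMESTAMP']) ? (int) $_SERVER['HTTP_X_TIMESTAMP'] : 0;
$signature = isset($_SERVER['HTTP_X_SIGNATURE']) ? strtolower($_SERVER['HTTP_X_SIGNATURE']) : '';
if (abs(time() - $timestamp) > MAX_CLOCK_SKEW) {
  reject('403 Forbidden', 'stale or missing timestamp');
}
$expected = hash_hmac('sha256', $timestamp . "\n" . $body, REGISTRATION_SECRET);
if (!same_mac($expected, $signature)) {
  reject('403 Forbidden', 'bad signature');
}

// 4. Validate the fields with Drupal's own checks before touching the database.
$name = isset($_POST['username']) ? trim($_POST['username']) : '';
$pass = isset($_POST['password']) ? $_POST['password'] : '';
$mail = isset($_POST['email']) ? trim($_POST['email']) : '';
if ($msg = user_validate_name($name)) {
  reject('400 Bad Request', $msg);
}
if (!valid_email_address($mail)) {
  reject('400 Bad Request', 'invalid email address');
}
if (strlen($pass) < 12) {
  reject('400 Bad Request', 'password too short');
}
if (user_load_by_name($name) || user_load_by_mail($mail)) {
  reject('409 Conflict', 'account already exists');
}

// 5. Create the account with the ordinary authenticated role only.
$account = user_save(NULL, array(
  'name'     => $name,
  'pass'     => $pass,
  'mail'     => $mail,
  'init'     => $mail,
  'status'   => 1,
  'language' => 'en',
  'roles'    => array(DRUPAL_AUTHENTICATED_RID => 'authenticated user'),
));
if (!$account) {
  reject('500 Internal Server Error', 'user_save() failed');
}
watchdog('vba_register', 'Created account %name (uid @uid)',
  array('%name' => $name, '@uid' => $account->uid), WATCHDOG_NOTICE);

// Return only the uid; never echo the account object (it carries the password hash).
drupal_json_output(array('uid' => (int) $account->uid));
```

On the VBA side the client would compute the same HMAC over the timestamp and the form body with the shared secret and attach it with request.SetRequestHeader before calling request.Send with the body. As the follow-up above notes, a secret embedded in a workbook can be extracted, so this authenticates the application rather than the individual user; it stops the open-to-anyone registration Ray describes, and the watchdog entries give you something to alert on, but it is not a substitute for keeping the script off the public internet where that is possible.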
DrTribos (Author) commented:
Thanks for your comments... will take time to digest and respond. Cheers
DrTribos (Author) commented:
Hi guys,

I just wrote a whole message explaining that Bitdefender & EE's SSL cert were not playing nice on my PC and I was unable to close this due to inability to connect to EE for several weeks (also I didn't notice any email from EE telling me to close it), and then EE - Chrome - Karma decided to delete it before I posted...

Anyway, follow-up question here: