开发者

Is this postwwwacct script safe/ideal?

问答 作者:

I'm setting up a postwwwacct script to set up a WordPress installation with some content pre-populated, plugins preinstalled etc. if a certain plan is chosen when creating an account in WHM.

This WordPress installation is essentially cloned from a default one that I can change/update as my default requirements change.

I'm probably an intermediate level PHP developer, but I'm new to this sort of root-level hashbang PHP stuff, so what I want to know is whether the script I've written is safe, and whether there are any obvious things that should be done better/differently.

Here's what I've got:

#!/usr/bin/php -q
<?php
/**
 * This script will automatically set up a mirror of default.example.com in a newly created account
**/


// Set up our variables to be usable by PHP
$opts = array();
$argv0 = array_shift($argv);

while(count($argv)) {
    $key = array_shift($argv);
    $val开发者_开发知识库ue = array_shift($argv);
    $opts[$key] = $value;
}

// Only do it if the plan is "WP Unlimited"
if($opts['plan'] !== "WP Unlimited") exit();

// Set up a few variables
$db_user = 'root';
$db_pass = 'ROOTPASSWORD';
$db_create = $opts['user'] . '_wp';

// Copy files recursively from /home/default/public_html/
exec("cp -R /home/default/public_html/* /home/{$opts['user']}/public_html; chown -R {$opts['user']}:{$opts['user']} /home/{$opts['user']}/public_html/*");

// Set up database
$conn = mysql_connect('localhost', $db_user, $db_pass);
mysql_query("CREATE DATABASE $db_create", $conn);

// Dump data from default.example.com into new DB
exec("mysqldump -h localhost -u $db_user -p$db_pass default_wp | mysql -h localhost -u $db_user -p$db_pass $db_create");

// Use WordPress' built-in configuration file maker to write config file
$_POST['dbname'] = $db_create;
$_POST['uname']  = $opts['user'];
$_POST['pwd']    = $opts['pass'];
$_POST['dbhost'] = 'localhost';

shell_exec("/home/{$opts['user']}/public_html/wp-admin/setup-config.php?step=2");

?>

I'm asking here both because I'm unsure about the safety of the shell_exec()s in the script, and also because I have to create accounts in order to test this, and I'd rather avoid any dumb mistakes I may have made and not have a billion fake accounts on my server :)

Thanks!

Anything that has shell commands like exec is not safe just to answer your question. With that being said, there is not an elegant way to communicate with WHM etc. You could however enclose your POST variables in mysql_real_escape_string to prevent SQL injection attacks.

$_POST['dbname'] = mysql_real_escape_string($db_create);
$_POST['uname']  = mysql_real_escape_string($opts['user']);
$_POST['pwd']    = mysql_real_escape_string($opts['pass']);
$_POST['dbhost'] = 'localhost';

继续阅读:phpwordpress

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9