I’m setting up a postwwwacct script to set up a WordPress installation with some content pre-populated, plugins preinstalled etc. if a certain plan is chosen when creating an account in WHM.
This WordPress installation is essentially cloned from a default one that I can change/update as my default requirements change.
I’m probably an intermediate level PHP developer, but I’m new to this sort of root-level hashbang PHP stuff, so what I want to know is whether the script I’ve written is safe, and whether there are any obvious things that should be done better/differently.
Here’s what I’ve got:
#!/usr/bin/php -q
<?php
/**
* This script will automatically set up a mirror of default.example.com in a newly created account
**/
// Set up our variables to be usable by PHP
$opts = array();
$argv0 = array_shift($argv);
while(count($argv)) {
$key = array_shift($argv);
$value = array_shift($argv);
$opts[$key] = $value;
}
// Only do it if the plan is "WP Unlimited"
if($opts['plan'] !== "WP Unlimited") exit();
// Set up a few variables
$db_user = 'root';
$db_pass = 'ROOTPASSWORD';
$db_create = $opts['user'] . '_wp';
// Copy files recursively from /home/default/public_html/
exec("cp -R /home/default/public_html/* /home/{$opts['user']}/public_html; chown -R {$opts['user']}:{$opts['user']} /home/{$opts['user']}/public_html/*");
// Set up database
$conn = mysql_connect('localhost', $db_user, $db_pass);
mysql_query("CREATE DATABASE $db_create", $conn);
// Dump data from default.example.com into new DB
exec("mysqldump -h localhost -u $db_user -p$db_pass default_wp | mysql -h localhost -u $db_user -p$db_pass $db_create");
// Use WordPress' built-in configuration file maker to write config file
$_POST['dbname'] = $db_create;
$_POST['uname'] = $opts['user'];
$_POST['pwd'] = $opts['pass'];
$_POST['dbhost'] = 'localhost';
shell_exec("/home/{$opts['user']}/public_html/wp-admin/setup-config.php?step=2");
?>
I’m asking here both because I’m unsure about the safety of the shell_exec()
s in the script, and also because I have to create accounts in order to test this, and I’d rather avoid any dumb mistakes I may have made and not have a billion fake accounts on my server 🙂
Thanks!
Anything that has shell commands like exec is not safe just to answer your question. With that being said, there is not an elegant way to communicate with WHM etc. You could however enclose your POST variables in mysql_real_escape_string to prevent SQL injection attacks.