SECURITY FIXES:
1. SQL Injection (reference-db.sh:183)
- Escape database names with backticks in WHERE clause
- Changed: WHERE table_schema='' → WHERE table_schema=``
- Prevents malicious database names from breaking SQL queries
2. Password Exposure (reference-db.sh:166)
- Stop passing password on command line (visible in ps aux)
- Changed: mysql -uadmin -p${plesk_mysql_pass} → MYSQL_PWD env var
- Passwords no longer exposed in process listings
- Added unset MYSQL_PWD at end of function for cleanup
3. Race Condition in Temp Files (common-functions.sh:173)
- Replace mkdir -p with mktemp -d for secure temp directory creation
- Changed: mkdir -p "$TEMP_SESSION_DIR" → mktemp -d -t server-toolkit.XXXXXX
- Prevents race condition attacks on predictable paths
Testing: All changes validated for syntax and behavior
Developer