
2 Commits

Author SHA1 Message Date
cschantz ffdfd52763 Fix WORDSPLIT issues in for loops (HIGH priority)
Converted unsafe 'for var in $list' loops to 'while read' loops
to properly handle items with spaces in names.

reference-db.sh (4 fixes):
- Line 172: Database iteration (SHOW DATABASES)
- Line 330: Server alias iteration (space-separated aliases)
- Line 345: Domain iteration (get_user_domains)
- Line 414: WordPress config file paths (find results)

user-manager.sh (4 fixes):
- Line 396: Domain iteration in cPanel log paths
- Line 404: Domain iteration in Plesk log paths
- Line 410: Domain iteration in InterWorx log paths
- Line 632: User iteration (list_all_users)

Pattern changes:
- for item in $list → while IFS= read -r item
- Added [ -z "$item" ] && continue for safety
- Used echo "$list" | while or piped commands directly

This prevents word splitting on spaces in database names,
domain names, file paths, and usernames.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-02 17:34:56 -05:00
cschantz e8fae7f7ae Fix NULL check issues (HIGH priority)
Added validation checks for potentially empty variables before use
to prevent errors and unsafe operations.

WordPress Cron Manager (5 fixes):
- Added site_path validation after dirname operations
- Prevents using empty paths in cd commands and file operations
- Pattern: Check [ -z "$site_path" ] before use

Bot Analyzer:
- Quoted TEMP_DIR in trap command for safety

Hardware Health Check:
- Quoted MESSAGES_CACHE in trap command for safety

Note: 5 issues flagged in toolkit-qa-check.sh were false positives
(echo statements demonstrating bad patterns, not actual code issues)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-02 17:32:15 -05:00
5 changed files with 37 additions and 18 deletions
+11 -10
@@ -166,11 +166,12 @@ build_databases_section() {
mysql_cmd="mysql -uadmin -p${plesk_mysql_pass}"
fi
local all_dbs=$($mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v "^information_schema$\|^mysql$\|^performance_schema$\|^sys$" || true)
local total_dbs=$(echo "$all_dbs" | wc -l)
local total_dbs=$($mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v "^information_schema$\|^mysql$\|^performance_schema$\|^sys$" | wc -l)
local current=0
for db in $all_dbs; do
# Use while read to safely iterate over database names (handles spaces)
$mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v "^information_schema$\|^mysql$\|^performance_schema$\|^sys$" | while IFS= read -r db; do
[ -z "$db" ] && continue
current=$((current + 1))
show_progress $current $total_dbs "Indexing databases..."
@@ -328,7 +329,8 @@ build_domains_section() {
# Also add aliases as separate entries
if [ -n "$server_alias" ]; then
for alias in $server_alias; do
# Convert space-separated aliases to newline-separated for safe iteration
echo "$server_alias" | tr ' ' '\n' | while IFS= read -r alias; do
[ -z "$alias" ] && continue
[ -n "${seen_domains[$alias]:-}" ] && continue
@@ -341,9 +343,9 @@ build_domains_section() {
else
# Fallback for non-cPanel or if userdata not available
local primary_domain=$(get_user_domains "$user" | head -1)
local all_domains=$(get_user_domains "$user")
for domain in $all_domains; do
# Use while read to safely iterate over domains (handles spaces)
get_user_domains "$user" | while IFS= read -r domain; do
[ -z "$domain" ] && continue
[ -n "${seen_domains[$domain]:-}" ] && continue
@@ -409,10 +411,9 @@ build_domains_section() {
build_wordpress_section() {
echo "[WORDPRESS]" >> "$SYSREF_DB"
# Find all wp-config.php files
local wp_configs=$(find $SYS_USER_HOME_BASE -name "wp-config.php" -type f 2>/dev/null)
for wp_config in $wp_configs; do
# Find all wp-config.php files and iterate safely (handles spaces in paths)
find "$SYS_USER_HOME_BASE" -name "wp-config.php" -type f 2>/dev/null | while IFS= read -r wp_config; do
[ -z "$wp_config" ] && continue
local wp_dir=$(dirname "$wp_config")
# Extract username from path (/home/username/...)
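Review bot: Piping into `while IFS= read -r …` runs each loop body in a subshell, so the `current` counter in the database loop is discarded when the loop ends; the same would happen to any `seen_domains[...]` entries written further down the alias and domain loops, though those writes fall outside the hunks and are inferred. Feeding the loop through process substitution keeps it in the current shell: `while IFS= read -r db; do` … `done < <($mysql_cmd -Ns -e "SHOW DATABASES" 2>/dev/null | grep -v …)`. The database hunk also runs `SHOW DATABASES` twice, once for `total_dbs` and once for the loop, so the progress total can disagree with what is iterated; capturing the list once and reading it with `done <<< "$all_dbs"` avoids that. The loop bodies continue outside the hunks.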
+12 -6
@@ -394,7 +394,9 @@ get_user_log_files() {
case "$SYS_CONTROL_PANEL" in
cpanel)
for domain in $domains; do
# Iterate safely over domains (handles spaces in domain names)
echo "$domains" | while IFS= read -r domain; do
[ -z "$domain" ] && continue
echo "${SYS_LOG_DIR}/${domain}"
echo "${SYS_LOG_DIR}/${domain}-ssl_log"
done
@@ -402,13 +404,17 @@ get_user_log_files() {
plesk)
echo "/var/www/vhosts/${username}/statistics/logs/access_log"
echo "/var/www/vhosts/${username}/statistics/logs/error_log"
for domain in $domains; do
# Iterate safely over domains (handles spaces in domain names)
echo "$domains" | while IFS= read -r domain; do
[ -z "$domain" ] && continue
echo "/var/www/vhosts/${domain}/statistics/logs/access_log"
echo "/var/www/vhosts/${domain}/statistics/logs/error_log"
done
;;
interworx)
for domain in $domains; do
# Iterate safely over domains (handles spaces in domain names)
echo "$domains" | while IFS= read -r domain; do
[ -z "$domain" ] && continue
echo "/home/${username}/var/${domain}/logs/access_log"
echo "/home/${username}/var/${domain}/logs/error_log"
done
@@ -628,9 +634,9 @@ get_database_owner() {
# Database names are typically: username_dbname
local prefix=$(echo "$db_name" | cut -d_ -f1)
# Check if this prefix matches a user
local users=$(list_all_users)
for user in $users; do
# Check if this prefix matches a user (iterate safely over usernames)
list_all_users | while IFS= read -r user; do
[ -z "$user" ] && continue
if [ "$user" = "$prefix" ]; then
echo "$user"
return 0
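Review bot: In the `get_database_owner` hunk, `return 0` now sits on the right-hand side of a pipeline, which bash runs in a subshell, so it only ends that subshell and the function carries on past `done` into whatever follows outside the hunk. Keep the loop in the current shell by reading from process substitution: `while IFS= read -r user; do` … `done < <(list_all_users)`. In the three `get_user_log_files` loops, `echo "$domains" | while IFS= read -r domain` iterates once per line, so if `$domains` is space-separated, as the old `for domain in $domains` allowed, the whole list becomes a single bogus log path. The format of `$domains` is not visible here, so confirm it is newline-separated or normalise it first, for example with `tr ' ' '\n'` as the alias loop in reference-db.sh does.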
+1 -1
@@ -1700,7 +1700,7 @@ main() {
touch "$MESSAGES_CACHE"
fi
# Cleanup cache on exit
trap "rm -f $MESSAGES_CACHE" EXIT
trap "rm -f \"$MESSAGES_CACHE\"" EXIT
# Run diagnostics with progress indicators
echo -e "${YELLOW}[1/11]${NC} Analyzing disk SMART status and predictive failure indicators..."
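Review bot: The trap string is still double-quoted, so `$MESSAGES_CACHE` is expanded when the trap is installed and the resulting text is parsed again as shell code at exit; the added `\"` copes with spaces, but a path containing `"`, `$` or a backquote would still be interpreted rather than treated as a filename. Single quotes defer expansion to exit time and keep the value as data: `trap 'rm -f -- "$MESSAGES_CACHE"' EXIT`. The same applies to the `rm -rf` trap on `TEMP_DIR` in the next file section, where the equivalent is `trap 'rm -rf -- "$TEMP_DIR"' EXIT`. Both forms read the variable at exit, so check that neither is reassigned after the trap is set.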
+1 -1
@@ -240,7 +240,7 @@ mkdir -p "$TEMP_DIR" || {
}
# Cleanup on exit
trap "rm -rf $TEMP_DIR" EXIT
trap "rm -rf \"$TEMP_DIR\"" EXIT
#############################################################################
# Bot Signature Database
@@ -379,6 +379,10 @@ case "$choice" in
# Add cron job with staggered timing
site_path=$(dirname "$wp_config")
if [ -z "$site_path" ]; then
echo -e "${RED}${NC} Could not determine site path"
continue
fi
cron_cmd="cd $site_path && /usr/bin/php -q wp-cron.php >/dev/null 2>&1"
# Add to user's crontab - Multi-panel support
@@ -522,6 +526,10 @@ case "$choice" in
while IFS= read -r wp_config; do
total=$((total + 1))
site_path=$(dirname "$wp_config")
if [ -z "$site_path" ]; then
echo -e "${RED}✗ Could not determine site path${NC}"
continue
fi
user=$(extract_user_from_path "$site_path")
echo -e "${BOLD}Processing:${NC} $site_path (user: $user)"
@@ -898,6 +906,10 @@ case "$choice" in
while IFS= read -r wp_config; do
total=$((total + 1))
site_path=$(dirname "$wp_config")
if [ -z "$site_path" ]; then
echo -e "${RED}✗ Could not determine site path${NC}"
continue
fi
user=$(extract_user_from_path "$site_path")
echo -e "${BOLD}Processing:${NC} $site_path (user: $user)"
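Review bot: The added `[ -z "$site_path" ]` guards in all three `case "$choice"` hunks cannot fire in practice, because `dirname` prints `.` for an empty or slash-less argument, so `site_path` is never empty after it. Test what can actually go wrong instead, e.g. `if [ -z "$wp_config" ] || [ "${site_path#/}" = "$site_path" ]; then`, which rejects an empty input and any non-absolute result. In the first hunk the value then goes unquoted into `cron_cmd="cd $site_path && …"`, a string that is presumably parsed later by the shell cron starts, so a path containing spaces or shell metacharacters would change the installed command; it should be quoted for that shell before being embedded. The loops and the enclosing `case` start and end outside the hunks.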