I'm working on a WordPress theme that includes an actual installation script of its own. So this is what happens:
1.) Users download theme.zip from mysite.
theme.zip does NOT contain the theme itself, it contains the installation script and all the required files to make the installation successful.
2.) Now the user will upload theme.zip to their server (using the WP dashboard)
3.) Once they've uploaded theme.zip, they will run the installation script which requires a username and password, which is stored on MY sql db.
//the dodgy bit
Now here's what happens in the installation script.
Once the user has entered their username and password, some variables (the user's username, password and unique id number) will be sent to a php file on my server (using curl). Then my server will look into the sql db and select a certain row (using the unique id number sent earlier on) and check if the user's details are correct. If the details are correct, my server will then send some variables back (using JSON encode/decode) with a value of TRUE. Once the user's server has received the TRUE value it will continue. And if it receives a value of FALSE, it will then stop and throw an error.
Once the user has logged in successfully (my server sends back TRUE) then another CURL function will run.
This function will send a unique id to another php file on my server. The php file will then make a copy of a folder which is placed on my server and name the file with the unique id number so the duplicate folder will be called "265851654" (which contains all the theme's content). Then the php script (on my server) will compress that folder into a .zip. Once the compression is complete, it will send some info (information on where the newly produced .zip is placed on the server, ready for download) back to the user's server.
The user's server will then use the info it received from my server to generate the download link and begin downloading the .zip file. Once the download has finished, another curl function will be run. This function will do the same as the one just explained but instead of building the .zip ready for download, it deletes the .zip.
Now it does a load of other stuff too but that's all on the user's side.
Is this safe? As this theme will be available to EVERYONE which means they will be able to see the curl functions and all the other source code which they can edit as they please.
If it's not safe, could you give me some advice to help prevent those evil people from messing around?
Thanks!
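An added example, not part of the original post: in the flow described above, the build and delete steps act on whatever unique id the client sends, and the client code is editable. One way to close that gap is for the login endpoint to return a short-lived signed token and for the later endpoints to take the id only from a verified token. `SECRET_KEY`, `TOKEN_TTL`, `issue_token` and `verify_token` are hypothetical names, and the key and lifetime are placeholder values.

```php
<?php
// Added example: runs on the vendor's server only. SECRET_KEY never ships in theme.zip.
const SECRET_KEY = 'replace-with-a-long-random-server-side-value'; // placeholder
const TOKEN_TTL  = 300; // seconds a token stays valid (assumed value)

// Called by the login endpoint after the username/password check succeeds.
function issue_token(string $userId, int $now): string {
    // Digits only, so the id is safe to use later as a folder/zip name.
    if (!ctype_digit($userId)) {
        throw new InvalidArgumentException('id must be numeric');
    }
    $payload = $userId . '.' . ($now + TOKEN_TTL);
    $mac = hash_hmac('sha256', $payload, SECRET_KEY);
    return $payload . '.' . $mac;
}

// Called by the build and delete endpoints. Returns the verified id, or null.
function verify_token(string $token, int $now): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . '.' . $expires, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                        // forged or altered token
    }
    if (!ctype_digit($userId) || !ctype_digit($expires) || (int)$expires < $now) {
        return null;                        // malformed or expired
    }
    return $userId;
}

// Constructed sample run using the id from the post.
$now   = 1700000000;
$token = issue_token('265851654', $now);
var_dump(verify_token($token, $now + 10));   // token presented inside its lifetime
var_dump(verify_token($token, $now + 301));  // same token presented after expiry
$forged = '111111111' . substr($token, 9);   // client swaps in a different id
var_dump(verify_token($forged, $now + 10));  // signature no longer matches
```

The build and delete scripts would then derive the folder and .zip name from the returned id rather than from a request parameter, and all of these requests should go over HTTPS so the credentials and token are not exposed in transit.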