feat(backend/wordpress): add PHP fallback for database export

- Bump plugin version to 1.0.2
- Add safe_arg() for secure shell argument escaping
- Add can_use_shell() to check shell execution availability
- Enhance handle_export() with shell-based mysqldump as primary, PHP native export as fallback
- Implement export_php_native() for memory-efficient SQL dump generation using mysqli
- Improve error handling and buffer cleaning for reliability on restricted hosts

This ensures the WordPress plugin works on hosts disabling shell functions by falling back to PHP-based export, enhancing compatibility and security.

Author: devlifeX

backend/wordpress/generator.go

@@ -14,7 +14,7 @@ const pluginTemplate = `<?php
 /**
  * Plugin Name: DB Sync Connector
  * Description: generated by DB Sync Manager App. Handles database export/import securely.
- * Version: 1.0.0
+ * Version: 1.0.2
  * Author: DB Sync Manager
  */
 
@@ -49,47 +49,76 @@ class DBack_Sync_API {
     return $auth_header === DBACK_API_KEY;
   }
 
+  /**
+   * Safe replacement for escapeshellarg() if disabled by host
+   */
+  private function safe_arg($string) {
+    if (function_exists('escapeshellarg')) {
+      return escapeshellarg($string);
+    }
+    // Fallback: wrap in single quotes and escape existing single quotes
+    return "'" . str_replace("'", "'\\''", $string) . "'";
+  }
+
+  /**
+   * Check if shell execution is available
+   */
+  private function can_use_shell() {
+    return function_exists('exec') && !in_array('exec', array_map('trim', explode(',', ini_get('disable_functions'))));
+  }
+
   public function handle_export($request) {
     // Increase limits
-    set_time_limit(0);
-    ini_set('memory_limit', '512M');
+    @set_time_limit(0);
+    @ini_set('memory_limit', '512M');
 
     global $wpdb;
-    $db_name = DB_NAME;
-    $db_user = DB_USER;
-    $db_pass = DB_PASSWORD;
-    $db_host = DB_HOST;
-
-    // Use mysqldump via exec if available (fastest)
     $dump_file = wp_upload_dir()['basedir'] . '/dback_dump_' . time() . '.sql.gz';
 
-    // Command: mysqldump ... | gzip > file
-    // Note: We rely on system mysqldump.
-    $cmd = sprintf(
-      'mysqldump -h %s -u %s -p%s %s | gzip > %s',
-      escapeshellarg($db_host),
-      escapeshellarg($db_user),
-      escapeshellarg($db_pass),
-      escapeshellarg($db_name),
-      escapeshellarg($dump_file)
-    );
-
-    // Execute
-    exec($cmd, $output, $return_var);
+    // 1. Try System Shell (mysqldump) if allowed
+    $shell_success = false;
+
+    if ($this->can_use_shell()) {
+        $db_name = DB_NAME;
+        $db_user = DB_USER;
+        $db_pass = DB_PASSWORD;
+        $db_host = DB_HOST;
+
+        $cmd = sprintf(
+          'mysqldump -h %s -u %s -p%s %s | gzip > %s',
+          $this->safe_arg($db_host),
+          $this->safe_arg($db_user),
+          $this->safe_arg($db_pass),
+          $this->safe_arg($db_name),
+          $this->safe_arg($dump_file)
+        );
+
+        @exec($cmd, $output, $return_var);
+
+        if ($return_var === 0 && file_exists($dump_file) && filesize($dump_file) > 0) {
+            $shell_success = true;
+        }
+    }
 
-    if ($return_var !== 0) {
-      return new WP_Error('export_failed', 'mysqldump command failed', array('status' => 500));
+    // 2. Fallback to PHP Native Export if shell failed or is disabled
+    if (!$shell_success) {
+        $res = $this->export_php_native($dump_file);
+        if (is_wp_error($res)) {
+            return $res;
+        }
     }
 
+    // Stream file download
     if (!file_exists($dump_file)) {
-      return new WP_Error('export_failed', 'Dump file not found', array('status' => 500));
+      return new WP_Error('export_failed', 'Dump file generation failed', array('status' => 500));
     }
 
-    // Stream file download
     $file_size = filesize($dump_file);
 
     // Clean buffer
-    if (ob_get_level()) ob_end_clean();
+    while (ob_get_level()) {
+        ob_end_clean();
+    }
 
     header('Content-Description: File Transfer');
     header('Content-Type: application/gzip');
@@ -106,45 +135,94 @@ class DBack_Sync_API {
     exit;
   }
 
-  public function handle_import($request) {
-    // Logic to receive file and pipe to mysql
-    // PHP REST API usually handles small bodies. For large dumps, we normally stream.
-    // But WP REST API buffers body?
-    // Ideally, we should read from php://input.
+  /**
+   * PHP-based fallback for generating SQL dump
+   */
+  private function export_php_native($filepath) {
+      global $wpdb;
+
+      $fp = gzopen($filepath, 'w9');
+      if (!$fp) {
+          return new WP_Error('export_failed', 'Cannot open file for writing. Check permissions.', array('status' => 500));
+      }
+
+      $tables = $wpdb->get_col("SHOW TABLES");
+
+      foreach ($tables as $table) {
+          // Get Create Table
+          $create_table = $wpdb->get_row("SHOW CREATE TABLE $table", ARRAY_N);
+          gzwrite($fp, "DROP TABLE IF EXISTS $table;\n");
+          gzwrite($fp, $create_table[1] . ";\n\n");
+
+          // Get Data
+          // Using unbuffered query via mysqli to save memory if available
+          if (isset($wpdb->dbh) && ($wpdb->dbh instanceof mysqli)) {
+              $result = mysqli_query($wpdb->dbh, "SELECT * FROM $table", MYSQLI_USE_RESULT);
+              if ($result) {
+                  while ($row = mysqli_fetch_row($result)) {
+                      $values = array_map(function($val) {
+                          if ($val === null) return 'NULL';
+                          return "'" . esc_sql($val) . "'";
+                      }, $row);
+                      gzwrite($fp, "INSERT INTO $table VALUES (" . implode(',', $values) . ");\n");
+                  }
+                  mysqli_free_result($result);
+              }
+          } else {
+             // Fallback for older systems (high memory usage)
+             $rows = $wpdb->get_results("SELECT * FROM $table", ARRAY_N);
+             foreach ($rows as $row) {
+                 $values = array_map(function($val) {
+                      if ($val === null) return 'NULL';
+                      return "'" . esc_sql($val) . "'";
+                 }, $row);
+                 gzwrite($fp, "INSERT INTO $table VALUES (" . implode(',', $values) . ");\n");
+             }
+          }
+          gzwrite($fp, "\n");
+      }
+
+      gzclose($fp);
+      return true;
+  }
 
-    set_time_limit(0);
+  public function handle_import($request) {
+    @set_time_limit(0);
 
     global $wpdb;
+
+    // Check if shell is possible
+    if (!$this->can_use_shell()) {
+        return new WP_Error('import_failed', 'Server shell access is disabled. Cannot run mysql import command.', array('status' => 500));
+    }
+
     $db_name = DB_NAME;
     $db_user = DB_USER;
     $db_pass = DB_PASSWORD;
     $db_host = DB_HOST;
 
-    // We can't easily pipe php://input to mysql directly in some setups if body is parsed.
-    // But let's try saving to temp file first.
     $upload_dir = wp_upload_dir()['basedir'];
     $temp_file = $upload_dir . '/dback_import_' . time() . '.sql.gz';
 
+    // Write input to temp file
     $input = fopen('php://input', 'rb');
     $file = fopen($temp_file, 'wb');
     stream_copy_to_stream($input, $file);
     fclose($input);
     fclose($file);
 
-    // Now run mysql command
-    // gunzip -c file | mysql ...
     $cmd = sprintf(
       'gunzip -c %s | mysql -h %s -u %s -p%s %s',
-      escapeshellarg($temp_file),
-      escapeshellarg($db_host),
-      escapeshellarg($db_user),
-      escapeshellarg($db_pass),
-      escapeshellarg($db_name)
+      $this->safe_arg($temp_file),
+      $this->safe_arg($db_host),
+      $this->safe_arg($db_user),
+      $this->safe_arg($db_pass),
+      $this->safe_arg($db_name)
     );
 
-    exec($cmd, $output, $return_var);
+    @exec($cmd, $output, $return_var);
 
-    unlink($temp_file);
+    if (file_exists($temp_file)) unlink($temp_file);
 
     if ($return_var !== 0) {
       return new WP_Error('import_failed', 'mysql command failed', array('status' => 500));