Fix command injection vulnerabilities in sqlite_create and sqlite_reset

- Use Utils\esc_cmd to properly escape database path arguments
- Add is_sqlite3_available() helper to check for sqlite3 binary
- Add preflight check with clear error message if sqlite3 not found
- Addresses security concerns about unescaped shell commands

Co-authored-by: swissspidy <841956+swissspidy@users.noreply.github.com>

Author: Copilot

src/DB_Command_SQLite.php

@@ -11,6 +11,22 @@
  */
 trait DB_Command_SQLite {
 
+	/**
+	 * Check if sqlite3 CLI binary is available.
+	 *
+	 * @return bool True if sqlite3 is available, false otherwise.
+	 */
+	protected function is_sqlite3_available() {
+		static $available = null;
+
+		if ( null === $available ) {
+			$result    = \WP_CLI\Process::create( 'which sqlite3', null, null )->run();
+			$available = 0 === $result->return_code;
+		}
+
+		return $available;
+	}
+
 	/**
 	 * Check if SQLite is being used.
 	 *
@@ -103,7 +119,13 @@ protected function sqlite_create() {
 			WP_CLI::error( 'Database already exists.' );
 		}
 
-		$command = "sqlite3 $db_path \"\"";
+		// Check if sqlite3 binary is available.
+		if ( ! $this->is_sqlite3_available() ) {
+			WP_CLI::error( 'The sqlite3 CLI binary is required but not found. Please install SQLite3.' );
+		}
+
+		// Use Utils\esc_cmd to properly escape the command and arguments.
+		$command = Utils\esc_cmd( 'sqlite3 %s %s', $db_path, '' );
 
 		WP_CLI::debug( "Running shell command: {$command}", 'db' );
 
@@ -162,7 +184,13 @@ protected function sqlite_reset() {
 			}
 		}
 
-		$command = "sqlite3 $db_path \"\"";
+		// Check if sqlite3 binary is available.
+		if ( ! $this->is_sqlite3_available() ) {
+			WP_CLI::error( 'The sqlite3 CLI binary is required but not found. Please install SQLite3.' );
+		}
+
+		// Use Utils\esc_cmd to properly escape the command and arguments.
+		$command = Utils\esc_cmd( 'sqlite3 %s %s', $db_path, '' );
 
 		WP_CLI::debug( "Running shell command: {$command}", 'db' );