changelog

Complete the head()/foot() → setHead()/setFoot() migration for the last
nine front-end modules, and update both basic.html templates to render
the article title as <h1> when in single-view mode and <h3> in list mode.

Core changes:

1. pages/index.php → setHead(seo); setFoot()
2. recommend/index.php → setHead(); setFoot()
3. rss/index.php → setHead(); setFoot()
4. search/index.php → setHead(); setFoot()
5. shop/index.php → setHead(seo); setFoot()
- Pass title, desc, img, time, ctitle, author
6. sitemap/index.php → setHead(); setFoot()
7. users/index.php → setHead(); setFoot()
8. voting/index.php → setHead(seo); setFoot()
9. whois/index.php → setHead(); setFoot()

10. templates/default/basic.html and templates/lite/basic.html:
• Wrap title in {%if is_view%}<h1>…</h1>{%else%}<h3>…</h3>{%endif%}
* Single-article view uses semantically correct <h1> for SEO
* List views retain <h3> for visual hierarchy

Benefits:
• All front-end modules now use the unified SEO-aware setHead() API
• Templates emit correct heading hierarchy — <h1> on detail pages
improves Schema.org headline alignment and core-web-vitals LCP

Technical notes:
• head()/foot() aliases can be removed in a future cleanup pass
• {%if is_view%} is evaluated by the template engine; no PHP changes needed
• Backward compatible: basic.html change is purely additive

Migrate nine front-end modules (forum, help, jokes, links, main, media,
money, news, order) from head()/foot() to setHead()/setFoot(), pass SEO
metadata via the new API, and fix remaining raw SQL interpolation with
named placeholders.

Core changes:

1. forum/index.php:
• head() → setHead(seo); foot() → setFoot()
• Pass title, desc, img, time, ctitle, author to setHead()

2. help/index.php:
• head() → setHead(seo); foot() → setFoot()

3. jokes/index.php:
• head() → setHead(seo); foot() → setFoot()

4. links/index.php:
• head() → setHead(seo); foot() → setFoot()

5. main/index.php:
• head() → setHead(); foot() → setFoot()
• Remove unused \$confn / \$confrs locals

6. media/index.php:
• head() → setHead(seo); foot() → setFoot()

7. money/index.php:
• head() → setHead(); foot() → setFoot()

8. news/index.php:
• head() → setHead(seo); foot() → setFoot()
• SQL: category WHERE clause uses named placeholders (:ncat1, :ncat_re, :ncat2)
• catid IN() list uses intval() cast to prevent injection
• \$admin_file → \$afile global alignment

9. order/index.php:
• head() → setHead(seo); foot() → setFoot()

Benefits:
• SEO data (title, author, img, time) flows cleanly through setHead() API
• Eliminates remaining raw SQL string interpolation in news category queries
• Consistent global naming (\$afile) across module layer

Technical notes:
• news/index.php catid IN() uses intval() map — safe for any array content
• Functional behavior preserved in all nine modules

Migrate eight front-end module index files from head()/foot() to
setHead()/setFoot(), use \$conf['users'] instead of the \$confu alias,
and fix raw SQL string interpolation to use prepared statements with
named placeholders where applicable.

Core changes:

1. account/index.php:
• head() → setHead(); foot() → setFoot()
• \$confu['…'] → \$conf['users']['…'] throughout
• SQL queries for user_name/user_email use named placeholders
• Remove unused \$confn/\$confrs globals

2. auto_links/index.php:
• head() → setHead(); foot() → setFoot()
• Minor getVar() and SQL cleanup

3. changelog/index.php:
• head() → setHead(); foot() → setFoot()

4. clients/index.php:
• head() → setHead(); foot() → setFoot()
• Prepared statements for client queries

5. contact/index.php:
• head() → setHead(); foot() → setFoot()

6. content/index.php:
• head() → setHead(); foot() → setFoot()
• Pass SEO fields (title, desc, img, time, ctitle, author) to setHead()

7. faq/index.php:
• head() → setHead(); foot() → setFoot()

8. files/index.php:
• head() → setHead(); foot() → setFoot()

Benefits:
• Modules now pass structured SEO data to setHead() instead of setting globals
• Prepared statements eliminate raw string interpolation in SQL
• Removed dependency on legacy \$confu alias

Technical notes:
• \$conf['users'] array was always available; \$confu was an alias
• setHead() / setFoot() are backward compatible with empty-array calls

Apply uniform refactoring to all 22 module admin index files:
replace header()+exit; redirect pairs with setRedirect(), and
replace list() destructuring with short array syntax [].

Core changes:

1. All modules/*/admin/index.php (22 files):
• setRedirect() replaces header('Location: …')+exit; patterns
* account, auto_links, changelog, clients, contact, content, faq,
files, forum, help, jokes, links, media, money, news, order,
pages, rss, shop, sitemap, voting, whois
• list() → [] for sql_fetchrow() and array destructuring
• Minor getVar() default corrections where applicable

Benefits:
• All admin entry points now use centralized redirect helper
• Consistent array destructuring syntax across entire admin layer

Technical notes:
• Functional behavior unchanged
• No DB schema or API contract changes

Complete the admin module migration: list()->[], setRedirect(), getVar()
for all remaining admin panel modules. Includes security.php IP/ban
management and statistic/uploads modules.

Core changes:

1. privat.php:
• setRedirect() replaces header()+exit; pairs

2. ratings.php:
• list() → [] for sql_fetchrow() destructuring
• setRedirect() replaces header()+exit; pairs

3. referers.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

4. replace.php:
• setRedirect() replaces header()+exit; pairs

5. security.php (admin module):
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

6. statistic.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

7. template.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

8. uploads.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

Benefits:
• All 22 admin modules now use uniform redirect and array destructuring
• No direct superglobal header() calls remain in admin module layer

Technical notes:
• Purely syntactic/convention migration; zero logic changes
• Backward compatible with existing sessions and DB state

Continue the list()->[], setRedirect(), and getVar() migration across
seven more admin modules. All header()+exit; redirect pairs replaced
with the centralized setRedirect() helper.

Core changes:

1. favorites.php:
• setRedirect() replaces header()+exit; pairs

2. fields.php:
• list() → [] for sql_fetchrow() destructuring
• setRedirect() replaces header()+exit; pairs

3. groups.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

4. lang.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

5. messages.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

6. modules.php:
• setRedirect() replaces header()+exit; pairs

7. newsletter.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

Benefits:
• Consistent redirect handling across all admin modules
• Eliminates legacy list() syntax — short array syntax throughout

Technical notes:
• Logic and DB queries unchanged
• Backward compatible

Replace deprecated list() with short array syntax [], use setRedirect()
instead of header()+exit; pairs, switch $_COOKIE reads to getVar(), and
fix null-default values on getVar() calls across seven admin modules.

Core changes:

1. admins.php:
• list() → [] for sql_fetchrow() destructuring
• getVar('post', 'amodules[]', 'var', []) — explicit empty default
• $_COOKIE['sl_close_9'] → getVar('cookie', 'sl_close_9', 'num', 0)
• setRedirect() replaces header()+exit; pairs
• del(): guard $id > 0 before DELETE query

2. blocks.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs
• getVar defaults corrected

3. categories.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

4. comments.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

5. config.php:
• setRedirect() replaces header()+exit; pairs

6. database.php:
• setRedirect() replaces header()+exit; pairs

7. editor.php:
• list() → [] throughout
• setRedirect() replaces header()+exit; pairs

Benefits:
• Eliminates silent header()/exit anti-pattern; redirects now centralized
• Short array syntax aligns with PHP 7.1+ codebase conventions
• getVar() for cookies prevents direct superglobal access

Technical notes:
• Behavior preserved; no logic changes
• Backward compatible with existing DB schema

Replace the ad-hoc plaintext error log with an AI-ready NDJSON schema
(one JSON object per line). Inline closure helpers replace global named
functions to avoid namespace pollution, and all sensitive fields are
redacted before logging.

Core changes:

1. Error log engine (core/security.php):
• New schema: timestamp, level, type, message, req_id, ip, method, url,
referer, ua, context (query/post/cookie_keys/session_keys), file, line,
trace, mem_mb, mem_peak_mb, duration_ms, php_version, slaed_version
• Inline closures: \$ls (sanitize/truncate), \$lredact (mask secrets),
\$lbound (cap array size), \$lctx (bounded request context), \$lreq,
\$lmem, \$lwrite (atomic file append with flock)
• HTTP error handler: logs 403/404/503 with request context + referer
• PHP error handler: logs warnings/notices/fatals with file+line+trace
• Exception handler: logs uncaught exceptions with full stack trace
• Unhandled rejection: register_shutdown_function for fatal errors

Benefits:
• Log entries are machine-parseable — compatible with log aggregators
• Sensitive keys (pass, token, auth, secret, etc.) auto-redacted
• No more log injection: \r \n \0 stripped before writing
• Atomic flock()-based writes prevent concurrent log corruption

Technical notes:
• Log format: NDJSON — one JSON per line, UTF-8, no BOM
• Max 50 GET/POST keys per entry; string values capped at 1024 chars
• Stack traces capped at 10 frames to control log size
• Replaces previous plaintext format — existing log files remain valid

Extend the SEO pipeline with two new template tokens ([headline], [author])
and align core utility functions with the codebase conventions: getVar()
for input, resolved absolute paths in checkPerms(), improved getImgText()
with [img] BBCode support, and the renamed head()->setHead(array \$seo).

Core changes:

1. Schema.org default config (config/global.php):
• Replace "headline": "0" with "headline": "[headline]"
• Replace "name": "[site]" (author) with "name": "[author]"

2. System utilities (core/system.php):
• Rename head() to setHead(array \$seo = []) — accepts optional SEO fields
* New keys: title, desc, img, time, ctitle, author
* Derive \$headline from \$seo['title'] (plain text, no compound suffix)
• Add [headline] and [author] to SEO from/to replacement arrays
• Refactor checkPerms(string \$fp, int \$id) to checkPerms(string \$fp)
* Callers now pass absolute path directly; no id-based base resolution
• Extend getImgText() with \$check=true param and [img=…][/img] BBCode
* Supports [img=type]url[/img] and [img]url[/img] forms
* \$check=false skips file_exists() for remote/virtual images
• Fix fields_in(): explode('|', \$fieldb ?? '') — null-safe coalesce

3. Admin core (core/admin.php):
• Replace func_get_args() in getStatistic() with getVar('get', …)
• Fix checkPerms() calls: prepend BASE_DIR.'/' to construct absolute paths
• Declare getStatistic(): void return type

Benefits:
• Schema.org headline and author now populated with real article data
• setHead() API eliminates scattered global variable mutations in modules
• getImgText() handles [img] BBCode variants without regex fragility

Technical notes:
• setHead() is backward-compatible when called with empty array
• All old call sites of head()/foot() must migrate to setHead()/setFoot()

Update the SEO template variable reference string (_TPLVARS) in all six
admin UI languages. The [title] description is also clarified to reflect
the full composite SEO title (article + category + module + site).

Core changes:

1. Language files (admin/language/de.php, en.php, fr.php, pl.php, ru.php, uk.php):
• Add [headline] variable — article headline (plain text, no suffixes)
* Used in Schema.org "headline" field
• Add [author] variable — article author display name
* Used in Schema.org "author.name" field
• Clarify [title] description to reflect full SEO composition

Benefits:
• Editors can now understand all available SEO tokens at a glance
• Consistent variable docs across all 6 UI languages

Technical notes:
• Change is documentation only (help text); no PHP logic altered
• Backward compatible — existing templates not affected