Migrate nine front-end modules (forum, help, jokes, links, main, media, money, news, order) from head()/foot() to setHead()/setFoot(), pass SEO metadata via the new API, and fix remaining raw SQL interpolation with named placeholders.
Core changes:
- forum/index.php:
- head() → setHead(seo); foot() → setFoot()
- Pass title, desc, img, time, ctitle, author to setHead()
- help/index.php:
- head() → setHead(seo); foot() → setFoot()
- jokes/index.php:
- head() → setHead(seo); foot() → setFoot()
- links/index.php:
- head() → setHead(seo); foot() → setFoot()
- main/index.php:
- head() → setHead(); foot() → setFoot()
- Remove unused \$confn / \$confrs locals
- media/index.php:
- head() → setHead(seo); foot() → setFoot()
- money/index.php:
- head() → setHead(); foot() → setFoot()
- news/index.php:
- head() → setHead(seo); foot() → setFoot()
- SQL: category WHERE clause uses named placeholders (:ncat1, :ncat_re, :ncat2)
- catid IN() list uses intval() cast to prevent injection
- \$admin_file → \$afile global alignment
- order/index.php:
- head() → setHead(seo); foot() → setFoot()
Benefits: - SEO data (title, author, img, time) flows cleanly through setHead() API - Eliminates remaining raw SQL string interpolation in news category queries - Consistent global naming (\$afile) across module layer
Technical notes: - news/index.php catid IN() uses intval() map — safe for any array content - Functional behavior preserved in all nine modules
Migrate eight front-end module index files from head()/foot() to setHead()/setFoot(), use \$conf['users'] instead of the \$confu alias, and fix raw SQL string interpolation to use prepared statements with named placeholders where applicable.
Core changes:
- account/index.php:
- head() → setHead(); foot() → setFoot()
- \$confu['…'] → \$conf['users']['…'] throughout
- SQL queries for user_name/user_email use named placeholders
- Remove unused \$confn/\$confrs globals
- auto_links/index.php:
- head() → setHead(); foot() → setFoot()
- Minor getVar() and SQL cleanup
- changelog/index.php:
- head() → setHead(); foot() → setFoot()
- clients/index.php:
- head() → setHead(); foot() → setFoot()
- Prepared statements for client queries
- contact/index.php:
- head() → setHead(); foot() → setFoot()
- content/index.php:
- head() → setHead(); foot() → setFoot()
- Pass SEO fields (title, desc, img, time, ctitle, author) to setHead()
- faq/index.php:
- head() → setHead(); foot() → setFoot()
- files/index.php:
- head() → setHead(); foot() → setFoot()
Benefits: - Modules now pass structured SEO data to setHead() instead of setting globals - Prepared statements eliminate raw string interpolation in SQL - Removed dependency on legacy \$confu alias
Technical notes: - \$conf['users'] array was always available; \$confu was an alias - setHead() / setFoot() are backward compatible with empty-array calls
Apply uniform refactoring to all 22 module admin index files: replace header()+exit; redirect pairs with setRedirect(), and replace list() destructuring with short array syntax [].
Core changes:
- All modules/*/admin/index.php (22 files):
setRedirect() replaces header('Location: …')+exit; patterns * account, auto_links, changelog, clients, contact, content, faq,
files, forum, help, jokes, links, media, money, news, order,
pages, rss, shop, sitemap, voting, whois- list() → [] for sql_fetchrow() and array destructuring
- Minor getVar() default corrections where applicable
Benefits: - All admin entry points now use centralized redirect helper - Consistent array destructuring syntax across entire admin layer
Technical notes: - Functional behavior unchanged - No DB schema or API contract changes
Complete the admin module migration: list()->[], setRedirect(), getVar() for all remaining admin panel modules. Includes security.php IP/ban management and statistic/uploads modules.
Core changes:
- privat.php:
- setRedirect() replaces header()+exit; pairs
- ratings.php:
- list() → [] for sql_fetchrow() destructuring
- setRedirect() replaces header()+exit; pairs
- referers.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- replace.php:
- setRedirect() replaces header()+exit; pairs
- security.php (admin module):
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- statistic.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- template.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- uploads.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
Benefits: - All 22 admin modules now use uniform redirect and array destructuring - No direct superglobal header() calls remain in admin module layer
Technical notes: - Purely syntactic/convention migration; zero logic changes - Backward compatible with existing sessions and DB state
Continue the list()->[], setRedirect(), and getVar() migration across seven more admin modules. All header()+exit; redirect pairs replaced with the centralized setRedirect() helper.
Core changes:
- favorites.php:
- setRedirect() replaces header()+exit; pairs
- fields.php:
- list() → [] for sql_fetchrow() destructuring
- setRedirect() replaces header()+exit; pairs
- groups.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- lang.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- messages.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- modules.php:
- setRedirect() replaces header()+exit; pairs
- newsletter.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
Benefits: - Consistent redirect handling across all admin modules - Eliminates legacy list() syntax — short array syntax throughout
Technical notes: - Logic and DB queries unchanged - Backward compatible
Replace deprecated list() with short array syntax [], use setRedirect() instead of header()+exit; pairs, switch $_COOKIE reads to getVar(), and fix null-default values on getVar() calls across seven admin modules.
Core changes:
- admins.php:
- list() → [] for sql_fetchrow() destructuring
- getVar('post', 'amodules[]', 'var', []) — explicit empty default
- $_COOKIE['sl_close_9'] → getVar('cookie', 'sl_close_9', 'num', 0)
- setRedirect() replaces header()+exit; pairs
- del(): guard $id > 0 before DELETE query
- blocks.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- getVar defaults corrected
- categories.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- comments.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- config.php:
- setRedirect() replaces header()+exit; pairs
- database.php:
- setRedirect() replaces header()+exit; pairs
- editor.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
Benefits: - Eliminates silent header()/exit anti-pattern; redirects now centralized - Short array syntax aligns with PHP 7.1+ codebase conventions - getVar() for cookies prevents direct superglobal access
Technical notes: - Behavior preserved; no logic changes - Backward compatible with existing DB schema
Replace the ad-hoc plaintext error log with an AI-ready NDJSON schema (one JSON object per line). Inline closure helpers replace global named functions to avoid namespace pollution, and all sensitive fields are redacted before logging.
Core changes:
- Error log engine (core/security.php):
New schema: timestamp, level, type, message, req_id, ip, method, url, referer, ua, context (query/post/cookie_keys/session_keys), file, line, trace, mem_mb, mem_peak_mb, duration_ms, php_version, slaed_version
Inline closures: \$ls (sanitize/truncate), \$lredact (mask secrets), \$lbound (cap array size), \$lctx (bounded request context), \$lreq, \$lmem, \$lwrite (atomic file append with flock)
- HTTP error handler: logs 403/404/503 with request context + referer
- PHP error handler: logs warnings/notices/fatals with file+line+trace
- Exception handler: logs uncaught exceptions with full stack trace
- Unhandled rejection: register_shutdown_function for fatal errors
Benefits: - Log entries are machine-parseable — compatible with log aggregators - Sensitive keys (pass, token, auth, secret, etc.) auto-redacted - No more log injection: \r \n \0 stripped before writing - Atomic flock()-based writes prevent concurrent log corruption
Technical notes: - Log format: NDJSON — one JSON per line, UTF-8, no BOM - Max 50 GET/POST keys per entry; string values capped at 1024 chars - Stack traces capped at 10 frames to control log size - Replaces previous plaintext format — existing log files remain valid
Extend the SEO pipeline with two new template tokens ([headline], [author]) and align core utility functions with the codebase conventions: getVar() for input, resolved absolute paths in checkPerms(), improved getImgText() with [img] BBCode support, and the renamed head()->setHead(array \$seo).
Core changes:
- Schema.org default config (config/global.php):
- Replace "headline": "0" with "headline": "[headline]"
- Replace "name": "[site]" (author) with "name": "[author]"
- System utilities (core/system.php):
Rename head() to setHead(array \$seo = []) — accepts optional SEO fields * New keys: title, desc, img, time, ctitle, author * Derive \$headline from \$seo['title'] (plain text, no compound suffix)
- Add [headline] and [author] to SEO from/to replacement arrays
Refactor checkPerms(string \$fp, int \$id) to checkPerms(string \$fp) * Callers now pass absolute path directly; no id-based base resolution
Extend getImgText() with \$check=true param and [img=…][/img] BBCode * Supports
and
- Fix fields_in(): explode('|', \$fieldb ?? '') — null-safe coalesce
- Admin core (core/admin.php):
- Replace func_get_args() in getStatistic() with getVar('get', …)
- Fix checkPerms() calls: prepend BASE_DIR.'/' to construct absolute paths
- Declare getStatistic(): void return type
Benefits: - Schema.org headline and author now populated with real article data - setHead() API eliminates scattered global variable mutations in modules - getImgText() handles [img] BBCode variants without regex fragility
Technical notes: - setHead() is backward-compatible when called with empty array - All old call sites of head()/foot() must migrate to setHead()/setFoot()
Update the SEO template variable reference string (_TPLVARS) in all six admin UI languages. The [title] description is also clarified to reflect the full composite SEO title (article + category + module + site).
Core changes:
- Language files (admin/language/de.php, en.php, fr.php, pl.php, ru.php, uk.php):
Add [headline] variable — article headline (plain text, no suffixes) * Used in Schema.org "headline" field
Add [author] variable — article author display name * Used in Schema.org "author.name" field
- Clarify [title] description to reflect full SEO composition
Benefits: - Editors can now understand all available SEO tokens at a glance - Consistent variable docs across all 6 UI languages
Technical notes: - Change is documentation only (help text); no PHP logic altered - Backward compatible — existing templates not affected
The regex used to extract table names from INSERT statements could match partial identifiers where a word character preceded the underscore prefix, producing false-positive table matches.
Core changes:
- tests/InsertValidationTest.php:
- Add negative lookbehind (?<!\w) before _(\w+) in INSERT pattern
- Ensures the prefix underscore is only matched at a word boundary
Benefits: - Eliminates false-positive table name matches in test assertions - Test results more accurately reflect actual INSERT targets
Technical notes: - Pattern change is regex-only; test logic and assertions unchanged - Lookbehind is zero-width and does not affect captured groups
