Журнал изменений

Uniform cleanup pass across all frontend and admin module files to align with the PHP 8.4 migration already applied to core.

Core changes:

1. Admin modules — function renames (24 files):

2. head() → setHead(), foot() → setFoot() across all admin entry points * account, auto_links, changelog, clients, contact, content, faq * files, forum, help, jokes, links, media, money, news, order * pages, rss, shop, sitemap, voting, whois

3. Indentation normalisation (all 39 files):
4. Tabs replaced with 4-space indentation (PSR-12 style)
5. Trailing blank lines removed from switch/case blocks
6. clients/index.php — additional refactoring:
7. systems() renamed to clients(); save_hidden() renamed to hidden()
8. All internal call sites updated accordingly
9. status column removed from SELECT (was fetched but never used)
10. global $conf removed from download() and generator() (unused)
11. Mojibake in $output substitution table fixed (© § Ц № Ў etc.)
12. Mojibake in Russian comments decoded to proper UTF-8 Cyrillic
13. Minor improvements in individual modules:
14. changelog/index.php: $retcode initialised before by-ref use
15. faq/index.php: intermediate $ncat variable eliminated
16. news/index.php: spacing normalisation in type-hint default value

Benefits: - Consistent code style across all module files - Dead globals and unused SELECT columns removed - Broken substitution table in clients module corrected

Technical notes: - No behaviour changes in admin modules; rename-only - clients/index.php mojibake fix corrects runtime substitution values

Largest core file (5 800+ lines) fully migrated to PHP 8.4 standards: type declarations on all 103+ functions, array-syntax modernisation, mojibake elimination, and error-suppression removal.

Core changes:

1. Type declarations (103+ functions):

2. Return types added across all public functions * void, never, string, ?string, int, bool, ?bool, array, array|false * int|string (is_bot, from_bot), mixed for heterogeneous params

3. render_blocks(): void → ?string — function returns string in cases 'p'/'o'
4. getBlocks(): return render_blocks() split to call + return (void compliance)
5. isArray(): ?bool → bool; logic simplified to always return bool
6. Array syntax (65 single-line conversions + 3 manual fixes):
7. array() → [] everywhere except string literals
8. Multi-line stream_context_create([...]) fixed manually
9. Nested array() inside already-converted [...] on engine line fixed
10. Mojibake elimination (runtime + comments):
11. 6 em-dash occurrences (triple-encoded U+2014 → —)
12. Cyrillic HTML transliteration table (lines 4815-4817) restored: А–Я
13. 17 Russian comment lines translated to English
14. Error suppression removal:
15. @mkdir → mkdir (result already checked with if)
16. @fopen → fopen (result already checked with if)

Benefits: - Complete type coverage enables reliable static analysis - Runtime mojibake in transliteration table eliminated - All error paths now explicit, no silent suppression

Technical notes: - No behaviour changes; refactor-only - Dead code mb_strtolower polyfill (PHP 8.4 built-in) left untouched

Migrate three core bootstrap files to PHP 8.4 standards: add return-type declarations to all functions, modernize array syntax, remove error suppression and update copyright year.

Core changes:

1. Type declarations (access.php, security.php, user.php):

2. Add return type hints to all functions * setUnauthorized(): never, setExit(): never, getIp(): string * checkSecurity(): void, checkBot(): void, getBotList(): array * setLang(): void, getLang(): string, getusrinfo(): array|false * checklogin(): void, getAgent(): string, and more

3. Syntax modernisation (all three files):
4. array() constructors → short [] syntax throughout
5. Remove @ error-suppression operators where result is already checked
6. Housekeeping:
7. Copyright year updated to 2026 (mojibake © → ©)
8. Remaining Russian inline comments translated to English

Benefits: - Static analysis can now verify return types across call sites - Eliminates silent failures from suppressed errors - Consistent modern PHP 8.4 syntax

Technical notes: - No behaviour changes; refactor-only - setUnauthorized() and setExit() typed never — both call exit

Systematically replaces all legacy \$confXX alias references with direct \$conf['section']['key'] access across admin modules, core, blocks, and module files as part of the centralized config architecture migration.

Core changes:

1. Admin modules (admin/modules/*.php — 20 files):

2. Replace \$confu, \$confn, \$confst, \$confr, \$confpr, \$conffo etc. with direct \$conf['users'], \$conf['news'], \$conf['statistic'] etc. access

3. Remove now-unused alias variables from global declarations
4. Core files (core/admin.php, core/access.php, core/template.php, core/classes/pdo.php):
5. Migrate remaining \$confXX references to \$conf['section'] pattern
6. Align with getConfig() unified config architecture
7. Blocks and templates (blocks/.php, templates//.php):
8. \$confu, \$conffav, \$confal, \$confv references replaced with direct access
9. Module admin and frontend (modules/*/admin/index.php, modules/shop/index.php):
10. \$confXX aliases replaced; global declarations trimmed accordingly
11. Supporting files (index.php, setup/index.php, phpstan-bootstrap.php):
12. Remaining alias usages updated to direct \$conf path

Benefits: - Single source of truth: all config reads go through \$conf loaded by getConfig() - Eliminates transition alias block dependencies; aliases can be removed incrementally - Reduces global variable pollution in functions

Technical notes: - Transition alias block in security.php retained for remaining consumers; individual aliases removed as their last usage is migrated - No behavior change: \$conf['key'] values are identical to former \$confXX aliases

Removes redundant config file re-inclusion in sitemap functions and fixes a variable name regression introduced during the $confXX → $conf migration.

Core changes:

1. Sitemap config access (core/system.php):

2. doSitemap(): replace include('config/sitemap.php') + \$confma extraction with direct \$conf['sitemap']['key'] — config already loaded by getConfig()

3. setHead(): same fix — removes duplicate filesystem read on every page load
4. All \$confma['...'] references replaced with \$conf['sitemap']['...']
5. \$sitemap_data intermediate variable eliminated
6. Bug fix (core/user.php):

7. favorliste(): \$a = (\$num) ? ... used undefined \$num after renaming to \$cid during config migration; fixed to \$a = (\$cid) ? \$offset + 1 : 1

Benefits: - Eliminates one file_get_contents / include per sitemap check per request - No stale intermediate variable; config path is uniform across codebase - Pagination counter in favorliste() now correctly reflects current page

Technical notes: - \$confma transition alias in security.php is now fully unused; safe to remove - \$conf['sitemap'] is populated by getConfig() from config/sitemap.php return value

Fixes an intermittent session_start() failure caused by three independent issues in core/security.php that together prevented reliable output buffering.

Core changes:

1. Bootstrap output buffering (core/security.php):

2. Remove UTF-8 BOM that was emitting 3 bytes before <?php on every cold request, committing HTTP headers before session_start() could set its cookie

3. Move ob_start() to line 10 — before getConfig(), setLang(), and DB connection — so any PHP notices/warnings from bootstrap are also buffered

4. Remove duplicate ob_start() block that was placed after all bootstrap ops
5. Legacy cleanup (core/security.php):

6. Remove '# Murder variables' unset() block — dead code from register_globals era (PHP 4.x); register_globals was removed in PHP 5.4 (2012); all listed variables are either function-scoped or assigned immediately after

Benefits: - session_start() no longer fails with 'headers already sent' - Bootstrap is clean and deterministic regardless of OPcache state - Dead code removed: 3 lines of unset() with zero security value in PHP 8.4

Technical notes: - output_buffering = 0 in OSPanel php.ini confirmed — ob_start() in security is the only buffer; must be first executable line after FUNC_FILE check - BOM removal applied via binary file_put_contents; no content change

After setLang() was introduced as the sole bootstrap initializer for \$locale, two categories of dead code emerged and are now removed.

Core changes:

1. admin/index.php — two global declarations:

2. getAdminPanelBlocks(): remove \$locale from global list * Was needed for require_once \$path.'/language/'.\$locale.'.php' * Now replaced by getLang(\$name, true) which reads \$locale internally

3. getAdminPanel(): remove \$locale from global list * Same reason as above

4. core/user.php — two no-op calls removed:

5. rss_channel(): remove getLang() * setLang() in bootstrap already loaded language/{\$locale}.php * _CHARSET constant is available before rss_channel() is ever called

6. open_search(): remove getLang() * Same reason — \$locale and all main constants set at bootstrap

Benefits: - global declarations reflect actual dependencies (no phantom imports) - No dead function calls in the hot path of rss and opensearch endpoints

Extracts locale determination and main file loading into a dedicated setLang(): void called once per request from bootstrap. getLang() now only loads module language files and returns \$locale — locale detection code no longer runs on every module getLang() call.

Core changes:

1. setLang() (new, core/security.php):
2. Determines active \$locale from config, \$_REQUEST, cookie
3. Loads main language/\{locale\}.php with fallback to \$mlang
4. Sets language cookie when locale changes
5. void return — init function, called once in bootstrap
6. getLang() (simplified, core/security.php):
7. Removes locale detection block (moved to setLang)
8. Removes static \$mload flag — no longer needed
9. Guards: if (\$module === '') return \$locale; — no-op for bare calls
10. Only responsibility: load module language file + return locale
11. Bootstrap (core/security.php:26):
12. getLang() → setLang()

Benefits: - Locale detection runs exactly once per request (was N times) - getCookies() / getVar() called once instead of per getLang() call - getLang() responsibility is now single: load module file - set/get verb split matches coding-standards §3: set=side-effect init, get=return value — previously get was doing set work (cookie, locale) - \$mload static removed — setLang() handles main file, require_once deduplicates

Technical notes: - All existing getLang(\$name) / getLang(\$name, true) call sites unchanged - getLang() bare calls in user.php (rss_channel, open_search) return \$locale — no-op, harmless - \$locale global is set by setLang() before any module code executes

Leftover uncommitted fixes from previous refactoring session.

Core changes:

1. changelog/admin/index.php:

2. Extract exec() call into gitexec() wrapper with safety guards * Validates function exists, rejects control chars, checks 'git log' presence

3. Change rencom(array, array) to rencom(array) — \$conf accessed via global

4. Fix config key refs: \$conf['showstat'] → \$conf['changelog']['showstat'], \$conf['showfile'] → \$conf['changelog']['showfile']

5. Add missing \$conf to global declarations in changelog() and conf()
6. rss/admin/index.php:
7. Add \$conf to global declarations in rss() and save()
8. voting/admin/index.php:
9. Add \$conf to global declaration in conf()
10. auto_links/admin/index.php:
11. Remove redundant inline comment on safe SQL concatenation

Benefits: - exec() now wrapped in a safety-checked helper — reduces attack surface - Config access uses correct \$conf['changelog'] sub-key path

All call sites migrated to getLang(). The temporary get_lang() shim added during staged rollout is removed from core/security.php. All occurrences of the old function name are now gone from the codebase (exception: 'get_lang' string literal in filemanager plugin switch-case, which is unrelated to the language loader).

Core changes:

1. core/user.php — 6 call sites:
2. navi() line 74: get_lang('account') → getLang('account')
3. navi() line 88: get_lang('clients') → getLang('clients')
4. navi() line 95: get_lang('shop') → getLang('shop')
5. navi() line 109: get_lang('help') → getLang('help')
6. rss_channel() line 713: get_lang() → getLang()
7. open_search() line 824: get_lang() → getLang()
8. core/security.php:
9. Remove get_lang() backward-compat shim (3 lines)

Benefits: - Codebase fully migrated to getLang() — single consistent API - Dead shim code eliminated - Refactoring CSV entry: get_lang,getLang,get,Lang,string,rename+extend

Technical notes: - plugins/filemanager/ajax_calls.php uses 'get_lang' as a string constant in a switch-case — not a function call, not modified