The rewrite.php file contained regex-based URL transformation rules managed through the admin editor. This functionality has been superseded: URL rewriting is now controlled exclusively by $conf['rewrite'] and server-level .htaccess rules. All include() calls and the rewrite() function were removed from the codebase in a prior cleanup.
Core changes:
- config/rewrite.php:
- File deleted (122 lines of legacy regex rewrite rules)
- admin/info/editor-*.html (6 language files):
- Remove "System SEF" tab description (referencing config/rewrite.php)
- Rename "Server SEF" tab to "Apache rules" for clarity
Benefits: - Removes dead code with no callers - Admin editor UI reflects the actual available tabs - Reduces confusion between PHP-level and server-level URL rewriting
Technical notes: - $conf['rewrite'] config key is preserved; controls mod_rewrite behavior - .htaccess-based rewriting remains fully functional
Protect reserved config files from being merged into $conf via getConfig() or accidentally overwritten via setConfigFile(). Three files serve system injection purposes (not config arrays) and must be excluded from glob merge.
Core changes:
- getConfig() (core/system.php):
- Replace single local.php check with explicit $skip array
- Skip list: local.php, system.php, header.php, chmod.php
- setConfigFile() (core/system.php):
- Add static $reserved guard at function entry point
- Reserved: system.php, header.php, chmod.php, local.php
- Calls with reserved filenames return silently without writing
Benefits: - Prevents accidental overwrite of system injection files - Eliminates false config merges from null-returning reserved files - Explicit skip list is self-documenting
Technical notes: - config/system.php, header.php, chmod.php return null by design - config/local.php provides per-environment overrides, must not be merged - Backward compatible: existing callers are unaffected
Remove the configurable anonymous user name ($confu['anonym']) and replace it with the static language constant _ANONYM defined in all six root language files. This eliminates a config option that had no practical need for per-site customization.
Core changes:
- Language files (language/*.php — 6 files):
Add define("_ANONYM", "...") between _AND and _ANSWER in all 6 languages * en: "Guest", ru: "Гость", de: "Gast", fr: "Invité", pl: "Gość", uk: "Гість"
- Admin language files (admin/language/*.php — 6 files):
- Remove define("_ANONYMOUSNAME", "...") from all 6 files
- Config and core (config/users.php, core/admin.php, core/security.php, core/user.php):
- Remove 'anonym' key from config/users.php
- Replace all $confu['anonym'] with _ANONYM
- Admin modules (modules/*/admin/index.php — 10 modules + account):
- Remove anonym form field from modules/account/admin/index.php
- Replace $confu['anonym'] with _ANONYM in 10 module admin files
- Block (blocks/block-user_info.php):
- Replace $confu['anonym'] with _ANONYM
Benefits: - Simplifies configuration (removes non-essential option) - Consistent anonymous name via i18n constant system - _ANONYM resides in language/*.php (globally loaded, not admin-only)
Technical notes: - _ANONYM is defined in language/.php, not admin/language/.php - core/security.php: collapsed $anon initialization into substr(_ANONYM, 0, 25)
Apply full PHP 8.4 modernization across all 26 front-end modules. Each module receives type-safe function signatures, setHead() for SEO metadata, prepared SQL with named placeholders, getVar() for all user input, and setFoot() replacing legacy foot() calls.
Core changes:
- SEO and head output (all modules):
- Replace head($conf['defis'].' '._MODULE) with setHead(['title' => _MODULE])
- Replace foot() with setFoot()
- SQL queries (all modules):
- Convert string-concatenated queries to prepared statements
- Add PREFIX_DB constant to all table references
- Input handling (all modules):
- Replace $_GET/$_POST direct access with getVar()
- Add type hints to all function parameters and return types
- Template variables (all modules):
- Fix placeholder syntax: 'title' => ... to '{%title%}' => ...
- Use setTemplateBasic() / setTemplateWarning() exclusively
Anonymous user display (faq, files, forum, help, jokes, links, media, news, pages, search, shop, whois, account):
- Replace $confu['anonym'] with _ANONYM constant
Benefits: - Full PHP 8.4 compatibility across all public-facing modules - Eliminates SQL injection attack surface in 26 modules - Consistent anonymous user display via _ANONYM constant - Uniform SEO metadata via setHead()
Technical notes: - modules/forum/index.php: largest single-module change (~1469 lines) - modules/news/index.php: second largest (~566 lines) - All 26 front-end modules now fully modernized (100% complete)
Complete the head()/foot() → setHead()/setFoot() migration for the last nine front-end modules, and update both basic.html templates to render the article title as <h1> when in single-view mode and <h3> in list mode.
Core changes:
- pages/index.php → setHead(seo); setFoot()
- recommend/index.php → setHead(); setFoot()
- rss/index.php → setHead(); setFoot()
- search/index.php → setHead(); setFoot()
shop/index.php → setHead(seo); setFoot() - Pass title, desc, img, time, ctitle, author
- sitemap/index.php → setHead(); setFoot()
- users/index.php → setHead(); setFoot()
- voting/index.php → setHead(seo); setFoot()
- whois/index.php → setHead(); setFoot()
- templates/default/basic.html and templates/lite/basic.html:
Wrap title in {%if is_view%}<h1>…</h1>{%else%}<h3>…</h3>{%endif%} * Single-article view uses semantically correct <h1> for SEO * List views retain <h3> for visual hierarchy
Benefits: - All front-end modules now use the unified SEO-aware setHead() API - Templates emit correct heading hierarchy — <h1> on detail pages improves Schema.org headline alignment and core-web-vitals LCP
Technical notes: - head()/foot() aliases can be removed in a future cleanup pass - {%if is_view%} is evaluated by the template engine; no PHP changes needed - Backward compatible: basic.html change is purely additive
Migrate nine front-end modules (forum, help, jokes, links, main, media, money, news, order) from head()/foot() to setHead()/setFoot(), pass SEO metadata via the new API, and fix remaining raw SQL interpolation with named placeholders.
Core changes:
- forum/index.php:
- head() → setHead(seo); foot() → setFoot()
- Pass title, desc, img, time, ctitle, author to setHead()
- help/index.php:
- head() → setHead(seo); foot() → setFoot()
- jokes/index.php:
- head() → setHead(seo); foot() → setFoot()
- links/index.php:
- head() → setHead(seo); foot() → setFoot()
- main/index.php:
- head() → setHead(); foot() → setFoot()
- Remove unused \$confn / \$confrs locals
- media/index.php:
- head() → setHead(seo); foot() → setFoot()
- money/index.php:
- head() → setHead(); foot() → setFoot()
- news/index.php:
- head() → setHead(seo); foot() → setFoot()
- SQL: category WHERE clause uses named placeholders (:ncat1, :ncat_re, :ncat2)
- catid IN() list uses intval() cast to prevent injection
- \$admin_file → \$afile global alignment
- order/index.php:
- head() → setHead(seo); foot() → setFoot()
Benefits: - SEO data (title, author, img, time) flows cleanly through setHead() API - Eliminates remaining raw SQL string interpolation in news category queries - Consistent global naming (\$afile) across module layer
Technical notes: - news/index.php catid IN() uses intval() map — safe for any array content - Functional behavior preserved in all nine modules
Migrate eight front-end module index files from head()/foot() to setHead()/setFoot(), use \$conf['users'] instead of the \$confu alias, and fix raw SQL string interpolation to use prepared statements with named placeholders where applicable.
Core changes:
- account/index.php:
- head() → setHead(); foot() → setFoot()
- \$confu['…'] → \$conf['users']['…'] throughout
- SQL queries for user_name/user_email use named placeholders
- Remove unused \$confn/\$confrs globals
- auto_links/index.php:
- head() → setHead(); foot() → setFoot()
- Minor getVar() and SQL cleanup
- changelog/index.php:
- head() → setHead(); foot() → setFoot()
- clients/index.php:
- head() → setHead(); foot() → setFoot()
- Prepared statements for client queries
- contact/index.php:
- head() → setHead(); foot() → setFoot()
- content/index.php:
- head() → setHead(); foot() → setFoot()
- Pass SEO fields (title, desc, img, time, ctitle, author) to setHead()
- faq/index.php:
- head() → setHead(); foot() → setFoot()
- files/index.php:
- head() → setHead(); foot() → setFoot()
Benefits: - Modules now pass structured SEO data to setHead() instead of setting globals - Prepared statements eliminate raw string interpolation in SQL - Removed dependency on legacy \$confu alias
Technical notes: - \$conf['users'] array was always available; \$confu was an alias - setHead() / setFoot() are backward compatible with empty-array calls
Apply uniform refactoring to all 22 module admin index files: replace header()+exit; redirect pairs with setRedirect(), and replace list() destructuring with short array syntax [].
Core changes:
- All modules/*/admin/index.php (22 files):
setRedirect() replaces header('Location: …')+exit; patterns * account, auto_links, changelog, clients, contact, content, faq,
files, forum, help, jokes, links, media, money, news, order,
pages, rss, shop, sitemap, voting, whois- list() → [] for sql_fetchrow() and array destructuring
- Minor getVar() default corrections where applicable
Benefits: - All admin entry points now use centralized redirect helper - Consistent array destructuring syntax across entire admin layer
Technical notes: - Functional behavior unchanged - No DB schema or API contract changes
Complete the admin module migration: list()->[], setRedirect(), getVar() for all remaining admin panel modules. Includes security.php IP/ban management and statistic/uploads modules.
Core changes:
- privat.php:
- setRedirect() replaces header()+exit; pairs
- ratings.php:
- list() → [] for sql_fetchrow() destructuring
- setRedirect() replaces header()+exit; pairs
- referers.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- replace.php:
- setRedirect() replaces header()+exit; pairs
- security.php (admin module):
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- statistic.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- template.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- uploads.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
Benefits: - All 22 admin modules now use uniform redirect and array destructuring - No direct superglobal header() calls remain in admin module layer
Technical notes: - Purely syntactic/convention migration; zero logic changes - Backward compatible with existing sessions and DB state
Continue the list()->[], setRedirect(), and getVar() migration across seven more admin modules. All header()+exit; redirect pairs replaced with the centralized setRedirect() helper.
Core changes:
- favorites.php:
- setRedirect() replaces header()+exit; pairs
- fields.php:
- list() → [] for sql_fetchrow() destructuring
- setRedirect() replaces header()+exit; pairs
- groups.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- lang.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- messages.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
- modules.php:
- setRedirect() replaces header()+exit; pairs
- newsletter.php:
- list() → [] throughout
- setRedirect() replaces header()+exit; pairs
Benefits: - Consistent redirect handling across all admin modules - Eliminates legacy list() syntax — short array syntax throughout
Technical notes: - Logic and DB queries unchanged - Backward compatible
